A role access control method based on trust evaluation and privacy budget cooperation
A role-based access control method that combines trust assessment with privacy budgeting addresses the accumulation of privacy loss across multi-round statistical queries. It balances result accuracy against privacy protection in different scenarios, using hierarchical budget management and differential privacy to dynamically control the accuracy of released query results.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- NANJING UNIV OF AERONAUTICS & ASTRONAUTICS
- Filing Date
- 2026-04-07
- Publication Date
- 2026-06-19
Figure CN122247720A_ABST (abstract drawing)
Description
Technical Field
[0001] This invention belongs to the technical fields of information security, access control, and data privacy protection. It concerns a role-based access control method in which trust assessment and privacy budget are controlled collaboratively. The method applies to data sharing systems with continuous statistical query needs and is used to dynamically control the accuracy of disclosed query results after role authorization has been granted.
Background Technology
[0002] Role-based access control (RBAC) models are widely used in information systems across enterprises, government, healthcare, and finance due to their simplicity and ease of deployment. Traditional role-based access control primarily relies on static roles and preset permission sets to determine authorization, focusing on whether access requests are permitted.
[0003] However, in data sharing scenarios oriented towards statistical analysis, access control alone is insufficient to meet privacy protection needs. Once authorized, access subjects can often initiate multiple rounds of statistical queries, leading to a continuous accumulation of privacy losses with each query. Existing role-based access control models generally lack a unified quantification and constraint mechanism for privacy consumption across query cycles.
[0004] Meanwhile, existing differential privacy methods can suppress privacy leakage by injecting random noise into query results, but when they are not combined with role permissions, purpose constraints, and user trust status, their budget allocation cannot reflect the differences between subjects, purposes, and risk scenarios. This easily leads to insufficient constraint in high-risk scenarios or excessively limited accuracy in low-risk scenarios.
[0005] Therefore, a method is needed that, after role-based access control authorization is granted, further combines user trust level, purpose, query sensitivity, and remaining budget status to differentiate the accuracy at which query results are published, so as to control cumulative privacy loss while preserving data availability.
Summary of the Invention
[0006] To address the aforementioned technical problems, this invention proposes a role-based access control method based on the collaborative control of trust assessment and privacy budget.
[0007] To achieve the above objectives, the present invention adopts the following technical solution: A role-based access control method based on trust assessment and privacy budget collaborative control includes the following steps: (1) Receive an access request, the access request including user identifier, role information, query task, purpose identifier, user trust level and target dataset; wherein, the purpose identifier is bound by the business process and is verified by the server before the request enters the decision.
[0008] (2) Perform basic authorization checks on the access request based on the role information and purpose constraints.
[0009] (3) After the basic authorization check is passed, the available budget boundary for this query is determined based on the system-level global privacy budget limit and the sub-budget pools corresponding to the role information and purpose identifier; wherein, the global privacy budget limit is used to constrain the total differential privacy budget that the target data is allowed to consume during its lifecycle; the sub-budget pools are divided according to the combination of roles and purposes, and the sum of the capacities of each sub-budget pool does not exceed the global privacy budget limit.
[0010] (4) Calculate the single privacy budget for this query based on role, purpose, user trust level, query sensitivity, number of releases already served, global remaining budget, and sub-pool remaining budget; wherein the scenario baseline budget ε_base is determined from role and purpose, scaled according to the user trust level, and tightened according to the query sensitivity and the number of releases already served to generate the candidate budget.
[0011] (5) The scenario baseline budget, candidate budget, lifetime single budget cap, and single privacy budget satisfy the following relationships:
[0012] where the quantities in these relationships are: the role-purpose scenario coefficient; the standard budget; the trust scaling function of the user's overall trust level; the sensitivity shrink function of the query's global sensitivity; the global remaining budget; the remaining budget of the corresponding role-purpose sub-budget pool; the maximum number of releases allowed over the lifetime; and n, the number of releases already served.
[0013] (6) When the single privacy budget meets the release condition, the query is executed within the authorized data range and differential privacy noise is injected into the query result according to the single privacy budget to output a noisy result; the noise injection sets the random noise intensity from the query sensitivity and the single privacy budget and perturbs the true query result. For the Laplace mechanism, the noise scale b satisfies the following relationship, in which the quantities are the global sensitivity of query q and the single privacy budget allocated for this query.
[0014] (7) After the noisy result is output, the budget is deducted from the global remaining budget and the corresponding sub-pool remaining budget, and the budget consumption and release status are recorded. The budget checking and budget deduction process is atomic to avoid out-of-bounds deduction or duplicate deduction under concurrent conditions.
[0015] (8) The method uses a global privacy budget to uniformly constrain the budget consumption of sub-budget pools with different roles or purposes in order to resist cross-pool attacks.
[0016] (9) The method also includes log recording and budget threshold monitoring steps for recording query roles, purposes, user trust levels, budget consumption and result publication status.
[0017] (10) When the single privacy budget does not meet the release conditions or the budget is insufficient, return a rejection response and terminate data-related output.
[0018] The beneficial effects of adopting the above technical solution are as follows: (1) This invention integrates differential privacy budget governance and role access control authorization process into a unified design, extending authorization control from simple admission judgment to query result disclosure accuracy control.
[0019] (2) The present invention adopts a hierarchical budget structure that combines global budget with role-purpose sub-budget pools, which can implement differentiated budget management for different access scenarios under the premise that the total privacy loss is controlled.
[0020] (3) This invention incorporates user trust, purpose, query sensitivity and remaining budget status into a single query budget decision, which can achieve a more reasonable balance between privacy protection and query availability.
[0021] (4) The present invention forms a closed-loop control through budget accounting, log recording and threshold monitoring, which effectively suppresses cumulative privacy consumption over multiple rounds of statistical queries and improves the long-term service capability of the system.
Attached Figure Description
[0022] Figure 1 is the overall flowchart of the role-based access control method based on trust assessment and privacy budget collaborative control of the present invention.
Detailed Implementation
[0023] The technical solution of the present invention will be described in detail below with reference to the accompanying drawings.
[0024] A role-based access control method based on trust assessment and privacy budget collaborative control includes the following steps: (1) Receive an access request, which includes user ID, role information, query task, purpose ID, user trust level and target dataset; wherein, user trust level can be provided by a front-end trust assessment module, and purpose ID is bound by the business process and verified before the request enters the decision.
[0025] (2) The system performs a basic authorization check. The access control decision module determines whether the request is qualified to access based on role permissions and purpose constraints; if not, it directly returns a denial response. This step ensures that the subsequent privacy budgeting and differential privacy mechanisms apply only to requests already authorized by role.
[0026] (3) After the basic authorization check is passed, the available budget boundary for this query is determined based on the system-level global privacy budget limit and the sub-budget pools corresponding to the role information and purpose identifier; wherein, the global privacy budget limit is used to constrain the total differential privacy budget that the target data is allowed to consume during its lifecycle; the sub-budget pools are divided according to the combination of roles and purposes, and the sum of the capacities of each sub-budget pool does not exceed the global privacy budget limit.
[0027] (4) Calculate the single privacy budget for this query based on role, purpose, user trust level, query sensitivity, number of releases already served, global remaining budget, and sub-pool remaining budget; wherein the scenario baseline budget ε_base is determined from role and purpose, scaled according to the user trust level, and tightened according to the query sensitivity and the number of releases already served to generate the candidate budget.
[0028] (5) The scenario baseline budget, candidate budget, lifetime single budget cap, and single privacy budget satisfy the following relationships:
[0029] where the quantities in these relationships are: the role-purpose scenario coefficient; the standard budget; the trust scaling function of the user's overall trust level; the sensitivity shrink function of the query's global sensitivity; the global remaining budget; the remaining budget of the corresponding role-purpose sub-budget pool; the maximum number of releases allowed over the lifetime; and n, the number of releases already served.
[0030] (6) When the single privacy budget meets the release condition, the query is executed within the authorized data range and differential privacy noise is injected into the query result according to the single privacy budget to output a noisy result; the noise injection sets the random noise intensity from the query sensitivity and the single privacy budget and perturbs the true query result. For the Laplace mechanism, the noise scale b satisfies the following relationship, in which the quantities are the global sensitivity of query q and the single privacy budget allocated for this query.
[0031] (7) The system performs budget accounting and audit monitoring. After the noisy result is output, the system performs budget deduction on the global remaining budget and the corresponding sub-pool remaining budget. The log monitoring module records the role, purpose, user trust level, budget consumption and release status of this request, and monitors the budget threshold. The budget check and budget deduction process adopts atomic processing to avoid out-of-bounds deduction or duplicate deduction under concurrent conditions.
[0032] (8) The method uses a global privacy budget to uniformly constrain the budget consumption of sub-budget pools with different roles or purposes in order to resist cross-pool attacks.
[0033] (9) The method also includes log recording and budget threshold monitoring steps for recording query roles, purposes, user trust levels, budget consumption and result publication status.
[0034] (10) When the single privacy budget does not meet the release conditions or the budget is insufficient, return a rejection response and terminate data-related output.
[0035] In summary, this invention integrates differential privacy result disclosure control into role-based access control authorization, and through the collaborative design of hierarchical budget management, query-level budget calculation, differential privacy execution, budget accounting and log monitoring, it achieves continuous constraint on cumulative privacy loss in multi-round statistical query scenarios.
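The ten steps above, as listed in both the Summary and the Detailed Implementation, composed into one runnable pipeline. This is an added example, not code from the patent or its assignee. The numeric values of the standard budget, the scenario coefficients, the release threshold, the lifetime release count and the single-query cap, and the concrete forms of the trust scaling, sensitivity shrink and release-count tightening functions, are assumptions chosen for the demo (the description says only what each depends on); the roles, purposes, datasets and the `BudgetedRBAC`, `Request`, `Decision` and `build_demo` names are likewise constructed. The Laplace scale b = sensitivity / ε is the standard Laplace-mechanism relation.

```python
import random
import threading
from dataclasses import dataclass
from typing import Optional

# Assumed demo parameters: the description names these quantities but gives no values.
EPS_STD = 1.0        # standard budget
EPS_MIN = 0.05       # release condition: a single budget below this is not released
MAX_RELEASES = 100   # maximum number of releases allowed over the lifetime
SCENARIO_COEF = {("analyst", "reporting"): 0.5, ("analyst", "research"): 0.3,
                 ("auditor", "compliance"): 0.8}  # role-purpose scenario coefficients

def trust_scale(trust: float) -> float:
    """Trust scaling function (assumed form): trust score clipped into [0.2, 1.0]."""
    return max(0.2, min(1.0, trust))

def sensitivity_shrink(sensitivity: float) -> float:
    """Sensitivity shrink function (assumed form): higher sensitivity, smaller budget."""
    return 1.0 / (1.0 + sensitivity)

def release_decay(served: int) -> float:
    """Release-count tightening (assumed form): linear decay, zero at the lifetime limit."""
    return max(0.0, (MAX_RELEASES - served) / MAX_RELEASES)

@dataclass
class Request:
    user_id: str
    role: str
    purpose: str         # purpose identifier, assumed bound and verified before it gets here
    dataset: str
    trust: float         # user trust level from the front-end trust assessment module
    sensitivity: float   # global sensitivity of the requested statistic
    true_answer: float   # exact result computed within the authorized data range

@dataclass
class Decision:
    allowed: bool
    reason: str
    epsilon: float = 0.0
    noisy_result: Optional[float] = None

class BudgetedRBAC:
    def __init__(self, global_cap, pool_caps, role_perms, eps_cap, rng=None):
        # Steps (3)/(8): pool capacities may not exceed the global cap, so no subject can
        # drain several pools past the lifetime total (the cross-pool case).
        if sum(pool_caps.values()) > global_cap + 1e-12:
            raise ValueError("sub-pool capacities exceed the global privacy budget")
        self.global_remaining = global_cap
        self.pool_remaining = dict(pool_caps)
        self.role_perms = role_perms   # role -> {purpose: set of datasets}
        self.eps_cap = eps_cap         # lifetime single-query budget cap
        self.served = 0                # n, releases already served
        self.rng = rng if rng is not None else random.SystemRandom()
        self.lock = threading.Lock()
        self.log = []                  # step (9): (user, role, purpose, trust, eps, state)

    def authorize(self, req: Request) -> bool:
        """Step (2): ordinary RBAC admission on role, purpose and dataset."""
        allowed = self.role_perms.get(req.role, {})
        return req.purpose in allowed and req.dataset in allowed[req.purpose]

    def single_budget(self, req: Request) -> float:
        """Steps (4)-(5): base budget, trust scaling, tightening, then the caps."""
        eps_base = SCENARIO_COEF.get((req.role, req.purpose), 0.0) * EPS_STD
        candidate = (eps_base * trust_scale(req.trust)
                     * sensitivity_shrink(req.sensitivity) * release_decay(self.served))
        pool = self.pool_remaining.get((req.role, req.purpose), 0.0)
        return min(candidate, self.eps_cap, self.global_remaining, pool)

    def laplace_noise(self, sensitivity: float, eps: float) -> float:
        """Step (6): Laplace noise, scale b = sensitivity / eps, as a difference of two exponentials."""
        b = sensitivity / eps
        return self.rng.expovariate(1.0 / b) - self.rng.expovariate(1.0 / b)

    def query(self, req: Request) -> Decision:
        if not self.authorize(req):
            return self._reject(req, "role, purpose or dataset not authorized")
        # Step (7): check and deduct under one lock so concurrent requests cannot overdraw
        # a pool or deduct twice (a database transaction or CAS plays this role in production).
        with self.lock:
            eps = self.single_budget(req)
            if eps < EPS_MIN:
                return self._reject(req, "single budget below release threshold")
            self.global_remaining -= eps
            self.pool_remaining[(req.role, req.purpose)] -= eps
            self.served += 1
            noisy = req.true_answer + self.laplace_noise(req.sensitivity, eps)
            self.log.append((req.user_id, req.role, req.purpose, req.trust, eps, "released"))
        return Decision(True, "released", eps, noisy)

    def _reject(self, req: Request, reason: str) -> Decision:
        """Step (10): a rejection carries no data-related output."""
        self.log.append((req.user_id, req.role, req.purpose, req.trust, 0.0, "rejected"))
        return Decision(False, reason)

def build_demo(seed: int = 7) -> BudgetedRBAC:
    """Constructed demo: three role-purpose pools whose capacities sum to the global cap."""
    pools = {("analyst", "reporting"): 1.0, ("analyst", "research"): 0.5, ("auditor", "compliance"): 0.5}
    perms = {"analyst": {"reporting": {"sales"}, "research": {"sales", "hr"}}, "auditor": {"compliance": {"hr"}}}
    return BudgetedRBAC(global_cap=2.0, pool_caps=pools, role_perms=perms, eps_cap=0.2, rng=random.Random(seed))
```

With `build_demo()` and a repeated `Request("u1", "analyst", "reporting", "sales", 0.8, 1.0, 1000.0)`, the first release gets ε = 0.5 × 0.8 × 0.5 = 0.2 (exactly the single-query cap) and the second gets 0.198 because the release-count factor has dropped to 0.99, so the same subject pays a slightly tighter budget on every round; a pool of capacity 0.1 lets exactly one such release through and rejects the next. One ordering choice differs from the literal text of step (7): the deduction happens inside the critical section before the noisy value leaves the lock, rather than after output, because a failure between output and deduction would otherwise hand out a release that was never charged.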
Claims
1. A role-based access control method based on collaborative control of trust evaluation and privacy budget, characterized in that the method comprises the following steps:
(1) receiving an access request, the access request comprising a user identifier, role information, a query task, a purpose identifier, a user trust level, and a target data set; wherein the purpose identifier is bound by a business process and is checked by a server before the request enters a decision;
(2) performing a basic authorization check on the access request according to the role information and the purpose constraints;
(3) when the basic authorization check passes, determining the available budget boundary for this query according to the system-level global privacy budget upper limit and the sub-budget pool corresponding to the role information and the purpose identifier; wherein the global privacy budget upper limit constrains the total differential privacy budget the target data is allowed to consume within its life cycle; the sub-budget pools are divided according to the combination of roles and purposes, and the sum of the capacities of the sub-budget pools does not exceed the global privacy budget upper limit;
(4) calculating a single privacy budget for this query according to the role, the purpose, the user trust level, the query sensitivity, the number of releases already served, the global remaining budget, and the sub-pool remaining budget; wherein a scenario base budget ε_base is determined according to the role and the purpose, the scenario base budget is scaled according to the user trust level, the budget is tightened according to the query sensitivity and the number of releases already served, and a candidate budget is generated;
(5) the scenario base budget, the candidate budget, the life-cycle single budget upper limit, and the single privacy budget satisfy the following relationships respectively; wherein the quantities in these relationships are the role-purpose scenario coefficient, the standard budget, the trust scaling function of the user's overall trust score, the sensitivity shrink function of the query's global sensitivity, the global remaining budget, the remaining budget of the corresponding role-purpose sub-budget pool, the maximum number of releases allowed over the lifetime, and n, the number of releases already served;
(6) when the single privacy budget meets the release condition, performing the query within the authorized data range and injecting differential privacy noise into the query result according to the single privacy budget to output a noisy result; the noise injection determines the random noise intensity from the query sensitivity and the single privacy budget and perturbs the true query result; for the Laplace mechanism, the noise scale b satisfies the following relationship, in which the quantities are the global sensitivity of the query q and the single privacy budget allocated for this query;
(7) after outputting the noisy result, deducting the budget from the global remaining budget and the corresponding sub-pool remaining budget, and recording the budget consumption and the release state; the budget check and budget deduction are processed atomically to avoid over-limit or repeated deduction under concurrent conditions;
(8) constraining the budget consumption of the sub-budget pools of different roles or different purposes uniformly by the global privacy budget, so as to resist cross-pool attacks;
(9) a log recording and budget threshold monitoring step that records the query role, purpose, user trust level, budget consumption, and result release state;
(10) when the single privacy budget does not meet the release condition or the remaining budget is insufficient, returning a rejection response and terminating the data-related output.