Identity binding-based multi-agent permission control method and device
By receiving control commands and user identification from smart terminals, assigning them to bound smart agents and performing multi-dimensional permission verification, the problem of insufficient reliability of identity recognition and privacy leakage in existing technologies is solved, realizing safe and convenient multi-scenario and multi-role intelligent control.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- HEFEI BAYUN INFORMATION TECHNOLOGY CO LTD
- Filing Date
- 2026-05-08
- Publication Date
- 2026-07-03
AI Technical Summary
Existing intelligent control solutions cannot achieve hardware-level unique identity binding, resulting in insufficient reliability of identity recognition, risks of unauthorized impersonation, unauthorized operation, and privacy leakage. Furthermore, they have weak scene adaptability and cannot meet the intelligent control needs of multiple scenarios and multiple roles.
By receiving control commands and user identification from smart terminals, the commands are assigned to smart agents bound to the user's identity, standardized control commands are generated, and multi-dimensional permission verification is performed to ensure the standardization and security of command processing.
It achieves precise association between control commands and user identities, independent distribution and processing, constructs a complete security control closed loop, improves the security and reliability of intelligent control, and adapts to the needs of multiple scenarios and multiple roles.
Smart Images

Figure CN122339818A_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of computer technology, and in particular to a method and device for multi-agent access control based on identity binding. Background Technology
[0002] With the deep integration of IoT and AI technologies, intelligent control technology has been widely implemented in numerous fields, including home life, office management, industrial production, park operation and maintenance, and commercial services. The types and numbers of network-connected and controllable intelligent devices continue to grow, and application scenarios involving multiple personnel and roles collaboratively controlling devices are becoming increasingly common. The industry is placing higher demands on intelligent control solutions regarding identity recognition accuracy, operational security, scenario adaptability flexibility, and ease of use. Simultaneously, the rapid development of multi-agent technology provides technical support for the realization of personalized and differentiated intelligent control services. How to combine multi-agent technology to build a secure, universal, and convenient intelligent control system has become a key research direction in this field.
[0003] Currently, mainstream intelligent control solutions in this field mostly use common devices such as smartphones, central control panels, and smart speakers as control entry points. They use software-level methods such as account passwords and biometric recognition to distinguish the identity of operators. They employ a centralized public artificial intelligence service module to uniformly process the control commands of all users, and then send the processed commands to the local central control device through a fixed transmission link. The central control device then completes the issuance of commands and the driving control of the controlled devices.
[0004] Existing solutions of this type all use shared public devices as the core control entry point, relying on software-level identity recognition and access control mechanisms, and employing centralized public service modules to complete command processing, with fixed transmission links and terminal forms. However, these solutions cannot achieve hardware-level unique identity binding, resulting in insufficient reliability of identity recognition and susceptibility to problems such as unauthorized impersonation and unauthorized operations. Furthermore, they have weak scenario adaptability, lack an end-to-end security control loop, cannot isolate multi-user data, pose privacy risks, and have cumbersome operation processes, making them difficult to adapt to the intelligent control needs of multiple scenarios and multiple roles. Summary of the Invention
[0005] To address the aforementioned issues, this application provides a method and device for multi-agent access control based on identity binding.
[0006] The embodiments of this application disclose the following technical solutions: In a first aspect, embodiments of this application provide a multi-agent access control method based on identity binding, the method comprising: Receive control commands from the smart terminal and the user identity identifier bound to the smart terminal; Based on the user identity identifier, the control commands are assigned to the intelligent agent bound to the user identity identifier; The intelligent agent parses the control commands to generate standardized control commands that include target device identification and control operation information. Based on a preset permission policy, multi-dimensional permission verification is performed on the user identity identifier, the target device identifier, and the control operation information; If the multi-dimensional permission verification passes, an execution command is issued to the controlled device corresponding to the target device identifier.
[0007] In one possible implementation, receiving control commands from the smart terminal and a user identity identifier bound to the smart terminal specifically includes: The control command and user identification are received through a preset first transmission path or a second transmission path; the first transmission path is that the smart terminal directly sends the control command and user identification through the communication network, and the second transmission path is that the smart terminal sends the control command and user identification through a relay node, wherein the relay node includes at least one of a central control module, a gateway, an edge node, a local server, and a cloud server.
[0008] In one possible implementation, the step of parsing the control instructions through the intelligent agent to generate standardized control instructions including target device identifier and control operation information specifically includes: The intelligent agent invokes a pre-associated knowledge base to perform intent recognition and parameter extraction on the control commands, and matches them to obtain the corresponding target device identifier, control operation name, and operation parameters. The knowledge base includes at least one of the following: a user-intelligent agent binding relationship knowledge base, a device information knowledge base, and a central control function information knowledge base. The target device identifier, the control operation name, and the operation parameters are encapsulated to generate standardized control instructions.
[0009] In one possible implementation, the multi-dimensional permission verification includes one or more of the following verification dimensions: agent legitimacy verification, user identity and role matching verification, target device operation permission verification, control operation function legitimacy verification, control operation parameter compliance verification, authorization validity period verification, and device command lock status verification.
[0010] In one possible implementation, the smart terminal corresponds to a unique user, and the smart terminal has a built-in, tamper-proof user identity identifier; the smart terminal collects the user's control commands through a built-in trigger module, and the trigger module supports at least one interaction method among physical buttons, touch, tapping, pinching, voice, gestures, and proximity sensing.
[0011] In one possible implementation, the method further includes: During the multi-dimensional permission verification process, if it is detected that the target control operation of the controlled device corresponding to the target device identifier is in an instruction lock state, the permission priority of the user who initiated the control instruction is obtained, and the permission priority of the user who initiated the control instruction is compared with the permission priority of the lock instruction initiator. When the user who initiates the control command has a higher permission priority than the user who initiates the lock command, the permission verification is deemed successful, and the user is allowed to unlock and execute the corresponding control operation. The verification fails when the user who initiates the control command has a lower permission priority than the user who initiates the lock command, or when the user who initiates the control command has the same permission priority as the user who initiates the lock command.
[0012] In one possible implementation, the method further includes: Receive a temporary authorization instruction from the smart terminal bound by the administrator. The temporary authorization instruction includes the identity identifier of the authorized object, the identifier of the authorized target device, the authorization control operation, and the authorization validity period. Verify the administrator's identity and authorization permissions; After successful verification, the preset permission policy is updated to configure the target device operation permissions within the validity period for the authorized object's identity identifier.
[0013] In one possible implementation, the method further includes: If the multi-dimensional permission verification fails, the corresponding control operation will be refused, and a permission-free prompt will be sent to the smart terminal that initiated the control command. After the controlled device completes the execution instruction, it sends the execution status and result back to the corresponding intelligent agent.
[0014] Secondly, embodiments of this application disclose a multi-agent access control device based on identity binding, the device comprising: The receiving module is used to receive control commands from the smart terminal and user identification identifiers bound to the smart terminal; The allocation module is used to allocate the control commands to the intelligent agents bound to the user identity identifier based on the user identity identifier; The generation module is used to parse the control instructions through the intelligent agent and generate standardized control instructions including target device identifier and control operation information; The verification module is used to perform multi-dimensional permission verification on the user identity identifier, the target device identifier, and the control operation information based on a preset permission policy. The delivery module is used to send an execution command to the controlled device corresponding to the target device identifier if the multi-dimensional permission verification passes.
[0015] In one possible implementation, the receiving module is specifically used to receive the control command and user identity identifier through a preset first transmission path or a second transmission path; the first transmission path is that the smart terminal directly sends the control command and user identity identifier through a communication network, and the second transmission path is that the smart terminal sends the control command and user identity identifier through a relay node, wherein the relay node includes at least one of a central control module, a gateway, an edge node, a local server, and a cloud server.
[0016] In one possible implementation, the generation module is specifically used to call a pre-associated knowledge base through the agent to perform intent recognition and parameter extraction on the control command, and match the corresponding target device identifier, control operation name and operation parameters; the knowledge base includes at least one of a user and agent binding relationship knowledge base, a device information knowledge base and a central control function information knowledge base; and encapsulates the target device identifier, the control operation name and the operation parameters to generate a standardized control command.
[0017] In one possible implementation, the multi-dimensional permission verification includes one or more of the following verification dimensions: agent legitimacy verification, user identity and role matching verification, target device operation permission verification, control operation function legitimacy verification, control operation parameter compliance verification, authorization validity period verification, and device command lock status verification.
[0018] In one possible implementation, the smart terminal corresponds to a unique user, and the smart terminal has a built-in, tamper-proof user identity identifier; the smart terminal collects the user's control commands through a built-in trigger module, and the trigger module supports at least one interaction method among physical buttons, touch, tapping, pinching, voice, gestures, and proximity sensing.
[0019] In one possible implementation, the verification module is further configured to, during the multi-dimensional permission verification process, if it is detected that the target control operation of the controlled device corresponding to the target device identifier is in an instruction lock state, obtain the permission priority of the user initiating the control instruction, and compare the permission priority of the user initiating the control instruction with the permission priority of the lock instruction initiator; when the permission priority of the user initiating the control instruction is higher than the permission priority of the lock instruction initiator, the permission verification is determined to be successful, and unlocking and execution of the corresponding control operation are allowed; when the permission priority of the user initiating the control instruction is lower than the permission priority of the lock instruction initiator, or the permission priority of the user initiating the control instruction is at the same level as the permission priority of the lock instruction initiator, the verification is determined to be unsuccessful.
[0020] In one possible implementation, the verification module is further configured to receive a temporary authorization instruction from the smart terminal bound to the administrator, the temporary authorization instruction including the identity identifier of the authorized object, the identity identifier of the authorized target device, the authorization control operation, and the authorization validity period; verify the identity and authorization permissions of the administrator; and after the verification is successful, update the preset permission policy and configure the target device operation permissions within the corresponding validity period for the identity identifier of the authorized object.
[0021] In one possible implementation, the verification module is further configured to refuse to execute the corresponding control operation if the multi-dimensional permission verification fails, and to send a no-permission prompt to the smart terminal that initiated the control command; after the controlled device completes the execution command, it sends the execution status and result back to the corresponding smart agent.
[0022] Thirdly, embodiments of this application disclose a control device, including a processor and a memory, wherein the memory is used to store programs, instructions or code, and the processor is used to execute the programs, instructions or code in the memory to complete the identity-bound multi-agent permission control method as described in any of the first aspects.
[0023] Fourthly, embodiments of this application disclose a computer-readable storage medium storing a computer program, which is loaded by a processor to execute the identity-bound multi-agent access control method as described in any of the first aspects.
[0024] This application provides a method and device for multi-agent access control based on identity binding. The method includes: receiving a control command from a smart terminal and a user identity identifier bound to the smart terminal; then, based on the received user identity identifier, assigning the control command to an agent bound to the user identity identifier; subsequently, parsing the control command through the corresponding agent to generate a standardized control command containing a target device identifier and control operation information; finally, based on a preset access control policy, performing multi-dimensional access control verification on the user identity identifier, target device identifier, and control operation information; and only when the multi-dimensional access control verification passes, issuing an execution command to the controlled device corresponding to the target device identifier.
[0025] This application's embodiments achieve precise association between control commands and user identities through user identity identifiers bound to smart terminals. Combined with the binding and allocation mechanism of user identity identifiers and intelligent agents, it enables independent distribution and processing of control commands from different users, solving the problems of user data confusion and privacy leaks caused by the centralized public service processing model in existing technologies. By having intelligent agents parse commands and generate standardized control commands, the standardization and consistency of command processing are ensured. Simultaneously, relying on multi-dimensional permission verification, a complete secure control loop is constructed from command reception to device execution. This achieves precise control of operational permissions from a process perspective, effectively avoiding the risks of illegal and unauthorized operations, improving the security and reliability of intelligent control. Furthermore, the standardized process architecture has good scenario adaptability and can meet the intelligent control needs of multiple scenarios and multiple roles. Attached Figure Description
[0026] To more clearly illustrate the technical solutions in the embodiments of this application or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0027] Figure 1 A flowchart illustrating a multi-agent access control method based on identity binding provided in an embodiment of this application; Figure 2 This is a schematic diagram of a multi-agent access control device based on identity binding, provided in an embodiment of this application. Detailed Implementation
[0028] As described earlier, with the deep integration of IoT and AI technologies, intelligent control technology has been widely implemented in homes, offices, industries, parks, and other fields. The types and numbers of network-connected and controllable devices continue to grow, and scenarios involving multi-person, multi-role collaborative control are becoming increasingly common. The industry is placing higher demands on the accuracy of identity recognition, operational security, scenario adaptability, and ease of use of intelligent control solutions. The development of multi-agent technology has also provided technical support for personalized intelligent control services. How to build a secure, universal, and convenient intelligent control system has become a key research direction in this field. Currently, mainstream intelligent control solutions in this field mostly rely on smartphones, Using common devices such as central control panels and smart speakers as control entry points, this approach distinguishes operators through software and employs a centralized public AI service module to process all user control commands. These commands are then transmitted to the local central control device via a fixed link to drive the controlled devices. However, this approach lacks hardware-level unique identity binding, resulting in insufficient reliability of identity recognition and susceptibility to unauthorized impersonation and unauthorized operations. Furthermore, it suffers from weak scenario adaptability, lacks an end-to-end security control loop, fails to isolate multi-user data leading to privacy risks, and has cumbersome operation processes, making it difficult to adapt to the intelligent control needs of multiple scenarios and roles.
[0029] To address this technical problem, embodiments of this application provide a method and device for multi-agent access control based on identity binding. The method includes: receiving a control command from a smart terminal and a user identity identifier bound to the smart terminal; then, based on the received user identity identifier, assigning the control command to the smart agent bound to the user identity identifier; subsequently, parsing the control command through the corresponding smart agent to generate a standardized control command including a target device identifier and control operation information; finally, a central control module performs multi-dimensional permission verification on the user identity identifier, target device identifier, and control operation information based on a preset permission policy; and only when the multi-dimensional permission verification passes is the execution command issued by the central control module to the controlled device corresponding to the target device identifier.
[0030] This application's embodiments achieve precise association between control commands and user identities through user identity identifiers bound to smart terminals. Combined with the binding and allocation mechanism of user identity identifiers and intelligent agents, independent distribution and processing of control commands from different users are achieved, solving the problems of user data confusion and privacy leaks caused by the centralized public service processing model in existing technologies. By having intelligent agents parse commands and generate standardized control commands, the standardization and consistency of command processing are ensured. Simultaneously, relying on the multi-dimensional permission verification process of the central control module, a complete secure control closed loop is constructed from command reception to device execution. This achieves precise control of operational permissions from a process perspective, effectively avoiding the risks of illegal and unauthorized operations, improving the security and reliability of intelligent control. Furthermore, the standardized process architecture has good scenario adaptability and can meet the intelligent control needs of multiple scenarios and multiple roles.
[0031] The method provided in this application embodiment can be widely adapted to intelligent control needs in various scenarios such as home, business office, industrial production, and park operation and maintenance. In various scenarios, the core control entry point is a personal dedicated hardware command terminal uniquely bound to the user's identity. Different forms of hardware terminals, such as bracelets, rings, wristbands, name tag terminals, tool buttons, and industrial handles, can be flexibly selected according to scenario requirements. Combined with multi-agent service modules and central control hardware platforms deployed locally or in the cloud, dedicated intelligent agents and hierarchical operation permissions can be configured for users with different roles. In the home scenario, hierarchical control of home appliances and access control for family members and visitors can be realized. In the office and park scenario, unauthorized operation interception of office equipment, access control, and computer room facilities can be realized. In the industrial scenario, hierarchical operation and security control of production line equipment and industrial controllers can be realized. The entire process does not rely on mobile phones, APPs, or account logins. Through a complete closed loop of hardware-level identity binding, independent processing of dedicated intelligent agents, and multi-dimensional permission verification by the central control, safe, convenient, and accurate intelligent device control can be achieved.
[0032] To enable those skilled in the art to better understand the present application, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present application, and not all embodiments. Based on the embodiments in the present application, all other embodiments obtained by those of ordinary skill in the art without creative effort are within the scope of protection of the present application.
[0033] See Figure 1 , Figure 1 This is a flowchart illustrating a multi-agent access control method based on identity binding, provided in an embodiment of this application. The method provided in this embodiment can be applied to a locally deployed central control module or to a cloud server. The following description uses the central control module as the execution subject, and the method includes: S101: The central control module receives control commands from the smart terminal and the user identity identifier bound to the smart terminal.
[0034] In this embodiment, the smart terminal specifically refers to a hardware command terminal that is pre-uniquely bound to a single user / role. It serves as the exclusive entry point for users to initiate device control operations and has a built-in, tamper-proof, fixed storage module for storing the user's unique identity identifier bound to that terminal. The smart terminal, as the command initiation carrier, employs a one-person-one-terminal exclusive binding mechanism. Each smart terminal corresponds to a unique user, and the smart terminal has a built-in, tamper-proof, fixed storage unit to store the user's unique identity identifier bound to that smart terminal and that user. This achieves a strong binding between the terminal and the user's identity at the hardware level, preventing modification or tampering of identity information through software means.
[0035] Control commands are operational information collected by the user through the interaction module of a smart terminal to express the user's intention to control the device. These commands can take various forms, including but not limited to voice commands, button-triggered commands, and gesture commands. In this embodiment, the smart terminal has a built-in trigger module that supports at least one interaction method among physical buttons, touch, tapping, pinching, voice, gestures, and proximity sensing. Users can select the appropriate interaction method to initiate control operations based on their usage scenarios and operating habits. The trigger module collects the user's operational intentions in real time, generates corresponding control commands, and synchronously associates them with the built-in user identity identifier, packages them into a standardized data packet, and sends it to the system.
[0036] User identification is a standardized coded information used within the system to uniquely distinguish user identity and role. It is uniquely bound to the smart terminal and cannot be arbitrarily tampered with. It is the core basis for subsequent permission verification and smart agent matching. In this embodiment, the system continuously keeps the port listening through a preset communication protocol and communication link, receives communication requests initiated by the smart terminal in real time, and synchronously extracts and parses the content of the control commands initiated by the user and the user identification bound to the smart terminal from the received data packets, thus completing the basic collection of core data.
[0037] In this step, the system continuously listens to the port, accurately receives data packets through a preset communication protocol, and simultaneously parses and extracts user-initiated control commands and the user's unique identifier bound to the smart terminal from the data packets. Basic legitimacy verification is also performed to ensure that the received identifier completely matches the terminal's built-in fixed identifier, eliminating abnormal data packets with tampered identities or invalid formats. This step, through the smart terminal's hardware-level identity solidification design, guarantees the uniqueness, authenticity, and immutability of the received user identifier from the source, solving the core pain point of software identity recognition being easily misused. Furthermore, diverse interaction methods adapt to the operational needs of various scenarios such as home, office, and industry, significantly lowering the user's learning curve and providing a reliable identity basis for subsequent full-process permission control and intelligent agent matching.
[0038] During data reception and parsing, the system simultaneously performs basic compliance checks on the extracted control commands and user identifiers. This includes verifying whether the user identifier's format conforms to system specifications, whether it is a legally registered identifier within the system, and whether the control command is a recognizable and valid command content. Abnormal data packets with incorrect formats, invalid identifiers, or invalid content are eliminated to prevent invalid data from entering subsequent processing. Furthermore, this application embodiment is compatible with multiple transmission paths, supporting both receiving data packets sent directly by smart terminals via WAN and LAN, and receiving data packets forwarded by relay nodes such as central control units and gateways. This adapts to the command reception needs of different network environments, and maintains the binding correspondence between control commands and user identifiers throughout the reception process, without altering their association.
[0039] This application's embodiments achieve synchronous acquisition and strong binding of control commands and user identity identifiers from the source of the control flow. Relying on the unique binding relationship between the smart terminal and the user identity identifier, the uniqueness and credibility of the operator's identity are guaranteed at the hardware level, solving the security risks of identity theft and pseudo-identity operations caused by existing technologies that rely on software-level identity recognition. At the same time, invalid data is filtered out in advance through basic compliance verification, improving the processing efficiency of subsequent processes. The design compatible with multi-path transmission also greatly improves the solution's adaptability to different deployment scenarios and network environments, providing accurate and reliable core input data for the entire process of subsequent agent allocation, command parsing, and permission verification.
[0040] To further enhance the network adaptability and scenario compatibility of the instruction receiving stage in step S101, and to meet the access needs of smart terminals with different deployment environments and communication capabilities, this application embodiment also provides an instruction receiving implementation method with dual transmission paths, as follows: In one possible implementation, the method includes: receiving the control command and user identification via a preset first transmission path or a second transmission path; the first transmission path is that the smart terminal directly sends the control command and user identification via a communication network, and the second transmission path is that the smart terminal sends the control command and user identification via a relay node, wherein the relay node includes at least one of a central control module, a gateway, an edge node, a local server, and a cloud server.
[0041] In this embodiment, the system pre-sets two independently switchable and parallel compatible instruction uplink transmission paths: a first transmission path and a second transmission path. These paths are used to receive control commands and user identification identifiers sent by smart terminals, comprehensively covering the access needs of different network environments and deployment scenarios. The first transmission path is a direct connection path, meaning the smart terminal directly sends control commands and user identification identifiers through the communication network without needing a local relay device, and can directly establish an end-to-end communication connection with the multi-agent service module. The second transmission path is a relay transmission path, meaning the smart terminal sends control commands and user identification identifiers through a relay node, which then receives and forwards the data packets. The relay node includes at least one of a central control module, a gateway, an edge node, and a local server, adapting to smart terminal access scenarios that lack public network access capabilities and only support local area network communication.
[0042] In actual operation, the intelligent terminal can autonomously select an appropriate transmission path based on its current network environment and communication hardware capabilities, or it can choose the default transmission path according to the system's preset path priority configuration. When the intelligent terminal is in a public network environment and has the network conditions to directly connect to the multi-agent service module, it can prioritize the first transmission path, reducing transmission relay links, lowering command transmission latency, and meeting the high real-time control requirements. When the intelligent terminal is only in a local area network environment and cannot directly access the multi-agent service module deployed on the public network, it can automatically switch to the second transmission path, using relay nodes such as the central control module and gateway within the local area network to forward data packets, ensuring stable and reliable transmission of control commands and user identity identifiers. Simultaneously, when receiving data packets, regardless of the transmission path used, the system will completely retain the binding relationship between control commands and user identity identifiers, without modifying the core content of the data packets, ensuring that subsequent core processes such as agent allocation and permission verification are not affected by transmission path switching.
[0043] This application's embodiments, through a compatible dual-transmission path design, address the technical shortcomings of existing technologies where the command transmission path is fixed and singular, unable to flexibly adapt to different network environments and deployment scenarios. It can achieve low-latency command transmission via a direct connection path, meeting application scenarios with urgent control and high real-time requirements, or it can cover deployment scenarios in local area networks or environments without public networks via a relay path, significantly improving the solution's network compatibility and scenario adaptability. Simultaneously, both transmission paths ensure the synchronous and complete transmission of control commands and user identity identifiers, enhancing adaptability while guaranteeing the reliability of command transmission and the security of identity information. This allows the entire control method to flexibly adapt to the intelligent control needs of various scenarios such as homes, offices, industries, parks, and commerce, without requiring adjustments to the core control process for different deployment environments.
[0044] S102: The central control module distributes control commands to the intelligent agent bound to the user's identity based on the user's identity.
[0045] User identification is the sole legal basis for matching users with corresponding intelligent agents within the system. An intelligent agent specifically refers to a dedicated intelligent service instance that is uniquely bound to a single user / role in advance. Each intelligent agent is only responsible for processing the control commands of the corresponding bound user, and has an independent session space, a dedicated knowledge base, and independent processing logic. It can be deployed in the cloud, at the edge, or on a local server.
[0046] This embodiment of the application takes a control command that has undergone compliance verification and a user identity identifier as input, and retrieves a user-agent binding relationship database pre-built and updated in real time. This database stores the unique mapping relationship between all legitimate user identity identifiers and their corresponding dedicated agents within the system, including core information such as the agent's unique number, access interface, deployment location, and session permissions. The system accurately matches the received user identity identifier with the mapping data in the binding relationship database to retrieve the target agent uniquely bound to that user identity identifier.
[0047] After completing the matching and retrieval of the target intelligent agent, the system distributes control commands to the processing queue of the target intelligent agent through a dedicated encrypted session channel. During distribution, the binding relationship between the control commands and the user's identity is fully preserved, and the original content of the commands is not modified, ensuring that the commands received by the intelligent agent are completely consistent with the original intent initiated by the user. Throughout the command distribution process, the system simultaneously performs a second validity check. If the user's identity has no corresponding registered intelligent agent in the binding relationship database, or if the matched intelligent agent is offline or unavailable, the system will immediately terminate the command distribution process and return a message to the intelligent terminal that the identity has no corresponding service and cannot be processed, preventing illegal or unassigned commands from entering subsequent processing stages. Simultaneously, the system establishes independent channels for command distribution to different users, ensuring that the command distribution and transmission processes of different users do not interfere with each other, completely avoiding cross-contamination and mis-sending of commands to non-corresponding intelligent agents.
[0048] This application's embodiments achieve precise and exclusive allocation of control commands through the pre-binding relationship between user identity identifiers and intelligent agents, constructing a core processing architecture of one dedicated intelligent agent per user. This differs from the centralized public intelligent agent processing mode, achieving physical and logical isolation of different user command processing at the underlying level. This effectively solves the core pain points of privacy leaks and data obfuscation caused by multi-user command and mixed data processing in existing technologies. Simultaneously, through secondary legality verification during the allocation process, it further filters out unassigned and illegal user commands, improving system security. The precise one-to-one binding allocation mechanism also ensures a strong association between subsequent command parsing, permission verification, and user identity throughout the entire process, providing core architectural support for the implementation of the entire permission control method and offering a foundation for personalized and exclusive intelligent services for different users.
[0049] S103: The central control module parses the control commands through the intelligent agent and generates standardized control commands that include the target device identifier and control operation information.
[0050] The intelligent agent can be pre-associated with a dedicated knowledge base matching the corresponding user's operation permissions. Through the intelligent agent's end-to-end processing of the user's original control commands—including intent recognition, core entity extraction, parameter completion, and compliance verification—the unstructured user operation intent is transformed into structured information recognizable by the system. The target device identifier is a standardized, unique code used within the system to uniquely distinguish each controlled device. Control operation information refers to the specific operation performed on the target controlled device, which may include structured information such as operation name, execution parameters, and execution requirements.
[0051] Using control commands as input, the intelligent agent calls a pre-associated knowledge base to perform natural language understanding and intent recognition on the original control commands, accurately extracting the user's core control intent. At the same time, it matches the corresponding controlled device information from the device information knowledge base, extracts a unique target device identifier, and obtains the legal control operation information that matches the device, thus completing the extraction, completion, and calibration of core information.
[0052] After extracting and calibrating core information, the agent associates and encapsulates the extracted target device identifier and control operation information with the corresponding user's identity identifier and the agent's unique number. It then generates standardized control commands according to a pre-agreed format between the system and the central control module, ensuring that the generated commands fully comply with the central control module's identification specifications and can be directly read and processed by the module. During generation, the agent simultaneously performs integrity and pre-compliance checks on the standardized control commands. This includes verifying whether the target device identifier is a legitimate device registered in the system, whether the control operation information is an executable operation supported by the target device, and whether the operation parameters conform to the target device's parameter specifications. Invalid commands that do not exist, involve illegal operations, or have non-compliant parameters are preemptively eliminated. If the verification fails, the agent terminates the command generation process and returns an invalid or unexecutable message to the initiating smart terminal. Only after successful verification will the final standardized control command be generated, providing compliant and executable standardized input for subsequent command transmission and permission verification.
[0053] By using an intelligent agent uniquely bound to the user's identity to complete the instruction parsing, independent and isolated parsing and processing of different user instructions is achieved. This avoids the core pain points of cross-contamination and privacy information leakage caused by multiple user data in the centralized processing mode of public intelligent agents. At the same time, relying on a dedicated knowledge base matched with user permissions, the accuracy of instruction intent recognition is greatly improved, effectively avoiding misoperation problems caused by parsing deviations.
[0054] To further improve the accuracy and scenario adaptability of the dedicated intelligent agent in parsing control commands, reduce the cost of updating and maintaining equipment information, and ensure the compliance and executability of standardized control commands, this application also provides an implementation method for command parsing and standardization generation based on a pre-associative knowledge base, as follows: In one possible implementation, the step of parsing the control instructions through the intelligent agent to generate standardized control instructions including target device identifier and control operation information specifically includes: By invoking a pre-associated knowledge base, the intelligent agent performs intent recognition and parameter extraction on control commands, matching the corresponding target device identifier, control operation name, and operation parameters. The target device identifier, control operation name, and operation parameters are then encapsulated to generate standardized control commands.
[0055] The intelligent agent is pre-associated with a knowledge base that matches the corresponding user's operation permissions. This knowledge base includes at least one of the following: a user-intelligent agent binding relationship knowledge base, a device information knowledge base, and a central control function information knowledge base. Among them, the user-intelligent agent binding relationship knowledge base is used to store the correspondence between user identity identifiers, intelligent agent unique numbers, user roles, and permission levels, providing an identity and permission benchmark for instruction parsing.
[0056] The device information knowledge base stores complete basic information about all controlled devices within the system, serving as the core basis for intelligent agents to match target devices and identify legitimate operations. The central control function information knowledge base stores system-level operation instruction specifications supported by the central control module, including execution rules and parameter requirements for management operations such as authorization, deauthorization, device addition / deletion, and permission adjustment. It can simultaneously cover the parsing needs of both device control and system management instructions.
[0057] Specifically, the device information knowledge base in this application embodiment can adopt a sliced storage structure with a single device and a single file. This structure means that the knowledge base creates an exclusive storage file for each controlled device, and each storage file corresponds one-to-one with a single controlled device. The file stores the unique device identifier of the corresponding controlled device, the list of executable control operations, the operation parameter specifications, and the associated central control module number information. Updating or adding / deleting information for a single device only requires modifying the corresponding storage file, without adjusting the overall structure of the knowledge base.
[0058] In actual execution, after receiving a control command, the agent first invokes a pre-associated knowledge base to perform natural language understanding and intent recognition on the command, extracting core information and performing compliance matching. For user-initiated device control commands, the agent prioritizes retrieving the device information knowledge base, extracting keywords such as device name, deployment location, and operation intent from the command, and accurately matching them to obtain the corresponding unique device identifier, the name of the control operation supported by the device, and the compliant operation parameters. For user-initiated system management commands, the agent retrieves the central control function information knowledge base, matching it to obtain the corresponding central control management operation name, parameter specifications, and execution requirements.
[0059] Simultaneously, the intelligent agent verifies the identity and authorization scope of the user initiating the current command through a knowledge base of user-agent binding relationships. This ensures that the parsing process only matches devices and functions that the user can operate, filtering out unauthorized operations in advance. After completing intent recognition, parameter extraction, and compliance matching, the intelligent agent combines the verified target device identifier, control operation name, and operation parameters with the user's identity identifier and the intelligent agent's unique number, and encapsulates them according to a unified data format pre-agreed between the system and the central control module. This generates standardized control commands that are formatted correctly, have complete information, and can be directly recognized and processed by the central control module.
[0060] This application embodiment provides a comprehensive and accurate benchmark for the parsing of intelligent agents' instructions through a pre-associated multi-dimensional knowledge base, which greatly improves the accuracy of intent recognition for spoken instructions and instructions in complex scenarios, effectively avoids misoperation and invalid instructions caused by parsing deviations, and covers the parsing needs of all types of instructions for device control and system management, thereby improving the solution's adaptability to all scenarios.
[0061] S104: The central control module performs multi-dimensional permission verification on user identity, target device identification, and control operation information based on preset permission policies.
[0062] The central control module is the core of the system's access control and command scheduling. It has a built-in dedicated access control policy library and serves as the implementation platform for the entire access control mechanism. The preset access control policies are a set of access control rules pre-configured and stored in the central control module. They clearly define the one-to-one correspondence between different user identities, roles, operable and controlled devices, operable control operations, and execution restrictions. They can be flexibly configured according to scenario requirements and cover various control rules such as role levels, device groups, time restrictions, authorization validity periods, and hierarchical operation permissions.
[0063] This application embodiment takes standardized control commands as input, and accurately extracts three core verification elements from the standardized commands: user identity identifier, target device identifier, and control operation information. Then, it retrieves the preset permission policies in the permission policy library and starts the full-process multi-dimensional verification.
[0064] In the actual verification process, the central control module adopts a serial progressive verification logic to complete multi-dimensional compliance verification in sequence. If any dimension verification fails, the verification process will be terminated immediately, and the overall verification will be judged as failing. Only when all dimension verifications pass will the multi-dimensional permission verification be judged as passing.
[0065] By using centralized, multi-dimensional permission verification in the central control module, the last core security defense line is built from the initiation of the command to the execution of the device, solving the core technical problems of lacking a refined permission control mechanism that is compatible with identity binding, and being prone to unauthorized operations, illegal operations, and misoperations.
[0066] The specific implementation methods for each verification dimension are as follows: The central control module verifies the agent's legitimacy by checking whether the agent number carried in the standardized instructions is a legitimate agent that has been registered in the system and uniquely bound to the current user's identity. It also intercepts instructions initiated by unregistered agents or illegal agents with mismatched binding relationships.
[0067] User identity and role matching verification: The central control module verifies whether the current user identity is a legally registered identity in the system and whether it matches the user roles registered in the preset permission policy. It confirms the user's basic permission level and control scope, and intercepts illegal operations such as identity impersonation and role mismatch.
[0068] For target device operation permission verification, the central control module verifies whether the current user has access and operation permissions for the controlled device corresponding to the target device identifier based on the matched user roles and permission levels, and blocks unauthorized operations without device operation permissions.
[0069] The central control module verifies the legality of control operation functions, checking whether the operation functions in the current control operation information are executable functions supported by the target controlled device. It also verifies whether the function is within the current user's permission scope, blocking unauthorized operations that are not supported by the device or for which the user does not have the corresponding function permissions.
[0070] The central control module verifies the compliance of control operation parameters, checking whether the execution parameters in the control operation information conform to the parameter specifications of the target controlled device and whether they are within the current user's permission range. It also intercepts invalid operations with incorrect parameter formats or parameters that are out of range.
[0071] The authorization validity period verification module verifies whether the current user's authorization for the target device and target operation is within the validity period. It also verifies whether it meets the preset additional authorization restrictions such as time period and region, and blocks expired authorizations and non-compliant operations in non-compliant time periods / regions.
[0072] Device command lock status verification: The central control module verifies whether the target operation of the current target device is in a command lock locked state. If it is in a locked state, it compares the permission level of the user who initiated the command with the permission level of the person who initiated the lock command. Only if the person who initiated the command has a higher permission level can the unlock be allowed and the verification be passed; otherwise, the conflicting operation of the user with lower permission level is blocked.
[0073] To further address the issues of operational conflicts and low-privilege users interfering with the execution of high-privilege core control commands in multi-role, multi-user collaborative control scenarios, and to ensure the stability and priority management capabilities of critical control operations, this application also provides a device command lock verification implementation method based on permission priority, as follows: During the multi-dimensional permission verification process, if it is detected that the target control operation of the controlled device corresponding to the target device identifier is in the command lock state, the permission priority of the user who initiated the control command is obtained, and the permission priority of the user who initiated the control command is compared with the permission priority of the lock command initiator. When the user initiating the control command has a higher permission priority than the user initiating the lock command, the permission verification is deemed successful, and the user is allowed to unlock and execute the corresponding control operation. The verification fails when the user initiating the control command has a lower priority than the user initiating the lock command, or when the user initiating the control command has the same priority as the user initiating the lock command.
[0074] In this embodiment, the command lock is an execution lock state that can be simultaneously set for the target control operation of the target controlled device when the user initiates a control command. In the locked state, the corresponding operation of the target device can only be modified or overwritten by user commands that meet the permission requirements, thus preventing irrelevant operations from interfering with the stable execution of core control commands. Permission priority is a pre-set order of permission levels for different user identities and roles in the system's preset permission policy. The higher the priority, the more it determines the user's unlocking permission for operations on the locked device. For example, system administrators can be set to the highest priority, with ordinary employees and visitors set to lower priority levels in turn. The permission boundaries of different priorities can be flexibly configured according to scenario requirements.
[0075] During the actual verification process, the central control module, in its multi-dimensional permission verification, checks whether the controlled device corresponding to the target device identifier in the standardized control command is in a command lock state. If the target control operation is not detected to be in a locked state, this step of verification is skipped, and the permission verification is deemed successful after completing the remaining verification process. If the target control operation is detected to be in a command lock state, the central control module immediately retrieves the permission priority of the user who initiated the control command and the permission priority of the command lock initiator from the preset permission policy library, and compares the two precisely.
[0076] When the comparison results show that the user initiating this control command has a higher permission priority than the user initiating the lock command, the central control module determines that this step of the verification passes, allowing the target control operation to be unlocked, and continues to complete the remaining verification process. Ultimately, the overall permission verification is deemed successful, and the execution of this control operation is supported. When the comparison results show that the user initiating this control command has a lower permission priority than the user initiating the lock command, or that both have the same permission priority, the central control module directly determines that this step of the verification fails, simultaneously terminating the overall multi-dimensional permission verification process, determining that the overall permission verification fails, and refusing to execute this control command.
[0077] This application's embodiments resolve the operational conflicts of controlled devices on the same platform in multi-role, multi-user scenarios by employing a device command lock verification mechanism based on permission priority. This prevents misoperations by low-privilege users and irrelevant operations from interfering with the execution of core control commands by high-privilege users. It is particularly suitable for high-frequency needs such as parental control of children's device operation in home scenarios, administrator control of core equipment in office scenarios, and technician control of production line equipment in industrial scenarios, ensuring the stability and security of critical control operations. Simultaneously, through the comparison rule of "high priority can be unlocked, low / same level cannot be unlocked," it achieves precise control of operational conflicts while also addressing the emergency control needs of high-privilege users. This avoids the problem of inflexible adjustments after command lock locking, further improving the multi-dimensional permission verification control dimensions and enhancing the refined control capabilities and scenario adaptability of the entire permission control method.
[0078] S105: If the multi-dimensional permission verification passes, the central control module sends an execution command to the controlled device corresponding to the target device identifier.
[0079] Controlled devices are terminal execution devices within the system that have IoT communication capabilities and can receive instructions from the central control module to complete corresponding actions. Each controlled device corresponds to a unique target device identifier, covering all categories of intelligently controllable terminals such as smart homes, office equipment, industrial equipment, and park facilities.
[0080] After confirming that the multi-dimensional permission verification is successful, the central control module first extracts the target device identifier and control operation information from the standardized control commands, retrieves the communication protocol and execution specifications corresponding to the target device, and converts the standardized control commands into execution commands that the target controlled device can directly recognize and execute. The commands are then issued through a communication link matched with the target device. In this embodiment, the controlled device can be a specific hardware device, and a system can run within it to provide functional services such as storage services or streaming media services. Issuing execution commands to the controlled device can also be understood as sending execution commands to the system within the controlled device.
[0081] During the execution of commands, the central control module can automatically adapt to various communication protocols and transmission links, such as Wi-Fi, BLE, ZigBee, LAN, and industrial bus, based on the hardware capabilities and deployment environment of the target controlled device. This ensures stable and reliable transmission of commands in different scenarios without requiring adjustments to the core control process for different devices. Before officially issuing the execution command, the central control module simultaneously performs online status verification of the target device, confirming that the controlled device corresponding to the target device identifier is online and executable, thus avoiding issuing invalid commands to offline or faulty devices.
[0082] Simultaneously, a unique execution serial number is generated for this execution command, and this serial number is strongly bound to the user's identity identifier, the dedicated intelligent agent number, and the target device identifier, enabling full traceability of a single control operation. After the command is issued, the central control module continuously monitors the execution status feedback of the target controlled device, receives the action execution results and real-time device status information returned by the controlled device, and transmits the complete execution results back to the dedicated intelligent agent bound to the corresponding user. Finally, it can synchronously feed back to the intelligent terminal that initiated the control command, forming a complete closed loop from command initiation, identity matching, parsing and processing, permission verification to device execution.
[0083] By converting and adapting the central control module to a unified protocol, standardized control commands are enabled to drive controlled devices of different brands, categories, and communication protocols in a compatible manner, solving the problems of poor compatibility and inability to uniformly manage multiple types of devices in existing technologies.
[0084] To further improve the closed-loop management of the identity-bound multi-agent access control method, clarify the rules for intercepting and handling illegal commands, ensure users' right to know about the entire command execution process, and achieve full-link traceability of control operations, this application also provides supporting implementation methods for handling abnormal access verification and closed-loop feedback of command execution status, as follows: If multi-dimensional permission verification fails, the central control module refuses to execute the corresponding control operation and sends a permission-deficient message to the smart terminal that initiated the control command. After the controlled device completes the execution command, the central control module sends the execution status and result back to the corresponding smart agent.
[0085] This application embodiment includes a verification exception handling and execution closed-loop feedback mechanism to complement the entire access control method. If multi-dimensional access verification fails, the central control module will directly terminate the processing flow of the current instruction, refuse to execute the corresponding control operation, and accurately provide a permission-free prompt to the smart terminal that initiated the control instruction. This intercepts all illegal operations at the source and ensures the user's right to know the status of instruction execution. After the controlled device completes the execution of the instruction, the central control module will send back the complete execution status and result from the controlled device to the corresponding smart agent bound to the user's identity that initiated the instruction. This constructs a closed-loop process from instruction initiation and access verification to device execution, achieving full-link traceability for a single control operation and further improving the security, manageability, and scenario adaptability of the entire method.
[0086] To further enhance the flexibility and adaptability of access control across multiple roles and scenarios, and to meet the short-term device operation needs of non-fixed roles such as visitors, temporary maintenance personnel, and temporary collaborators, while also ensuring the security and traceability of access control, this application also provides a temporary authorization configuration implementation based on administrator-exclusive permissions, as follows: Receive temporary authorization instructions from the smart terminal bound by the administrator. The temporary authorization instructions include the identity of the authorized object, the identity of the authorized target device, the authorization control operation, and the authorization validity period.
[0087] The central control module verifies the administrator's identity and authorized permissions. Upon successful verification, the preset permission policy is updated, configuring the corresponding valid target device operation permissions for the authorized object's identity identifier.
[0088] As an example, an administrator is a dedicated user configured in the system's preset permission policy, possessing the highest level of permissions and temporary authorization management privileges across the entire system. Their user identity is uniquely bound at the hardware level to their dedicated smart terminal and the highest-authority dedicated smart agent, and authorization operations can only be initiated through their bound dedicated smart terminal. A temporary authorization command is a management command initiated by the administrator through their dedicated smart terminal to configure short-term device operation permissions for a specified object. The command must contain four core elements: the identity of the authorized object, the identifier of the target device, the authorization control operation, and the authorization validity period.
[0089] In this application, the authorized object identifier is the unique identity code of the authorized user, the authorized target device identifier is the unique device code of the controlled device for which the operation permission is granted, the authorized control operation is the specific executable device function granted, and the authorization validity period is the start and end time of the temporary permission. After the validity period expires, the corresponding permission will automatically become invalid. The execution subject of this application embodiment is the central control module, and the overall process is fully compatible with the multi-dimensional permission verification mechanism of the main solution of this application. After the temporary permission is configured, the control commands initiated by the authorized user can be directly adapted to the original verification process without adjusting the core management logic of the system.
[0090] The central control module receives a temporary authorization command from the smart terminal bound to the administrator. Simultaneously, it extracts the administrator's user identity and key elements of the temporary authorization from the command data packet, and then initiates a special verification of the administrator's identity and authorization permissions. The verification includes the legality of the administrator's identity, the binding relationship between the administrator and the smart terminal initiating the command, and whether the administrator possesses the necessary temporary authorization permissions. If any verification item fails, the central control module will directly reject the temporary authorization request and send a message to the administrator's smart terminal indicating the reason for the authorization failure.
[0091] Only after all administrator identity and authorization permission verifications pass will the central control module initiate the permission policy update process. Based on the core elements of the temporary authorization instruction, the module adds corresponding temporary permission entries to the preset permission policy library, configures the target device operation permissions within the authorization validity period for the authorized object's identity identifier, clarifies the effective time, expiration time, operable device range, and boundaries of the control operations that can be performed, and sets priority rules for temporary permissions that are lower than the administrator's fixed permissions to prevent temporary permissions from overriding the control logic of the original fixed permissions.
[0092] In this embodiment, the central control module monitors the validity period of temporary permissions in real time. When the validity period expires, it will automatically clean up the corresponding temporary permission entries in the permission policy library, update the preset permission policy synchronously, and the corresponding device operation permissions of the authorized object will automatically become invalid. There is no need for manual revocation, which completely avoids the security risk of unauthorized operation caused by the long-term retention of temporary permissions.
[0093] Meanwhile, the central control module generates immutable operation logs for the entire process of initiating, verifying, configuring, and revoking temporary authorizations. These logs are strongly bound to the administrator's identity and the authorized object's identity, ensuring full traceability. This embodiment solves the problem of fixed permission configurations that cannot adapt to the short-term operational needs of temporary personnel, ensuring both system security and significantly improving the flexibility of permission configuration.
[0094] This application also provides a multi-agent access control device based on identity binding, such as... Figure 2 As shown, the device includes: The receiving module 201 is used to receive control commands from the smart terminal and user identity identifiers bound to the smart terminal; The allocation module 202 is used to allocate the control command to the intelligent agent bound to the user identity based on the user identity identifier; The generation module 203 is used to parse the control command through the intelligent agent and generate a standardized control command including the target device identifier and control operation information; The verification module 204 is used to perform multi-dimensional permission verification on the user identity identifier, the target device identifier, and the control operation information based on a preset permission policy. The issuing module 205 is used to issue an execution command to the controlled device corresponding to the target device identifier if the multi-dimensional permission verification passes.
[0095] In one possible implementation, the receiving module 201 is specifically used to receive the control command and user identity identifier through a preset first transmission path or a second transmission path; the first transmission path is that the smart terminal directly sends the control command and user identity identifier through a communication network, and the second transmission path is that the smart terminal sends the control command and user identity identifier through a relay node, wherein the relay node includes at least one of a central control module, a gateway, an edge node, a local server, and a cloud server.
[0096] In one possible implementation, the generation module 203 is specifically used to call a pre-associated knowledge base through the intelligent agent to perform intent recognition and parameter extraction on the control command, and match the corresponding target device identifier, control operation name and operation parameters; the knowledge base includes at least one of a user and intelligent agent binding relationship knowledge base, a device information knowledge base and a central control function information knowledge base; and encapsulates the target device identifier, the control operation name and the operation parameters to generate a standardized control command.
[0097] In one possible implementation, the multi-dimensional permission verification includes one or more of the following verification dimensions: agent legitimacy verification, user identity and role matching verification, target device operation permission verification, control operation function legitimacy verification, control operation parameter compliance verification, authorization validity period verification, and device command lock status verification.
[0098] In one possible implementation, the smart terminal corresponds to a unique user, and the smart terminal has a built-in, tamper-proof user identity identifier; the smart terminal collects the user's control commands through a built-in trigger module, and the trigger module supports at least one interaction method among physical buttons, touch, tapping, pinching, voice, gestures, and proximity sensing.
[0099] In one possible implementation, the verification module 204 is further configured to, during the multi-dimensional permission verification process, if it is detected that the target control operation of the controlled device corresponding to the target device identifier is in a command lock state, obtain the permission priority of the user initiating the control command, and compare the permission priority of the user initiating the control command with the permission priority of the lock command initiator; when the permission priority of the user initiating the control command is higher than the permission priority of the lock command initiator, the permission verification is determined to be successful, and the unlocking and execution of the corresponding control operation are allowed; when the permission priority of the user initiating the control command is lower than the permission priority of the lock command initiator, or the permission priority of the user initiating the control command is at the same level as the permission priority of the lock command initiator, the verification is determined to be unsuccessful.
[0100] In one possible implementation, the verification module 204 is further configured to receive a temporary authorization instruction from the smart terminal bound to the administrator, the temporary authorization instruction including the identity identifier of the authorized object, the identity identifier of the authorized target device, the authorization control operation, and the authorization validity period; verify the identity and authorization permissions of the administrator; and after the verification is successful, update the preset permission policy and configure the target device operation permissions within the corresponding validity period for the identity identifier of the authorized object.
[0101] In one possible implementation, the verification module 204 is further configured to refuse to execute the corresponding control operation if the multi-dimensional permission verification fails, and to send a no-permission prompt to the smart terminal that initiated the control command; after the controlled device completes the execution command, it sends the execution status and result back to the corresponding smart agent.
[0102] This application also provides a control device. The control device may include a memory and a processor. The processor is used to execute the identity-bound multi-agent permission control method described in any of the above embodiments. The memory may be random access memory (RAM), flash memory, read-only memory (ROM), non-volatile read-only memory (EPROM), registers, hard disk, removable disk, etc.
[0103] Memory can store computer instructions. When these instructions are executed by a processor, the processor can use them to implement identity-based multi-agent access control methods. Memory can also store data.
[0104] In the above embodiments, implementation can be achieved, in whole or in part, through software, hardware, firmware, or any combination thereof. When implemented in software, it can be implemented, in whole or in part, as a computer program product. A computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, all or part of the flow or function according to the embodiments of this application is generated. The computer can be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device. The computer instructions can be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another. For example, computer instructions can be transmitted from one website, computer, server, or data center to another website, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) means. The computer-readable storage medium can be any available medium that a computer can access or a data storage device such as a server or data center that integrates one or more available media. The available medium can be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape) or a semiconductor medium (e.g., solid-state disk (SSD)).
[0105] This application also provides a readable storage medium for storing the methods provided in the above embodiments. For example, RAM, flash memory, ROM, EPROM, registers, hard disk, removable disk, or any other form of storage medium in the art.
[0106] In the embodiments of this application, the terms "first" and "second" (if they exist) are used only as name identifiers and do not represent the order of first and second.
[0107] It should be noted that the various embodiments in this specification are described in a progressive manner, with each embodiment focusing on the differences from other embodiments. Similar or identical parts between embodiments can be referred to interchangeably. Regarding the methods disclosed in the embodiments, since they correspond to the product embodiments disclosed in the embodiments, the description is relatively simple; relevant parts can be referred to in the description of the product embodiments.
[0108] The above description of the disclosed embodiments enables those skilled in the art to make or use this application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of this application. Therefore, this application is not to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims
1. A multi-agent access control method based on identity binding, characterized in that, The method includes: Receive control commands from the smart terminal and the user identity identifier bound to the smart terminal; Based on the user identity identifier, the control commands are assigned to the intelligent agent bound to the user identity identifier; The intelligent agent parses the control commands to generate standardized control commands that include target device identification and control operation information. Based on a preset permission policy, multi-dimensional permission verification is performed on the user identity identifier, the target device identifier, and the control operation information; If the multi-dimensional permission verification passes, an execution command is issued to the controlled device corresponding to the target device identifier.
2. The method according to claim 1, characterized in that, The receiving of control commands from the smart terminal and the user identity identifier bound to the smart terminal specifically includes: The control command and user identification are received through a preset first transmission path or a second transmission path; the first transmission path is that the smart terminal directly sends the control command and user identification through the communication network, and the second transmission path is that the smart terminal sends the control command and user identification through a relay node, wherein the relay node includes at least one of a central control module, a gateway, an edge node, a local server, and a cloud server.
3. The method according to claim 1, characterized in that, The step of parsing the control commands through the intelligent agent to generate standardized control commands including target device identifiers and control operation information specifically includes: The intelligent agent invokes a pre-associated knowledge base to perform intent recognition and parameter extraction on the control commands, and matches them to obtain the corresponding target device identifier, control operation name, and operation parameters. The knowledge base includes at least one of the following: a user-intelligent agent binding relationship knowledge base, a device information knowledge base, and a central control function information knowledge base. The target device identifier, the control operation name, and the operation parameters are encapsulated to generate standardized control instructions.
4. The method according to claim 1, characterized in that, The multi-dimensional permission verification includes one or more of the following verification dimensions: agent legitimacy verification, user identity and role matching verification, target device operation permission verification, control operation function legitimacy verification, control operation parameter compliance verification, authorization validity period verification, and device command lock status verification.
5. The method according to claim 1, characterized in that, The smart terminal corresponds to a unique user and has a built-in, tamper-proof user identity identifier. The smart terminal collects the user's control commands through a built-in trigger module, which supports at least one interaction method among physical buttons, touch, tapping, pinching, voice, gestures, and proximity sensing.
6. The method according to claim 1, characterized in that, The method further includes: During the multi-dimensional permission verification process, if it is detected that the target control operation of the controlled device corresponding to the target device identifier is in an instruction lock state, the permission priority of the user who initiated the control instruction is obtained, and the permission priority of the user who initiated the control instruction is compared with the permission priority of the lock instruction initiator. When the user who initiates the control command has a higher permission priority than the user who initiates the lock command, the permission verification is deemed successful, and the user is allowed to unlock and execute the corresponding control operation. The verification fails when the user who initiates the control command has a lower permission priority than the user who initiates the lock command, or when the user who initiates the control command has the same permission priority as the user who initiates the lock command.
7. The method according to claim 1, characterized in that, The method further includes: Receive a temporary authorization instruction from the smart terminal bound by the administrator. The temporary authorization instruction includes the identity identifier of the authorized object, the identifier of the authorized target device, the authorization control operation, and the authorization validity period. Verify the administrator's identity and authorization permissions; After successful verification, the preset permission policy is updated to configure the target device operation permissions within the validity period for the authorized object's identity identifier.
8. The method according to claim 1, characterized in that, The method further includes: If the multi-dimensional permission verification fails, the corresponding control operation will be refused, and a permission-free prompt will be sent to the smart terminal that initiated the control command. After the controlled device completes the execution instruction, the block sends the execution status and result back to the corresponding intelligent agent.
9. A multi-agent access control device based on identity binding, characterized in that, The device includes: The receiving module is used to receive control commands from the smart terminal and user identification identifiers bound to the smart terminal; The allocation module is used to allocate the control commands to the intelligent agents bound to the user identity identifier based on the user identity identifier; The generation module is used to parse the control instructions through the intelligent agent and generate standardized control instructions including target device identifier and control operation information; The verification module is used to perform multi-dimensional permission verification on the user identity identifier, the target device identifier, and the control operation information based on a preset permission policy. The delivery module is used to send an execution command to the controlled device corresponding to the target device identifier if the multi-dimensional permission verification passes.
10. A control device, characterized in that, It includes a processor and a memory, the memory being used to store programs, instructions, or code, and the processor being used to execute the programs, instructions, or code in the memory to complete the identity-bound multi-agent access control method as described in any one of claims 1-8.