A cross-domain access control system for realizing role and group mapping based on cross-domain authorization

A control system and access control technology, applied in the field of cross-domain access control systems, can solve problems such as complex role mapping work, inability to use cross-domain access control, and unsuitability for cross-domain access control

Inactive Publication Date: 2012-02-01
WUHAN UNIV OF TECH +1

AI Technical Summary

Problems solved by technology

First, the commonly used role mapping scheme performs role mapping directly between two authorized domains, carried out by each domain's own access control system. When there are many authorized domains, this scheme makes role mapping complicated and hard to maintain and extend. For example, if the security policy, role definitions or role permissions of any authorized domain change, all related systems of the authorized domain must be adjusted or modified accordingly. Second, the related technology is only suitable for RBAC-based cross-domain access control; it is not suitable for ACL-based cross-domain access control (and ACL is currently the most widely used access control technology), let alone cross-domain access control between ACL-based domains and RBAC-based domains. Third, the related technology usually requires relatively large modifications to the existing access control system (especially an ACL-based access control system), or even reinventing the wheel, which is obviously not a satisfactory solution.



Examples


Embodiment Construction

[0057] The present invention will be described in further detail below in conjunction with the accompanying drawings.

[0058] The overall structure of the cross-domain access control system of the present invention is shown in Figure 1. Domain A and Domain B in the figure represent different authorized domains. In each domain, one or more application systems provide external services, and the access control system implements resource access control for users. The access control system is divided into two parts, the basic access control system and the cross-domain system: the authority and authorization policy management system S1, the authorization decision engine S2, and the authorization implementation module S3 constitute the basic access control system, while the cross-domain authorization intermediary system S5 and the cross-domain authorization information query module S4 constitute the cross-domain system, and the cross-domain authoriz...


Abstract

The invention relates to a cross-domain access control system that realizes role and group mapping on the basis of a cross-domain authorization intermediary. The cross-domain access control system of the invention maintains a role and group mapping strategy table through a cross-domain authorization intermediary system. The strategy table holds a series of mapping strategies, and each mapping strategy defines the mapping relationship of roles and groups from one authorization domain to another. When users of one authorization domain access another authorization domain, the cross-domain authorization intermediary system provides, on the basis of the role and group mapping strategies, the roles and groups in the target authorization domain that correspond to the roles and groups in the original authorization domain, so that the user's authorization in one domain is converted or correspondingly matched to the other domain, thereby realizing cross-domain access control based on RBAC or ACL. The cross-domain access control system of the invention is suitable not only for RBAC-based and ACL-based cross-domain access control, but also for cross-domain access control between RBAC-based and ACL-based domains.
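The mapping strategy table described in the abstract can be modelled in a few lines. The sketch below is an added example, not code from the patent: the class and function names are hypothetical, and the domains, roles, groups and ACL are constructed sample data. It shows an RBAC domain A user being evaluated by an ACL domain B using only the groups the intermediary maps to, with unmapped principals granting nothing.

```python
from collections import defaultdict

class CrossDomainIntermediary:
    """Holds the role and group mapping policy table (hypothetical model)."""

    def __init__(self):
        # (source domain, target domain, (kind, name)) -> {(kind, name), ...}
        self._table = defaultdict(set)

    def add_policy(self, src_domain, src, dst_domain, dst):
        # src/dst are (kind, name); kind is "role" (RBAC) or "group" (ACL).
        for kind, _name in (src, dst):
            if kind not in ("role", "group"):
                raise ValueError(f"unknown principal kind: {kind!r}")
        self._table[(src_domain, dst_domain, src)].add(dst)

    def resolve(self, src_domain, dst_domain, principals):
        # Policies are directional, and anything without a policy maps to
        # nothing, so an unmapped role or group grants no access.
        mapped = set()
        for p in principals:
            mapped |= self._table.get((src_domain, dst_domain, p), set())
        return mapped

# Constructed sample policies: domain A uses RBAC, domain B uses ACLs.
BROKER = CrossDomainIntermediary()
BROKER.add_policy("A", ("role", "engineer"), "B", ("group", "readers"))
BROKER.add_policy("A", ("role", "auditor"), "B", ("group", "readers"))
BROKER.add_policy("A", ("role", "auditor"), "B", ("group", "log-viewers"))
BROKER.add_policy("B", ("group", "admins"), "A", ("role", "guest"))

# Constructed ACL of domain B: (resource, action) -> groups allowed.
DOMAIN_B_ACL = {
    ("reports", "read"): {"readers"},
    ("audit-log", "read"): {"log-viewers"},
}

def domain_b_allows(broker, principals_in_a, resource, action):
    """Domain B's decision for a domain A user, using only mapped groups."""
    mapped = broker.resolve("A", "B", principals_in_a)
    groups = {name for kind, name in mapped if kind == "group"}
    return bool(groups & DOMAIN_B_ACL.get((resource, action), set()))

if __name__ == "__main__":
    print(domain_b_allows(BROKER, {("role", "engineer")}, "reports", "read"))
    print(domain_b_allows(BROKER, {("role", "engineer")}, "audit-log", "read"))
```

Because each domain consults the intermediary instead of every other domain, changing a role definition in domain A means editing only the policies whose source is domain A.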

Description

Technical field

[0001] The invention belongs to the technical field of information security access control, in particular to a cross-domain access control system that realizes role and group mapping based on a cross-domain authorization intermediary.

Background art

[0002] In order to protect various information system resources on the network, such as hosts, files, data, services, etc., it is necessary to implement authorization management (Authorization Management) and access control (Access Control) for these resources. Generally, the implementation of access control includes three functional parts: authority and authorization policy management, online authorization decision-making, and online authorization implementation. Privilege and authorization policy management (Privilege and Authorization Policy Management) is responsible for managing user rights and resource access control policies (Access Control Policy) or rules (in the present invention, authorization pol...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): H04L29/06, H04L9/32
Inventor: 龙毅宏, 张海松, 唐志红, 林智鑫
Owner: WUHAN UNIV OF TECH