Access control method, device and storage medium

Document No. 1909826, published 2021-11-30.

Reading note: this technology, Access control method, device and storage medium (访问控制方法、设备及存储介质), was designed and created by 杨宁 on 2019-09-11. Its main content is as follows: An access control method comprising: the terminal device (1100) determines the role of the access device (1200) of the security domain in which the terminal device is located; when the role of the access device (1200) is included in at least one access control role of the access control list of the terminal device (1100), the terminal device (1100) allows the access device (1200) to configure the security resource in the terminal device (1100), the access control role being a role that is allowed to configure the security resource. Another access control method, an electronic device (1400), and a storage medium are also provided.

An access control method comprising:

the terminal device determines the role of an access device of the security domain in which the terminal device is located; and

when the role of the access device is included in at least one access control role of an access control list of the terminal device, the terminal device allows the access device to configure a security resource in the terminal device, the access control role being a role that is allowed to configure the security resource.

The method of claim 1, wherein

the access control list is preset in the terminal device; or

the access control list is configured by an activation device.

The method of claim 1 or 2, wherein

for access devices of different security domains, the access control lists are the same access control list, and the roles of the access devices of the different security domains are the same; or

for access devices of different security domains, the access control lists are different access control lists, and the roles of the access devices of the different security domains are different.

The method of any of claims 1 to 3, wherein the access control list further comprises: the security resource that the access control role is allowed to access;

and wherein the terminal device allowing the access device to configure the security resource in the terminal device comprises:

the terminal device allows the access device to configure a target security resource in the terminal device, the target security resource being the security resource that the role of the access device is allowed to access.

The method of any of claims 1 to 4, wherein the access control list further comprises: the operation authority corresponding to the access control role;

the terminal device allows the access device to configure the security resource in the terminal device, including:

the terminal device allows the access device to perform configuration corresponding to a target operation authority on the security resource in the terminal device, wherein the target operation authority is an operation authority corresponding to a role of the access device.

The method of any of claims 1 to 5, wherein the method further comprises:

the terminal device authenticates a role certificate of the access device against a trust root in order to confirm the role of the access device.

The method of claim 6, wherein

for access devices of different security domains, the trust roots are the same trust root; or

for access devices of different security domains, the trust roots are different trust roots.

The method of claim 6, wherein

the trust root is preset in the terminal device; or

the trust root is configured by the activation device.

The method of claim 2 or 8, wherein the activation device comprises:

a device for activating the security domain in which the terminal device is located; or

a device for activating a security domain other than the security domain in which the terminal device is located.

The method of any of claims 1 to 9, wherein, before the terminal device enters the security domain, the method further comprises:

the terminal device retains the configuration information corresponding to the security resource; or the terminal device initializes the configuration information corresponding to the security resource.

The method of claim 10, wherein the retention condition under which the terminal device retains the configuration information corresponding to the security resource comprises at least one of:

receiving a retention instruction indicating that the configuration information is to be retained; and

not receiving an initialization instruction indicating that the configuration information is to be initialized.

The method of claim 10, wherein the initialization condition under which the terminal device initializes the configuration information corresponding to the security resource comprises at least one of:

receiving an initialization instruction indicating that the configuration information is to be initialized; and

not receiving a retention instruction indicating that the configuration information is to be retained.

The method of any of claims 1 to 12, wherein the terminal device determining the role of the access device of the security domain comprises:

the terminal device determines the role of the access device from a public field of the role certificate sent by the access device.

An access control method comprising:

the access device sends its role to a terminal device of the security domain, wherein the terminal device allows the access device to configure a security resource in the terminal device when the role of the access device is included in at least one access control role of an access control list of the terminal device, the access control role being a role that is allowed to configure the security resource.

The method of claim 14, wherein the access device sending its role to the terminal device of the security domain comprises:

the access device sends a role certificate to the terminal device of the security domain, wherein a public field of the role certificate includes the role of the access device.

The method of claim 14 or 15, wherein

the roles of the access devices of different security domains are the same; or

the roles of the access devices of different security domains are different.

An access control method comprising:

an activation device configures an access control list on a terminal device, wherein the access control list is used such that, when at least one access control role of the access control list includes the role of an access device, the terminal device allows the access device to configure a security resource in the terminal device, the access control role being a role that is allowed to configure the security resource.

The method of claim 17, wherein the access control list further comprises at least one of:

the security resource that the access control role is allowed to access; and the operation authority corresponding to the access control role.

The method of claim 17 or 18, wherein the method further comprises:

the activation device configures a trust root on the terminal device, wherein the trust root is used by the terminal device to authenticate a role certificate of the access device in order to confirm the role of the access device.
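The three method claim groups above describe one protocol: an activation device provisions a terminal device with an access control list and a trust root (claims 17 to 19), an access device presents a role certificate whose public field carries its role (claims 14 and 15), and the terminal device authenticates that certificate against the trust root, reads the role, and permits configuration of a security resource only if the role is an access control role whose entry lists that resource and operation authority (claims 1, 4, 5, 6 and 13), having retained or initialized its configuration on entering the domain (claims 10 to 12). The following is an added example that exercises the whole exchange; it is not the patent applicant's code. Assumptions not in the claims: the trust root is modelled as a shared HMAC key per security domain (a real deployment would verify a CA-signed X.509 role certificate), the operation authorities are named "read" and "write", and the device, resource and role names and the keys are constructed for illustration.

```python
# Role-based configuration of a terminal device's security resources, modelled on
# the claims above. Added example, not the patent applicant's code. Assumptions: the
# trust root of a security domain is modelled as a shared HMAC key (a real deployment
# would verify a CA-signed X.509 role certificate); the operation authorities
# "read"/"write", the resource names and the keys are constructed for illustration.
import hashlib
import hmac
import json
from dataclasses import dataclass, field

class AccessDenied(Exception):
    pass

@dataclass(frozen=True)
class RoleCertificate:
    public: dict  # public fields (claims 13, 15): subject, security domain, role
    tag: str      # authentication tag over the public fields under the domain's trust root

def _tag(root_key: bytes, public: dict) -> str:
    canonical = json.dumps(public, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(root_key, canonical, hashlib.sha256).hexdigest()

def issue_role_certificate(root_key: bytes, subject: str, domain: str, role: str) -> RoleCertificate:
    """The domain's authority binds a role to a subject under the trust root."""
    public = {"subject": subject, "domain": domain, "role": role}
    return RoleCertificate(public, _tag(root_key, public))

@dataclass
class TerminalDevice:
    # Per-domain trust roots and ACLs (claims 3 and 7); ACL shape: {role: {resource: {operations}}}.
    trust_roots: dict = field(default_factory=dict)
    acls: dict = field(default_factory=dict)
    config: dict = field(default_factory=dict)  # security resource -> configuration
    current_domain: str = ""

    def enter_security_domain(self, domain: str, retain_instruction=False, init_instruction=False):
        # Claims 10-12. Assumption: with neither instruction the configuration is initialized (fail closed).
        if init_instruction or not retain_instruction:
            self.config = {}
        self.current_domain = domain

    def determine_role(self, cert: RoleCertificate) -> str:
        # Claims 6 and 13: authenticate against the current domain's trust root, then read the public role field.
        root = self.trust_roots.get(self.current_domain)
        if root is None:
            raise AccessDenied("no trust root for domain %r" % self.current_domain)
        if not hmac.compare_digest(_tag(root, cert.public), cert.tag):
            raise AccessDenied("role certificate was not issued under the trust root")
        if cert.public.get("domain") != self.current_domain:
            raise AccessDenied("role certificate belongs to another security domain")
        return cert.public["role"]

    def configure(self, cert: RoleCertificate, resource: str, operation: str, value=None):
        # Claims 1, 4 and 5: the role must be an access control role whose entry lists this resource and operation.
        role = self.determine_role(cert)
        acl = self.acls.get(self.current_domain, {})
        if role not in acl:
            raise AccessDenied("role %r is not an access control role" % role)
        if operation not in acl[role].get(resource, set()):
            raise AccessDenied("role %r may not %s %r" % (role, operation, resource))
        if operation == "write":
            self.config[resource] = value
        return self.config.get(resource)

@dataclass
class ActivationDevice:
    domain: str
    root_key: bytes

    def activate(self, terminal: TerminalDevice, acl: dict) -> None:
        # Claims 17-19: configure the domain's ACL and trust root on the terminal device.
        terminal.trust_roots[self.domain] = self.root_key
        terminal.acls[self.domain] = acl

def demo() -> dict:
    """Activation, certificate issuance (claim 15), then permitted and refused attempts."""
    home = ActivationDevice("home", b"home-domain-root-key")  # constructed keys
    office = ActivationDevice("office", b"office-domain-root-key")
    terminal = TerminalDevice()
    home.activate(terminal, {"admin": {"wifi_psk": {"read", "write"}, "owner_pubkey": {"read", "write"}},
                             "guest": {"wifi_psk": {"read"}}})
    office.activate(terminal, {"admin": {"wifi_psk": {"read", "write"}}})
    terminal.enter_security_domain("home")
    admin = issue_role_certificate(home.root_key, "phone-1", "home", "admin")
    guest = issue_role_certificate(home.root_key, "phone-2", "home", "guest")
    forged = RoleCertificate({**guest.public, "role": "admin"}, guest.tag)  # tampered public field
    office_admin = issue_role_certificate(office.root_key, "laptop-9", "office", "admin")
    results = {"admin_write": terminal.configure(admin, "wifi_psk", "write", "s3cr3t"),
               "guest_read": terminal.configure(guest, "wifi_psk", "read")}
    for name, cert in [("guest_write", guest), ("forged", forged), ("other_domain", office_admin)]:
        try:
            terminal.configure(cert, "wifi_psk", "write", "pwned")
            results[name] = "allowed"
        except AccessDenied:
            results[name] = "denied"
    return results
```

The three refusals in `demo()` are the checks a practitioner cares about: a role that is on the list but lacks the operation authority is refused by the claim 5 check, a certificate whose public role field was edited fails the trust-root authentication of claim 6 before its role is ever read, and a genuine administrator certificate from another security domain is refused because the terminal verifies it against the trust root of the domain it is currently in (claim 7). Role lookup happens only after authentication succeeds, so the ACL is never consulted with an unverified role.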

A terminal device, comprising:

a role determining module configured to determine the role of an access device of the security domain; and

an access control module configured to allow the access device to configure a security resource in the terminal device when at least one access control role of an access control list of the terminal device includes the role of the access device, the access control role being a role that is allowed to configure the security resource.

The terminal device of claim 20, wherein

the access control list is preset in the terminal device; or

the access control list is configured by an activation device.

The terminal device of claim 20 or 21, wherein

for access devices of different security domains, the access control lists are the same access control list, and the roles of the access devices of the different security domains are the same; or

for access devices of different security domains, the access control lists are different access control lists, and the roles of the access devices of the different security domains are different.

The terminal device of any of claims 20 to 22, wherein the access control list further comprises: the security resource that the access control role is allowed to access;

and wherein the access control module is further configured to allow the access device to configure a target security resource in the terminal device, the target security resource being the security resource that the role of the access device is allowed to access.

The terminal device of any of claims 20 to 23, wherein the access control list further comprises: the operation authority corresponding to the access control role;

and wherein the access control module is further configured to allow the access device to perform, on the security resource in the terminal device, the configuration corresponding to a target operation authority, the target operation authority being the operation authority corresponding to the role of the access device.

The terminal device of any of claims 20 to 24, wherein the terminal device further comprises:

a role authentication module configured to authenticate a role certificate of the access device against a trust root in order to confirm the role of the access device.

The terminal device of claim 25, wherein

for access devices of different security domains, the trust roots are the same trust root; or

for access devices of different security domains, the trust roots are different trust roots.

The terminal device of claim 25, wherein

the trust root is preset in the terminal device; or

the trust root is configured by the activation device.

The terminal device of claim 21 or 27, wherein the activation device comprises:

a device for activating the security domain in which the terminal device is located; or

a device for activating a security domain other than the security domain in which the terminal device is located.

The terminal device of any of claims 20 to 28, wherein the terminal device further comprises:

a configuration update module configured to, before the terminal device enters the security domain, retain the configuration information corresponding to the security resource or initialize the configuration information corresponding to the security resource.

The terminal device of claim 29, wherein the retention condition under which the terminal device retains the configuration information corresponding to the security resource comprises at least one of:

receiving a retention instruction indicating that the configuration information is to be retained; and

not receiving an initialization instruction indicating that the configuration information is to be initialized.

The terminal device of claim 29, wherein the initialization condition under which the terminal device initializes the configuration information corresponding to the security resource comprises at least one of:

receiving an initialization instruction indicating that the configuration information is to be initialized; and

not receiving a retention instruction indicating that the configuration information is to be retained.

The terminal device of any of claims 20 to 31, wherein the role determining module is further configured to determine the role of the access device from a public field of a role certificate sent by the access device.

An access device, comprising:

a sending module configured to send the role of the access device to a terminal device of the security domain, wherein the terminal device allows the access device to configure a security resource in the terminal device when the role of the access device is included in at least one access control role of an access control list of the terminal device, the access control role being a role that is allowed to configure the security resource.

The access device of claim 33, wherein the sending module is further configured to send a role certificate to the terminal device, the role certificate including a role of the access device in a public field.

The access device of claim 33 or 34, wherein

the roles of the access devices of different security domains are the same; or

the roles of the access devices of different security domains are different.

An activation device, comprising:

an access control module configured to configure an access control list on a terminal device, wherein the access control list is used such that, when at least one access control role of the access control list includes the role of an access device, the terminal device allows the access device to configure a security resource in the terminal device, the access control role being a role that is allowed to configure the security resource.

The activation device of claim 36, wherein the access control list further comprises at least one of:

the security resource that the access control role is allowed to access; and the operation authority corresponding to the access control role.

The activation device of claim 36 or 37, wherein the activation device further comprises:

a root configuration module configured to configure a trust root on the terminal device, wherein the trust root is used by the terminal device to authenticate a role certificate of the access device in order to confirm the role of the access device.

A terminal device comprising a processor and a memory for storing a computer program capable of running on the processor, wherein,

the processor is adapted to perform the steps of the access control method of any of claims 1 to 13 when running the computer program.

An access device comprising a processor and a memory for storing a computer program capable of running on the processor, wherein,

the processor is adapted to perform the steps of the access control method of any of claims 14 to 16 when running the computer program.

An activation device comprising a processor and a memory for storing a computer program capable of running on the processor, wherein,

the processor is adapted to perform the steps of the access control method of any of claims 17 to 19 when running the computer program.

A storage medium storing an executable program which, when executed by a processor, implements the access control method of any one of claims 1 to 13.

A storage medium storing an executable program which, when executed by a processor, implements the access control method of any one of claims 14 to 16.

A storage medium storing an executable program which, when executed by a processor, implements the access control method of any one of claims 17 to 19.
