Scalable Access Control Model Based on Double-tier Role and Organization (Chinese title, translated)
doi: 10.11999/JEIT141255
Funding:
National 863 Program project (2012AA012704) and 2014 Henan Province Basic Research Program project (142300413201)
Scalable Access Control Model Based on Double-tier Role and Organization
Abstract (Chinese, translated): To address the problems in existing role-based access control (RBAC) research, namely that a single, uniform way of defining roles gives poor adaptability, that roles or privileges become redundant in multi-domain environments, and that resource management receives too little attention, this paper proposes an access control model based on double-tier roles and organizations that supports resource management. Through a double-tier division of roles, a double-tier role architecture of function roles and task roles is proposed, which makes the model closer to practice and more adaptable. The concept of organization is introduced and combined with the double-tier roles, the concepts of role and privilege are extended, the proposed access control model based on double-tier roles and organizations is defined formally, and the separation-of-duty constraints and cardinality constraints that affect the model's security are described. The expressive power and complexity of the model are analysed; the analysis shows that the mechanism not only retains the characteristics and advantages of RBAC but also has lower complexity than RBAC and is better suited to distributed multi-domain environments composed of multiple similar organizations.

Abstract: To tackle the deficiencies of weak adaptability due to the singleness of the role establishment method, role or privilege redundancy, and little attention to resource management in existing Role-Based Access Control (RBAC) research, a Scalable Access Control model Based on Double-Tier Role and Organization (SDTR-OBAC) is proposed. Through double role partition, a double-tier role architecture of function role and task role is presented, solving the problem that the traditional role cannot cover the requirements of both the organizational level and the application level at the same time. The concept of organization is introduced to integrate with the double-tier role and form an organization-role pair assigned to a user, instead of a role only as in RBAC, making the model suitable for cross-domain access as well as a single domain. Through extending privileges to an operation and resource type pair, the model and its constraints, including separation of duty and cardinality constraints, are defined formally. The discussion of expressive power and complexity indicates that SDTR-OBAC retains all the advantages of RBAC and can effectively reduce administration complexity with better scalability and universality.
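The following is an added illustration, not code from the paper, of the structure the abstract describes: users are assigned organization-role pairs, a function role (organizational level) is built from task roles (application level), each task role carries privileges as (operation, resource type) pairs, and assignment is refused when a separation-of-duty or cardinality constraint would be violated. The exact forms of the constraints (static SoD within one organization, a per-organization cap on holders of a function role) and all names and sample values are assumptions made for this example.

```python
from collections import defaultdict

Privilege = tuple[str, str]  # (operation, resource_type), as the abstract describes


class SDTROBAC:
    def __init__(self) -> None:
        self.task_roles: dict[str, set[Privilege]] = defaultdict(set)   # task role -> privileges
        self.function_roles: dict[str, set[str]] = defaultdict(set)     # function role -> task roles
        self.assignments: dict[str, set[tuple[str, str]]] = defaultdict(set)  # user -> {(org, frole)}
        self.sod: set[frozenset[str]] = set()   # mutually exclusive function roles (assumed static SoD)
        self.cardinality: dict[str, int] = {}   # function role -> max holders per organization (assumed)

    def add_task_role(self, trole: str, *privs: Privilege) -> None:
        self.task_roles[trole].update(privs)

    def add_function_role(self, frole: str, *troles: str) -> None:
        self.function_roles[frole].update(troles)

    def assign(self, user: str, org: str, frole: str) -> None:
        # Grant the organization-role pair only if SoD and cardinality constraints still hold.
        held = {r for o, r in self.assignments[user] if o == org}
        for pair in self.sod:
            if frole in pair and (pair - {frole}) & held:
                raise PermissionError(f"SoD: {user} already holds {sorted(pair - {frole})} in {org}")
        holders = sum((org, frole) in pairs for pairs in self.assignments.values())
        limit = self.cardinality.get(frole)
        if limit is not None and holders >= limit:
            raise PermissionError(f"cardinality: {frole} in {org} already has {limit} holder(s)")
        self.assignments[user].add((org, frole))

    def privileges(self, user: str, org: str) -> set[Privilege]:
        # Privileges flow organization -> function role -> task roles -> (operation, resource_type).
        return {priv for o, frole in self.assignments[user] if o == org
                for trole in self.function_roles[frole] for priv in self.task_roles[trole]}

    def check(self, user: str, org: str, op: str, rtype: str) -> bool:
        return (op, rtype) in self.privileges(user, org)


def demo() -> SDTROBAC:
    # Constructed sample: two branches of one enterprise share the same role definitions.
    p = SDTROBAC()
    p.add_task_role("approve-claims", ("approve", "claim"), ("read", "claim"))
    p.add_task_role("file-claims", ("create", "claim"), ("read", "claim"))
    p.add_function_role("claims-manager", "approve-claims")
    p.add_function_role("claims-clerk", "file-claims")
    p.sod.add(frozenset({"claims-manager", "claims-clerk"}))  # one person must not file and approve
    p.cardinality["claims-manager"] = 1                        # at most one manager per branch
    p.assign("alice", "branch-north", "claims-manager")
    p.assign("bob", "branch-north", "claims-clerk")
    p.assign("alice", "branch-south", "claims-clerk")  # same user, other organization: allowed
    return p
```

Because role definitions are shared and only the organization in the pair changes, adding a third branch needs no new roles or privileges, which is the redundancy reduction the abstract claims for multi-domain settings.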
Metrics
- Article views: 1112
- HTML full-text views: 175
- PDF downloads: 615
- Citations: 0