Please wait a minute...
J4  2010, Vol. 44 Issue (12): 2297-2308    DOI: 10.3785/j.issn.1008-973X.2010.12.011
自动化技术、计算机技术     
基于情景约束的工作流柔性访问控制模型
马晨华1, 王进1, 裘炅2, 陆国栋1
1.浙江大学 工程与计算机图形学研究所,浙江 杭州 310027; 2.杭州电子科技大学 计算机学院,浙江 杭州 310018
Flexible context-constraint-based access control model
for workflows
MA Chen-hua1, WANG Jing1, QIU Jiong2, LU Guo-dong1
1. Engineering and Computer Graphics Institute, Zhejiang University, Hangzhou 310027, China;
2. College of Computer, Hangzhou Danzi University, Hangzhou 310018,China
 全文: PDF  HTML
摘要:

针对现有的访问控制模型在工作流系统中,基于情景的动态授权和灵活的任务相关授权等问题,提出一个应用于工作流系统的基于情景约束的柔性访问控制模型.模型定义了基于情景约束的角色指派策略和角色授权策略,分析了策略间的关系,对策略间可能存在的冲突进行了分类,给出策略冲突的静态和动态检测规则,并提出优先级规则和冲突消解策略的概念,安全管理员可以根据系统需求灵活地确定冲突消解的方式;模型还给出基于最小角色指派策略集和最小角色授权策略集的角色分配与授权决策算法,实现了工作流系统中基于情景的动态授权,并支持用户-角色和角色-权限的自动指派.

Abstract:

Access control models proposed so far provide no support for context-based dynamic authorization and flexible authorization policy definition for tasks. To address these issues, a flexible context-constraint-based access control model was proposed for workfolws. The concepts of context-constraint-based role assignment policy and contextconstraintbased role authorization policy were defined. The interrelationships between policies were analyzed and the conflicts exhibited by policies were classified. Static and dynamic conflict detection methods were provided to maintain the consistency of policies. By the introduction of two new concepts, priority rule and conflict resolution policy, a flexible approach to resolve conflicts were provide. The security administrator can choose the method of resolving conflicts flexibly according to system requirements by defining priority rules and conflict resolution policies. Furthermore, the role assignment algorithm and the authorization decision algorithm based on the minimum sets of role assignment policies and role authorization policies were given. The model provides support for context-based dynamic authorization, automatic user-role and role-permission assignment.

出版日期: 2010-12-01
:  TP 309.2  
基金资助:

浙江省重大科技专项社会发展资助项目(2008C13073, 2009C03015-1).

通讯作者: 王进,男,讲师.     E-mail: dwjcom@zju.edu.cn
作者简介: 马晨华(1975—),女,山西晋城人,讲师,主要从事CSCW和信息安全. E-mail:mchma@zju.edu.cn
服务  
把本文推荐给朋友
加入引用管理器
E-mail Alert
RSS
作者相关文章  

引用本文:

马晨华, 王进, 裘炅, 陆国栋. 基于情景约束的工作流柔性访问控制模型[J]. J4, 2010, 44(12): 2297-2308.

MA Chen-hua, WANG Jing, QIU Jiong, LU Guo-dong. Flexible context-constraint-based access control model
for workflows. J4, 2010, 44(12): 2297-2308.

链接本文:

http://www.zjujournals.com/eng/CN/10.3785/j.issn.1008-973X.2010.12.011        http://www.zjujournals.com/eng/CN/Y2010/V44/I12/2297

[1] 李红臣,史美林,陈信祥,等.工作流系统中的业务过程描述及分析[J].计算机研究与发展,2001,38(7): 798-804.
LI Hongchen, SHI Meilin, CHEN Xinxiang, et al. Business process modeling and analysis in workflow systems[J]. Journal of Computer Research and Development, 2001, 38(7): 798-804.
[2] 刑光林,洪帆.基于角色和任务的工作流访问控制模型[J].计算机工程与应用,2001,38(7): 798-804.
XING Guanglin, HONG Fan. A workflow access control model based on role and task[J]. Computer Engineering and Application, 2001, 38(7): 798-804.
[3] 洪帆,赵晓斐.基于任务的访问控制模型及其实现[J].华中科技大学学报:自然科学版,2002,30(1): 17-19.
HONG Fan, ZHAO Xiaofei. Taskbased access control model and its implementation[J]. Journal of Huazhong University of Science and Technology: Nature Science Edition, 2002,30(1): 17-19.
[4] ATLURI V, HUANG W K. An authorization model for workflows[C]∥Proceedings of the 5th European Symposium on Research in Computer Security. Rome: SpringerVerlag, 1996: 44-64.
[5] THOMAS R K, SANDHU R S. Taskbased authorization controls (TBAC): a family of models for active and enterpriseoriented authorization management[C]∥Proceedings of the IFIP WG11.3 Workshop on Database Security. Vancouver, Canada: Chapman & Hall, Ltd., 1997: 11-13.
[6] 邓集波,洪帆.基于任务的工作流访问控制模型[J].软件学报,2003,14(1): 76-82.
DENG Jibo, HONG Fan. Taskbased access control model[J]. Journal of Software, 2003,14(1): 76-82.
[7] 尹建伟,徐争前,冯志林,等.增强权限约束支持的基于任务访问控制模型[J].计算机辅助设计与图形学学报,2006,18(1): 143-148.
YIN Jianwei, XU Zhengqian, FENG Zhilin, et al. Taskbased access control model supported by enhanced permission constraints[J]. Journal of ComputerAided Design and Computer Graphics, 2006, 18(1): 143-148.
[8] SEJONG O, SEOG P. Taskrolebased access control model[J]. Information Systems, 2003, 28(6): 533-562.
[9] DEY A K. Providing architectural support for building contextaware applications[D]. Atlanta: Georgia Institute of Technology, 2001: 3-5.
[10] 韩伟力.分布式环境下的约束访问控制技术研究[D].杭州:浙江大学,2003: 24-85.
HAN Weili. Research of constraint access control technology under distributed environment [D].Hangzhou: Zhejiang University, 2003: 24-85.
[11] HAN Weili, ZHANG Junjing, YAO Xiaobo. Context sensitive access control model and implementation[C]∥Proceedings of 5th International Conference on Computer and Information Technology. Shanghai, China: IEEE, 2005: 751-756.
[12] NEUMANN G, STREMBECK M. An approach to engineer and enforce context constraints in an RBAC environment[C]∥Proceedings of 8th ACM Symposium on Access Control Models and Technologies. Como, Italy: ACM, 2003: 65-79.
[13] ZHANG G. Dynamic Context aware access control for grid applications[D]. New Brunswick: The State University of New Jersey, 2003: 5-36.
[14] ZHANG G, PARASHAR M. Dynamic contextaware access control for grid applications[C]∥Proceedings of the 4th International Workshop on Grid Computing. Washington: ACM, 2003: 101-109.
[15] HULSEBOSCH R J, SALDEN A H, BARGH M S, et al. Context sensitive access control[C]∥ Proceedings of 10th ACM Symposium on Access Control Models and Technologies. Stockholm, Sweden: ACM, 2005: 111-119.
[16] BHATTI R, BERTINO E, GHAFOOR A. A trustbased contextaware access control model for webservices[J]. Distributed and Parallel Databases, 2005, 18(1): 83-105.
[17] 徐仁佐,郑红军,陈斌,等.基于角色和上下文的访问控制模型[J].计算机应用研究,2004(12): 140-142.
XU Renzuo, ZHENG Hongjun, CHEN Bin, et al. Role and contextbased access control model[J]. Application Research of Computers, 2004(12): 140-142.
[18] TONINELLI A, MONTANARI R, KAGAL L, et al. A semantic contextaware access control framework for secure collaborations in pervasive computing environments[C]∥Proceedings of 5th International Semantic Web Conference. Athens, GA, USA: SpringerVerlag, 2006: 473-486.
[19] KULKARNI D, TRIPATHI A. Contextaware rolebased access control in pervasive computing system[C]∥Proceedings of 13th ACM Symposium on Access Control Models and Technologies. Estes Park, CO, USA: ACM, 2008: 113-122.
[20] 姚寒冰,胡和平,李瑞轩.上下文感知的动态访问控制模型[J].计算机工程与科学,2007,29(5): 1-7.
YAO Hanbing, HU Heping, LI Ruixuan. A dynamic contextaware access control model[J]. Computer Engineering & Science, 2007, 29(5): 1-7.
[21] ALKAHTANI M. A family of models for rulebased userrole assignment[D]. Washington: George Mason University, 2004: 10-40.
[22] KERN A, WALHORN C. Rule support for rolebased access control[C]∥Proceedings of the 10th ACM Symposium on Access Control Models and Technologies. Stockholm, Sweden: ACM, 2005: 130-138.
[23] 林植.基于策略的访问控制关键技术研究[D].武汉:华中科技大学,2006: 28-114.
LIN Zhi. Research on key technologies of policybased access control[D]. Wuhan: Huazhong University of Science and Technology, 2006: 28-114.
[24] 焦振海,丁二玉,骆斌.工作流管理中基于规则策略的访问控制[J].计算机应用研究,2008,25(3): 885-902.
JIAO Zhenhai, DING Eryu, LUO Bin. Access control in workflow management systems based on rule strategy[J]. Application Research of Computers, 2008,25(3): 885-902.
[25] 张健,孙吉贵,李妮娅,等.工作流系统中一个基于多权角色和规则的条件化RBAC安全访问控制模型[J].通信学报,2008,29(2): 8-16.
ZHANG Jian, SUN Jigui, LI Niya, et al. Conditioned secure access control model based on multiweighted roles and rules in workflow system[J]. Journal on Communications, 2008, 29(2): 8-16.
[26] DUNLOP N, INDULSKA J, RAYMOND K. Dynamic conflict detection in policybased management systems[C]∥Proceedings of the 6th International Enterprise Distributed Object Computing Conference. \
[S.l.\]: IEEE, 2002: 15-26.
[27] DUNLOP N, INDULSKA J, RAYMOND K. Methods for conflict resolution in policybased management system[C]∥Proceedings of the 7th International Enterprise Distributed Object Computing Conference. \
[S.l.\]: IEEE, 2003: 98-109.
[28] 何再朗,田敬东,张毓森.策略冲突分析、检测及解决方案[J].兰州理工大学学报,2005,31(5): 83-86.
HE Zailang, TIAN Jingdong, ZHANG Yusen. Analysis, detection and solution of policy conflict[J]. Journal of Lanzhou University of Technology, 2005, 31(5): 83-86.
[29] 姚键,茅兵,谢立.一种基于有向图模型的安全策略冲突检测方法[J].计算机研究与发展,2005, 42(7): 1108-1114.
YAO Jiang, MAO Bing, XIE Li. A Dagbased security policy conflict detection method[J]. Journal of Computer Research and Development, 2005, 42(7): 1108-1114.
[30] 魏雁平.基于有向图覆盖关系的安全策略冲突检测模型[D].成都:四川大学, 2006: 7-72.
WEI Yanping. A policy conflict detection model based on directgraph with cover relation[D]. Chengdu: Sichuan University, 2006: 7-72.
[31] 姜琳.基于概念格的策略分类与冲突检测研究[D].长春:吉林大学,2006: 28-55.
JIANG Lin. The research of policy classification and conflict detection based on concept lattice[D]. Changchun: Jilin University, 2006: 28-55.
[32] BERTINO E. RBAC models: concepts and trends[J]. Computers and Security, 2003, 22(6): 511-514.

[1] 陈珂, 胡天磊, 陈刚. 基于角色的信任证覆盖网络中高效信任链搜索[J]. J4, 2010, 44(12): 2241-2250.
[2] 余利华, 陈刚, 王伟, 陈柯, 董金祥. 一种基于容器的自组织存储模型[J]. J4, 2010, 44(5): 915-922.
[3] 江颉, 张杰, 陈德人. 基于推理的上下文感知RBAC模型设计和实现[J]. J4, 2009, 43(09): 1609-1614.
[4] 陈珂, 邵峰, 陈刚, 等. XML结构化匹配中的位图过滤加速法[J]. J4, 2009, 43(09): 1549-1556.