|
|
|
RBAC based access control model for services compositions
cross multiple enterprises |
| ZHANG Shuai1, SUN Jian-ling1, XU Bin1, HUANG Chao1,2, KAVS Aleksander J2. |
1. College of Computer Science and Technology , Zhejiang University , Hangzhou 310027, China;
2. State Street Technology (ZheJiang) Co. Ltd, Hangzhou 310012, China |
|
|
|
Abstract A dynamic multiple domains access control model base on role based access control (RBAC) was proposed in order to solve the problem that current single domain based access control model cannot fulfill the authorization requirements for service compositions crossing multiple enterprises. The process structures were analyzed and a role mining algorithm was proposed to find the role set with minimized permissions that meet the access requirements of composite services. Authorization negotiations were set up among relevant domains for each cross domain operation in composite services and cross domain role mappings were built according the mined role sets with minimized cost to fulfill the cross domain operations. Based on this model, a runtime framework aligned with current industry standard was proposed to authorize dynamically based on the current running status of composite services. Simulation experiments showed the effectiveness of key part of the role mining algorithm.
|
|
Published: 11 December 2012
|
|
|
基于RBAC的跨多企业服务组合访问控制模型
为了解决单域环境下访问控制模型无法满足跨企业服务组合的访问授权需求的问题,提出一种以基于角色访问控制(RBAC)为基础的多域动态访问授权模型.根据组合服务的流程结构分析服务执行所需的权限,提出一个权限最小化的角色集挖掘算法,从原有的面向单域的角色授权关系中搜索满足服务执行的角色集.针对组合服务中的跨域操作进行端对端的域间自主授权协商,并根据挖据出的角色集建立最小成本的跨域角色映射以满足跨域访问授权需求.在此基础上提出一套与现有的工业标准相结合运行时框架,实现根据组合服务实际运行状态进行授权的动态访问控制机制.模拟实验结果验证模型中的该算法的主要部分在多种不同场景下的有效性.
|
|
| [1] PAPAZOGLOU M. Serviceoriented computing: concepts, characteristics and directions [C]∥ 4th International Conference on Web Information Systems Engineering. Rome, Italy: IEEE, 2003: 3-12.
[2] MILANOVIC N, MALEK M. Current solutions for Web service composition [J]. IEEE Internet Computing, 2004, 8(6): 51-59.
[3] SRIVATSA M, IYENGAR A, MIKALSEN T, et al, An access controlsystem for Web service compositions [C]∥ IEEE International Conference on Web Services . Salt Lake City, USA: IEEE, 2007: 1-8.
[4] 王雅哲,冯登国.域间授权互操作研究综述 [J]. 计算机研究与发展, 2010, 47(10):1673-1689.
WANG Yazhe, FENG Dengguo. A survey of research on interdomain authorization interoperation [J]. Journal of Computer Research and Development, 2010, 47(10):1673-1689.
[5] ZHANG Y , JOSHI J. A requestdriven secure interoperation framework in looselycoupled multidomain environments employing RBAC policies [C]∥ IEEE International Conference on Collaborative Computing: Networking, Applications and Worksharing. New York, USA: IEEE, 2007: 25-32.
[6] HU Jinwei, Li Ruixuan, LU Zhengding. Establishing RBACbased secure interoperability in decentralized multidomain environments [C]∥ Proceedings of the 10th international conference on Information security and cryptology. Heidelberg, Germany: SpringerVerlag Berlin, 2007 49-63.
[7] ZHANG Shuai, SUN Jianling, SHEN Yuanhong, et al, Optimizing performance of composite services in multiple networks enterprise environment [J]. Information Technology Journal, 2011(10): 807-815.
[8] DUSTDAR S , SCHREINER W, A survey on web services composition [J]. International Journal of Web and Grid Services 2005(1): 1-30.
[9] BEEK M, BUCCHIARONE A, GNESI S: Web service composition approaches: from industrial standards to formal methods [C]∥ Proceedings of the Second International Conference on Internet and Web Applications and Services 2007. Washington DC, USA: IEEE Computer Society, 15-21.
[10] CHAFLE G, CHANDRA S, MANN V, et al, Decentralized orchestration of composite web services [C]∥ Proceedings of the 13th international World Wide Web conference. New York, USA: ACM, 2004: 134-143.
[11] YILDIZ U, GODART C. Towards decentralized service orchestrations [C]∥ Proceedings of the 2007 ACM symposium on Applied computing. New York, USA: ACM, 1662-1666.
[12] SHAFIQ B, JOSHI J, BERTINO E, et al: Secure interoperation in a multi domain environment employing RBAC policies [J]. IEEE Transactions on Knowledge and Data Engineering 2005. 17(11): 1557-1577.
[13] SANDHU R, COYNE E, FEINSTEIN H, et al, Rolebased access control models [J]. IEEE Computer, 1996 29(2): 38-47.
[14] DAMIANI E, VIMERCATI S, PARABOSCHI S. et al. Fine grained access control for SOAP eservices [C]∥ 10th Int. Conference on World Wide Web (WWW). New York, USA: ACM, 2001: 504-513.
[15] WONOHOESODO R ,TARI Z, A role based access control for Web services [C]∥ IEEE International Conference on Services Computing 2004. Shanghai: IEEE, 2004:49-56.
[16] FISCHER J , MAJUMDAR R, A Theory of Role Composition [C]∥ IEEE International Conference on Web Services 2008. Beijing: IEEE, 320-328.
[17] HUANG Chao, SUN Jianling, WANG Xinyu, et al. Minimal role mining method for Web service composition [J]. Journal of Zhejiang UniversityScience C, 2010(11): 28-339.
[18] DU S , JOSHI J, Supporting authorization query and interdomain role mapping in presence of hybrid role hierarchy [C]∥ Proceedings of the 17th ACM symposium on Access control models and technologies. New York, USA: ACM, 2006: 228-236.
[19] OASIS, Security assertion markup language (SAML) [EB/OL]. [20050325]. http:∥saml.xml.org/aboutsaml.
[20] SALTZER J , SCHROEDER M, The protection of information in computer systems [J]. Proceedings of the IEEE, 1975(63): 1278-1308.
[21] MOSES T. eXtensible access control markup language (XACML) Version 20 [EB/OL]. [2005-02-01].http:∥docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf. |
|
Viewed |
|
|
|
Full text
|
|
|
|
|
Abstract
|
|
|
|
|
Cited |
|
|
|
|
| |
Shared |
|
|
|
|
| |
Discussed |
|
|
|
|
