基于双层角色和组织的可扩展访问控制模型

doi:10.11999/JEIT141255

摘要
图/表
参考文献(15)
相关文章 (15)

全文: PDF (275 KB)
输出: BibTeX | EndNote (RIS)

摘要

针对现有基于角色的访问控制(RBAC)研究存在角色设置单一使得适应性差、多域环境下角色或权限冗余、对资源管理关注不够等问题，论文提出支持资源管理的基于双层角色和组织的访问控制模型。通过双层角色划分，提出基于职能角色和任务角色的双层角色架构，使得模型更加符合实际，也更具适应性；引入组织的概念并与双层角色相结合，对角色和权限的概念加以扩展，形式化定义了提出的基于双层角色和组织的访问控制模型，描述了影响模型安全的职责分离约束和势约束。对模型的表达能力、复杂度进行了分析，分析表明该机制不仅保留了RBAC的特点与优势，且比RBAC具有较低的复杂度并更适合于由多个相似组织构成的分布式多域环境。

	服务

	把本文推荐给朋友
	加入我的书架
	加入引用管理器
	E-mail Alert
	RSS
	作者相关文章
	熊厚仁
	陈性元
	张斌
	杜学绘

关键词 ：网络信息安全, 基于角色的访问控制, 双层角色, 组织, 角色继承, 职责分离

Abstract：

For tackling the deficiencies of weak adaptability due to the singleness of the role establishment method, role or privilege redundancy, and little attention on resource management in the existing Role-Based Access Control (RBAC) researches, a Scalable Access Control model Based on Double-Tier Role and Organization (SDTR-OBAC) is proposed. Through double role partition, a double-tier role architecture of function role and task role is presented, solving the problem that the traditional role can not cover the requirements of both organizational level and application level at the same time. The concept of organization is introduced to integrate with the double-tier role and form an organization-role pair assigned to user instead of role only in RBAC, making model suitable to cross-domain access as well as a single domain. Through extending privileges as an operation and resource type pair, the model and its constraints including separation of duty and cardinality constraint are defined formally. The discussion of expressive power and complexity indicates that SDTR-OBAC retains all the advantages of RBAC, and can effectively reduce the administration complexity with better scalability and universality.

Key words： Network information security Role-Based Access Control (RBAC) Double-tier role Organization Role inheritance Separation of duty

收稿日期: 2014-09-25 出版日期: 2015-06-02

PACS:

TP393.08

基金资助:

国家863计划项目(2012AA012704)和2014年河南省基础研究计划项目(142300413201)

通讯作者: 熊厚仁：男，1986年生，博士生，研究方向为授权、访问控制与资源管理. E-mail: xionghouren@163.com

作者简介: 熊厚仁：男，1986年生，博士生，研究方向为授权、访问控制与资源管理. 陈性元：男，1963年生，教授，博士生导师，研究方向为网络信息安全. 张斌：男，1969年生，教授，博士生导师，主要研究方向为网络信息安全. 杜学绘：女，1968年生，教授，博士生导师，主要研究方向为网络信息安全.

引用本文:

熊厚仁,陈性元,张斌,杜学绘. 基于双层角色和组织的可扩展访问控制模型[J]. 电子与信息学报, 2015, 37(7): 1612-1619. Xiong Hou-ren, Chen Xing-yuan, Zhang Bin, Du Xue-hui. Scalable Access Control Model Based on Double-tier Role and Organization. JEIT, 2015, 37(7): 1612-1619.

链接本文:

http://jeit.ie.ac.cn/CN/10.11999/JEIT141255 或 http://jeit.ie.ac.cn/CN/Y2015/V37/I7/1612

[1]	ANSI. 2004. American national standard for information technology-role based access control[S]. ANSI INCITS 359, 2004.
[2]	Gofman M I and Yang Ping. Effecient policy analysis for evolving administrative role based access control[J]. International Journal of Software Informatics, 2014, 8(1): 95-131.
[3]	Liu Meng and Wang Xuan. Alternative representation of periodic constraint on role enabling in TRBAC and GTRBAC[J]. Journal of Computational Information Systems, 2013, 9(24): 9909-9918.
[4]	Abdunabi R, Al-Lail M, Ray I, et al.. Specification, validation, and enforcement of a generalized spatio-temporal role-based access control model[J]. IEEE Systems Journal, 2013, 7(3): 501-515.
[5]	Muhammad Asif-habib. Mutually exclusive permissions in RBAC[J]. International Journal of Internet Technology and Secured Transactions, 2012, 4: 207-220.
[6]	Ma Li, Zhou Yan-jie, and Duan Wei. Extended RBAC model with task-constraint rules[C]. Proceedings of 8th Future Information Technology: Lecture Notes in Electrical Engineering, Gwangju, Korea, 2014, 276: 245-250.
[7]	Zu Xiang-rong, Liu Lian-zhong, and Bai Yan. A role and task-based workflow dynamic authorization modeling and enforcement mechanism[C]. The 1st International Conference on Information Science and Engineering (ICISE2009), Nanjing, China, 2009: 1593-1596.
[8]	Sohr K, Kuhlmann M, and Gogolla M. Comprehensive two-level analysis of role-based delegation and revocation policies with UML and OCL[J]. Information and Software Technology, 2012, 54(12): 1396-1417.
[9]	Liu Xin-xin and Tang Shao-hua. Analysis of role-based trust management policy using description logics[J]. Journal of Computational Information Systems, 2012, 8(13): 5445-5452.
[10]	Unal D and Caglayan M U. A formal role-based access control model for security policies in multi-domain mobile networks[J]. Computer Networks, 2013, 57(1): 330-350.
[11]	Zhang Da-na, Ramamohanarao K, Zhang Rui, et al.. Efficient graph based approach to large scale role engineering[J]. Transactions on Data Privacy, 2014, 7(1): 1-26.
[12]	Ranise S, Truong A, and Armando A. Scalable and precise automated analysis of administrative temporal role-based access control[C]. SACMAT’14, London, Ontario, Canada, 2014: 103-114.
[13]	崔鸿飞. ARBAC 权限泄漏分析及改进[D]. [硕士论文], 天津大学, 2012.
	Cui Hong-fei. Analysis of permission leakage in ARBAC and improvement[D]. [Master dissertation], Tianjin University, 2012.
[14]	任志宇, 陈性元, 单棣斌. 基于双层角色映射的跨域授权管理模型[J]. 计算机应用, 2013, 33(9): 2511-2515.
	Ren Zhi-yu, Chen Xing-yuan, and Shan Di-bin. Cross-domain authorization management model based on two-tier role mapping[J]. Joumal of Computer Applications, 2013, 33(9): 2511-2515.
[15]	Zhang Zhi-xiong. Scalable role & organization based control and its administration[D]. [Ph.D. dissertation], George Mason University, 2008.