To address the weaknesses of existing Role-Based Access Control (RBAC) research, namely poor adaptability caused by a single method of establishing roles, redundancy of roles or privileges, and little attention to resource management, a Scalable Access Control model Based on Double-Tier Role and Organization (SDTR-OBAC) is proposed. Through a double role partition, a double-tier role architecture of function roles and task roles is presented, solving the problem that a traditional role cannot cover the requirements of the organizational level and the application level at the same time. The concept of organization is introduced and integrated with the double-tier role to form an organization-role pair that is assigned to users, instead of the role alone as in RBAC, making the model suitable for cross-domain access as well as for a single domain. By extending privileges into an operation and resource-type pair, the model and its constraints, including separation of duty and cardinality constraints, are defined formally. The discussion of expressive power and complexity indicates that SDTR-OBAC retains all the advantages of RBAC and can effectively reduce administration complexity with better scalability and universality.
Xiong Hou-ren, Chen Xing-yuan, Zhang Bin, Du Xue-hui. Scalable Access Control Model Based on Double-tier Role and Organization[J]. Journal of Electronics & Information Technology (JEIT), 2015, 37(7): 1612-1619.
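As an added illustration, not code from the paper, the following Python sketch models the abstract's building blocks: task roles carrying (operation, resource type) privileges, function roles scoped by organization, organization-role pairs assigned to users, and separation-of-duty and cardinality checks at assignment time. It assumes (the abstract does not specify this) that each function role maps to a set of task roles and that a pair is effective only inside the organization it was granted in; all role, organization and user names are constructed.

```python
from collections import defaultdict

# Assumed structure (the abstract does not spell it out): a function role is held per
# organization and maps to task roles, which hold (operation, resource type) privileges.
class SDTROBAC:
    def __init__(self):
        self.task_privs = defaultdict(set)   # task role -> {(operation, resource_type)}
        self.func_tasks = defaultdict(set)   # (org, function role) -> {task role}
        self.user_pairs = defaultdict(set)   # user -> {(org, function role)}
        self.sod = set()                     # mutually exclusive function-role pairs
        self.cardinality = {}                # function role -> max number of holders

    def add_privilege(self, task_role, operation, resource_type):
        self.task_privs[task_role].add((operation, resource_type))

    def map_task(self, org, func_role, task_role):
        self.func_tasks[(org, func_role)].add(task_role)

    def add_sod(self, role_a, role_b):
        self.sod.add(frozenset((role_a, role_b)))

    def assign(self, user, org, func_role):
        """Grant an organization-role pair, rejecting SoD and cardinality violations."""
        held = {r for _, r in self.user_pairs[user]}
        for pair in self.sod:
            if func_role in pair and (pair - {func_role}) & held:
                raise ValueError(f"SoD: {user} may not hold {func_role} with {set(pair & held)}")
        taken = {u for u, prs in self.user_pairs.items() if any(r == func_role for _, r in prs)}
        if user not in taken and len(taken) >= self.cardinality.get(func_role, float("inf")):
            raise ValueError(f"cardinality: {func_role} is already at its holder limit")
        self.user_pairs[user].add((org, func_role))

    def check(self, user, org, operation, resource_type):
        """Authorize: a role is effective only inside the organization it was granted in."""
        return any((operation, resource_type) in self.task_privs[tr]
                   for o, fr in self.user_pairs[user] if o == org
                   for tr in self.func_tasks[(o, fr)])

def build_demo_policy():
    """Constructed sample: a clinic and a pharmacy sharing one prescription workflow."""
    m = SDTROBAC()
    m.add_privilege("prescribe", "write", "prescription")    # task roles (application level)
    m.add_privilege("dispense", "read", "prescription")
    m.map_task("clinic", "doctor", "prescribe")              # function roles (organization level)
    m.map_task("pharmacy", "pharmacist", "dispense")
    m.add_sod("doctor", "pharmacist")                        # prescribing and dispensing conflict
    m.cardinality["doctor"] = 1
    m.assign("alice", "clinic", "doctor")
    return m
```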