基于组织的四层访问控制模型跨域访问过程中虚拟岗位构建方法

doi:10.11772/j.issn.1001-9081.2014.08.2345

摘要
图/表
参考文献(0)
相关文章 (15)

全文: PDF (746 KB) HTML (1 KB)
输出: BibTeX | EndNote (RIS)

摘要

对于基于组织的四层访问控制(OB4LAC)模型在跨域访问控制过程中如何依据外域用户的申请权限集构建本域内虚拟岗位的问题，提出基于如下三阶段的处理流程，包括申请权限集与角色集的匹配搜索阶段、角色集职责分离(SoD)约束和激活约束判断阶段以及虚拟岗位的生成和撤销阶段。针对申请权限集与角色集的匹配搜索阶段，分别给出了面向完全匹配、可用性优先匹配和最小特权优先匹配的搜索算法；针对角色集SoD约束和激活约束判断阶段，则通过定义SoD约束矩阵(SODM)、非连通继承关系矩阵(AIM)和基数约束矩阵(CCM)以及对应的约束判断流程予以解决；针对虚拟岗位的生成和撤销阶段，给出了完成这一过程所需的管理函数。通过上述具体处理流程和实现算法，很好地解决了OB4LAC模型跨域访问过程中虚拟岗位的构建问题。

	服务

	把本文推荐给朋友
	加入我的书架
	加入引用管理器
	E-mail Alert
	RSS
	作者相关文章
	彭友
	宋艳
	鞠航
	王延章

Abstract：

For the problems of Organization Based 4 Levels Access Control (OB4LAC) model on how to build the virtual positions based on the requested permission sets from users in other domain, this paper proposed a detailed process based on the following three stages, which are the searching stage of the role sets based on the required permission, the determining stage of Separation of Duty (SoD) and activating constraints, the creation and revoke stage of virtual position. Aiming to the searching stage of the role sets based on the required permission, the authors gave three searching algorithms that match three different cases respectively, which are complete matching, available matching and least privilege matching; for the determining stage of SoD and activating constraints, the authors defines three kinds of matrixes which are Separate of Duty Matrix (SODM), Cardinality Constraint Matrix (CCM) and Anti-connection Inherit Matrix (AIM), then based on those matrixes and corresponding process to solve these problems of constraints; aiming to the creation and revoke stage of virtual position, this paper gave the management functions required for completing the process. Through these specific processes and realization algorithms, the authors resolved the problems of building the virtual positions in multi-domain environment for OB4LAC model.

收稿日期: 2014-02-19 出版日期: 2014-08-10

基金资助:

国家自然科学基金资助重点项目;中国博士后面上资助项目

通讯作者: 彭友 E-mail: penggoto2008@sina.com

作者简介: 彭友（1981-），男，黑龙江哈尔滨人，博士，主要研究方向：电子政务、复杂信息系统整合、信息安全；宋艳（1974-），女，黑龙江哈尔滨人，教授，博士生导师，主要研究方向：应急管理、复杂信息系统；鞠航（1981-），女，黑龙江哈尔滨人，副教授，主要研究方向：应急管理、项目管理；王延章（1952-），男，辽宁大连人，教授，博士生导师，博士，主要研究方向：复杂信息系统整合、决策支持、电子政务。

引用本文:

彭友宋艳鞠航王延章. 基于组织的四层访问控制模型跨域访问过程中虚拟岗位构建方法[J]. 计算机应用, 2014, 34(8): 2345-2349. PENG You SONG Yan JU Hang WANG Yanzhang. Construction method of virtual position in process of cross-domain access control based on organization based 4 levels access control model. Journal of Computer Applications, 2014, 34(8): 2345-2349.

链接本文:

http://www.joca.cn/CN/10.11772/j.issn.1001-9081.2014.08.2345 或 http://www.joca.cn/CN/Y2014/V34/I8/2345

［1］	PENG Y. Research of the organization-based access control method and model for e-government ［D］. Dalian: Dalian University of Technology, 2012.(彭友.电子政务中基于组织的访问控制方法及模型研究［D］.大连:大连理工大学,2012.)
［2］	LI H. Research of organization based access control model for electronic government system ［D］. Dalian: Dalian University of Technology, 2009.(李怀明.电子政务系统中基于组织的访问控制模型研究［D］.大连:大连理工大学,2009.)
［3］	DING F. Research on model of government organization authoriza-tion system based on OB4LAC ［D］. Dalian: Dalian University of Technology, 2009.(丁锋.基于OB4LAC的政府组织授权系统模型研究［D］.大连:大连理工大学,2009.)
［4］	SHAFIQ B, JOSHI J B D, BERTINO E, et al. Secure interoperation in a multi-domain environment employing RBAC policies ［J］. IEEE Transactions on Knowledge and Data Engineering, 2005, 17(11):1557-1577.
［5］	ZHONG L. Research on role-based inter-domain access control model ［D］. Hangzhou: Zhejiang Normal University, 2011.(钟丽丽.基于角色的跨域访问控制模型研究［D］.杭州：浙江师范大学,2011.)
［6］	LIU M, WANG X, HUANG H, et al. A detection model based on Petri nets of SMER constrains violation in dynamic role translation ［J］. Journal of Computer Research and Development, 2012, 49(9):1991-1998.(刘猛,王轩,黄荷娇,等.基于Petri网的IRBAC 2000域间动态转换SMER约束违反检测［J］.计算机研究与发展,2012,49(9):1991-1998.)
［7］	LIAO J, HONG F, ZHU X, et al. Separation of duty in dynamic role translations between administrative domains ［J］. Journal ofComputer Research and Development, 2006, 43(6):1065-1070.(廖俊国,洪帆,朱贤,等.多域间动态角色转换的职责分离［J］.计算机研究与发展,2006,43(6):1065-1070.)
［8］	LIU S, HUANG H. Role-based access control for distributed cooperation environment ［C］// Proceedings of 2009 International Conference on Computational Intelligence and Security. Washington, DC: IEEE Computer Society, 2009: 455-459.
［9］	MA M, WOODHEAD S. Constraint enabled distributed RBAC for subscription-based remote network services ［C］// Proceedings of the Sixth IEEE International Conference on Computer and Information Technology. Washington, DC: IEEE Computer Society, 2006: 1-6.
［10］	PENG Y, JU H, SONG Y, et al. OB4LAC: an organization-based access control model for e-government system ［J］. Applied Mathematics and Information Science, 2014, 8(3): 1467-1474.
［11］	LI F, SU M, SHI G, et al. Research status and development trends of access control model ［J］. Acta Electronica Sinica, 2012, 40(4): 805-813.(李凤华,苏釯,史国振,等.访问控制模型研究进展及发展趋势［J］.电子学报,2012,40(4):805-813.)
［12］	RUSSELLO G, DULAY N. xDUCON: coordinating usage control policies in distributed domains ［C］// Proceedings of the Third International Conference on Network and System Security. Washington, DC: IEEE Computer Society, 2009: 246-253.
［13］	ZHANG G, GONG W, TIAN J. The research of cross-domain usage control model in Web services ［C］// Proceedings of the Second International Conference on e-Business and Information System Security. Piscataway: IEEE Press, 2010: 1-5.
［14］	DAI X, CHEN X, WANG Y, et al. An improved state transition-based security policy conflict detection algorithm ［C］// Proceedings of the 2010 International Conference on Computational and Information Sciences. Chengdu: [s.n.], 2010: 609-612.
［15］	WANG X, FU H, ZHANG L. Research progress on attribute-based access control ［J］. Acta Electronica Sinica, 2010, 38(7): 1660-1667.(王小明,付红,张立臣.基于属性的访问控制研究进展［J］.电子学报,2010,38(7):1660-1667.)