Access control model for government collaboration

doi:10.11772/j.issn.1001-9081.2024010133

Journal of Computer Applications ›› 2025, Vol. 45 ›› Issue (1): 162-169.DOI: 10.11772/j.issn.1001-9081.2024010133

• Cyber security • Previous Articles Next Articles

Access control model for government collaboration

Dayan ZHAO¹^,²^,³, Huajun HE¹^,²^,³, Yuping LI²^,³, Junbo ZHANG¹^,²^,³(), Tianrui LI¹, Yu ZHENG¹^,²^,³

^1.School of Computing and Artificial Intelligence，Southwest Jiaotong University，Chengdu Sichuan 611756，China
^2.JD Intelligent Cities Research，Beijing 100176，China
^3.JD iCity （Beijing） Digital Technology Company Limited，Beijing 100176，China

Received:2024-02-05 Revised:2024-03-21 Accepted:2024-03-21 Online:2024-05-09 Published:2025-01-10
Contact: Junbo ZHANG
About author:ZHAO Dayan， born in 1999， M. S. candidate. Her research interests include urban computing， access control.
HE Huajun， born in 1996， Ph. D. candidate. His research interests include urban computing， spatio-temporal data management， distributed database.
LI Yuping， born in 1997， M. S. His research interests include machine learning， spatio-temporal data mining.
LI Tianrui， born in 1969， Ph. D.， professor. His research interests include big data intelligence， urban computing， granular computing and rough set.
ZHENG Yu， born in 1979， Ph. D.， professor. His research interests include urban computing， intelligent cities， big data analytics， spatio-temporal data mining.
Supported by:
National Natural Science Foundation of China(72242106)

面向政务协同的访问控制模型

赵大燕¹^,²^,³, 何华均¹^,²^,³, 李宇平²^,³, 张钧波¹^,²^,³(), 李天瑞¹, 郑宇¹^,²^,³

^1.西南交通大学计算机与人工智能学院，成都 611756
^2.北京京东智能城市大数据研究院，北京 100176
^3.京东城市（北京）数字科技有限公司，北京 100176

通讯作者: 张钧波
作者简介:赵大燕（1999—），女，江苏淮安人，硕士研究生，CCF学生会员，主要研究方向：城市计算、访问控制；
何华均（1996—），男，四川遂宁人，博士研究生，CCF学生会员，主要研究方向：城市计算、时空数据管理、分布式数据库；
李宇平（1997—），男，湖南岳阳人，硕士，主要研究方向：机器学习、时空数据挖掘；
李天瑞（1969—），男，福建莆田人，教授，博士，主要研究方向：大数据智能、城市计算、粒计算与粗糙集；
郑宇（1979—），男，湖南衡阳人，教授，博士，主要研究方向：城市计算、智能城市、大数据分析、时空数据挖掘。
基金资助:
国家自然科学基金资助项目(72242106)

Abstract

Abstract:

To address characteristics of government collaborative scenarios， such as diverse and complex requirements， difficulty in managing personnel turnover， high data privacy level， and large data size， a Government-Based Access Control （GBAC） model for government collaboration was proposed. Access control in government collaborative scenarios must meet requirement for multiple departments performing different operations to the same resource. The existing access control technologies face issues of inadequate granularity and high maintenance costs， lacking secure， flexible， and precise access control model. Therefore， combining operating mechanisms of government departments， firstly， government organizational structure and administrative division structure were integrated into the access control model， and a belonging relationship tree of government staff， organizations， resources， and administrative divisions was constructed. Secondly， combined with attributes of organizations and positions which the government staff belongs to， a joint subject was constructed to achieve automatic granting and revoking permission. Thirdly， based on organizing functions and administrative division levels， a subject-object attribute matching strategy was designed to break data barriers and improve authentication efficiency. Finally， by introducing idea of permission hierarchy， data levels and functional levels were set for resources to control the access threshold of the subject， which enhanced model flexibility and further ensured data security. Experimental results show that compared with benchmark models such as Role-Based Access Control （RBAC） and Attribute-Based Access Control （ABAC）， GBAC model reduces memory consumption and access latency significantly. It can be seen that the proposed model implements access management in government collaborative scenarios securely， effectively and flexibly.

Key words: access control, access policy, government collaboration, data sharing, Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC)

摘要：

针对政务协同场景需求复杂多样、人员流动管理困难、数据隐私度高和数据量大的特点，提出面向政务协同办公的访问控制（GBAC）模型。政务协同场景中的访问控制需要实现多部门对同一资源进行不同操作的需求，而现有的主流访问控制技术面临访问控制粒度不够精细和管理维护成本过高的问题，缺乏安全、灵活、精准的访问控制模型。因此，结合政务部门的运行机制，首先，将政府组织结构和行政区划结构融入访问控制模型，并构建政务人员、组织、资源和行政区划的归属关系树；其次，结合政务工作人员所属组织和岗位等属性，构建联合主体，以实现自动化的权限授予和解除；然后，根据组织职能和行政区划等级设计主客体属性匹配策略，从而打通数据壁垒，并提高鉴权效率；最后，引入权限分级思想，为资源设置数据级别和功能级别，以控制主体的访问阈值，从而提高模型灵活性，并进一步保障数据安全。实验结果表明，与基准模型如基于角色的访问控制（RBAC）和基于属性的访问控制（ABAC）相比，GBAC模型的内存消耗大幅减小，访问时延更低。可见，所提模型能安全、高效、灵活地实现政务协同场景下的权限管理。

关键词: 访问控制, 访问策略, 政务协同, 数据共享, 基于角色的访问控制, 基于属性的访问控制

CLC Number:

TP309.2

Dayan ZHAO, Huajun HE, Yuping LI, Junbo ZHANG, Tianrui LI, Yu ZHENG. Access control model for government collaboration[J]. Journal of Computer Applications, 2025, 45(1): 162-169.

赵大燕, 何华均, 李宇平, 张钧波, 李天瑞, 郑宇. 面向政务协同的访问控制模型[J]. 《计算机应用》唯一官方网站, 2025, 45(1): 162-169.

Figures/Tables 12

Fig. 1 Architecture of RBAC

Fig. 2 Structure of GBAC model

Fig. 3 Organizational form of joint subject

Fig. 4 Mapping between objects and regional resources

Tab. 1 Samples of functional levels

名称	功能级别数值	名称	功能级别数值
查看	1	修改	4
写入	2	删除	8

Fig. 5 Strategic pathway between subjects and objects

Tab. 2 Experimental environment configuration

名称	详细配置
硬件	Intel Core i7-8550U @ 1.80 GHz CPU； 16 GB 内存
操作系统	Windows 10
编程语言	Java
实验开发软件	IntelliJ IDEA Community 2023.3.8
数据库	MySQL 8.4.3

Tab. 3 Strategic rule overview

岗位	数据级别	操作
$t 1$	级别1	读
$t 2$	级别2	读
$t 3$	级别3	读
$t 4$	级别4	读、写
$t 5$	级别4	读、写、改
$t 6$	级别4	读、写、改、删

Tab. 3 Strategic rule overview

岗位	数据级别	操作
$t 1$	级别1	读
$t 2$	级别2	读
$t 3$	级别3	读
$t 4$	级别4	读、写
$t 5$	级别4	读、写、改
$t 6$	级别4	读、写、改、删

Tab. 4 Memory overhead comparison

场景	GBAC数	RBAC数	ABAC数
场景一	2	20 302	850
场景二	1	2 001	50
场景三	6	2 006	50~300

Tab. 5 Number comparison of operations among different models

人员变动数	RBAC	ABAC
50	50~100	50
100	100~200	100
200	200~400	200

Tab. 6 Data of personnel accessing resources

公职人员	所属区域	所属部门职能标签	岗位
$u 1$	Y区	卫健委 $l 1$	$t 2$
$u 2$	Y区	卫健委 $l 1$	$t 7$
$u 3$	Y区	教育局 $l 2$	$t 4$
$u 4$	Y区	卫健委 $l 1$	$t 2$

Tab. 6 Data of personnel accessing resources

公职人员	所属区域	所属部门职能标签	岗位
$u 1$	Y区	卫健委 $l 1$	$t 2$
$u 2$	Y区	卫健委 $l 1$	$t 7$
$u 3$	Y区	教育局 $l 2$	$t 4$
$u 4$	Y区	卫健委 $l 1$	$t 2$

Fig. 6 Comparison of access delay

References 20

1	郑宇.城市知识体系［J］.武汉大学学报（信息科学版）， 2023， 48（1）： 1-16.
	ZHENG Y. The knowledge system for intelligent cities ［J］. Geomatics and Information Science of Wuhan University， 2023， 48（1）： 1-16.
2	王龙，王娜，李辉，等.内部横向视角下政府数据跨部门协同治理的过程分析［J］.电子政务， 2023（5）： 76-87.
	WANG L， WANG N， LI H， et al. Process analysis of cross-sectoral collaborative governance of government data from an internal horizontal perspective ［J］. E-Government， 2023（5）： 76-87.
3	FERRAIOLO D， SANDHU R， GAVRILA S， et al. Proposed NIST standard for role-based access control ［J］. ACM Transactions on Information and System Security， 2001， 4（3）： 224-274.
4	HU V C， FERRAIOLO D， KUHN R， et al. Guide to Attribute Based Access Control （ABAC） definition and considerations ［R/OL］. ［2024-07-30］. .
5	马海英，李金舟，杨及坤.基于区块链可撤销属性的去中心化属性基加密方案［J］.计算机应用， 2023， 43（9）： 2789-2797.
	MA H Y， LI J Z， YANG J K. Blockchain-based decentralized attribute-based encryption scheme for revocable attributes ［J］. Journal of Computer Applications， 2023， 43（9）： 2789-2797.
6	林莉，毛新雅，储振兴，等.混合云环境下面向数据生命周期的自适应访问控制［J］.软件学报， 2024， 35（3）： 1357-1376.
	LIN L， MAO X Y， CHU Z X， et al. Adaptive access control oriented to data life cycle in hybrid cloud environment ［J］. Journal of Software， 2024， 35（3）： 1357-1376.
7	SANDHU R， BHAMIDIPATI V， MUNAWER Q. The ARBAC97 model for role-based administration of roles ［J］. ACM Transactions on Information and System Security， 1999， 2（1）： 105-135.
8	郁宁，王高才.基于可信期望的跨域访问安全性研究［J］.计算机应用研究， 2020， 37（11）： 3406-3410.
	YU N， WANG G C. Study on cross-domain access security based on trusted expectations ［J］. Application Research of Computers， 2020， 37（11）： 3406-3410.
9	陈美宏，袁凌云，夏桐.基于主从多链的数据分类分级访问控制模型［J］.计算机应用， 2024， 44（4）： 1148-1157.
	CHEN M H， YUAN L Y， XIA T. Data classification and graded access control model based on master-slave multi-chain ［J］. Journal of Computer Applications， 2024， 44（4）： 1148-1157.
10	钟奇.一种基于区域的权限控制模型研究及应用［D］.北京：北京邮电大学， 2018： 18-24.
	ZHONG Q. Research and implementation of an access control model based on region ［D］. Beijing： Beijing University of Posts and Telecommunications， 2018： 18-24.
11	BARKHA P， SAHANI G. Analysis of various RBAC and ABAC based access control models with their extension ［J］. International Journal of Engineering Development and Research， 2017， 5（2）： 487-492.
12	葛丽娜，胡雨谷，张桂芬，等.云计算环境基于客体属性匹配的逆向混合访问控制方案［J］.计算机应用， 2021， 41（6）： 1604-1610.
	GE L N， HU Y G， ZHANG G F， et al. Reverse hybrid access control scheme based on object attribute matching in cloud computing environment ［J］. Journal of Computer Applications， 2021， 41（6）： 1604-1610.
13	刘炜，盛朝阳，佘维，等.基于智能合约的分类分级属性访问控制方法［J］.计算机应用研究， 2022， 39（5）： 1313-1318.
	LIU W， SHENG Z Y， SHE W， et al. Classified and hierarchical attribute access control method based on smart contract ［J］. Application Research of Computers， 2022， 39（5）： 1313-1318.
14	FERRAIOLO D， CHANDRAMOULI R， HU V， et al. A comparison of Attribute Based Access Control （ABAC） standards for data service applications ［R/OL］. ［2024-07-30］. .
15	GOYAL V， OMKANT P， SAHAI A， et al. Attribute-based encryption for fine-grained access control of encrypted data ［C］// Proceedings of the 13th ACM Conference on Computer and Communications Security. New York： ACM， 2006： 89-98.
16	OSTROVSKY R， SAHAI A， WATERS B. Attribute-based encryption with non-monotonic access structures ［C］// Proceedings of the 14th ACM Conference on Computer and Communications Security. New York： ACM， 2007： 195-203.
17	BETHENCOURT J， SAHAI A， WATERS B. Ciphertext-policy attribute-based encryption ［C］// Proceedings of the 2007 IEEE Symposium on Security and Privacy. Piscataway： IEEE， 2007： 321-334.
18	熊厚仁，陈性元，张斌，等.基于双层角色和组织的可扩展访问控制模型［J］.电子与信息学报， 2015， 37（7）： 1612-1619.
	XIONG H R， CHEN X Y， ZHANG B， et al. Scalable access control model based on double-tier role and organization ［J］. Journal of Electronics and Information Technology， 2015， 37（7）： 1612-1619.
19	刘芹，李鹏举，余纯武.云计算中属性基数据与权限混合访问控制方案［J］.计算机工程与应用， 2024， 60（13）： 276-286.
	LIU Q， LI P J， YU C W. Attribute-based data and privilege hybrid access control scheme in cloud computing ［J］. Computer Engineering and Applications， 2024， 60（13）： 276-286.
20	苏秋月，陈兴蜀，罗永刚.大数据环境下多源异构数据的访问控制模型［J］.网络与信息安全学报， 2019， 5（1）： 78-86.
	SU Q Y， CHEN X S， LUO Y G. Access control model for multi-source heterogeneous data in big data environment ［J］. Chinese Journal of Network and Information Security， 2019， 5（1）： 78-86.

[1]	Meihong CHEN, Lingyun YUAN, Tong XIA. Data classified and graded access control model based on master-slave multi-chain [J]. Journal of Computer Applications, 2024, 44(4): 1148-1157.
[2]	Xin LI, Liyong BAO, Hongwei DING, Zheng GUAN. MAC layer scheduling strategy of roadside units based on MEC server priority service [J]. Journal of Computer Applications, 2024, 44(4): 1227-1235.
[3]	Sunjie YU, Hui ZENG, Shiyu XIONG, Hongzhou SHI. Incentive mechanism for federated learning based on generative adversarial network [J]. Journal of Computer Applications, 2024, 44(2): 344-352.
[4]	Huan ZHANG, Jingyu WANG, Lixin LIU, Xiaoyu JIANG. Multi-organization collaborative data sharing scheme with dual authorization [J]. Journal of Computer Applications, 2024, 44(10): 3307-3314.
[5]	Haiying MA, Jinzhou LI, Jikun YANG. Blockchain-based decentralized attribute-based encryption scheme for revocable attributes [J]. Journal of Computer Applications, 2023, 43(9): 2789-2797.
[6]	Meng CAO, Sunjie YU, Hui ZENG, Hongzhou SHI. Hierarchical access control and sharing system of medical data based on blockchain [J]. Journal of Computer Applications, 2023, 43(5): 1518-1526.
[7]	Jie ZHANG, Shanshan XU, Lingyun YUAN. Internet of things access control model based on blockchain and edge computing [J]. Journal of Computer Applications, 2022, 42(7): 2104-2111.
[8]	Yang LI, Long XU, Yanqiang LI, Shaopeng LI. Smart contract-based access control architecture and verification for internet of things [J]. Journal of Computer Applications, 2022, 42(6): 1922-1931.
[9]	Chao LIN, Debiao HE, Xinyi HUANG. Blockchain‑based electronic medical record secure sharing [J]. Journal of Computer Applications, 2022, 42(11): 3465-3472.
[10]	Li LI, Yi WU, Zhikun YANG, Yunpeng CHEN. Medical electronic record sharing scheme based on sharding-based blockchain [J]. Journal of Computer Applications, 2022, 42(1): 183-190.
[11]	GE Jihong, SHEN Tao. Energy data access control method based on blockchain [J]. Journal of Computer Applications, 2021, 41(9): 2615-2622.
[12]	DU Xinyu, WANG Huaqun. Dynamic group based effective identity authentication and key agreement scheme in LTE-A networks [J]. Journal of Computer Applications, 2021, 41(6): 1715-1722.
[13]	GE Lina, HU Yugu, ZHANG Guifen, CHEN Yuanyuan. Reverse hybrid access control scheme based on object attribute matching in cloud computing environment [J]. Journal of Computer Applications, 2021, 41(6): 1604-1610.
[14]	ZHANG Lihua, WANG Xinyi, HU Fangzhou, HUANG Yang, BAI Jiayi. Data sharing model of smart grid based on double consortium blockchains [J]. Journal of Computer Applications, 2021, 41(4): 963-969.
[15]	BAO Yulong, ZHU Xueyang, ZHANG Wenhui, SUN Pengfei, ZHAO Yingqi. Formal verification of smart contract for access control in IoT applications [J]. Journal of Computer Applications, 2021, 41(4): 930-938.

Access control model for government collaboration

面向政务协同的访问控制模型

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 12

References 20

Related Articles 15

Recommended Articles

Metrics