To address the complex access control requirements of a certain military information system, this work builds on existing access control models by introducing the concepts of domain role, role time-limit control, role conditional inheritance, role level and role group into role management. In task management, based on the system's access control policy, task classification, task fraction (splitting), task time-limit control and task templates are studied, and the task-role-based access control model is improved accordingly. Both "task" and "role" are placed at the centre of the access control policy, embodying the combination of active and passive access control and the coexistence of static and dynamic authorization; a task-role-based access control model suited to the military information system is constructed, and its formal definition together with its static and dynamic model designs are given.
Abstract
For the complexity of the access control mechanism of a military information system, the concepts of domain role, role time-limit control, role conditional inheritance, role level and role group were introduced into role management based on the available access control model. Task classification, task fraction, task time-based control and task template in task management were studied according to the access control tactics, thus improving the task-role-based access control model. "Task" and "role" are placed at the centre of the access control tactics to embody the access control thought involving the combination of active and passive access control and the coexistence of static and dynamic authorization. Then a task-role-based access control model (M-TRBAC) was built to meet the demand of the military information system. The formalized definition and the static and dynamic model design of M-TRBAC were given.
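The combination the abstract describes, static authorization through domain-scoped, time-limited roles with conditional inheritance, plus dynamic authorization that only holds while a time-limited task instance is active, as an added Python illustration. This is not the paper's M-TRBAC formalization; the role, task, permission and context names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Optional

@dataclass
class Role:
    name: str
    domain: str                    # domain role: only usable inside this area
    valid_from: datetime           # role time-limit: outside the window the role is dormant
    valid_until: datetime
    perms: frozenset
    parent: Optional[str] = None   # conditional inheritance: parent's perms only if inherit_if holds
    inherit_if: Callable[[dict], bool] = lambda ctx: True

@dataclass
class Task:
    name: str
    domain: str
    needed: str                    # permission the task requires
    start: datetime                # task time-limit: instance is live only within [start, deadline]
    deadline: datetime
    active: bool = False           # dynamic authorization: set when the workflow activates the task

ROLES = {}

def effective_perms(role_name, now, ctx, roles=ROLES):
    """Permissions a role grants at time `now`: its own plus, if the condition holds, its parent's."""
    role = roles[role_name]
    if not (role.valid_from <= now <= role.valid_until):
        return frozenset()
    perms = set(role.perms)
    if role.parent and role.inherit_if(ctx):
        perms |= effective_perms(role.parent, now, ctx, roles)
    return frozenset(perms)

def authorize(user_roles, task, now, ctx, roles=ROLES):
    """Dynamic check: the task instance is active and inside its window.
    Static check: an assigned role in the task's domain grants the needed permission."""
    if not task.active or not (task.start <= now <= task.deadline):
        return False
    return any(roles[r].domain == task.domain and task.needed in effective_perms(r, now, ctx, roles)
               for r in user_roles)

# Constructed sample data: a clerk role, a planner role inheriting from it only with clearance,
# one active task instance and one not yet activated.
ROLES["clerk"] = Role("clerk", "hq", datetime(2024, 1, 1), datetime(2024, 12, 31), frozenset({"read_plan"}))
ROLES["planner"] = Role("planner", "hq", datetime(2024, 1, 1), datetime(2024, 6, 30), frozenset({"edit_plan"}),
                        parent="clerk", inherit_if=lambda ctx: ctx.get("clearance") == "secret")
TASK = Task("revise_plan", "hq", "edit_plan", datetime(2024, 3, 1), datetime(2024, 3, 10), active=True)
DRAFT_TASK = Task("revise_plan", "hq", "edit_plan", datetime(2024, 3, 1), datetime(2024, 3, 10))
NOW, LATE, OFF_SEASON = datetime(2024, 3, 5), datetime(2024, 3, 15), datetime(2024, 8, 1)
```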
Keywords
computer application /
access-control model /
task management /
domain role /
task fraction
Funding
National "863" Program project (2007AA701311)