Extended role-based access control model
-
摘要: 提出了一种扩展的基于角色的访问控制RBAC(Role Based Access Control)模型——RTBAC (Role & Task Based Access Control)模型.该模型在RBAC96模型之上引入了任务和任务实例的概念,形式化地定义了任务和任务实例的层次结构,界定了传统会话同任务实例之间的关系以及任务实例同权限之间的关系,并且提供了几种辅助函数.该模型可以更为自然地描述业务流程和访问控制策略,更适合分布式协作应用,特别是工作流和组合服务.基于该模型定义了一种新的动态职责分离约束——基于任务的动态职责分离约束,并且同传统动态职责分离约束进行了比较.该约束可以更准确地刻画访问控制相关的系统运行时上下文的范围,从而提高运行时访问控制的效率.Abstract: An extended RBAC(role based access control) model, RTBAC (role & task based access control) model was presented. The model introduced the notions of task and task instance into RBAC96 model, formally defined the hierarchies of tasks and task instances, specified the relationships between traditional sessions and task instances as well as the relationships between task instances and permissions. Several assistant functions were defined. The model could be used to depict daily business procedures and related access control policies more naturally, so was more suitable for distributed collaborative applications, especially for workflows and service compositions. Based on this model, a new dynamic separation of duty constraint, namely task-based dynamic separation of duty constraint,was formally defined and compared with traditional dynamic separation of duty constraints using a typical example. The new constraint can specify access control related system runtime context more accurately. It can increase the efficiency of access control at runtime.
-
[1] Simon R T, Zurko M E. Separation of duty in role-based environments. In:Proceedings of Computer Security Foundations Workshop X. Washington:IEEE Computer Society, 1997.183~194 [2] Gligor V D, Gavrila S I, Ferraiolo D F. On the formal definition of separation-of-duty policies and their composition. In:Proceedings of 1998 Symposium on Research in Security and Privacy. Washington:IEEE Computer Society, 1998.172~185 [3] Crampton J. Specifying and enforcing constraints in role-based access control. In:Proceedings of ACM Symposium on Access Control Models and Technologies. New York:ACM Press, 2003.43~50 [4] Ahn G J, Sandhu R. Role-based authorization constraints specification. ACM Transactions on Information and System Security, 2000,3(4):207~226 [5] Sandhu R, Conyne E J, Lfeinstein H, et al. Role based access control models[J] IEEE Computer, 1996,29(2):38~47 [6] Ferraiolo D F, Sandhu R, Gavrila S, et al. Proposed NIST standard for role-based access control[J] ACM Transactions on Information and System Security, 2001,4(3):224~274 [7] Thomas R K, Sandhu R. Task-based authorization controls (TBAC):models for active and enterprise-oriented authorization management. In:Proceedings of the IFIP TC11 WG11.3 Eleventh International Conference on Database Securty XI:Status and Prospects. London:Chapman&Hall, 1998.262~275 [8] Thomas R K, Sandhu R. Task-based authorization:a research project in next-generation active security models for workflows. http://lsdis.cs.uga.edu/ activities/NSF-workflow/roshan.html, 1996-4-16/2003-6-20 [9] Thomas R K. Team-based access control (TMAC):a primitive for applying role-based access controls in collaborative environments. In:Proceedings of the Second ACM workshop on Role-based Access Control. New York:ACM Press, 1997.13~19
点击查看大图
计量
- 文章访问数: 3327
- HTML全文浏览量: 132
- PDF下载量: 740
- 被引次数: 0