基于角色的动态转授权模型的研究及应用
|
摘要
转授权是访问控制模型中十分重要的组成部分,已成为分布式计算环境下重要的访问控制管理机制,也是近年来访问控制授权研究的一个重点和热点课题。在分布式计算、大规模系统和协同计算系统中,用户之间的转授权对实现高效、灵活的访问控制具有特别重要的意义。
本文的主要内容包括:
(1)提出了一个新的模型:基于角色的动态转授权模型。
在对国内外具有代表性的角色转授权模型进行分析和比较之后,总结出目前模型中仍存在一些急需解决的问题。针对这些问题特别提出了基于角色的动态转授权模型。论文在对该模型进行形式化描述之后,详细阐述了在转授权、权限执行整个动态过程中,如何借助Agent实现带时间限制的部分角色转授权、重复角色转授权、双边协议以及在兼顾动态职责分离约束的同时,如何解决由权限共享引起的角色互斥问题。
(2)对区县级政府部门中行政人员的职能进行分析和归纳。
通过对区县级行政部门的组织结构以及行政审批流程进行分析之后,结合基于角色的动态转授权模型的思想,从新的角度对区县级政府部门中岗位、角色、权限之间的对应关系进行了分析和归纳,并指出在行政审批过程中实施转授权的必要性。
(3)采用多种方式对在区县级行政审批系统中实现转授权的具体细节进行阐述。
用XML对用户与Agent交互的信息格式进行了定义,借助伪代码、程序流程图将转授权实施、权限执行整个过程中的具体细节进行了描述。
Delegation is an indispensable part of access control model. It has become a crucial access control management mechanism in secure distributed computing environment as well as a hot topic in the field of access control authorization. In distributed system, large-scale system, cooperative computation system, delegation among different users plays an important role in realizing flexible and efficient access control.
The main content of this paper includes:
(1) Bring forward a new delegation model: Role-based Dynamic Delegation Model (RBDDM).
Firstly, the author analyzed and compared domestic and overseas role-based delegation models. Then summarized there were some problems need to be solved urgently yet. In order to solve such problems RBDDM was proposed. The paper described the model with mathematical expressions. Then it expatiated how to realize part-role delegation, repeated role delegation, bilateral protocol as well as how to solve the problems about dynamic restriction of separating responsibilities, permission sharing based on Agent technology in the whole delegation process.
(2) Analyzing and summarizing functions of official workers in local government.
After analyzing the structure of local government's administrative department and the process of administrative permit affairs the author gave a new reflection relationship among positions, roles and permissions combined with RBDDM. Then pointed out how important to carry out delegation in the procedure of administrative permit affairs.
(3) Expatiating the delegation process in local administrative permit management system by multiple ways.
The paper used XML to define the communication information format between users and Agent. Meanwhile it also used pseudocode and programme flow chart to describe the whole process of delegation.
本文的主要内容包括:
(1)提出了一个新的模型:基于角色的动态转授权模型。
在对国内外具有代表性的角色转授权模型进行分析和比较之后,总结出目前模型中仍存在一些急需解决的问题。针对这些问题特别提出了基于角色的动态转授权模型。论文在对该模型进行形式化描述之后,详细阐述了在转授权、权限执行整个动态过程中,如何借助Agent实现带时间限制的部分角色转授权、重复角色转授权、双边协议以及在兼顾动态职责分离约束的同时,如何解决由权限共享引起的角色互斥问题。
(2)对区县级政府部门中行政人员的职能进行分析和归纳。
通过对区县级行政部门的组织结构以及行政审批流程进行分析之后,结合基于角色的动态转授权模型的思想,从新的角度对区县级政府部门中岗位、角色、权限之间的对应关系进行了分析和归纳,并指出在行政审批过程中实施转授权的必要性。
(3)采用多种方式对在区县级行政审批系统中实现转授权的具体细节进行阐述。
用XML对用户与Agent交互的信息格式进行了定义,借助伪代码、程序流程图将转授权实施、权限执行整个过程中的具体细节进行了描述。
Delegation is an indispensable part of access control model. It has become a crucial access control management mechanism in secure distributed computing environment as well as a hot topic in the field of access control authorization. In distributed system, large-scale system, cooperative computation system, delegation among different users plays an important role in realizing flexible and efficient access control.
The main content of this paper includes:
(1) Bring forward a new delegation model: Role-based Dynamic Delegation Model (RBDDM).
Firstly, the author analyzed and compared domestic and overseas role-based delegation models. Then summarized there were some problems need to be solved urgently yet. In order to solve such problems RBDDM was proposed. The paper described the model with mathematical expressions. Then it expatiated how to realize part-role delegation, repeated role delegation, bilateral protocol as well as how to solve the problems about dynamic restriction of separating responsibilities, permission sharing based on Agent technology in the whole delegation process.
(2) Analyzing and summarizing functions of official workers in local government.
After analyzing the structure of local government's administrative department and the process of administrative permit affairs the author gave a new reflection relationship among positions, roles and permissions combined with RBDDM. Then pointed out how important to carry out delegation in the procedure of administrative permit affairs.
(3) Expatiating the delegation process in local administrative permit management system by multiple ways.
The paper used XML to define the communication information format between users and Agent. Meanwhile it also used pseudocode and programme flow chart to describe the whole process of delegation.
引文
[1] 赵庆松,张晓平.安全操作系统和安全模型,网络安全技术与应用.2003:18-21。
[2] 赵庆松,孙玉芳,孙波.基于系统先决条件的授权模型研究.计算机研究与发展.2003,40(3):406-412.
[3] Zhang L H, Ahn G J, Chu B T .A Rule-Based Framework for Role-Based Delegation and Revocation. ACM Transaction Information and System Security. 2003,6(3):404-441.
[4] Barka E, Sandhu R. Framework for Role-Based Delegation Models. In:Proceedings of the sixteenth Annual Computer Security Applications Conference. New Orleans:IEEE Computer Society Press, 2000:168-176.
[5] Barka E, Sandhu R.A Role-Based Delegation Model and Some Extensions. In:Proceedings of the twenty-third National information Systems Security Conference. Baltimore:IEEE Computer Society Press, 2000:101-114.
[6] Barka E, Sandhu R. Role-Based Delegation Model/Hierachial Roles. In:Proceedings of the twentieth Annual Computer Security Applications Conference. Tucson:IEEE Computer Society Press, 2004:396-404.
[7] Na S Y, Cheon S H. Role Delegation in Role-Based Access Control. In:Proceedings of th fifth ACM workshop on Role-based access control. New York:ACM Press, 2000:39-44.
[8] Zhang X Z, Oh S, Sandhu R. PBDM:A Flexible Delegation Model in RBAC. In: Proceedings of the eighth ACM symposium on Access control models and technologies. New York: ACM Press, 2003:149-157.
[9] Park D G, Lee Y R.A Flexible Role-Based Delegation Model Using Characteristics of Permissions. In:Database and Expert Systems Applications. Berlin:Springer-Verlag Berlin Heidelberg, 2005:310-323.
[10] Wainer J, Kumar A.A Fine-grained, Controllable, User-to-user Delegation Method in RBAC. In:Proceedings of the tenth ACM symposium control models and technologies. New York:ACM Press, 2005:59-66.
[11] Wang He, Osborn S L. Delegation in the Role Graph Model. In:Proceedings of the eleventh ACM symposium Access control models and technologies. New York:ACM Press, 2006:91-100.
[12] 王小明,赵宗涛,冯德民.一种动态角色委托代理授权模型.计算机科学.2002,29(2):66-68.
[13] 赵庆松,孙玉芳,孙波.RPRDM:基于重复和部分角色的转授权模型.计算机研究与发展.2003,40(2):221-227。
[14] 孙波,赵庆松,孙玉芳.TRDM-具有时限的基于角色的转授权模型.计算机研究与发展.2004,41(7):1104-1109.
[15] 李黎,王小明,张黎明.ARDM-基于代理的角色代理模型.计算机应用研究.2005,22(11):106-109.
[16] 李黎,王小明,张黎明.角色—角色的授权代理模型.微电子学与计算机.2005,22(28):76-84.
[17] 李黎,王小明,张黎明.一种具有自我管理能力的授权代理模型.计算机工程.2005,31(23):132-140.
[18] 徐震,李斓,冯登国.基于角色的受限委托模型.软件学报.2005,16(5):970-978.
[19] 张志勇,普杰信.一种扩展的委托授权模型及其面向对象的建模.计算机应用与软件.2005,22(9):30-32.
[20] 翟征德.基于量化角色的可控委托模型.计算机学报.2006,29(8):1401-1407.
[21] 张少敏,王保义,周利华.一种具有时间约束的基于角色的授权管理模型.武汉大学学报.2006,52(5):578-581.
[22] 张黎明.基于角色的权限代理模型及其实现:硕士学位论文.陕西:陕西师范大学,2005.
[23] Sandhu R.Lattice-Based Access Control Models.IEEE Computer.1993,26(11):9-19.
[24] 邓集波,洪帆.基于任务的访问控制模型.软件学报.2003,14(1):76-82.
[25] 李成锴,詹永照,茅兵等.基于角色的CSCW系统的访问控制模型.软件学报.2000,11(7):931-937.
[26] 任侠,谭庆平.基于任务和角色的分布式控制流授权模型.计算机工程.2006,32(5):80-82.
[27] 梅苏文,高县明,刘文林等.基于角色权限管理模型的设计与实现.现代计算机.2002,151(11):1-10.
[28] Sandhu R, Coyne e, Feinstein H et al. Role-Based Access Control Models. IEEE Computer. 1996,29(2):38-47.
[29] Sandhu R, Bhamidipati V, Munawer Q. The ARBAC97 Model for Role-Based Administration of Roles. ACM Transactions on Information and System Security. 1992, 2(1):105-135.
[30] Fernandez E B, Hawkins J C. Determining Role Rights from Use Cases. In:Proceedings of the second ACM workshop on Role-based access control. New York:ACM Press, 1997:121-125.
[31] Goh C, Baldwin A. Towards a more Complete Model of Role. In:Proceedings of the third ACM workshop on Role-based access control. New York:ACM Press, 1998:55-62.
[32] Moffett J D. Control Principles and Role Hierarchies. In:Proceedings of the third ACM workshop on Role-based Access Control. New York:ACM Press, 1998:63-69.
[33] Moffett J D, Lupu E C. The Uses of Role Hierarchies in Access Control. In:Proceedings of the fourth ACM workshop on Role-based access control. New York:ACM Press, 1999:153-160.
[34] Oh S, Sandhu R.A Model for Role Administration Using Organization Structure.In: Proceedings of the seventh ACM symposium on Access control models and technologies. NewYork:ACM Press, 2002:155-162.
[35] Bertino E, Bonatti P, Ferrari E. TRBAC: A Temporal Role-Based Access Control Model. ACM Transactions on Information and System Security. 2001,4(3):191-223.
[36] Freudenthal E, Pesin T, Port Let al. DRBAC:Distributed Role-Based Access Control for Dynamic Coalition Environments. TR2001-819,2001.
[37] 钟华,冯玉琳,姜洪安.扩充角色层次关系模型及应用。软件学报.2000,11(6):779-784.
[38] Cohen E, Thomas R K, Winsborough W et al. Models for Coalition based Access Control. In:Proceedings of the seventh ACM symposium on Access control models and technologies. New York:ACM Press, 2002:97-106.
[39] Ferraiolo D, Cugini J, Kuhn R. Role-Based Access Control:Features and Motivations. In: Proceedings of the eleventh Annual Computer Security Applications Conference. New Orleans:IEEE Computer Society Press, 1995:241-248.
[40] Park J S, Sandhu R. Role-Based Access Control on the web. ACM Transactions on Information and System Security. 2001,4(1):37-71.
[41] Ferraiolo D, Barkley J F, Kuhn R.A Role-Based Access Control Model and Reference Implementation Within a Corporate Intranet. ACM Transactions on Information and System Security. 1999,2(1):34-64.
[42] Bertino E, Ferrari E, Atluri V. The Specification and Enforcement of Authorization Constraints in Workflow Management Systems. ACM Transactions on Information and System Security. 1999,2(1):65-104.
[43] Longstaff J J, Lockyer M A, Capper G et al.A Model of Accountability, Confidentiality and Override for Healthcare and other Applications. In:Proceedings of the fifth ACM workshop on role-based access control. New York:ACM press, 2000:71-76.
[44] 李黎.基于角色的权限代理审计模型及其设计:硕士学位论文.陕西:陕西师范大学,2005.
[45] 刘克龙,冯登国等.安全操作系统原理与技术.北京:科学出版社.2004.
[46] 王小明.时态角色委托代理授权图模型及其分析研究:博士学位论文.陕西:西北大学,2004.
[47] (美)毕晓普.计算机安全学——安全的艺术与科学.北京:电子工业出版社.2005。
[48] Jennings N R, Sycara K, Wooldrige M.A Roadmap of Agent Research and Development. Autonomous Agents and Multi-Agent Systems. 1998,1(1): 7-38.
[49] 于淼,王延章.公文流转过程中活动的分解和管理研究.计算机机工程.2003,29(22):18-20。
[50] 中国电子政务应用示范工程总体组.中国电子政务应用示范工程总体建设方案.2002.
[51] 中华人民共和国行政许可法.
[52] 姚莉.智能协作信息技术。北京:电了工业出版社.2002.
[53] 赵灿,王万森.利用J2EE平台实现Agent.计算机系统应用.2005,(11):15-18.
[54] 沈兆阳.Java与XMI.数据库整合应用.北京:清华大学出版社.2002.
[2] 赵庆松,孙玉芳,孙波.基于系统先决条件的授权模型研究.计算机研究与发展.2003,40(3):406-412.
[3] Zhang L H, Ahn G J, Chu B T .A Rule-Based Framework for Role-Based Delegation and Revocation. ACM Transaction Information and System Security. 2003,6(3):404-441.
[4] Barka E, Sandhu R. Framework for Role-Based Delegation Models. In:Proceedings of the sixteenth Annual Computer Security Applications Conference. New Orleans:IEEE Computer Society Press, 2000:168-176.
[5] Barka E, Sandhu R.A Role-Based Delegation Model and Some Extensions. In:Proceedings of the twenty-third National information Systems Security Conference. Baltimore:IEEE Computer Society Press, 2000:101-114.
[6] Barka E, Sandhu R. Role-Based Delegation Model/Hierachial Roles. In:Proceedings of the twentieth Annual Computer Security Applications Conference. Tucson:IEEE Computer Society Press, 2004:396-404.
[7] Na S Y, Cheon S H. Role Delegation in Role-Based Access Control. In:Proceedings of th fifth ACM workshop on Role-based access control. New York:ACM Press, 2000:39-44.
[8] Zhang X Z, Oh S, Sandhu R. PBDM:A Flexible Delegation Model in RBAC. In: Proceedings of the eighth ACM symposium on Access control models and technologies. New York: ACM Press, 2003:149-157.
[9] Park D G, Lee Y R.A Flexible Role-Based Delegation Model Using Characteristics of Permissions. In:Database and Expert Systems Applications. Berlin:Springer-Verlag Berlin Heidelberg, 2005:310-323.
[10] Wainer J, Kumar A.A Fine-grained, Controllable, User-to-user Delegation Method in RBAC. In:Proceedings of the tenth ACM symposium control models and technologies. New York:ACM Press, 2005:59-66.
[11] Wang He, Osborn S L. Delegation in the Role Graph Model. In:Proceedings of the eleventh ACM symposium Access control models and technologies. New York:ACM Press, 2006:91-100.
[12] 王小明,赵宗涛,冯德民.一种动态角色委托代理授权模型.计算机科学.2002,29(2):66-68.
[13] 赵庆松,孙玉芳,孙波.RPRDM:基于重复和部分角色的转授权模型.计算机研究与发展.2003,40(2):221-227。
[14] 孙波,赵庆松,孙玉芳.TRDM-具有时限的基于角色的转授权模型.计算机研究与发展.2004,41(7):1104-1109.
[15] 李黎,王小明,张黎明.ARDM-基于代理的角色代理模型.计算机应用研究.2005,22(11):106-109.
[16] 李黎,王小明,张黎明.角色—角色的授权代理模型.微电子学与计算机.2005,22(28):76-84.
[17] 李黎,王小明,张黎明.一种具有自我管理能力的授权代理模型.计算机工程.2005,31(23):132-140.
[18] 徐震,李斓,冯登国.基于角色的受限委托模型.软件学报.2005,16(5):970-978.
[19] 张志勇,普杰信.一种扩展的委托授权模型及其面向对象的建模.计算机应用与软件.2005,22(9):30-32.
[20] 翟征德.基于量化角色的可控委托模型.计算机学报.2006,29(8):1401-1407.
[21] 张少敏,王保义,周利华.一种具有时间约束的基于角色的授权管理模型.武汉大学学报.2006,52(5):578-581.
[22] 张黎明.基于角色的权限代理模型及其实现:硕士学位论文.陕西:陕西师范大学,2005.
[23] Sandhu R.Lattice-Based Access Control Models.IEEE Computer.1993,26(11):9-19.
[24] 邓集波,洪帆.基于任务的访问控制模型.软件学报.2003,14(1):76-82.
[25] 李成锴,詹永照,茅兵等.基于角色的CSCW系统的访问控制模型.软件学报.2000,11(7):931-937.
[26] 任侠,谭庆平.基于任务和角色的分布式控制流授权模型.计算机工程.2006,32(5):80-82.
[27] 梅苏文,高县明,刘文林等.基于角色权限管理模型的设计与实现.现代计算机.2002,151(11):1-10.
[28] Sandhu R, Coyne e, Feinstein H et al. Role-Based Access Control Models. IEEE Computer. 1996,29(2):38-47.
[29] Sandhu R, Bhamidipati V, Munawer Q. The ARBAC97 Model for Role-Based Administration of Roles. ACM Transactions on Information and System Security. 1992, 2(1):105-135.
[30] Fernandez E B, Hawkins J C. Determining Role Rights from Use Cases. In:Proceedings of the second ACM workshop on Role-based access control. New York:ACM Press, 1997:121-125.
[31] Goh C, Baldwin A. Towards a more Complete Model of Role. In:Proceedings of the third ACM workshop on Role-based access control. New York:ACM Press, 1998:55-62.
[32] Moffett J D. Control Principles and Role Hierarchies. In:Proceedings of the third ACM workshop on Role-based Access Control. New York:ACM Press, 1998:63-69.
[33] Moffett J D, Lupu E C. The Uses of Role Hierarchies in Access Control. In:Proceedings of the fourth ACM workshop on Role-based access control. New York:ACM Press, 1999:153-160.
[34] Oh S, Sandhu R.A Model for Role Administration Using Organization Structure.In: Proceedings of the seventh ACM symposium on Access control models and technologies. NewYork:ACM Press, 2002:155-162.
[35] Bertino E, Bonatti P, Ferrari E. TRBAC: A Temporal Role-Based Access Control Model. ACM Transactions on Information and System Security. 2001,4(3):191-223.
[36] Freudenthal E, Pesin T, Port Let al. DRBAC:Distributed Role-Based Access Control for Dynamic Coalition Environments. TR2001-819,2001.
[37] 钟华,冯玉琳,姜洪安.扩充角色层次关系模型及应用。软件学报.2000,11(6):779-784.
[38] Cohen E, Thomas R K, Winsborough W et al. Models for Coalition based Access Control. In:Proceedings of the seventh ACM symposium on Access control models and technologies. New York:ACM Press, 2002:97-106.
[39] Ferraiolo D, Cugini J, Kuhn R. Role-Based Access Control:Features and Motivations. In: Proceedings of the eleventh Annual Computer Security Applications Conference. New Orleans:IEEE Computer Society Press, 1995:241-248.
[40] Park J S, Sandhu R. Role-Based Access Control on the web. ACM Transactions on Information and System Security. 2001,4(1):37-71.
[41] Ferraiolo D, Barkley J F, Kuhn R.A Role-Based Access Control Model and Reference Implementation Within a Corporate Intranet. ACM Transactions on Information and System Security. 1999,2(1):34-64.
[42] Bertino E, Ferrari E, Atluri V. The Specification and Enforcement of Authorization Constraints in Workflow Management Systems. ACM Transactions on Information and System Security. 1999,2(1):65-104.
[43] Longstaff J J, Lockyer M A, Capper G et al.A Model of Accountability, Confidentiality and Override for Healthcare and other Applications. In:Proceedings of the fifth ACM workshop on role-based access control. New York:ACM press, 2000:71-76.
[44] 李黎.基于角色的权限代理审计模型及其设计:硕士学位论文.陕西:陕西师范大学,2005.
[45] 刘克龙,冯登国等.安全操作系统原理与技术.北京:科学出版社.2004.
[46] 王小明.时态角色委托代理授权图模型及其分析研究:博士学位论文.陕西:西北大学,2004.
[47] (美)毕晓普.计算机安全学——安全的艺术与科学.北京:电子工业出版社.2005。
[48] Jennings N R, Sycara K, Wooldrige M.A Roadmap of Agent Research and Development. Autonomous Agents and Multi-Agent Systems. 1998,1(1): 7-38.
[49] 于淼,王延章.公文流转过程中活动的分解和管理研究.计算机机工程.2003,29(22):18-20。
[50] 中国电子政务应用示范工程总体组.中国电子政务应用示范工程总体建设方案.2002.
[51] 中华人民共和国行政许可法.
[52] 姚莉.智能协作信息技术。北京:电了工业出版社.2002.
[53] 赵灿,王万森.利用J2EE平台实现Agent.计算机系统应用.2005,(11):15-18.
[54] 沈兆阳.Java与XMI.数据库整合应用.北京:清华大学出版社.2002.