基于工作流任务状态的访问控制模型及其应用研究
|
摘要
工作流(Workflow)技术通过运用计算机自动执行组织机构中的部分或全部业务流程,从而显著提高业务流程处理的性能和效率。在商业、保险、银行、行政管理等领域中,通过互联网得到越来越广泛的应用。与此同时,对系统的安全性的要求也变得越来越重要。
针对基于传统的访问控制模型中,自主访问控制(DAC)模型资源管理分散,强制访问控制(MAC)模型不能实现完整性访问控制;而基于角色的访问控制(RBAC)模型不能实现授权动态分配,以及基于任务的访问控制(TBAC)模型中授权管理过于复杂等缺点,提出了一种基于任务状态的访问控制模型(TSBAC)。
基于任务状态的权限分配模型中引入了角色,同时以任务状态为基础,用二维矩阵描述了角色与任务、任务与状态、状态与权限之间的关系,并将各种关系转换成对应的关系数据库表,然后利用关系数据库中表的连接运算,计算了在任意给定时刻角色、任务和权限之间的关系,从而更简单,清晰的反应出了角色、任务、权限之间的关系。这种模型实现了对角色权限的动态分配,提高了数据访问安全性。
Web下基于任务状态的访问控制技术结合了Web服务等技术的优点和基于任务状态访问控制技术的安全特性,所以在Web应用上有很好的应用前景。
Rhombus跨国销售管理信息系统中的安全控制系统采用的是一个基于任务状态的访问控制的系统。根据客户的需求,设计合理的访问控制系统结构,并慎重的考虑访问控制系统和业务系统之间的关系。合理的选择访问控制的粒度是该项目成功的关键。
Workflow is a technology to use the computer to process whole or part of application automatically in organization system and lead to significant increases in processing performance and efficiency. Using internet technology it has been applied in business, assurance, bank and administration management. At the same time, more and more attentions are paid to system security.
In the traditional access control models, Discretionary Access Control (DAC) is too dispersive in resource management, Mandatory Access Control (MAC) is short of integrality control; Role-based Access Control (RBAC) can't authorize privilege dynamically, and in Task-based Access Control (TBAC) the authorization is too complex, therefore, a Task Status-based Access (TSBAC) model is presented.
In TSBAC, the role is used and based on the status of the task, the relationship between the roles and tasks, the tasks and status, and the status and privilege are all depicted with the two-dimensional matrix, then use the tables of database to depict these relationships and using joint operation to calculate the relationship of the role, task and privilege, it’s more easily and clearly to depict the relationship of the role, task and privilege. This model can dynamically distribute the privilege and improve the security of the data access.
Task Status-based Access Control in web environment combines the merit of web system and the security of Task Status-based Access Control. So it has wide future in web application.
The Security system of the Rhombus sale management information system is a Task Status-based Access Control system. Base the requirement of the client to design a rational framework of the access control system. And the relationship between access control system and business application system should also be thought over. To select the suitable access control granularity is the key to design the security system.
针对基于传统的访问控制模型中,自主访问控制(DAC)模型资源管理分散,强制访问控制(MAC)模型不能实现完整性访问控制;而基于角色的访问控制(RBAC)模型不能实现授权动态分配,以及基于任务的访问控制(TBAC)模型中授权管理过于复杂等缺点,提出了一种基于任务状态的访问控制模型(TSBAC)。
基于任务状态的权限分配模型中引入了角色,同时以任务状态为基础,用二维矩阵描述了角色与任务、任务与状态、状态与权限之间的关系,并将各种关系转换成对应的关系数据库表,然后利用关系数据库中表的连接运算,计算了在任意给定时刻角色、任务和权限之间的关系,从而更简单,清晰的反应出了角色、任务、权限之间的关系。这种模型实现了对角色权限的动态分配,提高了数据访问安全性。
Web下基于任务状态的访问控制技术结合了Web服务等技术的优点和基于任务状态访问控制技术的安全特性,所以在Web应用上有很好的应用前景。
Rhombus跨国销售管理信息系统中的安全控制系统采用的是一个基于任务状态的访问控制的系统。根据客户的需求,设计合理的访问控制系统结构,并慎重的考虑访问控制系统和业务系统之间的关系。合理的选择访问控制的粒度是该项目成功的关键。
Workflow is a technology to use the computer to process whole or part of application automatically in organization system and lead to significant increases in processing performance and efficiency. Using internet technology it has been applied in business, assurance, bank and administration management. At the same time, more and more attentions are paid to system security.
In the traditional access control models, Discretionary Access Control (DAC) is too dispersive in resource management, Mandatory Access Control (MAC) is short of integrality control; Role-based Access Control (RBAC) can't authorize privilege dynamically, and in Task-based Access Control (TBAC) the authorization is too complex, therefore, a Task Status-based Access (TSBAC) model is presented.
In TSBAC, the role is used and based on the status of the task, the relationship between the roles and tasks, the tasks and status, and the status and privilege are all depicted with the two-dimensional matrix, then use the tables of database to depict these relationships and using joint operation to calculate the relationship of the role, task and privilege, it’s more easily and clearly to depict the relationship of the role, task and privilege. This model can dynamically distribute the privilege and improve the security of the data access.
Task Status-based Access Control in web environment combines the merit of web system and the security of Task Status-based Access Control. So it has wide future in web application.
The Security system of the Rhombus sale management information system is a Task Status-based Access Control system. Base the requirement of the client to design a rational framework of the access control system. And the relationship between access control system and business application system should also be thought over. To select the suitable access control granularity is the key to design the security system.
引文
[1] 何克清, 何非, 李兵等. 面向服务的本体元建模理论与方法研究. 计算机学报, 2005, 28(4): 524~533
[2] 吕曦, 王化文. Web Service 的架构与协议. 计算机应用, 2002, 22(12): 61~64
[3] 吴文明, 翟裕忠, 董逸生. Web 服务及相关技术. 计算机应用与软件, 2004, 21(3): 14~15
[4] Robert Powell, Richard Weeks. C#和. NET 架构. 袁鹏飞译. 北京: 人民邮电出版社, 2002. 530~610
[5] 柴晓路, 梁宇奇. Web Services 技术, 架构和应用. 北京: 电子工业出版社, 2003. 630~663
[6] R. Drach. Serving Scientific Data over the Web. IEEE on Computing in Science & Engineering, 2000, 2(6): 14~18
[7] Sheila A, Tran C. Honglei Z. Semantic web services. IEEE Intelligent Systems, 2001, 16(2): 46~53
[8] 张尧庭, 方开泰. 多元统计分析引论. 第一版. 北京: 科学出版社, 1982. 440~444
[9] 刘大欣, 陈蔚芳. 基于 Petri 网工作流的动态访问控制. 微机发展, 2004, 14(2): 100~103
[10] Sandhu R, Conyne EJ, Lfeinstein H, et al. Role-based access control models. IEEE Computer, 1996, 29(2): 34~47
[11] 谭支鹏. 基于角色的工作流模型及其应用. 小型微型计算机系统, 2003, 24(6): 1064~1066
[12] 陈凤珍, 洪帆. 基于任务的访问控制(TBAC) 模型. 小型微型计算机系统, 2003, 24(3): 621~624
[13] 邓集波, 洪帆. 基于任务的访问控制模型. 软件学报, 2003, 14(01): 76~81
[14] 洪帆, 赵晓斐. 基于任务的访问控制模型及其实现. 华中科技大学学报(自然科学版), 2002, 30(1): 17~19
[15] 刘道斌, 白硕. 基于工作流状态的动态访问控制. 计算机研究与发展, 2003, 40(3): 417~421
[16] Gladney H M, Meyers J J, Worley E L. Access control mechanism for computing resources. IBM Systems Journal, 1975, 14(3): 212~228
[17] Snyder L. Formal models of capability-based protection systems. IEEE Trans. oncomputers, 1981, 30(3): 172~181
[18] Han Lansheng, Hong Fan, Asiedu B K. Least Privileges and Role's Inheritance of RBAC. Wuhan University Journal of Natural Sciences, 2006, 11(1): 185~187
[19] Ferraiolo D F, Sandhu R, Guirila S, et al. Proposed NIST standard for Role-based access control. ACM Transactions on Information and System Security, 2001, 4(3) : 224~274
[20] Sejong Oh, Seog Park. Task-role-based access control model. Information systems, 2002, 28(3): 533~562
[21] Synder. Formal Models of Capability-based protection system. IEEE Transactions on Computer, 1981, 30(3): 172~181
[22] 洪帆, 陈凤珍. 基于任务的访问控制系统. 计算机与现代化, 2001, 4: 39-72
[23] Ferraiolo D F, Barkley J F, Kuhn D R. A Role-based access control model and reference implementation within a Corporate Intranet. ACM Transactions on information Systems Security, 1999, 2(1): 34~64
[24] 许峰, 赖海光, 黄皓等. 面向服务的角色访问控制技术研究. 计算机学报, 2005, 28(4): 686~693
[25] Vinoski S. Web Services, Interaction Models, Part 1: Current Practice Toward Integration. IEEE Internet Computing, 2002, 6 (3): 89~91
[26] Vogels W. Web Services Are Not Distributed Objects. IEEE Internet Computing, 2003, 7(6): 59~66
[27] Natanya Pitts. XML 轻松进阶. 第一版. 许菊芳, 王雪松译. 北京: 电子工业出版社, 2000. 1~20
[28] Egyedi1 T M, Loeffen A G A J. Succession in standardization: grafting XML onto SGML. Computer Standards & Interfaces, 2002, 24(4): 279~290
[29] 陈思敏. XML 文档对象模型的应用与研究. 苏州大学学报(自然科学版), 2001, 17(2): 48~53
[30] 李勇军, 冀汶莉, 马光思. 用 DOM 解析 XML 文档. 计算机应用, 2001, 21(8): 103~105
[31] 李京, 庄成三, 徐彧等. 利用 XML DOM 创建强大的 XML 应用. 计算机应用研究, 2002, 19(2): 62~64
[32] 刘宏. 基于 DOM 读取 XML 文件方法研究. 辽宁师范大学学报(自然科学版), 2003, 26(4): 375~377
[33] 陈奇. XSLT, XPath 和 DOM 的应用研究. 计算机工程, 2003, 29(3): 14~16
[34] 冯锡炜, 贾传荧, 金昆. 基于 Web Services 服务集成的设计与实现. 微计算机技术, 2006, 26(3): 258~260
[35] 林杰, 张丽峰, 薛行. 基于 UDDI 的分布模型管理. 计算机集成制造系统, 2004, 10(3): 276~280
[36] 赵娟, 郝克刚, 葛玮. 语义 Web 在 Web 服务中的应用. 计算机技术与发展, 2006, 16(2): 7~13
[37] 熊善清, 张颖江. 基于角色的访问控制模型分析及实现研究. 武汉理工大学学报, 2006, 28(2): 29~31
[38] Prabhkar S, Pankantis, Jan A, et al. Security and privacy concerns. IEEE Security and Privacy, 2003, 1(2): 33~42
[39] Denning D E. Alattice model of secure information flow. Communications of the ACM, 1976, 19(5): 236~243
[40] 赵 亮, 茅兵, 谢立. 访问控制研究综述. 计算机工程, 2004, 30(2): 1~2
[41] Jajodia S, Samarati P, Sapino M L, et al. Flexible support for multiple access control. ACM Transactions on database system, 2001, 26(2): 214~260
[42] Ferraio D, Sandhu R. Proposed NIST Standard for Role-based Access Control. ACM transactions on information and system security, 2001, 4(3): 224~274
[43] Chang J M, Dae H P, Song J P, et al. Symmetric RBAC model that takes the separation of duty and role hierarchies into consideration. Computer and Security, 2004, 23(1): 126~136
[44] Sandhu R., Edward C, Hal F, et al. Role-based access control. IEEE Computer, 1996, 29(2): 38~47
[45] 黄婴. 基于角色的认证访问控制方案. 安徽电子信息职业技术学院学报, 2004, 3(15): 88~89
[46] 王必友. 管理信息系统中基于角色的访问控制与应用. 南京师范大学学报(工程技术版), 2003, 3(4): 41~44
[47] 刘宏月, 范九伦, 马建峰. 访问控制技术的研究进展. 小型微型计算机系统, 2004, 25(1): 56~59
[48] 汪厚祥, 李卉. 基于角色的访问控制研究. 计算机应用研究, 2005, 4: 125~127
[49] Joshi J, Aref W, Ghafoor A, et al. Security model for web-based applications. Communications of the ACM, 2001, 44(1): 38~44
[50] 乔颖, 须德, 戴国忠. 一种基于角色访问控制的新模型及其实现机制. 计算机研究与发展, 2000, 37(1): 37~44
[51] Botha R A. Access control in document centric workflow systems: an agent-based approach. Computers and Security, 2001, 20(6): 525~532
[52] Wang H J, Cheng H K, Zhao J L, et al. Web services enabled E-market access control model. International Journal of Web Services Research, 2004, 1(1): 21~40
[53] 胡和平, 汪传武. 一种基于角色访问控制的新模型. 计算机工程与科学, 2002, 24(4): 1~3
[54] 陈丽侠, 陈刚, 董金祥. 基于任务的工作流访问控制模型和实现框架. 计算机应用研究, 2003. 42~44
[55] 刘建勋, 张申生, 步丰林. 基于角色访问控制在工作流管理系统中的应用研究. 小型微型计算机系统, 2003, 24(6): 1067~1070
[56] Atluri V, Huang W K. A petri net-based safety analysis of workflow authorization models. Journal of computer security, 2000, 8(2): 83~94
[2] 吕曦, 王化文. Web Service 的架构与协议. 计算机应用, 2002, 22(12): 61~64
[3] 吴文明, 翟裕忠, 董逸生. Web 服务及相关技术. 计算机应用与软件, 2004, 21(3): 14~15
[4] Robert Powell, Richard Weeks. C#和. NET 架构. 袁鹏飞译. 北京: 人民邮电出版社, 2002. 530~610
[5] 柴晓路, 梁宇奇. Web Services 技术, 架构和应用. 北京: 电子工业出版社, 2003. 630~663
[6] R. Drach. Serving Scientific Data over the Web. IEEE on Computing in Science & Engineering, 2000, 2(6): 14~18
[7] Sheila A, Tran C. Honglei Z. Semantic web services. IEEE Intelligent Systems, 2001, 16(2): 46~53
[8] 张尧庭, 方开泰. 多元统计分析引论. 第一版. 北京: 科学出版社, 1982. 440~444
[9] 刘大欣, 陈蔚芳. 基于 Petri 网工作流的动态访问控制. 微机发展, 2004, 14(2): 100~103
[10] Sandhu R, Conyne EJ, Lfeinstein H, et al. Role-based access control models. IEEE Computer, 1996, 29(2): 34~47
[11] 谭支鹏. 基于角色的工作流模型及其应用. 小型微型计算机系统, 2003, 24(6): 1064~1066
[12] 陈凤珍, 洪帆. 基于任务的访问控制(TBAC) 模型. 小型微型计算机系统, 2003, 24(3): 621~624
[13] 邓集波, 洪帆. 基于任务的访问控制模型. 软件学报, 2003, 14(01): 76~81
[14] 洪帆, 赵晓斐. 基于任务的访问控制模型及其实现. 华中科技大学学报(自然科学版), 2002, 30(1): 17~19
[15] 刘道斌, 白硕. 基于工作流状态的动态访问控制. 计算机研究与发展, 2003, 40(3): 417~421
[16] Gladney H M, Meyers J J, Worley E L. Access control mechanism for computing resources. IBM Systems Journal, 1975, 14(3): 212~228
[17] Snyder L. Formal models of capability-based protection systems. IEEE Trans. oncomputers, 1981, 30(3): 172~181
[18] Han Lansheng, Hong Fan, Asiedu B K. Least Privileges and Role's Inheritance of RBAC. Wuhan University Journal of Natural Sciences, 2006, 11(1): 185~187
[19] Ferraiolo D F, Sandhu R, Guirila S, et al. Proposed NIST standard for Role-based access control. ACM Transactions on Information and System Security, 2001, 4(3) : 224~274
[20] Sejong Oh, Seog Park. Task-role-based access control model. Information systems, 2002, 28(3): 533~562
[21] Synder. Formal Models of Capability-based protection system. IEEE Transactions on Computer, 1981, 30(3): 172~181
[22] 洪帆, 陈凤珍. 基于任务的访问控制系统. 计算机与现代化, 2001, 4: 39-72
[23] Ferraiolo D F, Barkley J F, Kuhn D R. A Role-based access control model and reference implementation within a Corporate Intranet. ACM Transactions on information Systems Security, 1999, 2(1): 34~64
[24] 许峰, 赖海光, 黄皓等. 面向服务的角色访问控制技术研究. 计算机学报, 2005, 28(4): 686~693
[25] Vinoski S. Web Services, Interaction Models, Part 1: Current Practice Toward Integration. IEEE Internet Computing, 2002, 6 (3): 89~91
[26] Vogels W. Web Services Are Not Distributed Objects. IEEE Internet Computing, 2003, 7(6): 59~66
[27] Natanya Pitts. XML 轻松进阶. 第一版. 许菊芳, 王雪松译. 北京: 电子工业出版社, 2000. 1~20
[28] Egyedi1 T M, Loeffen A G A J. Succession in standardization: grafting XML onto SGML. Computer Standards & Interfaces, 2002, 24(4): 279~290
[29] 陈思敏. XML 文档对象模型的应用与研究. 苏州大学学报(自然科学版), 2001, 17(2): 48~53
[30] 李勇军, 冀汶莉, 马光思. 用 DOM 解析 XML 文档. 计算机应用, 2001, 21(8): 103~105
[31] 李京, 庄成三, 徐彧等. 利用 XML DOM 创建强大的 XML 应用. 计算机应用研究, 2002, 19(2): 62~64
[32] 刘宏. 基于 DOM 读取 XML 文件方法研究. 辽宁师范大学学报(自然科学版), 2003, 26(4): 375~377
[33] 陈奇. XSLT, XPath 和 DOM 的应用研究. 计算机工程, 2003, 29(3): 14~16
[34] 冯锡炜, 贾传荧, 金昆. 基于 Web Services 服务集成的设计与实现. 微计算机技术, 2006, 26(3): 258~260
[35] 林杰, 张丽峰, 薛行. 基于 UDDI 的分布模型管理. 计算机集成制造系统, 2004, 10(3): 276~280
[36] 赵娟, 郝克刚, 葛玮. 语义 Web 在 Web 服务中的应用. 计算机技术与发展, 2006, 16(2): 7~13
[37] 熊善清, 张颖江. 基于角色的访问控制模型分析及实现研究. 武汉理工大学学报, 2006, 28(2): 29~31
[38] Prabhkar S, Pankantis, Jan A, et al. Security and privacy concerns. IEEE Security and Privacy, 2003, 1(2): 33~42
[39] Denning D E. Alattice model of secure information flow. Communications of the ACM, 1976, 19(5): 236~243
[40] 赵 亮, 茅兵, 谢立. 访问控制研究综述. 计算机工程, 2004, 30(2): 1~2
[41] Jajodia S, Samarati P, Sapino M L, et al. Flexible support for multiple access control. ACM Transactions on database system, 2001, 26(2): 214~260
[42] Ferraio D, Sandhu R. Proposed NIST Standard for Role-based Access Control. ACM transactions on information and system security, 2001, 4(3): 224~274
[43] Chang J M, Dae H P, Song J P, et al. Symmetric RBAC model that takes the separation of duty and role hierarchies into consideration. Computer and Security, 2004, 23(1): 126~136
[44] Sandhu R., Edward C, Hal F, et al. Role-based access control. IEEE Computer, 1996, 29(2): 38~47
[45] 黄婴. 基于角色的认证访问控制方案. 安徽电子信息职业技术学院学报, 2004, 3(15): 88~89
[46] 王必友. 管理信息系统中基于角色的访问控制与应用. 南京师范大学学报(工程技术版), 2003, 3(4): 41~44
[47] 刘宏月, 范九伦, 马建峰. 访问控制技术的研究进展. 小型微型计算机系统, 2004, 25(1): 56~59
[48] 汪厚祥, 李卉. 基于角色的访问控制研究. 计算机应用研究, 2005, 4: 125~127
[49] Joshi J, Aref W, Ghafoor A, et al. Security model for web-based applications. Communications of the ACM, 2001, 44(1): 38~44
[50] 乔颖, 须德, 戴国忠. 一种基于角色访问控制的新模型及其实现机制. 计算机研究与发展, 2000, 37(1): 37~44
[51] Botha R A. Access control in document centric workflow systems: an agent-based approach. Computers and Security, 2001, 20(6): 525~532
[52] Wang H J, Cheng H K, Zhao J L, et al. Web services enabled E-market access control model. International Journal of Web Services Research, 2004, 1(1): 21~40
[53] 胡和平, 汪传武. 一种基于角色访问控制的新模型. 计算机工程与科学, 2002, 24(4): 1~3
[54] 陈丽侠, 陈刚, 董金祥. 基于任务的工作流访问控制模型和实现框架. 计算机应用研究, 2003. 42~44
[55] 刘建勋, 张申生, 步丰林. 基于角色访问控制在工作流管理系统中的应用研究. 小型微型计算机系统, 2003, 24(6): 1067~1070
[56] Atluri V, Huang W K. A petri net-based safety analysis of workflow authorization models. Journal of computer security, 2000, 8(2): 83~94