Research on Administration and Delegation Models for Role-Based Access Control
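Abstract
Access control is an important part of information security technology and has gone through several stages of development. The current focus and hot topic of access control research is role-based access control (RBAC). By introducing the concept of a role, RBAC logically separates users from permissions. In recent years the RBAC model has gained wide acceptance because it enforces an organization's security policies more effectively, and in 2004 it formally became an ANSI standard.
     A basic goal of the RBAC model is to provide an effective and precise method for managing access control data. The standard RBAC model is policy-neutral. When RBAC is adopted for access control management in a concrete setting, the elements of the model must be extended and some aspects of the model re-described to meet the management needs of the application, and this has been studied extensively. As the model is re-described, however, some of the notable characteristics of the original RBAC model are markedly weakened in the new model, so that the extended model is not generally applicable. Providing a more detailed descriptive extension of the model's elements without affecting RBAC's flexibility and policy neutrality therefore clearly favors the adoption of RBAC in practical access control applications.
     Describing access control with an RBAC policy involves a large amount of basic data: users, roles, permissions, constraints and so on. As access control handling becomes more fine-grained, the granularity at which access control management information is described tends to become smaller and smaller, and the volume of access control information grows rapidly as a result. How to better solve the RBAC management problem is increasingly a new hot topic in access control research.
     Delegation means that an active entity in the system transfers its own authority to other active entities, so that the receiving entity can exercise that authority on behalf of the granting entity. Current research focuses on role-based user-to-user delegation. Delegation makes authorization in access control more flexible, but it also poses new challenges for maintaining the access control policy of an enterprise or organization.
     To address these three problems, this dissertation gives a unified solution that reflects the original design ideas of the RBAC model without changing the model's existing advantages. The main work completed is as follows: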
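     (1) Starting from the view that delegation is an individual act, and setting aside the small number of behaviors in delegation research that are characteristic of enterprise management, the dissertation proposes D-RBAC, an RBAC model that supports user delegation. In essence, the model adds a delegation support module to the RBAC model, providing an extension that supports user-to-user delegation. The model is policy-neutral, simple in design and widely applicable, and it supports all delegation operations in existing research that reflect the individual nature of delegation. The model also supports administrator intervention: while keeping the administrator's workload as small as possible, it gives an effective means for the administrator to regulate the behavior of delegators, so that user delegation is allowed without breaking the access control policy of the enterprise or organization.
     (2) It proposes the administrative domain, a completely new way of dividing the administrative role hierarchy that suits both distributed and centralized administration. The administrative domain preserves the hierarchical character of RBAC, effectively constrains administrators' permissions, and neatly resolves the relationship between the administrator role hierarchy and the system role hierarchy, which are distinct yet connected.
     (3) Built on the administrative domain concept, it proposes D-ARBAC, an RBAC administration model supported by administrative domains. The model avoids problems of existing RBAC administration models such as multi-step authorization, redundant storage of access information, and administrator responsibilities that change easily under distributed administration. D-ARBAC carries out RBAC administration better: it regulates the relationship between administrators and regular users, controls and splits administrators' permissions, and adds security control to RBAC on the system administration side. It is independent of how RBAC is implemented and can administer an RBAC model of any level and its extensions.
     (4) It proposes an RBAC model with attribute-enhanced description, in which the users, roles and permissions at the core of RBAC are described with uniform attributes. Without changing the advantages of the original RBAC model, this eases management and implementation of the model and helps RBAC to be applied in different environments.
     (5) It gives BNF-based definitions of attributes and attribute constraint expressions. Attributes support several simple data types such as numbers, strings, dates and times, as well as data set definitions such as sets and ranges. It also defines the comparability of attributes and how attributes are compared with one another.
     (6) It gives a sample implementation of the above models. Because XML is widely used to express data of all kinds, is open and general, highly standardized and strongly descriptive, the dissertation presents an implementation that uses XML as the access control data description language, and also uses XML as the description language for the extended parts of the delegation model and the administration model.
     (7) It gives a practical application example of the attribute-enhanced RBAC model administered with the D-ARBAC model, with the D-RBAC delegation model used for user delegation. This verifies the feasibility, convenience and necessity of administering RBAC with D-ARBAC and of using the D-RBAC delegation model.
     The research above gives a solution for fully implementing and administering RBAC that is simple to implement, powerful, and secure and reliable, and it is a useful exploration toward building a complete RBAC solution architecture.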
Access control is an important information security technology whose development has passed through many phases. In recent years, much research has focused on role-based access control (RBAC). RBAC introduces the concept of a role to separate users logically from permissions. It has been generally recognized because it implements security policies more effectively, and it became an ANSI standard in 2004.
     One basic aim of the RBAC model is to provide an effective and precise way of managing access control data. The standard RBAC model is policy-independent. When RBAC is adopted for access control administration in a specific setting, however, its elements must be extended and some aspects of the model re-described to meet the administrative demands of the application. Plenty of research has been conducted on this. However, some notable virtues of the standard RBAC model become much less evident in the new models, and as a result the extended models lose their universality. It is therefore essential to describe the RBAC model's elements in finer detail without changing its flexibility and policy independence, which also helps its application to actual access control.
     Access control under an RBAC policy involves large numbers of users, roles, permissions and constraints. As access control administration is refined, the granularity at which access control administrative information is described tends to become smaller, and the volume of access control information grows rapidly as a result. How to better solve the RBAC administrative problems has become a new research hot spot in access control.
     Delegation is an important security policy that RBAC should support. Delegation means that an active entity in a system can delegate its privileges to other active entities, which are then able to exercise these privileges on behalf of the delegating entity. Role-based user-to-user delegation has received the most research attention. Delegation makes authorization in access control more flexible and poses new challenges for the maintenance of access control policies.
     Without changing the existing virtues of the RBAC model, this dissertation provides an overall solution that embodies its original design ideas. The main contributions of this dissertation are as follows.
     (1) Based on the viewpoint that delegation is a personal behavior, the dissertation proposes an improved D-RBAC (Delegation-supported RBAC) model. It adds a delegation support module to the RBAC model and thereby provides an extension that supports user-to-user delegation. It is a policy-independent, simply designed and widely applicable delegation model, and it supports all the personal delegation behaviors found in recent research. Furthermore, it supports administrator intervention: it keeps the administrator's work as small as possible and enables the administrator to regulate delegators' behavior without violating the access control policies of an enterprise or an organization.
     (2) The dissertation proposes the concept of the administrative domain, which applies to both centralized and distributed administration. The administrative domain retains the hierarchical character of RBAC and effectively constrains the administrator's authority. It also resolves the problem that administrator roles and regular roles are different but related.
     (3) Based on the concept of the administrative domain, the dissertation proposes the D-ARBAC (Domain supported administration of RBAC) model. It avoids the following problems: multi-step user/permission assignment, redundant access control information, and unstable administrator permissions. The D-ARBAC model better fulfills the task of RBAC administration: it regulates the relationship between administrators and regular users, and controls and distributes administrators' permissions. It strengthens security control in the administration of the system, is independent of how RBAC is implemented, and can administer the RBAC model and its extended models at any level.
     (4) The dissertation proposes an attribute-supported RBAC model. Users, roles and permissions are described using uniform enterprise or organizational attributes. This helps implement RBAC in a simple and universal way, and thus facilitates the administration and application of RBAC on different platforms.
     (5) The dissertation gives definitions of attributes and constraint expressions in BNF. Attribute values support various data types, including number, date, time, string, set and range. It also defines comparability and comparison methods among attributes.
     (6) The dissertation proposes a method for implementing an RBAC system, including the RBAC model, RBAC delegation and RBAC administration. XML is used in the method because of its openness, universality, standardization and portability. The dissertation provides an access control implementation that uses XML as the data description language in the delegation model and administration model.
     (7) The dissertation presents an example of the enhanced RBAC system. It supports user-to-user delegation and is managed with the D-ARBAC model. The example verifies that these models are feasible, convenient and essential.
     The above research work is a helpful exploration toward a complete RBAC solution, and it yields a simple, powerful and secure solution.