电力工作流中基于组织与任务的访问控制模型

An Access Control Model Based on Organization and Task in Workflow for Power System

传统的基于角色的访问控制应用于电力工作流系统中能大大简化用户的权限管理。然而,仅使用角色的概念不足以反映企业的组织结构,而且不能为任务指定组织单元,角色之间的权限继承关系与电力工作流应用实际不相符,静态的访问控制约束不能满足电力工作流的动态需求。因此,提出了一种基于组织和任务的访问控制模型。该模型去除了角色之间的权限继承关系,引入组织单元和任务的概念,将任务分为普通任务和专门任务,普通任务分配到组织单元,可以被继承,专门任务分配到组织单元中的角色,不能被继承,再将权限分配给任务,用户通过分配组织单元中的角色或组织单元来获得执行任务的权限。结合提出的模型,通过给每个任务定义黑名单数据结构,给出了一种动态的访问控制算法。最后以变电站设备检修工作流为例给出了具体的动态访问控制设计,实例表明该模型和算法可以实现动态的权责分离及权责绑定约束。

The application of traditional role-based access control in the workflow for power systems can reduce the complexity of permission management. However, using the role concept alone can hardly reflect the organizational structure of the enterprise, nor can it specify the organizational unit for a task. Moreover, the permission inheritance relation among roles is not in accord with the reality of the workflow for the power system, with the static access control constraints hardly meeting the dynamic requirements of the workflow. Hence the proposal for an organization-and-task-based access control model. By introducing organizational units and tasks, the model eliminates the permission inheritance relation among roles, divides the tasks into common ones and professional ones, with the former assigned to the organizational unit and capable of being inherited; the latter assigned to roles in the organizational unit and incapable of being inherited. Then permissions are assigned to tasks, while users get task permissions through roles or the organizational unit they belong to. Combined with the model proposed, through adding blacklists data to each task, a dynamic access control algorithm is given. Finally, a specific access control design for the facility maintenance workflow in the substation is presented, showing that the model and algorithm can realize dynamic constraints of separation and binding of duties.