摘要
基于角色的管理模型被用于管理大型RBAC(role-based access control)系统的授权关系,UARBAC具有可扩展、细粒度等优点.UARBAC的管理操作包含隐式授权.隐式授权分析说明UARBAC管理操作的两类缺陷,包括两个定义缺陷,即无法创建客体和虚悬引用,以及一个实施缺陷,即不支持最小授权.通过修改管理操作更正定义缺陷,提出实施缺陷的改进方案.定义实施最小授权的最小角色匹配问题,证明该问题是NP难,并给出基于贪心算法的可行方案,帮助管理员选择合适的管理操作将最小角色集合授予用户.
Role-Based administrative models have been discussed for decentralized management in large RBAC (role-based access control) systems. The latest UARBAC model has significant advantages over other models. Due to hierarchy relationships, administrative operations of UARBAC implicate permissions. By analyzing implicit authorization, two flaws in definition and an implemental flaw in UARBAC are found, including being unable to create object, dangling reference and not supporting the least authorization. The paper corrects definitions of administrative operations for the former two. The least authorization in UARBAC is defined as the minimal role match problem. The paper proves the problem is NP-hard and gives a feasible algorithm based on greedy. The method will help the administrator use appropriate operations to achieve the least role assignment.
出处
《软件学报》
EI
CSCD
北大核心
2009年第4期1048-1057,共10页
Journal of Software
基金
国家“十五”攻关计划No.2005BA113A02
中国科学院研究生创新资金~~
关键词
隐式授权
基于角色的管理模型
最小授权
基于角色的访问控制
implicit authorization
role-based administrative model
least authorization
role-based access control