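Abstract
Based on an analysis of the access control policy requirements of business processes, the classic XACML policy enforcement framework is extended, and an enforcement framework is proposed that can manage policies according to the execution state of the business process. By introducing the <PolicyIssuer> element into the policy schema and defining the semantics of the <Condition> element, the schema can describe both access policies and delegation policies and supports least privilege at the task level. Two policy decision optimization methods are given. To address an excessive number of invalid policies in the policy set, a stepwise pruning method reduces the number of policy element comparisons. To address an excessive number of delegation policies in the policy set whose trustworthiness must be verified, a trust association method reduces the number of policy matches. These methods effectively improve the efficiency of policy decisions.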
By analyzing the requirements of access control for business processes, an extended enforcement framework that supports policy management based on the state of the business process is proposed. By introducing the <PolicyIssuer> element and defining the semantics of the <Condition> element in the policy schema, both access control policies and delegation policies can be described, and least privilege at the task level can be achieved. To reduce the time cost of policy decisions when the numbers of unrelated policies and delegation policies are large, two methods that reduce the number of policies and policy elements to be matched are proposed.
Source
Computer Engineering and Applications (《计算机工程与应用》)
CSCD
2013, Issue 19, pp. 83-87 (5 pages)
Funding
National Basic Research Program of China (973 Program) (No. 2011CB311801)
Henan Province Science and Technology Talent Innovation Program (No. 114200510001)
Keywords
XACML policy
Extensible Access Control Markup Language (XACML)
access control
business process
policy
delegation