
Construction method of virtual position in process of cross-domain access control based on organization based 4 levels access control model

Cited by: 1
Abstract: To address how the Organization Based 4 Levels Access Control (OB4LAC) model builds virtual positions in the local domain from the permission sets requested by users in another domain during cross-domain access control, this paper proposes a process with three stages: searching for role sets that match the requested permission set, checking the Separation of Duty (SoD) constraints and activation constraints of the role sets, and creating and revoking the virtual position. For the search stage, the authors give three search algorithms, one each for complete matching, availability-first matching and least-privilege-first matching. For the constraint-checking stage, they define three matrices, the Separation of Duty Matrix (SODM), the Anti-connection Inherit Matrix (AIM) and the Cardinality Constraint Matrix (CCM), together with the corresponding constraint-checking procedure. For the creation and revocation stage, the paper gives the management functions required to complete the process. With these specific processes and algorithms, the authors resolve the problem of building virtual positions for the OB4LAC model during cross-domain access.
Source: Journal of Computer Applications (《计算机应用》), CSCD, Peking University Core Journal, 2014, No. 8, pp. 2345-2349 (5 pages)
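Funding: Key Program of the National Natural Science Foundation of China (91024029); China Postdoctoral Science Foundation General Program (2013M540273)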
Keywords: Organization Based 4 Levels Access Control (OB4LAC) model; cross-domain access; multi-domains; construction of virtual position; authorization management; information security