摘要
针对单纯的RBAC模型在动态授权、细粒度授权等方面存在的不足,将属性与RBAC相结合,并保持RBAC以角色为中心的核心思想,提出了两者结合的混合扩展访问控制模型HARBAC。模型支持基于属性的用户—角色分配、角色—权限分配、角色激活、会话角色权限缩减和权限继承等动态访问控制功能。对模型的元素、关系、约束和规则等进行了形式化描述。通过引入权限过滤策略对会话角色的有效权限进行进一步控制,分析研究了基于属性的会话权限缩减方法。应用实例表明HARBAC模型可有效实现动态授权和细粒度授权。HARBAC模型可与传统RBAC无缝集成,并在遵循其最小特权和职责分离等安全原则的基础上,有效降低管理复杂度,支持灵活、动态、可扩展的细粒度访问控制。
Aiming at tackling the deficiencies that the onefold role-based access control model can' t support dyna-mic and finer-grained authorization effectively, this paper proposed an attribute and RBAC-based hybrid access control modal (HAR- BAC). HARBAC integrated attribute with RBAC and retained the role centric concept of RBAC. The model supported dynamic access control of user-role assignment, role-privilege assignment, role activation, role' s available privileges reduction and privilege inheritance based on the integrated attributes. It formally defined the dements, relations, constraints and rules of HARBAC. It introduced privilege filter policy (PFP) to reduce the available privilege of role in a given session, followed with an attribute-based privilege reduction method. The example illustrates the effectiveness and feasibility of the proposed model in dynamic and finer-grained access control. Analysis implies that HARBAC model can integrate seamlessly with the NIST RBAC model, satisfy least privilege and separation of duty principles, and reduce the complexity of role management, satisfying the demand of flexible, dynamic, scalable and finer-grained access control.
出处
《计算机应用研究》
CSCD
北大核心
2016年第7期2162-2169,共8页
Application Research of Computers
基金
国家"863"计划资助项目(2012AA012704)
河南省基础研究计划资助项目(142300410093)
信息保障技术重点实验室资助项目(KJ-13-110)
关键词
基于角色的访问控制
属性
动态授权
细粒度授权
权限过滤策略
role-based access control(RBAC)
attribute
dynamic authorization
finer-grained authorization
privilege filter policy
