A workflow authorization model based on credentials was proposesed. It can nicely satisfy the features that workflows in actual application should satisfying. This model uses access control list based on task state wh...A workflow authorization model based on credentials was proposesed. It can nicely satisfy the features that workflows in actual application should satisfying. This model uses access control list based on task state which nicely ensure synchronizing authorization flow with workflow; specifies authorization policy not only based on user identifiers but also based on user qualifications and characteristics; defines a set of constraint rules for a task and seek the eligible users to execute the task according to the type of each constraint rule which realize dynamic separation of duty; and realizes the access granularity of authorization ranging from objects to specific parts of objects which ensure the least privilege constraints much more better.展开更多
Separation issue is one of the most important problems about cloud computing security. Tenants should be separated from each other based on cloud infrastructure and different users from one tenant should be separated ...Separation issue is one of the most important problems about cloud computing security. Tenants should be separated from each other based on cloud infrastructure and different users from one tenant should be separated from each other with the constraint of security policies. Learning from the notion of trusted cloud computing and trustworthiness in cloud, in this paper, a multi-level authorization separation model is formally described, and a series of rules are proposed to summarize the separation property of this model. The correctness of the rules is proved. Furthermore, based on this model, a tenant separation mechanism is deployed in a real world mixed-critical information system. Performance benchmarks have shown the availability and efficiency of this mechanism.展开更多
文摘A workflow authorization model based on credentials was proposesed. It can nicely satisfy the features that workflows in actual application should satisfying. This model uses access control list based on task state which nicely ensure synchronizing authorization flow with workflow; specifies authorization policy not only based on user identifiers but also based on user qualifications and characteristics; defines a set of constraint rules for a task and seek the eligible users to execute the task according to the type of each constraint rule which realize dynamic separation of duty; and realizes the access granularity of authorization ranging from objects to specific parts of objects which ensure the least privilege constraints much more better.
基金supported by the Fundamental Research funds for the central Universities of China (No. K15JB00190)the Ph.D. Programs Foundation of Ministry of Education of China (No. 20120009120010)the Program for Innovative Research Team in University of Ministry of Education of China (IRT201206)
文摘Separation issue is one of the most important problems about cloud computing security. Tenants should be separated from each other based on cloud infrastructure and different users from one tenant should be separated from each other with the constraint of security policies. Learning from the notion of trusted cloud computing and trustworthiness in cloud, in this paper, a multi-level authorization separation model is formally described, and a series of rules are proposed to summarize the separation property of this model. The correctness of the rules is proved. Furthermore, based on this model, a tenant separation mechanism is deployed in a real world mixed-critical information system. Performance benchmarks have shown the availability and efficiency of this mechanism.
