角色互斥实现访问控制模型职责分离原则

在RBAC模型的基础上,提出一种利用角色互斥的方法来实现职责分离原则,将角色互斥分为静态和动态互斥并给出形式化描述 并进一步将权限在角色之间共享的约束关系划分为四种情况,分别进行了形式化描述。     

电子政务系统中角色网络扩展模型研究*

从当前角色网络模型(RNM)所存在的问题入手,通过加入时限约束和解决角色间继承关系上的缺陷对角色网络模型进行改进,并进一步提出基于时限约束的角色网络模型(TRNM)。该模型在继承角色网络模型全部优势的同时,一方面解决了原有RNM中角色间继承关系上的缺陷,使高层角色可以部分继承底层角色的权限;另一方面则通过对时限约束特征的定义和分析,给出了在时限约束条件下TRNM的组成成员和形式化描述,最后具体给出了TRNM的开发方法流程。     

RBAC模型时间约束的OCL描述

基于角色的访问控制模型以其灵活性、方便性和安全性在许多系统的权限管理中得到普遍应用,而引入时间约束后的角色访问控制更能增强系统的安全性和模型的描述能力。该文使用对象约束语言OCL来描述模型中的时间约束,使模型更加直观和精确。     

域间动态角色转换中的静态互斥角色约束违反

安全互操作是实现跨管理域的资源共享与保护的关键技术. Kapadia等人的IRBAC2000模型提供了一种灵活的通过角色关联和动态角色转换实现安全互操作的方法..廖俊国等人指出该模型可能违反静态互斥角色约束,对问题的原因进行了分析,提出了约束违反检测算法和添加角色关联的先决条件.首先指出廖俊国等人关于约束违反原因的分析是片面的,其检测算法和先决条件也不能保证系统不会违反约束;然后指出在给定角色关联的前提下,外域的用户/角色分配是造成约束违反的根本原因;进而提出动态角色转换违反静态互斥角色约束的充要条件和约束违反检测算法;给出了添加角色关联和用户/角色分配的先决条件,保证了模型状态始终满足静态互斥角色约束.     

基于时间约束的角色访问控制模型研究

基于角色的访问控制模型的研究工作近年来得到了广泛的重视,但主要工作均立足于与时间特性无关的其他方面,在现实生活中有很多与时间有关的访问控制不能够得到很好解决,特别是一些要求时间性很高或者周期性规律很强的访问控制,都需要进行时间约束的控制.为此形式化描述了一个引入时间后的角色访问控制,采用周期时间约束的方法描述了时间约束和时间约束模型,并构建了一个关于时间约束的角色访问控制系统,解决了一系列与时间有关的角色访问控制问题,增强了访同控制的力度.     

基于XML图的RBAC模型研究

针对传统XML描述的基于角色的访问控制(RBAC)模型在角色权限继承、约束方面支持的不足,提出了一种基于XML图的RBAC3模型。该模型通过属性引用的方式实现了多重继承并引入面向对象中私有继承的概念,使角色的私有权限得到保护。同时,通过引入互斥权限的概念简化了责任分离的实现。     

权限约束支持的基于角色的约束访问控制模型与实现

阐述现有基于角色的安全控制中的不足，通过分析角色间约束产生的根源，提出通过建立权限约束关系来支持角色之间的约束管理和实现访问控制，文中定义了权限约束支持的基于角色的约束访问控制模型及增强权限模型，并介绍这个约束访问控制模型在ZD－PDM中的应用，实践表明，这种访问控制模型型除了增强系统安全访问之外，还可以提供一种更灵活的授权机制，并降低安全管理员的工作复杂性。     

应用角色访问控制的工作流动态授权模型

形式化地描述了角色、用户、权限、任务单元、授权策略、授权约束等实体及其相互间的关系，提出将授权约束分为需求角色约束、需求用户约束、拒绝角色约束及拒绝用户约束，并在此基础上建立了授权约束的冲突检测规则．实现了授权流与工作流的同步，并通过授权约束的冲突检测确保了工作流的有效执行．文中模型具有全面性与实用性较强的特点．     

带时间特性的角色授权约束

授权约束是基于角色的访问控制模型中一个非常重要的部分.已经有方法来对约束进行形式化的描述,但主要集中在有关约束的静态特性的描述上.提出一套形式化地描述时间特性的模型,使之能够描述带时间特性的授权约束.对已有的角色授权约束模型,即约束描述语言进行了深入研究,并进行了相应的扩展.这种扩展后的语言称为RCLT(role-based constraints language with time-character).同时,对RCLT的时间效率的优化以及在RCLT规则被违反时如何恢复合法状态的问题进行了形式化的讨论.RLCT语言被证明可以很好地表示出对授权约束的时间特性的需求,但在效率优化和状态恢复方面要找到实用、高效的通用算法还需要作进一步的工作,这也是将来研究工作的主要目标.     

在角色访问控制系统中实现职责分离的方法

论文给出了在角色访问控制系统中实现职责分离的方法,在基本模型的基础上,形式化地描述了静态和动态的职责分离的原则及保证职责分离的需求得到满足的安全状态。在讨论了角色之间共享权限的约束关系后,从安全状态和互斥规则的关系这个角度给出了维持安全状态的充分条件和必要条件,并加以证明。     

A novel mobility model based on semi-random circular movement in mobile ad hoc networks

When simulating a mobile ad hoc network (MANET), it is important to use a realistic mobility model to reflect the actual performance of a mobile system. The spatial distribution of node locations in a mobile model plays a key role when investigating the characteristics of a MANET. However, most existing mobility models with random and simple straight line movement lead to unrealistic scenarios and non-uniform distributions, and can not describe the actual movement of Unmanned Aerial Vehicles (UAVs) connected via a MANET. To address this issue, a novel mobility model based on semi-random circular movement (SRCM) is presented. The approximate node distribution function in SRCM is derived within a 2D disk region. The relationship between application performance and node distribution is investigated for a UAV MANET, with focus on scan coverage and network connectivity. A simulation using the NS2 tool is conducted. It is shown that the presented model with a uniform distribution performs better than the popular Random Waypoint mobility model. The SRCM model with the NS2 simulator provides a realistic way for simulation and performance evaluation of UAV MANETs.     

Role mining using answer set programming

With the increasing adoption of role-based access control (RBAC) in business security, role mining technology has been widely applied to aid the process of migrating a non-RBAC system to an RBAC system. However, because it is hard to deal with a variety of constraint conflicts at the same time, none of existing role mining algorithms can simultaneously satisfy various constraints that usually describe organizations’ security and business requirements. To extend the ability of role mining technology, this paper proposes a novel role mining approach using answer set programming (ASP) that complies with constraints and meets various optimization objectives, named constrained role miner (CRM). Essentially, the idea is that ASP is an approach to declarative problem solving. Thus, either to discover RBAC configurations or to deal with conflicts between constraints, ASP programs do not need to specify how answers are computed. Finally, we demonstrate the effectiveness and efficiency of our approach through experimental results.     

角色访问控制

1 引言角色访问控制是一种介于传统的自主访问控制和强制访问控制机制之间的安全策略,越来越引起人们的重视。角色访问控制机制很自然映射到组织机构中,每个用户可以赋予一些角色,每个角色负责一些任务。在最近20年中,角色访问控制机制已经有各种不同形式的应用。本文介绍Sandhu在96年提出的角色访问控制形式化的定义和模型,指出了角色访问控制和用户组的不同之处,并结合Sandhu提出的模型,给出了角色继承和角色限制的定义以及形式化的描述,对角色限制中最重要的部分也就是任务分离作了详细的介绍。     

On the complexity of role updating feasibility problem in RBAC

In Role Based Access Control (RBAC) systems, it is necessary and important to update the role–permission assignments in order to reflect the evolutions of the system transactions. However, role updating is generally complex and challenging, especially for large-scale RBAC systems. This is because the resulting state is usually expected to meet various requirements and constraints. In this paper, we focus on a fundamental problem of role updating in RBAC, which determines whether there exists a valid role–permission assignment, i.e., whether it can satisfy all the requirements of the role updating and without violating any role–capacity or permission–capacity constraint. We formally define such a problem as the Role Updating Feasibility Problem (RUFP), and study the computational complexity of RUFP in different subcases. Our results show that although several subcases are solvable in linear time, this problem is NP-complete in the general case.     

基于多亲树的RBAC角色可视化管理

基于角色的访问控制(RRAC)被广泛地应用于各类复杂信息系统中,通过对用户指派角色进行授权以访问系统中的特定数据或资源。一些问题已在应用过程中逐渐暴露:如何较好地展现角色层次关系、用户角色指派和角色指派中约束如何体现、冗余的角色授权如何检测与解除等。从可视化的角度采用层次信息可视化技术来辅助RRAC中的角色管理。首先阐述了所研究的问题,并定义了可视化过程中使用的多亲树结构;然后给出一个多亲树规范化过程,以建立一个符合可视化要求的标准角色层次;随后提出一种双层可视化范例来展示角色管理过程,其中下层用于展示角色层次和权限,上层用于配置用户节点;此外,针对所述问题给出若干交互方法,以可视地辅助解决角色管理中的约束和冗余问题。     

基于角色的权限管理系统的研究与设计

介绍RBAC模型的主要思想,对基于角色的权限管理系统进行研究与设计,分别对系统体系结构、功能模块、数据库设计等方面进行分析。在该权限控制模型中,应用角色继承、角色委托以及激活时间范围约束几个方案,结合数据库的设计对该模型进行阐述。最后,对获取用户权限的算法、用户组设置等问题进行论述。     

Association-Based Active Access Control models with balanced scalability and flexibility

In existing Active Access Control (AAC) models, the scalability and flexibility of security policy specification should be well balanced, especially: (1) authorizations to plenty of tasks should be simplified; (2) team workflows should be enabled; (3) fine-grained constraints should be enforced. To address this issue, a family of Association-Based Active Access Control (ABAAC) models is proposed. In the minimal model ABAAC₀, users are assigned to roles while permissions are assigned to task-role associations. In a workflow case, to execute such an association some users assigned to its component role will be allocated. The association's assigned permissions can be performed by them during the task is running in the case. In ABAAC₁, a generalized association is employed to extract common authorizations from multiple associations. In ABAAC₂, a fine-grained separation of duty (SoD) is enforced among associations. In the maximal model ABAAC₃, all these features are integrated, and similar constraints can be specified more concisely. Using a software workflow, case validation is performed. Comparison with a representative association based AAC model and the most scalable AAC model so far indicates that: (1) enough scalability is achieved; (2) without decomposition of a task, different permissions can be authorized to multiple roles in it; (3) separation of more fine-grained duties than roles and tasks can be enforced.     

Modeling process-related RBAC models with extended UML activity models

Context

Business processes are an important source for the engineering of customized software systems and are constantly gaining attention in the area of software engineering as well as in the area of information and system security. While the need to integrate processes and role-based access control (RBAC) models has been repeatedly identified in research and practice, standard process modeling languages do not provide corresponding language elements.

Objective

In this paper, we are concerned with the definition of an integrated approach for modeling processes and process-related RBAC models - including roles, role hierarchies, statically and dynamically mutual exclusive tasks, as well as binding of duty constraints on tasks.

Method

We specify a formal metamodel for process-related RBAC models. Based on this formal model, we define a domain-specific extension for a standard modeling language.

Results

Our formal metamodel is generic and can be used to extend arbitrary process modeling languages. To demonstrate our approach, we present a corresponding extension for UML2 activity models. The name of our extension is Business Activities. Moreover, we implemented a library and runtime engine that can manage Business Activity runtime models and enforce the different policies and constraints in a software system.

Conclusion

The definition of process-related RBAC models at the modeling-level is an important prerequisite for the thorough implementation and enforcement of corresponding policies and constraints in a software system. We identified the need for modeling support of process-related RBAC models from our experience in real-world role engineering projects and case studies. The Business Activities approach presented in this paper is successfully applied in role engineering projects.     

浅析动画影片中配角的作用及影响

动画配角在动画中起着非常重要的作用,文章通过对动画配角的概念和具体事例的分析,概括出了动画配角的两个方面的重要作用——即动画配角对于主角的性格、心理、世界观的塑造作用和对于整部动画影片在丰富性及调节叙事节奏方面的重要作用。并且,强调了动画配角对于动画影片的故事深度、真实性、丰富性等的重要影响,在最后提出动画配角的设计方法。     

属性RBAC策略的OWL表示和推理

将属性作为授权约束,给出了属性扩展的RBAC模型。提出了一种基于OWL的属性RBAC策略定义和表示方法。该方法支持复杂属性表达式、属性值偏序关系、角色层次关系和约束的定义;在推理机的支持下,可以执行访问控制决策推理,属性表达式支配关系判定和策略知识一致性检测。具体应用案例说明了该方法的可行性。