CN100458813C - Method for role-based access control model with precise access control strategy - Google Patents


Publication number: CN100458813C
Authority: CN (China)
Prior art keywords: role, function, access control, meticulous, mapping
Legal status: Active
Application number: CNB2006100833152A
Other languages: Chinese (zh)
Other versions: CN1885297A
Inventor: 石杰
Current Assignee: Hangyin Consumer Finance Co.,Ltd.
Original Assignee: 石杰
Application filed by 石杰; priority to CNB2006100833152A; published as CN1885297A; application granted; published as CN100458813C.

Abstract

The invention relates to a method for a role-based access control model with a fine-grained access control policy. The method comprises: a fine-grained access control policy, and a mapping function between function privileges and the fine-grained access control policy. The control policy is a predefined runtime dynamic policy function that includes the restriction logic the service logic demands for fine-grained control, together with restrictions based on external conditions and context information. The invention can refine the granularity of access control in the standard access control model.

Description

Method for a role-based access control model with a fine-grained access control policy
Technical field
The present invention relates to a method for security authorization of networked computer resources, and in particular to a technique for providing fine-grained access control over system resources.
Background technology
An access control policy is the expression of authorization at the level of the system security policy. The policy is used to authorize and authenticate accessing subjects (users, processes) and to assign roles, so that only legitimate subjects can enjoy the services and resources provided by the accessed objects (resource owners). Three access control policies are currently widely recognized: discretionary access control (DAC), mandatory access control (MAC) and role-based access control (RBAC). These three policies arose in different eras under different environmental requirements and suit different environments. In addition there is the multilevel policy. A multilevel policy assigns a security level to each target; the security attribute is generally divided into four ranks: Top-Secret, Secret, Confidential and Unclassified. Because of the needs of security development, current file security levels have expanded from four grades to grades 0 to 255. Finer division of security levels makes it easier to implement multilevel control mechanisms and to satisfy national and individual privacy requirements. Security levels form a hierarchy, and each user is assigned a corresponding level reflecting that user's most basic trustworthiness; this model is commonly used in government secrecy departments.
The discretionary access control model (DAC Model, Discretionary Access Control Model) is built on the discretionary access control policy. Its basic idea is to allow legitimate users, under the identity of a user or user group, to access the objects specified by the policy while preventing unauthorized users from accessing objects; the current owner of an object can also independently grant other users access rights to the objects it owns. Discretionary access control is also called arbitrary access control. The LINUX, UNIX and Windows NT or SERVER operating systems all provide discretionary access control. In implementation, the user's identity is first authenticated; then, according to the permissions granted to that user in the access control list (ACL), the user is permitted and limited to the object resources it may use. Modification of a subject's control permissions is usually performed by the superuser or superuser group. The characteristic of the DAC model is that the authorized subject is independently responsible for granting and revoking access rights to the object resources of other subjects. The DAC model generally uses an access control matrix and access control lists to store the access control information of different subjects, thereby restricting subjects' access permissions. The flexible data access that arbitrary access control offers users has made the DAC model widely used in commercial and industrial environments.
Although the DAC model is implemented in many systems, it has a fatal defect: the grant of access rights can be transferred. Once access rights are passed on they are hard to control; managing them becomes quite difficult and can bring serious security problems. On the other hand, the DAC model does not protect copies of protected objects: a user who cannot access an object may be able to access its copy, which further increases the difficulty of management. Moreover, in a large-scale system the numbers of subjects and objects are huge, and whatever form of DAC is used, the resulting system overhead is hard to bear and efficiency is quite low, making it difficult to meet the needs of large applications, in particular network applications.
The mandatory access control model (MAC Model, Mandatory Access Control Model) is a multilevel access control policy. Its main feature is that the system enforces access control on accessing subjects and controlled objects: the system assigns different security level attributes to subjects and objects in advance, and when enforcing access control it first compares the security level attributes of the subject and the object before deciding whether the subject may access the object. MAC marks subjects and objects with two security labels: one is a security grade label carrying a partial-order relation, the other a non-hierarchical category label. When subjects and objects each belong to a fixed security class SC, the classes SC form a partial order. When the security class of subject s is TS and that of object o is S, the partial-order relation can be expressed as SC(s) ≥ SC(o). Considering the partial order, access of subjects to objects takes four main forms:
(1) read down (rd): a read operation permitted when the subject's security level is higher than that of the object's information resource;
(2) read up (ru): a read operation permitted when the subject's security level is lower than that of the object's information resource;
(3) write down (wd): an action or write operation permitted when the subject's security level is higher than that of the object's information resource;
(4) write up (wu): an action or write operation permitted when the subject's security level is lower than that of the object's information resource.
Because MAC realizes one-way flow of information through classified security labels, it has always been adopted by the military; the most famous models are the Bell-LaPadula model and the Biba model. The Bell-LaPadula model allows only reading down and writing up, which effectively prevents confidential information from leaking to lower levels; the Biba model does not allow reading down and writing up, which effectively protects data integrity. The essence of MAC is a lattice-based, acyclic, unidirectional information-flow policy.
The RBAC96 model performs access control from the viewpoint of the controlling subject: roles are divided according to the relatively stable powers and responsibilities in management, and access rights are associated with roles, which differs from traditional MAC and DAC, where rights are granted directly to users; it associates users with access rights by assigning suitable roles to users. It first introduces the notion of a role: a role is a named group that can complete certain transactions, and different roles carry out their respective functions through different transactions. A transaction is a process that completes a certain function and may be a program or part of a program. A role is an abstraction of a person, or a class of people with some attribute, having a certain capability; in access control, accessing subjects and controlled objects are associated through roles.
The RBAC96 model is an RBAC model family comprising four conceptual reference models and their framework. RBAC0 is the basic model of RBAC96; it defines the minimum elements of an RBAC model and is the basis of the other three sub-models. RBAC1 and RBAC2 add role inheritance and a constraint mechanism, respectively, on the basis of RBAC0. RBAC3 is the integrated model of RBAC1 and RBAC2 and, by transitivity, includes RBAC0. Ravi Sandhu and others subsequently proposed the ARBAC97 and ARBAC99 administrative models on the basis of RBAC96. RBAC0 defines four kinds of entities: users, roles, permissions and sessions. In a single system a user is a subject that can access data or resources in the system; a role represents a job function in the organizational structure, carrying the authority and responsibility of members holding that role; a permission is a certain ability to perform operations in the system; a session is established when a user activates a group of roles belonging to them, each session comprises one user and one or more roles, and the user simultaneously acts as some or all of the roles active in the session. RBAC0 defines two kinds of assignment relations: user assignment UA and permission assignment PA. Both UA and PA can be many-to-many relations: a user can be granted several permissions at the same time, a permission can be assigned to several roles, and a user can open several sessions at the same time. A user has a different set of active roles in each session, and RBAC0 supports the principle of least privilege, meaning a user can activate only the roles necessary to complete the task. Roles assigned to a user can be activated when needed and deactivated again, which avoids misuse and illegal use of permissions by users. RBAC0 defines that users can independently decide whether to activate a role, i.e. a user is allowed to dynamically activate or cancel roles during a session.
RBAC1 adds role inheritance on the basis of the RBAC model, divided into two classes: restricted role inheritance and unrestricted role inheritance. Restricted role inheritance strengthens the inheritance structure, which is normally just a tree or an inverted tree. RBAC2 differs from RBAC0 in adding a constraint mechanism. RBAC2 adds a set of constraints on the basis of the RBAC0 model; these constraints decide whether the various components in RBAC0 are acceptable, and only acceptable values can be operated on. Constraints are the most discussed part of RBAC and can be considered the main reason RBAC has been promoted. A typical example is that the purchasing manager and the cashier are mutually exclusive roles in an organization; usually these two roles are not allowed to be assigned to the same user, because this could produce fraud. Constraints are a powerful mechanism in high-level organizations and can realize the principle of separation of responsibility and rights. The main constraint mechanisms comprise mutually exclusive roles, cardinality constraints, prerequisite constraints, session constraints and hierarchy constraints. Mutually exclusive roles: within a set defined as mutually exclusive roles, each user can be assigned at most one of the roles, which supports separation of duty. Similarly, mutually exclusive permissions can be defined: within a mutually exclusive permission set, each role can hold at most one permission. Cardinality constraints: a cardinality constraint is defined on the user-role assignment and on the permission-role assignment relations. A user-role cardinality constraint means the number of roles a user has is limited, and a permission-role cardinality constraint means the number of permissions a role has is limited. Prerequisite constraint: this mechanism stipulates the role a user must already hold when a certain operation is performed. For example, only when a user holds the project team member role can the programmer role be assigned to that user. RBAC3 is the combined model of RBAC1 and RBAC2 and includes both role hierarchies and the constraint mechanism. Constraints can equally be applied to the role hierarchy itself: the role hierarchy is a partial order, which is a constraint inherent in the model. Constraints can also limit the number of roles of a given role, or prevent some roles from having sub-roles. These constraint types are very useful when authorization to change the role hierarchy has been delegated. Subtle interactions can arise between hierarchies and constraints. Under mutual exclusion conditions, mutual exclusion can be resolved by defining private roles through constraints.
RBAC was accepted as the ANSI INCITS 359-2004 standard by the American National Standards Institute (ANSI) and the International Committee for Information Technology Standards (INCITS) in February 2004. A new four-level NIST recommended standard was proposed afterwards. The four levels are core RBAC, hierarchical RBAC, static separation of duty relations and dynamic separation of duty relations. In the NIST core model, permissions are refined into an object set and an operation set; the rest is basically identical to RBAC0. Hierarchical RBAC is similar to RBAC1, adding role hierarchies to core RBAC, and is divided into general hierarchies and limited hierarchies: general hierarchies support multiple inheritance of roles, while limited hierarchies support only single inheritance. Constrained RBAC adds separation of duty, comprising static separation of duty (SSD) and dynamic separation of duty (DSD). SSD restricts a user from being assigned conflicting roles at the same time, while DSD only restricts a user from activating conflicting roles simultaneously within one session. The four models of the NIST RBAC model cover the four models of RBAC96 and each introduces new mechanisms. The NIST proposed model does not provide an administrative model, but it does provide administrative functions, divided into administrative commands, system support functions and query functions. RBAC introduces the notion of role; the powers and responsibilities held by accessing subjects are represented by roles, which expresses and implements the enterprise's security policy flexibly, and system permission management is carried out on this higher-abstraction organizational view of the enterprise, simplifying permission management. From this angle, RBAC solves well the problem that in enterprise management information systems the number of users is large and changes are frequent.
The classical RBAC model can satisfy coarse-grained authorization requirements: with the triple of role (Role), operation (Option) and object (Object) as the fine-grained permission, it can control a certain role performing a certain operation on a certain object. However, the basic starting point of the RBAC model is subject-centred access control for the whole security system, so it investigates in depth only the security features of the subject and lacks content such as the object in access control and the security features of access constraint conditions. It thus ignores control over the security features of the object and of the access behaviour during access control, which may unbalance the security policy of the whole security system and reduce the model's expressiveness and usability in the real world. Large enterprise-level applications have complex system logic and numerous branch offices, with large amounts of information data stored and processed centrally, which places higher demands on access control. In the classical RBAC model the object is generally defined as a data table. Centrally stored data information logically contains many dimensions: for an enterprise with branch offices and departments, for example, the logically centralized data must include organization and department information, and the use of the data also needs to be divided and controlled by dimension. Take a data query for a certain department of a certain branch: a low-privilege user is restricted to the corresponding organization and department; a higher-privilege user of that organization need not be restricted by department, only by the organization they work in; an even more senior user may need no restriction at all and is allowed to query data across the whole jurisdiction. To solve this, the classical RBAC model would have to split the object by dimension down to sufficiently fine granularity. Yet in a large system the data objects are all high-dimensional, and since different operations and different subjects have different dimensional control requirements for an object, splitting the object becomes too complex: the permission system becomes hard to maintain, the goal of reducing authorization-management complexity is lost, and using RBAC loses its meaning. To avoid these problems and make full use of the advantages of RBAC, the present invention improves the PERMISSION and ROLE notions of the RBAC model to obtain an extended RBAC model suited to the requirement for multidimensional fine-grained access control over data objects in large enterprises, referred to as the access control model with fine-grained access control policy.
Summary of the invention
Aiming at the coarse-granularity problem of existing models when accessing data objects, the invention provides a method for a role-based access control model with a fine-grained access control policy. It solves the coarse access control granularity of the standard role-based access control model, in which control is accurate only to the atomic granularity of a certain role performing a certain operation on a certain object, so that access control granularity can be divided more precisely.
The invention provides a method for a role-based access control model with a fine-grained access control policy, comprising: associating an object with an operation to compose a function 2-tuple, describing the permission to operate on the object; associating a role with a function by mapping to compose a function privilege 2-tuple, describing that the role has the authority to perform the operation on the object; associating a function privilege with a fine-grained access control policy by mapping to form a fine-grained access control 2-tuple, so that in the running environment access control is accurate to a part of the object, down to the finest-grained control of the object; and, according to the association between the requesting client and the role and between the role and the function, together with the established fine-grained access control, authorizing access to the accessed object.
Here the fine-grained access control policy is a predefined runtime dynamic policy function comprising two aspects. First, it describes the service-logic requirement that a user holds a set of rights to access an object: when an operation is executed, the access rights are constrained, according to the particular fine-grained access control policy, to a subset, the empty set or the full set of the accessed object. Second, based on constraints from the external environment and context information, it determines the subset of the accessed object at run time. The mapping from function privileges to fine-grained access control policies is an injection: for any function privilege there is a unique fine-grained access control policy corresponding to it.
In addition, the fine-grained access control can also be regarded as a 4-tuple composed of object, operation, role and fine-grained access control policy according to their hierarchical relation.
A role is a job function with clearly defined responsibilities and rights in a particular organization, representing a kind of qualification, right and responsibility; the set of roles is the role set. A function is an access permission to protected data or resources in the computer system; the set of functions is the function set, which is the power set of the Cartesian product of the object set and the operation set. The mapping from function to operation yields the operation set of the specified function; the mapping from function to object yields the object set of the specified function; the mapping from role to function yields the set of functions of the role. Roles and functions are in a many-to-many relation: a function can be assigned to one or more roles, and a role can be assigned one or more functions.
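As an added illustration (not code from the patent), the following Python sketch implements the 2-tuples just described: functions as (object, operation), function privileges as (role, function), and a mapping from each function privilege to one runtime policy function that narrows the object to a subset, the empty set or the full set of its rows. It uses the branch/department query scenario from the background as its constructed example; every table row, user, role and policy name is an assumption, and the injectivity the method requires of the mapping is checked explicitly.

```python
# Added example (not the patent's own code): the object/operation "function"
# 2-tuple, the role/function "function privilege" 2-tuple and the mapping from
# each function privilege to one runtime policy function.
# The table, users, roles and the branch/department policies are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

Row = Dict[str, object]
Context = Dict[str, str]
Policy = Callable[[Row, Context], bool]   # runtime policy: keep this row or not


@dataclass(frozen=True)
class Function:
    """2-tuple (object, operation): permission to perform op on obj."""
    obj: str
    op: str


@dataclass(frozen=True)
class Right:
    """Function privilege: 2-tuple (role, function)."""
    role: str
    func: Function


# Fine-grained policies. Each narrows the object to a subset, the empty set or
# the full set of its rows, depending on the caller's context (assumed keys
# "branch" and "dept"), mirroring the branch/department query example.
def own_branch_and_dept(row: Row, ctx: Context) -> bool:
    return row["branch"] == ctx["branch"] and row["dept"] == ctx["dept"]


def own_branch(row: Row, ctx: Context) -> bool:
    return row["branch"] == ctx["branch"]


def unrestricted(row: Row, ctx: Context) -> bool:
    return True


def closed_period(row: Row, ctx: Context) -> bool:
    # empty set: e.g. a reporting period that is closed for this role
    return False


# Constructed sample object: the "sales" table, one row per branch/department.
SALES: List[Row] = [
    {"id": 1, "branch": "north", "dept": "retail", "amount": 100},
    {"id": 2, "branch": "north", "dept": "loans", "amount": 250},
    {"id": 3, "branch": "south", "dept": "retail", "amount": 75},
    {"id": 4, "branch": "south", "dept": "loans", "amount": 300},
]
OBJECTS = {"sales": SALES}

# User-role assignment UA (constructed).
UA: Dict[str, Set[str]] = {
    "alice": {"clerk"},
    "bob": {"branch_manager"},
    "carol": {"hq_analyst"},
    "dave": {"auditor"},
}

QUERY_SALES = Function("sales", "query")

# Fine-grained access control: function privilege -> policy. The method
# requires this mapping to be injective, which check_injective() verifies.
FG_POLICY: Dict[Right, Policy] = {
    Right("clerk", QUERY_SALES): own_branch_and_dept,
    Right("branch_manager", QUERY_SALES): own_branch,
    Right("hq_analyst", QUERY_SALES): unrestricted,
    Right("auditor", QUERY_SALES): closed_period,
}


def check_injective(mapping: Dict[Right, Policy]) -> bool:
    """True when distinct function privileges map to distinct policies."""
    policies = list(mapping.values())
    return len(set(map(id, policies))) == len(policies)


def evaluate(user: str, op: str, obj: str, ctx: Context) -> List[Row]:
    """Rows of obj the user may reach with op: the union, over the user's
    roles, of the rows each role's policy admits. No privilege -> empty set."""
    func = Function(obj, op)
    allowed: Dict[int, Row] = {}
    for role in UA.get(user, set()):
        policy = FG_POLICY.get(Right(role, func))
        if policy is None:
            continue          # this role lacks the function privilege
        for row in OBJECTS.get(obj, []):
            if policy(row, ctx):
                allowed[row["id"]] = row
    return [allowed[i] for i in sorted(allowed)]


def allowed_ids(user: str, op: str, obj: str, ctx: Context) -> List[int]:
    return [row["id"] for row in evaluate(user, op, obj, ctx)]


if __name__ == "__main__":
    ctx = {"branch": "north", "dept": "retail"}
    for u in ("alice", "bob", "carol", "dave"):
        print(u, allowed_ids(u, "query", "sales", ctx))
```

The decision is made per row rather than per table, so the same function privilege (clerk may query sales) yields different result sets for different callers without splitting the table by dimension, which is the maintenance problem the background describes. A request for an operation with no matching function privilege (for instance, alice trying to delete) falls through to the empty set.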
Compared with the standard RBAC modelling technique, the beneficial effects of the invention are as follows:
1. The element of fine-grained access control policy is added and used to restrict the function privilege constituted by role, object and operation in the standard RBAC model, thereby refining function privileges.
2. In the hierarchical RBAC model, which includes restricted and unrestricted role inheritance, the partial order of roles drives changes in the scope of authority: a role inheriting another role obtains that role's functions. The fine-grained access control policy element, however, forms an injective relation with the role/object/operation triple, i.e. for any function there is a unique fine-grained access control policy corresponding to it, so fine-grained access control policies are not transmitted by role inheritance.
3. In the constrained RBAC model, roles are subject to static and dynamic separation of duty restrictions, so that a user cannot hold several constrained roles at the same time. A fine-grained access control policy has no direct mapping to the user element; it establishes an injective relation with the role/object/operation triple, so it is not limited by the static and dynamic separation of duty constraints.
Description of drawings
Fig. 1 is the diagram of the role-based access control model with fine-grained access control policy;
Fig. 2 is a schematic diagram of a typical structure of an information system in which the invention can be implemented.
Embodiments
The invention is now described in further detail with reference to the drawings and embodiments. Embodiment 1 refers to Fig. 1, as shown in Fig. 1:
1. User set 104: a user is a subject that can independently access protected data or resources; it may be a person or a program, and is simplified here to a person. USERS denotes the set of users and u a user in USERS, that is:
∃ u ∈ USERS
2. Role set 103: a role is a job function with clearly defined responsibilities and rights in a particular organization, representing a kind of qualification, right and responsibility. ROLES denotes the set of roles and r a role in ROLES, that is:
∃ r ∈ ROLES
3. Role assignment 108 is a many-to-many mapping of roles to users: it is a binary relation between USERS and ROLES, UA ⊆ USERS × ROLES denotes the user-role assignment set, and (u, r) ∈ UA denotes that user u has been assigned role r. The relation between users and roles is many-to-many: a user can be assigned several roles, and a role can be assigned to several users.
The method assigning users to a role is defined as:
assigned_user(r: ROLES) → 2^{USERS}
This method yields the set of users assigned to the role, that is:
assigned_user(r) = {u ∈ USERS | (u, r) ∈ UA}
4. Function 112: a function is an access permission to protected data or resources in the computer system. PERMISSIONS denotes the set of functions and p a function in PERMISSIONS, i.e. ∃ p ∈ PERMISSIONS.
The function set is the power set of the Cartesian product of the object set and the operation set:
PRMS = 2^{(OPS × OBS)}
The RBAC model is "policy neutral": it gives no concrete definition of permissions, so the essence of a permission is left open and can be defined according to the application and its security policy. Usually a permission can be regarded as a 2-tuple (Obj, Opt), where Obj is an object or object identifier, i.e. protected system data or a resource, and Opt is the non-empty set of access modes on Obj.
5. The mapping method from a function to its operations:
Op(p: PRMS) → {op ⊆ OPS}
This method yields the operation set of the specified function.
The mapping method from a function to its objects:
Ob(p: PRMS) → {ob ⊆ OBS}
This method yields the object set of the specified function.
6. Function assignment 110 represents the mapping from roles to functions. The role-permission assignment relation is defined as 2-tuples between ROLES and PERMISSIONS; the following formula denotes the role-permission assignment set:
PA ⊆ PRMS × ROLES
Role r holding function p is expressed as:
(p, r) ∈ PA
7. The relation between roles and functions is many-to-many: a function can be assigned to one or more roles, and a role can be given one or more functions. The functions Op(p) and Ob(p) defined in item 5 return the operations and objects associated with a function. The function returning the functions mapped to a role is defined as:
assigned_permissions(r: ROLES) → 2^{PRMS}
This method yields the set of functions mapped to the role, that is:
assigned_permissions(r) = {p ∈ PRMS | (p, r) ∈ PA}
8. Session set 105 is the set of sessions invoked by a user. Users and sessions are in a one-to-many relation, each user needing to invoke a set of sessions. The function mapping user u to a set of sessions is defined as:
user_sessions(u: USERS) → 2^{SESSIONS}
This method yields the session set of the specified user.
The function mapping session s to a set of roles is defined as:
session_roles(s: SESSIONS) → 2^{ROLES}
This method yields the role set of the specified session, that is:
session_roles(s_i) ⊆ {r ∈ ROLES | (session_users(s_i), r) ∈ UA}
The roles available to the user in a specified session are defined by the method:
avail_session_perms(s: SESSIONS) → 2^{ROLES}
This method yields the activated roles of the user's session.
The permissions a user holds in one session are defined as:
avail_session_perms(s: SESSIONS) → 2^{PRMS}
The permissions a user holds over the whole session are defined as:
⋃_{r ∈ session_roles(s)} assigned_permissions(r)
9. The role inheritance 109 relation is expressed as:
RH ⊆ ROLES × ROLES
RH is a partial order on ROLES. It describes the organizational structure of authorized responsibility and defines the inheritance relation between roles, which comes in two classes: general and restricted.
In the general role inheritance relation, role r_1 inheriting r_2 is defined as:
r_1 ⪰ r_2
Then the users of r_1 belong to the users of r_2, and the permissions of r_2 belong to the permissions of r_1:
r_1 ⪰ r_2 ⇒ authorized_permissions(r_2) ⊆ authorized_permissions(r_1)
∧ authorized_users(r_1) ⊆ authorized_users(r_2)
The authorized users are defined as:
authorized_users(r) = {u ∈ USERS | r′ ⪰ r, (u, r′) ∈ UA}
The authorized functions are defined as:
authorized_permissions(r: ROLES) → 2^{PRMS}
authorized_permissions(r) = {p ∈ PRMS | r′ ⪰ r, (p, r′) ∈ PA}
In the restricted role inheritance relation, role r_1 inheriting r_2 satisfies formula 3-24:
∀ r, r_1, r_2 ∈ ROLES, r ⪰ r_1 ∧ r ⪰ r_2 ⇒ r_1 = r_2
10. Static duty constraint: SSD denotes the static separation of duty set 107, defined as:
SSD ⊆ (2^{ROLES} × N)
A user is not allowed to be assigned roles that SSD defines as conflicting.
11. Dynamic duty constraint: DSD denotes the dynamic separation of duty set 106, defined as:
DSD ⊆ (2^{ROLES} × N)
∀ rs ∈ 2^{ROLES}, n ∈ N, (rs, n) ∈ DSD ⇒ n ≥ 2 ∧ |rs| ≥ n, and
∀ s ∈ SESSIONS, ∀ rs ∈ 2^{ROLES}, ∀ role_subset ∈ 2^{ROLES},
role_subset ⊆ rs, ∀ n ∈ N, (rs, n) ∈ DSD,
role_subset ⊆ session_roles(s) ⇒ |role_subset| < n
DSD allows a user to be assigned conflicting roles, but does not allow them to be activated together within one session.
12. Function privilege 111: a function privilege expresses the semantics "a certain role executes a certain function". It is the set of binary relations between roles and functions; each element of the function privilege set is a two-tuple of a role and a function:
$$(r, p) \in RIGHTS$$
13. Fine-grained access control policy 108: a fine-grained access policy is defined as an element associated with the triple (role, object, operation). This element describes the fine-grained access restriction on the object and on the context; mapping it to a permission realises fine-grained access control, i.e. constructs a fine-grained permission. FG_POLICIES denotes a set of fine-grained access policies, and f denotes one policy element of FG_POLICIES:
$$f \in FG\_POLICIES$$
14. Fine-grained access control policy assignment 113 denotes the mapping from fine-grained access policies to permissions, i.e. the fine-grained permission. The mapping between fine-grained access policies and permissions is defined as:
$$FA : FG\_POLICIES \rightarrow RIGHTS$$
That is, the set FG_POLICIES is mapped to the set RIGHTS. By definition, for any permission r there is a unique fine-grained access control policy f corresponding to it, i.e. the function FA is an injection.
Embodiment 2 is shown in Figure 2: users are typically the business users of the system and objects are typically database tables, but neither is limited to this. A user may be a program; an object may be a data file, an XML file or any other computer resource; and operations are not limited to those listed but may be extended freely as the application requires.
For example, in a management information system, functional items are divided at coarse grain into four classes: system management, code-table management, data processing and report query. Correspondingly there are four classes of roles: system-management roles, code-table management roles, data-processing roles and report-query roles.
System management is used to add, change, check and query the users of the system, to monitor the system log, and to lock and unlock users. The roles involved in system-management permissions are the system administrator roles; the operations are insert, delete, modify and query; the objects are the user table, role table, operation table, object table, system table and so on.
Code-table management mainly covers maintenance and querying of the various code tables. The roles involved are the code-table administrator roles; the operations are insert, delete, modify, query, audit and so on; the objects are all kinds of code tables, such as the product number table and the currency table.
Data-processing functions are used to add, change, audit and query business data and to apply various kinds of processing to it. The roles involved are the various data-processing roles; the operations are insert, delete, modify, query, audit, process and so on; the objects are the individual data tables or data files.
Report-query functions present processed data items as reports. The roles and operations involved are fewer, concentrated mainly on query operations by decision makers and management; the objects are the various reports.
These fine-grained access control requirements are met with the fine-grained access policies of the FG_RBAC model: access control at the function level remains precise to the object, by establishing the correspondence between roles and functions, while fine-grained access control within an object is achieved by predefining fine-grained access policy functions, adding the preset policy function to the fine-grained permission set at authorization time, and performing access control with the four-tuple (role, object, operation, fine-grained policy).
Because the fine-grained permission set is the Cartesian product of several sets, it has many elements and is hard to maintain. The role dimension is therefore handled by default: a triple is fixed first, e.g. (object, operation, fine-grained policy) or (role, object, fine-grained access policy), and the remaining dimension, the role or operation dimension, defaults to the fine-grained access policy already used in the existing triple. If a change is needed, the policy is adjusted for that specific permission. This greatly reduces the maintenance cost.
For system-management functions, the object has only one dimension, the subsystem it belongs to. If the role of the accessing subject is the super administrator 232 in role set 230 and an insert 222 operation is performed on the object element role table 211 in object set 210, the corresponding fine-grained access policy element in fine-grained access policy set 240 imposes no restriction 242. If the role of the accessing subject is a subsystem administrator 231, fine-grained access policy function 241 returns a restriction requiring the subsystem attribute of the object to match the subsystem of the accessing subject.
For code-table management functions, if a code table 212 as object also has only the subsystem dimension, fine-grained access policy element 241 is associated with the function privilege element "code-table administrator modifies a code table" 254 and returns a constraint requiring the subsystem attribute of the object to match the subsystem of the accessing subject.
For data-processing functions the object is business data, which is large in volume and has many dimensions. A fine-grained access policy element is associated with the function and, according to predefined business rules, returns different restrictions for different subjects and operations. For example, when a user with the sub-branch teller role 234 performs query 221, modify 223 or delete 224 on a data table 213, the user is restricted to the data they entered themselves, i.e. the data entry person equals the accessing user 243; when a user with the sub-branch auditor role 235 performs a query 221, the user is restricted to data of their own institution and its subordinate institutions 244; when a user with the head-office compound member role 236 performs a query 221, no restriction 242 is applied.
For report-query functions the object is a processed report 214; the data volume is small but the dimensions are richer. A fine-grained access policy element is associated with the function and, according to predefined business rules, returns different restrictions for query 221 operations by different subjects. For example, when a subject with the branch report user role 237 queries 221 a report 214, the fine-grained access policy restricts the scope of the report to the bank's scope and to the data 245 of the subject's own institution and its subordinate institutions; when a subject with the head-office report user role 238 queries 221 a report 214, no restriction 242 is imposed.
A fine-grained access policy element is generally a policy function whose inputs are parameters such as the user, role, operation, object and context, and whose output is an access constraint that limits the scope of a single execution of a function.
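The data-processing scenario above (sub-branch teller, sub-branch auditor and head-office compound member) as an added Python example, not the patent's own code: policy functions take the run-time context and return a row-level constraint, FA binds each named policy element to exactly one function privilege and is checked for injectivity, and authorization applies the coarse (role, function) check before the fine-grained one, failing closed when a right has no policy element. Role names, the institution tree, the table rows and the policy names are constructed for illustration.

```python
"""Fine-grained access control with the four-tuple (role, object, operation, policy).

Roles, institutions, table rows and policy names are constructed sample data for
the data-processing scenario above; none of it comes from the patent."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Context:
    """Subject attributes passed to a policy function at run time."""
    user: str
    role: str
    institution: str


Function = Tuple[str, str]            # (object, operation)
Right = Tuple[str, Function]          # function privilege: (role, function)
Row = Dict[str, str]                  # one record of a data table
Constraint = Callable[[Row], bool]    # what a policy function returns
PolicyFunction = Callable[[Context], Constraint]

# Institution tree, child -> parent (constructed).
PARENT = {"branch_a": "head_office", "subbranch_a1": "branch_a",
          "branch_b": "head_office", "subbranch_b1": "branch_b"}


def institution_tree(root: str) -> Set[str]:
    """root plus every institution subordinate to it."""
    tree = {root}
    while True:
        new = {c for c, p in PARENT.items() if p in tree} - tree
        if not new:
            return tree
        tree |= new


# Policy functions: from the run-time context to a row-level constraint.
def own_entries_only(ctx: Context) -> Constraint:
    """The data entry person must equal the accessing user."""
    return lambda row: row["entered_by"] == ctx.user


def own_institution_and_below(ctx: Context) -> Constraint:
    """Rows of the subject's own institution and its subordinate institutions."""
    allowed = institution_tree(ctx.institution)
    return lambda row: row["institution"] in allowed


def unrestricted(ctx: Context) -> Constraint:
    return lambda row: True


QUERY: Function = ("data_table", "query")
MODIFY: Function = ("data_table", "modify")
DELETE: Function = ("data_table", "delete")

# RIGHTS: the coarse-grained (role, function) privileges.
RIGHTS: Set[Right] = {("teller", QUERY), ("teller", MODIFY), ("teller", DELETE),
                      ("auditor", QUERY), ("compound_member", QUERY)}

# FG_POLICIES: named policy elements, each bound to one policy function,
# and FA: FG_POLICIES -> RIGHTS, which must be injective.
FG_POLICIES: Dict[str, PolicyFunction] = {
    "teller_query_own": own_entries_only,
    "teller_modify_own": own_entries_only,
    "teller_delete_own": own_entries_only,
    "auditor_query_tree": own_institution_and_below,
    "compound_query_all": unrestricted,
}
FA: Dict[str, Right] = {
    "teller_query_own": ("teller", QUERY),
    "teller_modify_own": ("teller", MODIFY),
    "teller_delete_own": ("teller", DELETE),
    "auditor_query_tree": ("auditor", QUERY),
    "compound_query_all": ("compound_member", QUERY),
}


def fa_is_injective(fa: Dict[str, Right] = FA) -> bool:
    """No two policy elements map to the same function privilege."""
    return len(set(fa.values())) == len(fa)


def policy_for(right: Right, fa: Dict[str, Right] = FA) -> Optional[str]:
    """Inverse of FA; well defined only because FA is injective."""
    return next((name for name, r in fa.items() if r == right), None)


def authorize(ctx: Context, func: Function, rows: List[Row]) -> Optional[List[Row]]:
    """Coarse check: (role, function) must be a right. Fine check: the bound policy
    function yields a constraint that filters the rows. None means denied outright;
    a right without a policy element is denied too (fail closed)."""
    right = (ctx.role, func)
    if right not in RIGHTS:
        return None
    name = policy_for(right)
    if name is None:
        return None
    keep = FG_POLICIES[name](ctx)
    return [row for row in rows if keep(row)]


# Constructed rows of the data table.
ROWS: List[Row] = [
    {"id": "1", "entered_by": "alice", "institution": "subbranch_a1"},
    {"id": "2", "entered_by": "bob", "institution": "subbranch_a1"},
    {"id": "3", "entered_by": "dan", "institution": "branch_a"},
    {"id": "4", "entered_by": "eve", "institution": "subbranch_b1"},
]


def visible_ids(ctx: Context, func: Function) -> Optional[List[str]]:
    """Row ids the subject may reach through func, or None when denied."""
    result = authorize(ctx, func, ROWS)
    return None if result is None else [row["id"] for row in result]


if __name__ == "__main__":
    print(visible_ids(Context("alice", "teller", "subbranch_a1"), MODIFY))        # ['1']
    print(visible_ids(Context("bob", "auditor", "branch_a"), QUERY))              # ['1', '2', '3']
    print(visible_ids(Context("carol", "compound_member", "head_office"), QUERY))  # ['1', '2', '3', '4']
    print(visible_ids(Context("bob", "auditor", "branch_a"), MODIFY))             # None
```

The same policy function (own_entries_only) is bound to three distinct policy elements, one per teller right, so FA stays injective even though the constraint logic is shared; a role that lacks the coarse right never reaches the policy function at all.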
The above are only two embodiments of the invention, and the invention is not limited to them; any obvious change made by a person skilled in the art without departing from the principle of the invention falls within the scope of the inventive concept and the claims.

Claims (10)

1. A method for a role-based access control model with fine-grained access control policies, characterized in that it comprises the steps of:
linking objects and operations to form a two-tuple, the function, which describes the permission to perform an operation on an object;
linking roles and functions by a mapping to form a two-tuple, the function privilege, which describes that a role is permitted to perform the operation on the object;
linking function privileges and fine-grained access control policies by a mapping to form a two-tuple, the fine-grained access control, so as to realise in the running environment access control precise to a part of an object or even the most fine-grained control of an object;
according to the associations between the requesting client and roles and between roles and functions, and according to the established fine-grained access control, authorizing access to the accessed object, wherein
the fine-grained access control policy is a predefined run-time dynamic policy function comprising two aspects: first, it describes the business-logic requirement that a user executing an operation has a set of permissions to access the object and that, depending on the fine-grained access control policy, these access permissions are constrained to a subset, the empty set or the full set of the accessed object; second, a constraint based on the external environment and contextual information, which determines at run time the subset of the accessed object;
the mapping of function privileges to fine-grained access control policies is an injective relation.
2. The method of the access control model of claim 1, characterized in that: the role is a job function within a particular organization with clearly defined responsibilities and rights, representing a qualification, right and responsibility; the set of roles is the role set.
3. The method of the access control model of claim 1, characterized in that: the function is the access permission to protected data or resources in a computer system; the set of functions is the function set, which is the power set of the Cartesian product of the object set and the operation set.
4. The method of the access control model of claim 1, characterized in that: the mapping from functions to operations yields the operation set of a specified function; the mapping from functions to objects yields the object set of a specified function.
5. The method of the access control model of claim 1, characterized in that: the mapping from roles to functions yields the set of functions mapped to a role; roles and functions are in a many-to-many relation, so a function may be assigned to one or more roles and a role may be assigned one or more functions.
6. A method for a role-based access control model with fine-grained access control policies, characterized in that it comprises the steps of:
linking objects and operations to form a two-tuple, the function, which describes the permission to perform an operation on an object;
linking roles and functions by a mapping to form a two-tuple, the function privilege, which describes that a role is permitted to perform the operation on the object;
constructing objects, operations, roles and fine-grained access control policies, according to their hierarchical relation, into the four-tuple of fine-grained access control, so as to realise in the running environment access control precise to a part of an object or even the most fine-grained control of an object;
according to the associations between the requesting client and roles and between roles and functions, and according to the established fine-grained access control, authorizing access to the accessed object, wherein
the fine-grained access control policy is a predefined run-time dynamic policy function comprising two aspects: first, it describes the business-logic requirement that a user executing an operation has a set of permissions to access the object and that, depending on the fine-grained access control policy, these access permissions are constrained to a subset, the empty set or the full set of the accessed object; second, a constraint based on the external environment and contextual information, which determines at run time the subset of the accessed object.
7. The method of the access control model of claim 6, characterized in that: the role is a job function within a particular organization with clearly defined responsibilities and rights, representing a qualification, right and responsibility; the set of roles is the role set.
8. The method of the access control model of claim 6, characterized in that: the function is the access permission to protected data or resources in a computer system; the set of functions is the function set, which is the power set of the Cartesian product of the object set and the operation set.
9. The method of the access control model of claim 6, characterized in that: the mapping from functions to operations yields the operation set of a specified function; the mapping from functions to objects yields the object set of a specified function.
10. The method of the access control model of claim 6, characterized in that: the mapping from roles to functions yields the set of functions mapped to a role; roles and functions are in a many-to-many relation, so a function may be assigned to one or more roles and a role may be assigned one or more functions.
CNB2006100833152A 2006-06-02 2006-06-02 Method for role-based access control model with precise access control strategy Active CN100458813C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2006100833152A CN100458813C (en) 2006-06-02 2006-06-02 Method for role-based access control model with precise access control strategy

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2006100833152A CN100458813C (en) 2006-06-02 2006-06-02 Method for role-based access control model with precise access control strategy

Publications (2)

Publication Number Publication Date
CN1885297A CN1885297A (en) 2006-12-27
CN100458813C true CN100458813C (en) 2009-02-04

Family

ID=37583447

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2006100833152A Active CN100458813C (en) 2006-06-02 2006-06-02 Method for role-based access control model with precise access control strategy

Country Status (1)

Country Link
CN (1) CN100458813C (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20210326

Address after: 310000 Room 101, 1 / F, room 801, 802, 803, 804, 8 / F, room 1101, 1102, 11 / F, 38 Qingchun Road, Xiacheng District, Hangzhou City, Zhejiang Province

Patentee after: Hangyin Consumer Finance Co.,Ltd.

Address before: 100071 Beijing city Fengtai District Haiying Road No. 1

Patentee before: Shi Jie