CN102957697A - Multi-domain RBAC (Role-Based Access Control) model-based access control policy composition method - Google Patents

Publication number: CN102957697A
Authority: CN (China)
Prior art keywords: role, authority, mapping, roles, domain
Legal status: Pending
Application number: CN2012104180004A
Other languages: Chinese (zh)
Inventors: 潘理, 訾小超, 周鑫, 张清源
Current assignee: Shanghai Jiaotong University
Original assignee: Shanghai Jiaotong University
Application filed by Shanghai Jiaotong University

Abstract

A multi-domain RBAC model-based access control policy composition method includes the following steps: the role trees within each single domain are merged; the indirect permission sets of the roles, i.e. the A-inherited permission set and the I-inherited permission set, are then calculated; finally, the permission sets of roles across domains are compared recursively, the roles to be split are determined, inter-domain role mappings are established, and a global access policy is generated. The method takes as input the RBAC policies of the domains to be composed, establishes the inter-domain role mapping set according to the role-permission assignment relations, the role hierarchies and the inter-role SoD (Separation of Duties) constraints in the original domains, and generates and outputs a global access control policy.

Description

A multi-domain access control policy composition method based on the RBAC model
Technical field
The present invention is a policy composition method in the field of network access control, specifically a multi-domain policy composition method for role-based access control (RBAC).
Background art
With the development of the Internet and society, collaboration between different fields is becoming increasingly important, and more and more resources need to be shared across domains. This calls for an access control policy that preserves autonomy within each domain while allowing inter-domain resource sharing to the greatest possible extent. Role-based access control (RBAC) offers flexible features such as role hierarchies, least privilege and separation of duty, which make it suitable for multi-domain environments and for formulating a global security policy that meets the needs of secure inter-domain interoperation. At present, RBAC policy composition relies mainly on inter-domain role mapping, and the methods fall into two classes: permission-based and non-permission-based. Non-permission-based methods map roles according to level or credit, which is coarse-grained. The present invention is a permission-based RBAC policy composition method: every role mapping in the method is derived from the roles' permissions, and the goal is to guarantee that no role obtains, after composition, a permission it did not originally have. It is therefore better suited to environments with high security requirements.
A literature search of the prior art shows that in 2005 Shafiq et al., in the paper "Secure Interoperation in a Multi-Domain Environment Employing RBAC Policies" published in "Knowledge and Data Engineering", proposed a multi-domain access control policy composition method based on RBAC policies. Its main idea is to create new roles from the common permissions and common junior roles of roles in the two domains and to map those new roles. The mapping process guarantees that mapped roles have identical permissions and identical hierarchical structure, so security is high. However, it supports only the permission-inheritance hierarchy and not policy composition over the activation hierarchy, it introduces a large number of new roles and a complicated role hierarchy, and its exponential complexity reduces the practicality of the method.
Summary of the invention
Building on the above research, the present invention proposes a more complete RBAC policy composition method. First, to guarantee the security of role mapping, the invention follows the principle that a role mapping should always be made in the direction of reduced permissions. Second, to improve the flexibility of policy composition and reduce the complexity of the method, the invention proposes that role mappings be classified by transitivity, inheritance type and directionality, and applies this classification in the composition method: different types of role mapping are established according to the relation between the roles' permission sets, while the cyclic inheritance and separation of duty (SoD) conflicts that can arise during role mapping are taken into account. Compared with the method of Shafiq, the invention introduces fewer new roles and new inheritance relations and performs better.
To achieve this, the technical solution adopted is as follows. The RBAC policies of the two domains to be composed are the input of the method. Based on the role-permission relations and role hierarchies in the original domains, a set of inter-domain role mappings is established, policy conflicts that may arise during mapping are detected, and a global access control policy is produced as output; this global policy is then used to realise interoperation between the domains. The basic idea of establishing a role mapping is to compare the permission sets of the two roles to be mapped and, according to the result, establish a mapping of the appropriate type. Because role splitting is used, the permissions of mapped roles are guaranteed to be exactly equal.
Several related definitions are given first. The traditional RBAC96 model can be expressed as a triple (RH, UA, PA), defined as follows:
Definition 1
1) Users, Roles, Operations and Objects denote the sets of all users, roles, operations and objects respectively.
2) $\text{Permissions} = 2^{(\text{Operations} \times \text{Objects})}$ denotes the set of all permissions.
3) Figure BDA00002314083200021: a many-to-many mapping from the permission set to the role set, representing the permissions assigned to roles.
4) Figure BDA00002314083200022: a many-to-many mapping from the user set to the role set, representing the roles assigned to users.
5) Figure BDA00002314083200023: an inheritance relation on the role hierarchy, denoted $\le$.
The present invention is based mainly on the widely used ERBAC model. On top of the RBAC96 model, this model divides role inheritance into A-inheritance ($\le_A$) and I-inheritance ($\le_I$), which correspond to role activation and direct permission inheritance respectively. RH above can accordingly be divided into $RH_A$ and $RH_I$, the A-inheritance set and the I-inheritance set. An ERBAC system can therefore be expressed as the 4-tuple ($RH_A$, $RH_I$, UA, PA). A-inheritance and I-inheritance are defined as follows:
Definition 2: when (Figure BDA00002314083200031) $(u, r) \in UA$ and $r \le_A r'$, user u can activate role r; when $(u, r) \in UA$ and $r \le_I r'$, user u can hold permission p by activating role r', where $(p, r) \in PA$.
Based on the above definitions, a role's permissions are divided into direct permissions and indirect permissions, and its indirect permission set is further divided into the permissions obtained through I-inheritance and those obtained through A-inheritance. The permission sets are defined as follows:
Definition 3
1) Direct permission set $P_D(r)$: if $(p, r) \in PA$, then $p \in P_D(r)$.
2) Indirect permission set $P_U(r)$: the permissions obtained, after a user activates role r, through r's inheritance relations in the role hierarchy. It comprises the permissions of junior roles that r obtains directly and the permissions of junior roles that become available only when r activates them.
3) I-inherited permission set $P_{UI}(r)$: the permissions obtained directly, after a user activates role r, through r's inheritance relations in the role hierarchy.
4) A-inherited permission set $P_{UA}(r)$: the permissions that, after a user activates role r, become available only when r activates other junior roles in the role hierarchy.
Based on the above, the method of the invention comprises the following steps:
Step 1: merge the role trees within each individual domain;
Step 2: compute each role's indirect permission set, A-inherited permission set and I-inherited permission set;
Step 3: recursively compare the permission sets of roles across the domains, determine the roles that need to be split, establish the inter-domain role mappings, and form the global access policy.
Step 1 is specifically: the RBAC policy within a domain is combined into a single RBAC role tree, which serves as the input to RBAC policy composition. Where a domain has several top-level roles, a new role can be created that inherits all of these top-level roles and serves as the root of the role tree.
Step 2 is specifically: the indirect permission set, I-inherited permission set and A-inherited permission set of every role in the two domains are computed and stored as attributes of the original roles, for use in the permission-set comparison of step 3.
Step 3 is specifically: it covers four aspects, namely comparing role permission sets, role splitting, policy conflict detection and establishing role mappings. The definition of a role mapping and its three attributes are given first:
Definition 4
A role mapping is a role inheritance relation established, according to certain rules, between roles of different domains in order to realise secure inter-domain interoperation. The invention uses a 7-tuple of the form ($r_1$, A, $r_2$, B, trans, inher, direc) to represent a role mapping from $r_1$ to $r_2$, where $r_1$ is a role in domain A, $r_2$ is a role in domain B, and trans, inher and direc denote the transitivity, inheritance type and directionality of the mapping. The role mapping from $r_1$ in domain A to $r_2$ in domain B is also written $r_{A1} \to r_{B2}$.
1) Transitivity: indicates whether the role mapping inherits the role hierarchy of the original domain, in other words whether it inherits the role's indirect permissions. For a role mapping $r_{A1} \to r_{B2}$, if the mapping is transitive then $r_1$ holds all of $r_2$'s direct and indirect permissions; otherwise $r_1$ obtains only $r_2$'s direct permissions.
2) Inheritance type: indicates whether the relation between the two mapped roles is direct permission inheritance or role activation. For a role mapping $r_{A1} \to r_{B2}$, if the mapping is an A-inheritance then $r_1$'s access to $r_2$ must go through role activation; otherwise $r_1$ obtains $r_2$'s corresponding permissions directly.
3) Directionality: indicates whether the two mapped roles are peers. If a role mapping is bidirectional, the two roles are mapped to each other and can be converted into or activate one another; otherwise only one side can be converted into or activate the other.
Based on the above definitions, the direct permission sets and the indirect permission sets of roles across the domains are compared. The result determines whether the role mapping to be established is transitive and whether role splitting is needed, and the roles that need it are split. Next, each role is checked for an SoD (separation of duty) relation in its original domain, which determines the inheritance type of the mapping: if an SoD relation exists, an A-inheritance mapping is established, otherwise an I-inheritance mapping. Finally, the inter-domain role mappings are established according to these results, forming the global access control policy.
Compared with the prior art, the invention has the following beneficial effects: 1. the roles and inheritance relations of the original domains are fully preserved, i.e. the global policy does not affect the execution of local policies; 2. role mappings are established from the four permission sets of a role, which is finer-grained than earlier methods; 3. the cyclic inheritance conflicts and SoD conflicts that may arise during policy composition are avoided; 4. fewer new roles and new inheritance relations are produced than with earlier methods, so performance is better.
In summary, compared with related policy composition methods, every role mapping in the invention is derived from the roles' permissions, which guarantees that no role obtains, after composition, a permission it did not originally have; the method is therefore better suited to environments with high security requirements. The invention can establish more reasonable role mappings between different domains and form a complete global access control policy that realises secure inter-domain interoperation. With cross-domain collaboration increasingly frequent, it has broad application prospects.
Description of drawings
Other features, objects and advantages of the invention will become more apparent from the detailed description of non-limiting embodiments given with reference to the following drawings:
Fig. 1 is a schematic diagram of merging role trees within a domain.
Fig. 2 is a flow chart of establishing a role mapping.
Fig. 3 shows the role trees of the two domains before policy composition in the embodiment.
Fig. 4 shows the global role tree obtained in the embodiment.
Embodiment
The invention is described in detail below with reference to a specific embodiment. The embodiment will help those skilled in the art to understand the invention further but does not limit it in any form. It should be noted that those of ordinary skill in the art can make variations and improvements without departing from the concept of the invention; these all fall within the scope of protection of the invention.
Step 1: the main purpose of this step is to merge the RBAC policy within a domain into a role tree, i.e. to have one highest role that, as the root role, inherits all other roles. If a domain already has only one highest role, this step can be skipped. If a domain has several top-level roles, a new role can be created that inherits all of the top-level roles and serves as the root of the role tree.
As shown in Fig. 1, role tree C is the result of combining role tree A and role tree B. The role root is a newly created root role that inherits the root roles r1 and r4 of tree A and tree B. The combined tree C is the input to the policy composition method.
Step 2: this step computes three permission sets for every role in the two domains, for use in the permission-set comparison of step 3:
1. Compute the role's indirect permission set. Traverse every junior role of the role in the role tree; the union of the junior roles' direct permissions is the role's indirect permission set.
2. Compute the role's I-inherited permission set. Traverse every junior role of the role in the role tree; if the junior role is reached by direct inheritance, without having to activate other roles, add its direct permissions. The final result is the role's I-inherited permission set.
3. Compute the role's A-inherited permission set.
Computing a role's A-inherited permission set directly is rather complicated. However, a role's indirect permission set is exactly the union of its I-inherited and A-inherited permission sets, so the A-inherited permission set is obtained by subtracting the role's I-inherited permission set from the indirect permission set computed above.
These three permission sets must be computed for every role in the two domains to be composed; the results are used as role attributes in the subsequent policy composition.
Step 3: this step is the main part of the invention. Based on the role-permission relations and role hierarchies of the original domains, it establishes the set of inter-domain role mappings. The basic idea is to compare the permission sets of the two roles to be mapped and to establish a mapping of the appropriate type according to the result. Role splitting is used at the same time, which guarantees that the permissions of mapped roles are exactly equal. The core of the method is deciding which type of role mapping to establish; the main rules are as follows:
1. The two roles' direct and indirect permissions are all equal. A transitive mapping is established between the two roles.
2. The two roles' indirect permissions are equal but their direct permissions are not. Role splitting is first used to separate out the common part of the two roles' direct permissions, and a transitive mapping is then established between the two roles whose direct permissions are equal (including roles produced by splitting).
3. The two roles' indirect permissions are not equal. Only the direct permissions are considered. The handling is similar to rule 2: role splitting is performed first, then role mapping, and a non-transitive mapping is established.
4. Before a role mapping is established, check whether either role has an SoD relation in its original domain. If so, an A-inheritance mapping is established; otherwise an I-inheritance mapping is established.
Fig. 2 is the flow chart of establishing the mapping relation between two roles. For two given roles, their indirect permissions are compared first to determine the transitivity of the mapping. Their direct permissions are then compared to decide whether role splitting is needed. If it is, a new role is created at the corresponding position in the role tree of each of the two roles, and its direct permissions are the intersection of the two original roles' direct permissions. The original role becomes the senior role of the new role, and its own permissions are unchanged. Next, the inheritance type of the mapping is determined by whether the roles to be mapped have a separation of duty relation with other roles in their own domains. Finally, a role mapping of the corresponding type is established from the attributes determined in the preceding steps.
The pseudocode of the policy composition method of this embodiment is given below. The input of the method is the root roles of the two domains. Comparison starts from the root roles and then recursively traverses all roles of the two domains (lines 30-33), completing the role mapping between the two domains. For two roles from different domains, the method first checks whether either role has a separation of duty relation with other roles in its own domain (lines 1-3); the result later determines whether an A-inheritance or an I-inheritance mapping is established. It then compares the two roles' indirect permission sets (lines 4, 6, 17) and, according to the result, establishes a transitive or non-transitive mapping. It then compares the roles' direct permissions (lines 7-16, 18-29) to decide whether role splitting is needed. The main functions used in the pseudocode are listed in Table 1.
Role-Integrate(root1, root2)
1: Bool Inheri = 0
2: if (root1 has a SoD relation or root2 has a SoD relation)
3:     Inheri = 1
4: if (PD(root1) = PD(root2) and PUI(root1) = PUI(root2) and PUA(root1) = PUA(root2))
5:     Create_Mapping(root2, root1, TRANSITIVE, Inheri, BIDIREC)
6: else if (PUI(root1) = PUI(root2) and PUA(root1) = PUA(root2))
7:     [condition: Figure BDA00002314083200071]
8:         newRole = Role-Split(root1, PDSet(root2))
9:         Create_Mapping(newRole, root2, TRANSITIVE, Inheri, BIDIREC)
10:
11:         newRole = Role-Split(root2, PDSet(root1))
12:         Create_Mapping(root1, newRole, TRANSITIVE, Inheri, BIDIREC)
13:     else
14:         newRole1 = Role-Split(root1, Common-PSet(root1, root2))
15:         newRole2 = Role-Split(root2, Common-PSet(root1, root2))
16:         Create_Mapping(newRole1, newRole2, TRANSITIVE, Inheri, BIDIREC)
17: else
18:     if (PD(root1) = PD(root2))
19:         Create_Mapping(root2, root1, UNTRANSITIVE, Inheri, BIDIREC)
20:     [condition: Figure BDA00002314083200073]
21:         newRole = Role-Split(root1, PDSet(root2))
22:         Create_Mapping(newRole, root2, UNTRANSITIVE, Inheri, BIDIREC)
23:     [condition: Figure BDA00002314083200081]
24:         newRole = Role-Split(root2, PDSet(root1))
25:         Create_Mapping(root1, newRole, UNTRANSITIVE, Inheri, BIDIREC)
26:     else
27:         newRole1 = Role-Split(root1, Common-PSet(root1, root2))
28:         newRole2 = Role-Split(root2, Common-PSet(root1, root2))
29:         Create_Mapping(newRole1, newRole2, UNTRANSITIVE, Inheri, BIDIREC)
30: for each childRole in ChildrenRole(root2)
31:     Role-Integrate(root1, childRole)
32: for each childRole in ChildrenRole(root1)
33:     Role-Integrate(childRole, root2)
Table 1: Functions used in the method
Figure BDA00002314083200082
The main function of Role-Split(r, P) is to perform role splitting; its procedure is as described in step 3.
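The permission-set computation of step 2 and the mapping decision of step 3, as an added Python example that is not code from the patent. The `Role` and `Mapping` types, the permission names and the two sample domains are constructed for illustration. It assumes role trees without cycles, derives the split decision from the arguments passed to Role-Split (the conditions on pseudocode lines 7, 10, 20 and 23 are not legible on the page), skips role pairs that share no direct permission, and visits each pair once.

```python
from dataclasses import dataclass, field
from typing import NamedTuple


@dataclass
class Role:
    name: str                                      # unique across both domains
    direct: frozenset                              # direct permission set P_D(r)
    children: list = field(default_factory=list)   # (junior Role, "I" or "A") edges
    sod: bool = False                              # has an SoD relation in its own domain


class Mapping(NamedTuple):
    src: str
    dst: str
    shared: frozenset   # permissions the two mapped endpoints both hold directly
    split_src: bool     # src must be split so the new role holds exactly `shared`
    split_dst: bool
    transitive: bool
    inher: str          # "A" = role activation, "I" = direct inheritance


def _reach(role, i_only):
    """Union of P_D over junior roles; with i_only, follow I-inheritance edges only."""
    perms = set()
    for child, kind in role.children:
        if i_only and kind != "I":
            continue
        perms |= child.direct | _reach(child, i_only)
    return perms


def p_u(role):
    return frozenset(_reach(role, False))     # indirect set P_U(r)


def p_ui(role):
    return frozenset(_reach(role, True))      # I-inherited set P_UI(r)


def p_ua(role):
    return p_u(role) - p_ui(role)             # step 2: P_UA = P_U minus P_UI


def plan_mapping(r1, r2):
    """Decide the mapping for one role pair, or None when nothing can be shared."""
    shared = r1.direct & r2.direct
    if not shared and r1.direct != r2.direct:
        return None   # assumption: a split would create a role with no permissions
    return Mapping(
        r1.name, r2.name, shared,
        split_src=shared != r1.direct,   # r1 holds more than the common part
        split_dst=shared != r2.direct,
        transitive=p_ui(r1) == p_ui(r2) and p_ua(r1) == p_ua(r2),
        inher="A" if (r1.sod or r2.sod) else "I",
    )


def integrate(root1, root2, out=None, seen=None):
    """Recursive traversal of pseudocode lines 30-33, with a visited set added."""
    out = [] if out is None else out
    seen = set() if seen is None else seen
    key = (root1.name, root2.name)
    if key in seen:
        return out
    seen.add(key)
    mapping = plan_mapping(root1, root2)
    if mapping is not None:
        out.append(mapping)
    for child, _ in root2.children:
        integrate(root1, child, out, seen)
    for child, _ in root1.children:
        integrate(child, root2, out, seen)
    return out


def sample_domains():
    """Two constructed domains; A.a4 carries an SoD constraint in domain A."""
    a3 = Role("A.a3", frozenset({"db:read"}))
    a4 = Role("A.a4", frozenset({"pay:issue"}), sod=True)
    a1 = Role("A.a1", frozenset({"log:read", "cfg:write"}), [(a3, "I"), (a4, "A")])
    b5 = Role("B.b5", frozenset({"db:list"}))
    b3 = Role("B.b3", frozenset({"db:read"}), [(b5, "I")])
    b4 = Role("B.b4", frozenset({"pay:issue"}))
    b1 = Role("B.b1", frozenset({"log:read"}), [(b3, "I"), (b4, "A")])
    return a1, b1


if __name__ == "__main__":
    for m in integrate(*sample_domains()):
        print(m)
```

In every mapping produced, `shared` is a subset of both roles' direct permission sets, which is the property the method relies on to ensure that no role gains a permission it did not already hold.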
Based on the above technical description, an example is given below to illustrate the effectiveness of the invention. Note that the parameters used in the experiment do not affect the generality of the invention.
Figs. 3 and 4 give the details of the example. The two role trees in Fig. 3 represent the role hierarchies of the two domains, where $r_1$ and $r_a$ are the highest roles of the two domains. In the domain on the left, roles $r_4$ and $r_5$ have a separation of duty relation, so their relation to $r_2$ is A-inheritance.
Fig. 4 shows the global role tree obtained after applying the policy composition method of the invention to these two domains, as in Fig. 4(a). To keep the figure from becoming too complicated, the role mappings established are not drawn on the global role tree but are shown in Fig. 4(b). The global role tree involves two main changes: 1. the two original top-level roles $r_1$ and $r_a$ are each split into two roles, forming the inheritance relations shown in Fig. 4, where the new roles $r_7$ and $r_g$ produced by splitting are drawn with double circles; 2. seven role mappings are established between the two domains. These seven mappings include four different types, described below:
1. A solid-line hollow double arrow denotes an I-inheritance non-transitive bidirectional mapping. This mapping is established when the mapped roles' direct permissions are equal and no SoD relation exists. [mapping names missing from the page] all belong to this type. Its characteristics: the mapping role inherits the mapped role's permissions directly, by I-inheritance, in the direction of the arrow, and can inherit only the direct permissions.
2. A solid-line filled double arrow denotes an I-inheritance transitive bidirectional mapping. This mapping is established when all permissions of the mapped roles are equal and no SoD relation exists. The mappings in Figure BDA00002314083200092 belong to this type. Its characteristics: the mapping role inherits the mapped role's permissions directly, by I-inheritance, in the direction of the arrow, and inherits both the direct and the indirect permissions.
3. A dashed-line hollow double arrow denotes an A-inheritance non-transitive bidirectional mapping. This mapping is established when the mapped roles' direct permissions are equal and an SoD relation exists. The mappings in Figure BDA00002314083200093 belong to this type. Its characteristics: the relation between the mapping role and the mapped role is role activation, and after activation only the mapped role's direct permissions are held.
4. A dashed-line filled double arrow denotes an A-inheritance transitive bidirectional mapping. This mapping is established when all permissions of the mapped roles are equal and an SoD relation exists. The mappings in Figure BDA00002314083200094 belong to this type. Its characteristics: the relation between the mapping role and the mapped role is role activation, and after activation the mapped role's direct and indirect permissions are held.
Specific embodiments of the invention have been described above. It should be understood that the invention is not limited to these specific embodiments; those skilled in the art can make various variations or modifications within the scope of the claims without affecting the substance of the invention.

Claims (6)

  1. A multi-domain access control policy composition method based on the RBAC model, characterized by comprising the following steps:
    Step 1: merge the role trees within each individual domain;
    Step 2: compute each role's indirect permission set, A-inherited permission set and I-inherited permission set;
    Step 3: recursively compare the permission sets of roles across the domains, determine the roles that need to be split, establish the inter-domain role mappings, and form the global access policy.
  2. The method according to claim 1, characterized in that step 1 is specifically: the RBAC policy within a domain is combined into a single RBAC role tree, which serves as the input to RBAC policy composition; where a domain has several top-level roles, a new role can be created that inherits all of these top-level roles and serves as the root of the role tree.
  3. The method according to claim 1, characterized in that step 2 is specifically: the indirect permission set, I-inherited permission set and A-inherited permission set of every role in the two domains are computed and stored as attributes of the original roles, for use in the permission-set comparison of step 3; a role's permission sets are divided into the direct permission set, the indirect permission set, the I-inherited permission set and the A-inherited permission set.
  4. The method according to claim 3, characterized in that, in step 2, the four permission sets of a role are defined as follows:
    1) Direct permission set $P_D(r)$: if $(p, r) \in PA$, then $p \in P_D(r)$;
    2) Indirect permission set $P_U(r)$: the permissions obtained, after a user activates role r, through r's inheritance relations in the role hierarchy, comprising the permissions of junior roles that r obtains directly and the permissions of junior roles that become available only when r activates them;
    3) I-inherited permission set $P_{UI}(r)$: the permissions obtained directly, after a user activates role r, through r's inheritance relations in the role hierarchy;
    4) A-inherited permission set $P_{UA}(r)$: the permissions that, after a user activates role r, become available only when r activates other junior roles in the role hierarchy.
  5. The method according to claim 1, characterized in that step 3 is specifically: the permission sets of the two roles to be mapped are compared and, according to the result, a mapping of the appropriate type is established; role splitting is used at the same time, which guarantees that the permissions of mapped roles are exactly equal; the type of role mapping to be established is decided as follows:
    The two roles' direct and indirect permissions are all equal: an associated bidirectional mapping is established between the two roles;
    The two roles' indirect permissions are equal but their direct permissions are not: role splitting is first used to separate out the common part of the two roles' direct permissions, and an associated bidirectional mapping is then established between the two roles whose direct permissions are equal;
    The two roles' indirect permissions are not equal: only the direct permissions are considered; role splitting is performed first, then role mapping, and a non-associated bidirectional mapping is established;
    Before a role mapping is established, check whether either role has an SoD relation in its original domain; if so, an A-inheritance mapping is established, otherwise an I-inheritance mapping is established.
  6. The method according to claim 5, characterized in that, for two given roles, their indirect permissions are compared first to determine the transitivity of the mapping; their direct permissions are then compared to decide whether role splitting is needed; if it is, a new role is created at the corresponding position in the role tree of each of the two roles, and its direct permissions are the intersection of the two original roles' direct permissions; the original role becomes the senior role of the new role, and its own permissions are unchanged; next, the inheritance type of the mapping is determined by whether the roles to be mapped have a separation of duty relation with other roles in their own domains; finally, a role mapping of the corresponding type is established from the attributes so determined.

Application CN2012104180004A (priority date 2012-10-26, filing date 2012-10-26): Multi-domain RBAC (Role-Based Access Control) model-based access control policy composition method. Status: Pending.
Publication: CN102957697A (en), published 2013-03-06.
Family ID: 47765922. Country: CN.
Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20130306