CN107679099B - Access control element graph construction method, policy description method, access control judgment method and framework - Google Patents

Info

Publication number: CN107679099B (granted patent; earlier publication CN107679099A)
Application number: CN201710815136.1A
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 李昊, 陈震宇, 张敏, 付艳艳
Assignee (original and current): Institute of Software of CAS
Legal status: Active (as listed by Google Patents, which performed no legal analysis)

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F16/00 Information retrieval; Database structures therefor; File system structures therefor > G06F16/20 Information retrieval of structured data, e.g. relational data > G06F16/28 Databases characterised by their database models, e.g. relational or object models > G06F16/284 Relational databases
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F16/00 Information retrieval; Database structures therefor; File system structures therefor > G06F16/20 Information retrieval of structured data, e.g. relational data > G06F16/22 Indexing; Data structures therefor; Storage structures > G06F16/2228 Indexing structures > G06F16/2264 Multidimensional index structures
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F16/00 Information retrieval; Database structures therefor; File system structures therefor > G06F16/90 Details of database functions independent of the retrieved data types > G06F16/901 Indexing; Data structures therefor; Storage structures > G06F16/9024 Graphs; Linked lists

Abstract

The invention discloses an access control element graph construction method, a policy description method, an access control judgment method and a framework. The access control method comprises the following steps: creating a node index and a subject-object state transition index for the access control element graph; for a received access request, locating the storage positions of the subject and the object in the access control element graph through their node IDs using the node index; then finding, through the subject-object state transition index, the latest subject and the latest object that the requesting subject and object have become through their state changes; retrieving the access control policies whose judgment result part refers simultaneously to the latest subject, the latest object and the requested operation; and matching the paths between the latest subject and the latest object in the access control element graph, one by one, against the path pattern of the access control condition part of each retrieved policy. If a path fitting a path pattern is found, the access request is allowed; otherwise it is rejected.

Description

Access control element graph construction method, policy description method, access control judgment method and framework
Technical Field
The invention belongs to the field of access control, and in particular relates to an access control element graph construction method, an access control policy description method, an access control judgment method and an access control framework.
Background
In the big data era, enterprises and organizations attach ever more importance to the value of data and have begun to collect, store, analyze and exploit big data. Big data applications are "data processing" centric: multiple systems and multiple users typically access the same data set. During data processing, various relations are established between subjects and objects, such as a "consultation relation" between a doctor and a patient or a "management relation" between a project manager and programmers. At the same time, the processing flow continually changes the security states of subjects and objects: the security state of a user before accessing certain sensitive data differs from the state after that access, and the security state of sensitive data before and after a user accesses it may likewise differ. Access control in big data applications therefore often has to take into account the associations and state changes that arise during processing. For example, in a medical big data system the data set surrounding an electronic payment bill has the following access control requirements: (1) a doctor may issue an electronic payment bill only for patients the doctor has treated; (2) before medicine is dispensed, charging staff may modify the electronic payment bill according to the patient's needs; (3) a pharmacy nurse cannot access an unpaid bill, only a paid one. Expressing such requirements, which involve associations between subjects and objects and changes of their states within a data processing flow, calls for new access control technology.
Some existing research touches on this problem.
First, graph-based authorization management. Because graphs are good at expressing associations, there is authorization management work based on graph access control. Such schemes exploit the graph's freedom from a fixed schema: compared with traditional authorization descriptions such as the access control matrix, expressing authorization information as a graph improves the flexibility of authorization management. However, these schemes only describe authorization relations in graph form; they lack an effective way to express the context of the associations between subjects and objects and the changes of subject and object state during big data processing, and therefore cannot meet the requirements above.
Second, relationship-based access control in social networks. This work also uses relationships between subjects to describe access control policies and enforce access control, for example to describe and enforce a requirement such as "friends of friends cannot access my attribute data". While this extends the descriptive and enforcement capabilities of access control to some extent, it is limited to associations between subjects, such as the "friend" relation, and lacks a way to enforce access control based on changes of subject state and on associations between objects.
Third, provenance-based access control. This work describes the state changes of a data object within a processing flow on the basis of the Open Provenance Model (OPM), and provides a way to describe the data processing flow around a subject in OPM terms. It can distinguish the different security states an object passes through during processing and refine access control to the granularity of those states: for example, data X may be accessible to both user A and user B, but once a "submit" operation has occurred nobody may access it any more. However, this OPM-graph-based work cannot describe subject state changes during processing and the associations between subjects and objects in one graph. That is, it describes only one access control element, object state change (provenance data), and does not support the other elements. Graph-based access control work of this kind therefore fails to meet the access control requirements of the big data applications described above.
In summary, although the above work uses graphs for authorization management and access control, none of it meets the access control requirements of a "data processing" centric big data application, and the goal cannot be reached by simply extending that work. There is no method that can describe, and then enforce, access control requirements built around the changing relations between subjects and objects and the changing security states of subjects and objects generated in a data processing flow. The present invention therefore provides a new graph-based access control framework and implementation method for describing and enforcing such requirements.
Disclosure of Invention
In view of the above technical problems, the present invention provides a graph-based access control framework and an implementation method thereof to meet the fine-grained access control requirements of "data processing" centric big data applications, so that policies can be expressed and enforced at fine granularity over access control elements such as the associations between subjects and between objects and the security states of subjects and objects.
The basic principle is as follows. Based on graphs and path patterns, an access control element graph construction method is provided that covers the access control elements of associations between subjects, associations between objects and the security states of subjects and objects, describing these elements in graph form. On that basis, a graph-based access control policy description method, access control judgment method and access control framework are provided, realizing authorization and access control over these elements and meeting the needs of "data processing" centric big data applications. A hierarchical index construction method for the access control element graph is further provided to improve the efficiency of enforcement. Finally, on top of the basic graph-based framework and method, extension methods for role-based access control (RBAC) and mandatory access control (MAC) are provided, so that RBAC and MAC are supported.
Specifically, in order to achieve the technical purpose, the invention adopts the following technical scheme:
a graph-based access control framework and an implementation method thereof comprise the following steps:
1) constructing an access control element graph;
The access control element graph describes the operation relation between subjects and objects, the creation and change of associations between subjects and objects, and the change of subject and object security states in the data processing flow; it is the core concept of the scheme. It is built from the history of subject operations on objects: each operation of a subject on an object in the access control system gives rise to the associations above and to changes of the security states of the subject and object, and these changes are recorded in graph form, i.e. as the access control element graph.
Further, the access control element graph is an attribute graph composed of nodes and edges; each node or edge may carry an attribute set describing its characteristics.
Further, a single attribute in the attribute set is a key-value pair <key, value>, where key is the attribute name and value is the attribute value.
Further, an edge must have a start node and an end node, a direction and a label. The direction may be unidirectional or bidirectional, drawn as a single or a double arrow, and the label gives the semantic meaning of the edge.
Further, the access control element graph represents subjects, objects and operations as nodes drawn with different shapes: subjects and objects as circles and operations as rectangles, as shown in fig. 1, where subject X operates on objects A and B, an association is thereby established between A and B, and subject Y then operates on object B.
Further, the access control element graph represents associations between subjects, associations between objects, and the state transitions of subjects and objects as edges, labelled with the name of the association or with the keyword "state transition", as shown in fig. 1.
Further, the access control element graph represents the initiating relation between a subject and an operation and the action relation between an operation and an object as edges labelled with the keywords "initiate" and "action", as shown in fig. 1.
2) Performing access control policy description based on the access control element graph;
Before policies can be described, paths in the access control element graph need a textual notation.
Further, a path is the sequence of edges and nodes traversed from one node to another, written as follows: a subject or object node is written in parentheses "()" with its ID inside, e.g. (a) is the subject or object with ID a; an operation is written in braces "{}" with its ID inside, e.g. {x} is the operation with ID x; an edge is written -[ ]->, the arrow giving its direction and the keyword inside the brackets giving its label, e.g. <-[state transition]- is an edge labelled "state transition" pointing from right to left; every edge must have a start node and an end node, e.g. (a)-[initiate]->{b} states that the subject with ID a initiates the operation with ID b; attributes are separated from the ID of a node or edge by "|" and written as a sequence of <key, value> pairs, e.g. (a|<k1,v1><k2,v2>) is the subject or object node with ID a whose attribute k1 equals v1 and whose attribute k2 equals v2. The textual description of a path is the description of its sequence of edges and nodes in this notation; for example, the path in fig. 2 is written (a2|<k1,v1><k2,v2>)<-[state transition]-(a1)-[initiate]->{b}-[action]->(c1)-[state transition]->(c2).
An access control policy has two parts: an access control condition, and the access control judgment result that applies when the condition is satisfied.
Further, both the access control condition and the access control judgment result are described as path patterns over the access control element graph.
Further, a path pattern is an abstract description of path characteristics using a few special symbols. The number of edges in a segment of the path is given with "@": "@" alone denotes any number of edges, including 0; "@n" denotes exactly n edges; and "@n1~n2" denotes between n1 and n2 edges, where n, n1 and n2 are integers greater than or equal to 0 and n1 is less than n2. For example, (a|<k1,v1>)-[state transition@1~3]->(b) denotes that the subject or object a whose attribute k1 equals v1 becomes the new subject or object b after 1 to 3 state transitions. The symbol "$" marks a node as a variable, e.g. ($a|<k1,v1>) denotes every subject or object node whose attribute k1 equals v1.
Further, an access control policy has the form "access control condition => access control judgment result", and the scope of a variable is the whole policy. For example, the policy whose condition is ($a)<-[action]-{x}, ($a)-[state transition]->($b)-[state transition@]->($c)<-[action]-{y}<-[initiate]-($d|<k1,v1>) and whose judgment result is ($d)-[initiate]->{y}-[action]->($c) states that a subject whose attribute k1 equals v1 may perform the operation with ID y on the object only after the operation with ID x has been performed on it and the object has changed state since. Such a policy gives an object different access rights in its different security states, and can express requirements such as "a pharmacy nurse may read an electronic payment bill only after the submit operation" in a medical big data application.
3) Performing access control judgment according to the policy;
the user initiated access request can be represented by a triple (object, op, object), that is, an op operation request of the subject object to the object. After the access control system receives the request, the flow of performing access control determination is as follows:
step A1: according to the ID subject of the main body, a path matching query of the graph is carried out in the access control element graph according to a mode of state transition (subject) - [ state transition ] - > ($ subject _ new), the longest path (namely the longest path with the ID of the main body in the access request as a starting point and a label as an edge of the state transition) which is in accordance with the mode (subject) - [ state transition ] - > ($ subject _ new) is found, and the subject _ new variable refers to the latest main body formed by the state change of the main body passing through the longest path.
Step A2: according to the ID object of the object, a path matching query of the graph is carried out in the access control element graph according to the mode of state transition (object) - [ state transition '@ ] - > ($ object _ new)', the longest path which is in accordance with the mode is found, and the object ID indicated by the $ object _ new variable in the path is the latest object formed by the state change of the object.
Step A3: the policy library is searched to find those policies whose access control determination result part is related to the subject $ subject _ new, the object $ new, and the operation op at the same time, that is, the determination result parts of these policies are ($ subject _ new) - [ initiate ] - > { op } - [ act ] - > ($ object _ new).
Step A4: the path between the latest state subject node $ subject _ new and the latest state object node $ object _ new is traversed, one by one, according to the path pattern of the access control condition part in the policy. If a path meeting the path mode is found, the traversal is immediately stopped, and the result of the access control judgment is allowed; if no path satisfying the path mode is found at the end of the traversal, the determination process is ended, and the result of the access control determination is "reject".
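The graph of 1), the path-pattern policies of 2) and the A1 to A4 judgment flow of 3), as an added example in Python that is not part of the patent. The node and attribute names, the encoding of a path pattern as a Python list of node and edge specs, the "name" attribute on operation nodes (so that several instances of the same operation can exist) and the medical-bill scenario are all constructed for this example; the reading that a condition pattern which mentions the requested operation is matched against a provisional ($subject_new)-[initiate]->{op}-[action]->($object_new) path is also this example's interpretation of step A4.

```python
"""Added example (not the patent's own code): an in-memory access control element graph,
the path-pattern policy language of section 2 and the A1-A4 judgment flow of section 3.
Names, the list encoding of patterns, the "name" attribute on operation nodes and the
medical-bill scenario are all constructed for this example."""

class ElementGraph:
    def __init__(self):
        self.nodes, self.edges = {}, []   # node ID -> attribute dict; (start, label, end)
    def add_node(self, nid, kind, **attrs):   # kind: "subject", "object" or "operation"
        self.nodes[nid] = {"kind": kind, **attrs}
    def add_edge(self, start, label, end):
        self.edges.append((start, label, end))
    def step(self, nid, label, fwd):   # nodes one 'label' edge away, along (fwd) or against the arrow
        return [e if fwd else s for s, l, e in self.edges if l == label and (s if fwd else e) == nid]
    def latest(self, nid):   # A1/A2: end of the longest (nid)-[state transition@]->($new) chain
        while (nxt := self.step(nid, "state transition", True)):
            nid = nxt[0]
        return nid

# A pattern is a list alternating node specs N() and edge specs E(): ($d|<dept,pharmacy>)-[initiate]->{read}
# is [N("$d", dept="pharmacy"), E("initiate"), N(kind="operation", name="read")]; E(label, direction, lo, hi)
# carries the "@lo~hi" edge-count range, hi=None meaning unbounded.
N = lambda var=None, **attrs: (var, attrs)
E = lambda label, direction=">", lo=1, hi=1: (label, direction, lo, hi)

def _walk(g, nid, label, direction, lo, hi, depth=0, seen=frozenset()):
    """Nodes reachable from nid over lo..hi edges labelled 'label' (cycle-safe)."""
    if nid in seen:
        return
    if depth >= lo:
        yield nid
    if hi is None or depth < hi:
        for m in g.step(nid, label, direction == ">"):
            yield from _walk(g, m, label, direction, lo, hi, depth + 1, seen | {nid})

def _match_from(g, nid, pattern, binding):
    var, want = pattern[0]
    if any(g.nodes[nid].get(k) != v for k, v in want.items()) or binding.get(var, nid) != nid:
        return          # attributes must match, and an already bound variable must denote this node
    binding = {**binding, var: nid} if var else binding
    if len(pattern) == 1:
        yield binding
    else:
        label, direction, lo, hi = pattern[1]
        for m in _walk(g, nid, label, direction, lo, hi):
            yield from _match_from(g, m, pattern[2:], binding)

def match(g, pattern, binding=None):
    """Bindings of every path in g that fits the pattern, starting from any node."""
    return (b for nid in list(g.nodes) for b in _match_from(g, nid, pattern, binding or {}))

def decide(g, policies, subject, op, obj):
    """Policy = (condition pattern, (op, subject var, object var)); the second part is
    the judgment result ($s)-[initiate]->{op}-[action]->($o). Returns "allow" or "deny"."""
    s_new, o_new = g.latest(subject), g.latest(obj)                           # A1, A2
    # The condition may mention the requested operation (the page's example does), so the
    # request is added as a provisional path ($s_new)-[initiate]->{_req}-[action]->($o_new).
    g.add_node("_req", "operation", name=op)
    g.add_edge(s_new, "initiate", "_req"); g.add_edge("_req", "action", o_new)
    try:
        for cond, (res_op, s_var, o_var) in policies:                         # A3
            if res_op == op and next(match(g, cond, {s_var: s_new, o_var: o_new}), None):
                return "allow"                                                 # A4: first fitting path
        return "deny"
    finally:
        del g.nodes["_req"]
        g.edges = [e for e in g.edges if "_req" not in (e[0], e[2])]

# Policy 1: a doctor may modify a bill only for a patient that doctor treated (association edge "bill for").
DOCTOR_MODIFIES_OWN = ([N("$d", kind="subject", role="doctor"), E("initiate"), N(kind="operation", name="treat"),
                        E("action"), N("$p"), E("bill for", "<"), N("$b0"), E("state transition", ">", 0, None),
                        N("$b"), E("action", "<"), N(kind="operation", name="modify"), E("initiate", "<"), N("$d")],
                       ("modify", "$d", "$b"))
# Policy 2, the page's read-after-submit requirement:
#   {submit}-[action]->($a)-[state transition@1~]->($c)<-[action]-{read}<-[initiate]-($n|<dept,pharmacy>)
NURSE_READS_AFTER_SUBMIT = ([N(kind="operation", name="submit"), E("action"), N("$a"),
                             E("state transition", ">", 1, None), N("$c"), E("action", "<"),
                             N(kind="operation", name="read"), E("initiate", "<"), N("$n", dept="pharmacy")],
                            ("read", "$n", "$c"))
POLICIES = [DOCTOR_MODIFIES_OWN, NURSE_READS_AFTER_SUBMIT]

def build_scenario():
    """Constructed graph: doctor d1 treated patient p1 and b1 is p1's bill; d2, c1 and n1 exist."""
    g = ElementGraph()
    for sid, attrs in (("d1", {"role": "doctor"}), ("d2", {"role": "doctor"}), ("c1", {"role": "cashier"}),
                       ("n1", {"dept": "pharmacy"})):
        g.add_node(sid, "subject", **attrs)
    g.add_node("p1", "object"); g.add_node("b1", "object"); g.add_node("treat1", "operation", name="treat")
    g.add_edge("d1", "initiate", "treat1"); g.add_edge("treat1", "action", "p1"); g.add_edge("b1", "bill for", "p1")
    return g

def run_scenario():
    """Judgments before and after cashier c1 submits b1; keys are (subject, op, object) requests."""
    g = build_scenario()
    requests = (("d1", "modify", "b1"), ("d2", "modify", "b1"), ("n1", "read", "b1"))
    before = {r: decide(g, POLICIES, *r) for r in requests}
    g.add_node("submit1", "operation", name="submit"); g.add_node("b1#2", "object")   # submit moves b1 to b1#2
    g.add_edge("c1", "initiate", "submit1"); g.add_edge("submit1", "action", "b1")
    g.add_edge("b1", "state transition", "b1#2")
    after = {r: decide(g, POLICIES, *r) for r in requests}
    return before, after
```

Before the submit, d1 may modify b1 (the treat path reaches p1, whose "bill for" edge reaches b1), d2 may not, and n1 may not read it; after the submit, A2 resolves b1 to b1#2 and the nurse's read is allowed while d2 is still denied. Two points worth noting from the example: the `_walk` helper tracks visited nodes so an unbounded `@` segment cannot loop over a cyclic association, and the `-[state transition@0~]->($b)` segment in Policy 1 is what lets the "bill for" edge, which is attached to the bill's earlier state node, still authorize the doctor after the bill has moved to b1#2; without it, every state change of an object would silently invalidate policies that rely on its associations.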
4) A graph-based access control framework;
the access control framework comprises five components of access control judgment, access control implementation, access control policy management, access control element diagram management and access control feedback, and is shown in figure 3.
Further, the access control decision component is configured to receive an access request from a user, query a policy from the access control policy management component, execute a decision result of "allow/deny" for the access request by the access control decision process in 3), and finally forward the decision result to the access control implementation component.
Further, the access control implementation component is responsible for implementing or preventing the operation of the subject on the object according to the received judgment result, and sending the implementation result to the access control feedback component.
Further, the access control feedback component is responsible for modifying the access control element graph according to the access control implementation result.
Furthermore, the access control policy management component is responsible for providing storage, addition, deletion, modification and searching services of the policies.
Further, the access control element map management component is responsible for providing storage of the access control element map and services of adding, deleting, changing and checking the access control elements in the map.
Further, after the access control feedback component receives the access control result (s, op, O), that is, after the subject s successfully performs the op operation on the object set O, the update flow of the access control element graph is as follows:
step B1: based on the ID s of the subject, a graph path matching query is performed on the access control element graph according to a "state transition" pattern "(s) - [ state transition @ ] - > ($ s _ new)", and the longest path (that is, the longest path formed by using the ID of the subject s as a starting point and using the state transition as a label side) corresponding to the pattern is found, where the subject ID indicated by the $ s _ new variable in the path is the latest subject to which the subject s has passed through the state change.
Step B2: for each object O in the object set O, the following method is respectively adoptediAnd searching the corresponding latest state object. I.e. according to the ID o of the objectiAccording to the mode of "state transition" (o)i) - [ state transition @]->($oiNew) in the access control element graph, a path matching query of the graph is performed to find the longest path (i.e. with the object o) that matches the patterniID of (d) as the starting point and the label is the longest path of the edge of the state transition), $ o in the pathiThe object ID referred to by the _ new variable is object oiThe latest object is formed through state change.
Step B3: the main body $ s _ new of the current state, the operation op, are connected with edges in the access control element graph, constructing a path "($ s _ new) - [ initiate ] - []->{ op } "(i.e., construct an edge starting at $ s _ new, ending at op, and starting at tag), and then join the operation op with the edge at $ o for each object in the object setiN new, the following pathway "{ op } - [ action ] was constructed]->($oiNew) "(i.e., construct an edge that starts at op, ends at $ oi _ new, and has the label as the role).
Step B4: adding a subject node s _ add of a new state to the access control element graph, and connecting the current subject node $ s _ new with the newly added subject node s _ add by an edge, a path "($ s _ new) - [ state transition ] - > (s _ add)" is constructed (i.e., an edge with $ s _ new as a starting point and s _ add as an end point and a label as a state transition).
Step B5: adding a new object node o for each object in the object set in the access control element graphiExtended and edge connected to current guest node $ oiNew and its corresponding newly added object node oiExtended, construct the path "($ o)iN (N) - [ State transition ]]->(oi"add", i.e., constructed at $ oiNew is the starting point, oi"addend" is the end point and the label is the edge of the state transition.
Step B6: if the execution of the operation op establishes the incidence relation among objects in the object set O, connecting the object nodes with the incidence relation by using edges, and constructing a path (O)i_added)-[Tag]->(oj"added" (i.e., o)iA _ ded is a starting point, ojAnd _ extended is the end point and the label is the edge of the Tag), wherein the Tag is the label of the association relationship between two nodes.
Further, the object set O in the steps B1 to B6 may include a subject, that is, the subject may be regarded as a special object and may be subjected to an access operation.
5) A hierarchical index construction method for an access control element graph;
the steps a1, a2, B1 and B2 all need to search the latest state subject or object node corresponding to the subject or object in the access control element graph by means of path matching. In order to improve efficiency, the method can directly query the subject or object node in the latest state by adopting a hierarchical index mode, and the path matching in the steps A1, A2, B1 and B2 is omitted.
Further, the hierarchical index includes two parts: the node index and the guest-state transition index of the access control element graph are shown in fig. 4.
Further, the node index of the access control element graph is an index constructed from node IDs of all subject and object nodes in the graph, and is in the form of (node ID, node location). The index can be directly located to the storage position of the node in the graph through the node ID by utilizing the layer.
Further, the host-object state transition index is an index constructed according to host-object IDs of all hosts and objects in the system, and is in the form of (host-object ID, node ID of the latest state host-object). With this layer of indexes, it is possible to locate their latest state nodes directly by the ID of the host object.
Further, the path matching process of the steps a1, a2, B1, and B2 may be replaced by "querying a node ID of the host and the object in the latest state corresponding to the host and the object by using the host-object state transition index, and then querying a storage location of the node ID in the access control element graph by using the node index of the access control element graph", so as to improve efficiency.
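The B1 to B6 update performed by the access control feedback component in 4), together with the two-level index of 5) used in place of the path matching of A1, A2, B1 and B2, as an added example in Python that is not part of the patent. The storage layout (a list whose positions play the role of the "node location"), the "x#n" naming of new state nodes, the reading that a subject listed in the object set O receives a single new state node, and the scenario are this example's assumptions.

```python
"""Added example (not the patent's own code): the B1-B6 graph update done by the
access control feedback component, with the two-level index of section 5 used in
place of the path matching of steps A1/A2 and B1/B2. The storage layout (a list
whose positions are the "node locations"), the "x#n" naming of new state nodes
and the scenario are constructed for this example."""

class IndexedElementGraph:
    def __init__(self):
        self.nodes = []            # storage: position -> (node ID, attribute dict)
        self.edges = []            # (start node ID, label, end node ID)
        self.node_index = {}       # layer 1: node ID -> storage position
        self.state_index = {}      # layer 2: subject/object ID -> node ID of its latest state
        self.op_count = 0

    def add_node(self, nid, attrs=None):
        self.node_index[nid] = len(self.nodes)
        self.nodes.append((nid, dict(attrs or {})))
        return nid

    def register(self, entity, attrs=None):
        """Create a subject's or object's first state node and index it."""
        self.add_node(entity, attrs)
        self.state_index[entity] = entity

    def latest(self, entity):
        """Replacement for A1/A2/B1/B2: two index lookups instead of path matching.
        Returns (latest node ID, its storage position)."""
        nid = self.state_index[entity]
        return nid, self.node_index[nid]

    def latest_by_path(self, entity):
        """The original B1/B2 query (entity)-[state transition@]->($new): follow the
        longest chain of state transition edges to its end."""
        nid = entity
        while (nxt := [e for s, l, e in self.edges if s == nid and l == "state transition"]):
            nid = nxt[0]
        return nid

    def new_state(self, entity):
        """B4/B5: successor node, (current)-[state transition]->(added), index moved on.
        Attributes are copied from the current node (an assumption of this example)."""
        old, pos = self.latest(entity)
        n = int(old.rsplit("#", 1)[1]) + 1 if "#" in old else 2
        new = self.add_node(f"{entity}#{n}", self.nodes[pos][1])
        self.edges.append((old, "state transition", new))
        self.state_index[entity] = new
        return new

    def feedback(self, s, op, objects, associations=()):
        """Access control result (s, op, O) -> graph update per B1-B6.
        associations: (oi, Tag, oj) triples that executing op established (B6)."""
        s_new, _ = self.latest(s)                                     # B1
        o_new = {o: self.latest(o)[0] for o in objects}               # B2
        self.op_count += 1
        op_node = self.add_node(f"{op}#{self.op_count}", {"name": op})
        self.edges.append((s_new, "initiate", op_node))               # B3
        for o in objects:
            self.edges.append((op_node, "action", o_new[o]))
        s_added = self.new_state(s)                                   # B4
        # B5; a subject listed in O (the page: a subject is a special object) is not
        # transitioned a second time, which is this example's reading of B4 plus B5.
        o_added = {o: (s_added if o == s else self.new_state(o)) for o in objects}
        for oi, tag, oj in associations:                              # B6
            self.edges.append((o_added[oi], tag, o_added[oj]))
        return s_added, o_added

def run_scenario():
    """Constructed history: d1 issues bill b1 for patient p1, c1 submits it, d1 reviews itself."""
    g = IndexedElementGraph()
    for entity in ("d1", "c1", "p1", "b1"):
        g.register(entity)
    g.feedback("d1", "issue", ["b1", "p1"], associations=[("b1", "bill for", "p1")])
    g.feedback("c1", "submit", ["b1"])
    g.feedback("d1", "review", ["d1"])       # the subject itself is the accessed object
    return g

if __name__ == "__main__":
    g = run_scenario()
    for entity in ("d1", "c1", "p1", "b1"):
        print(entity, "->", g.latest(entity), "by path:", g.latest_by_path(entity))
```

The index must be updated in the same step that adds a new state node (B4/B5), otherwise `latest` and `latest_by_path` diverge and the judgment component would evaluate policies against a stale state; the `run_scenario` history also shows why B6 attaches the "bill for" edge to the newly added nodes b1#2 and p1#2 rather than to the nodes the operation acted on.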
6) An extension method for role-based access control (RBAC);
the expansion method aiming at the RBAC comprises four parts of role definition, role authorization, authorization change and role activation change;
further, the role definition means that a set of permissions is assigned to a role, and the description form of the set of permissions is a binary group (role name). The role-defined change is a direct modification of the "set of permissions" in the tuple.
Further, the role authorization refers to assigning a role to the user, that is, establishing an association between the user and the role. This association will be described using attributes of the subject nodes in the access control element graph in the form of (a | < role, role name list > < active role, role name >). Wherein the attribute < role, role name list > describes the set of roles that the user is assigned by the security administrator; the attribute < active role, role name > describes the role that the user is active at the current time.
Further, the authorization change refers to the modification of the role set owned by the user by the security administrator, which causes the change of the security state of the user. This change in security state can be described by a change in the access control element graph, which follows the following flow:
step C1: and searching the latest main body node (a | < role, role name list > < activated role, role name >) corresponding to the user in the access control element graph according to the hierarchical index, and obtaining the < role, role name list >.
Step C2: according to the inquired < role, role name list > and the modification requirement, a new subject node (a _ added < role, new role name list > < active role, role name >) is created.
Step C3: the two subject nodes are connected by edges to construct a state transition path "(a | < role, role name list > < activation role, role name >) - [ state transition ] - > (a _ add | < role, new role name list > < activation role, role name >)".
Further, the active role change means that the user changes the current active role of the user in order to obtain different rights, and the change will cause the change of the security state of the user. This change in security state can be described by a change in the access control element graph, which follows the following flow:
step D1: and searching the latest main body node (a | < role, role name list > < activated role, role name >) corresponding to the user in the access control element graph according to the hierarchical index, and obtaining the < role, role name list >.
Step D2: verifying whether the role to be activated is in the role name list of the (role, role name list), and if not, terminating the change process; otherwise, a new subject node is created (a _ added | < role, role name list > < active role, new role name >).
Step D3: the two subject nodes are connected by edges, and a state transition path is constructed (a | < role, role name list > < activated role, role name >) - [ state transition ] - > (a _ add | < role, role name list > < activated role, new role name >) ".
Further, when performing access control determination, in addition to the steps a1 to a5, a new step needs to be added between a2 and A3 in the flow:
step AR 1: inquiring the attribute < activated role, role name > of the ($ subject _ new) node, and inquiring the role definition (role name, authority set) stored in a binary form according to the role name to obtain the authority set.
Step AR 2: and judging whether the subject object can access the object or not according to the permission set. If yes, executing A3; if not, the judging process is terminated, and the judgment result of 'refusal' is directly returned.
7) An extension method for mandatory access control (MAC);
The extension method for MAC comprises four parts: label assignment, subject label change, object label change and subject current label change.
Further, label assignment refers to assigning a security label to each subject and each object in the system to support mandatory access control. The security label of a subject is described by the attributes of the subject's node in the access control element graph.
Further, the security label of a subject consists of a label range and a current label, in the form <label range, security label set> <current label, security label>. The current label describes the subject's current security level and category; the label range is a set of labels that restricts the current label the subject may specify, which must be a member of that set.
Further, the security label of an object has the form <label, security label>, which describes the current security level and category of the object.
Further, a subject security label change refers to a security administrator modifying the security label owned by a subject, which changes the subject's security state. This change of security state is described by a change in the access control element graph, following this flow:
Step E1: find the latest subject node (a | <label range, security label set> <current label, security label>) corresponding to the subject in the access control element graph according to the hierarchical index, and obtain <label range, security label set>.
Step E2: according to the queried <label range, security label set> and the modification requirements, create a new subject node (a_added | <label range, new security label set> <current label, security label>).
Step E3: connect the two subject nodes with an edge to construct the state transition path "(a | <label range, security label set> <current label, security label>) -[state transition]-> (a_added | <label range, new security label set> <current label, security label>)".
Further, an object security label change refers to a security administrator modifying the security label owned by an object, which changes the object's security state. This change of security state is described by a change in the access control element graph, following this flow:
Step F1: find the latest object node (a | <label, security label>) corresponding to the object in the access control element graph according to the hierarchical index.
Step F2: create a new object node (a_added | <label, new security label>).
Step F3: connect the two object nodes with an edge to construct the state transition path "(a | <label, security label>) -[state transition]-> (a_added | <label, new security label>)".
Further, a subject current label change means that the subject adjusts its own access authority as needed by changing its current label, which changes the subject's security state. This change of security state is described by a change in the access control element graph, following this flow:
Step G1: find the latest subject node (a | <label range, security label set> <current label, security label>) corresponding to the subject in the access control element graph according to the hierarchical index, and obtain <label range, security label set>.
Step G2: verify whether the current label to be used is in the security label set of <label range, security label set>; if not, terminate the change process; otherwise, create a new subject node (a_added | <label range, security label set> <current label, new security label>).
Step G3: connect the two subject nodes with an edge to construct the state transition path "(a | <label range, security label set> <current label, security label>) -[state transition]-> (a_added | <label range, security label set> <current label, new security label>)".
Further, when performing access control judgment, in addition to steps A1 to A5, new steps are inserted between A2 and A3 of the flow:
Step AM1: query the attribute <current label, security label> of the ($subject_new) node; denote this security label Label_S.
Step AM2: query the attribute <label, security label> of the ($object_new) node; denote this security label Label_O.
Step AM3: check whether the dominance relationship between Label_S and Label_O conforms to the mandatory access control policy. If it does, execute A3; if not, terminate the judgment flow and directly return the judgment result "deny".
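Worked example of the RBAC and MAC extensions above (steps D1 to D3, AR1 to AR2, G1 to G3 and AM1 to AM3). This is an added illustration, not code from the patent: the node and successor-link representation of state transition edges, the `Label` class with a level and a category set, and the read-down / write-up dominance rule used in `mac_check` are assumptions of the example (the patent only requires the dominance relation to conform to the configured MAC policy).

```python
"""RBAC and MAC extensions of the access control element graph (added example,
not the patent's code).  Subject and object states are nodes (attribute dicts);
a 'state transition' edge is kept as a successor link.  The Bell-LaPadula style
dominance rule in mac_check is an assumption of this example."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Label:
    level: int                            # security level, e.g. 0 = public, 2 = secret
    categories: frozenset = frozenset()   # category set, e.g. {"medical"}

    def dominates(self, other):
        """L1 dominates L2 iff level(L1) >= level(L2) and cats(L2) is a subset of cats(L1)."""
        return self.level >= other.level and other.categories <= self.categories


@dataclass
class StateGraph:
    nodes: dict = field(default_factory=dict)      # node id -> attribute dict
    successor: dict = field(default_factory=dict)  # node id -> next state ('state transition' edge)

    def latest(self, node_id):
        """Follow the longest state-transition path from node_id (steps A1/A2, D1, G1)."""
        while node_id in self.successor:
            node_id = self.successor[node_id]
        return node_id

    def transition(self, node_id, new_id, attrs):
        """Create the new state node and the state-transition edge to it (D3, G3)."""
        self.nodes[new_id] = attrs
        self.successor[self.latest(node_id)] = new_id
        return new_id


def activate_role(g, subject, new_role, new_id):
    """Steps D1-D3: a role may be activated only if it is in the subject's role name list."""
    cur = g.nodes[g.latest(subject)]
    if new_role not in cur["role"]:
        return None                                   # D2: not in the list, change terminated
    return g.transition(subject, new_id, {"role": cur["role"], "active role": new_role})


def set_current_label(g, subject, new_label, new_id):
    """Steps G1-G3: the new current label must lie within the subject's label range."""
    cur = g.nodes[g.latest(subject)]
    if new_label not in cur["label range"]:
        return None                                   # G2: outside the range, change terminated
    return g.transition(subject, new_id,
                        {"label range": cur["label range"], "current label": new_label})


def rbac_check(g, role_defs, subject, obj, op):
    """AR1-AR2: look up the active role's permission set; role_defs maps role name -> {(object, op)}."""
    role = g.nodes[g.latest(subject)]["active role"]
    return (obj, op) in role_defs.get(role, set())


def mac_check(g, subject, obj, op):
    """AM1-AM3: compare Label_S (subject's current label) with Label_O (object's label)."""
    label_s = g.nodes[g.latest(subject)]["current label"]
    label_o = g.nodes[g.latest(obj)]["label"]
    if op == "read":
        return label_s.dominates(label_o)             # no read-up
    if op == "write":
        return label_o.dominates(label_s)             # no write-down
    return False                                      # unknown operation: deny


if __name__ == "__main__":
    g = StateGraph()
    public, secret = Label(0), Label(2, frozenset({"medical"}))
    g.nodes["bob"] = {"label range": {public, secret}, "current label": public}
    g.nodes["record1"] = {"label": secret}
    print("read before raising label:", mac_check(g, "bob", "record1", "read"))
    set_current_label(g, "bob", secret, "bob_added")
    print("read after raising label:", mac_check(g, "bob", "record1", "read"))
```

Each rejected change (D2, G2) returns `None` without creating a node, so the subject's latest state is unchanged; each accepted change leaves the old node in place and links a new one, which is what lets the decision steps always read the newest state while the history stays queryable.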
The invention has the following beneficial effects:
(I) A graph is used to describe the security state transitions of subjects and objects, which supports describing and enforcing fine-grained access control policies at the level of subject and object security states and meets the new access control requirements of big data applications centred on data processing;
(II) a graph is used to describe the association relationships between subjects and objects, which supports describing and enforcing access control policies according to complex subject-object associations and so handles the influence of the extensive associations between subjects and objects on access control in big data applications;
(III) extensions are provided for current mainstream access control technologies, such as role-based access control and mandatory access control, so the method is compatible with existing mainstream access control methods;
(IV) the construction and use of the access control element graph and the definition of path patterns are provided, so that access control judgment becomes path pattern matching on the graph, which greatly improves the efficiency of an access control system adopting such policies.
Drawings
FIG. 1 is the access control element graph proposed by the present invention;
FIG. 2 is a path in an access control element graph;
FIG. 3 is the graph-based access control framework proposed by the present invention;
FIG. 4 is the hierarchical index proposed by the present invention;
FIG. 5 is an example access control element graph for a big data medical application, presented by the present invention.
Detailed Description
The following illustrates embodiments of the key techniques and methods described above; the scope of the invention is not limited by this explanation.
1) Background introduction
Taking a medical big data application as an example, the data set around the electronic payment bill has the following access control requirements: (1) a doctor can only create an electronic payment bill for patients the doctor has treated; (2) before the medicine is dispensed, the cashier can modify the electronic payment bill at the patient's request, for example refunding some payment items; (3) the pharmacy nurse cannot access an unpaid bill.
In these requirements, the subjects include doctors, patients, cashiers and pharmacy nurses; the operations involved are creating an electronic payment bill, paying the bill, modifying the bill and dispensing medicine according to the bill; the object is the electronic payment bill.
2) Access control element graph
Fig. 5 shows the common operation relationships between subjects and objects, the creation and change of subject-object associations, and the changes of subject and object security states during the process in which a patient pays for and collects medicine. The specific process is: a doctor receives a patient; the doctor generates a payment bill for the patient; the cashier collects payment and marks the electronic payment bill as paid; the patient checks the payment bill and finds an error in it; the cashier modifies the electronic payment bill; the pharmacy nurse dispenses the medicine according to the payment bill.
3) Access control policy based on access control element graph
The access control policies corresponding to the above requirements are given below; each requirement can be expressed in several policy description forms:
(1) Requirement: a doctor can only create an electronic payment bill for patients the doctor has treated.
Strategy 1: ($a) <-[state transition @]- ($b) -[initiate]-> {consultation} -[action]-> ($c) -[state transition @]-> ($d) => ($a) -[initiate]-> {charge sheet creation} -[action]-> ($d), ($a) -[initiate]-> {charge sheet creation} -[action]-> ($e).
Explanation 1: the policy is defined by the operation relationship between subject and object: a doctor ($a) can create a payment bill ($e) for a patient ($d) if and only if a path containing a {consultation} node exists between ($a) and ($d).
Strategy 2: ($a) <-[state transition @]- ($b) -[treatment relationship]-> ($c) -[state transition @]-> ($d) => ($a) -[initiate]-> {charge sheet creation} -[action]-> ($d), ($a) -[initiate]-> {charge sheet creation} -[action]-> ($e).
Explanation 2: the policy is defined by the association between subject and object: a doctor ($a) can create a payment bill ($e) for a patient ($d) if and only if a path containing a -[treatment relationship]-> edge exists between ($a) and ($d).
(2) Requirement: before the medicine is dispensed, the cashier can modify the electronic payment bill at the patient's request, for example refunding some payment items.
Strategy: {take medicine according to the payment bill} -[action @0]-> ($a) -[state transition @]-> ($b) => ($c) -[initiate]-> {modify the payment bill} -[action]-> ($b).
Explanation: the policy is defined by the object's state transitions: the electronic payment bill ($b) may be the target of the operation {modify the payment bill} if and only if the state transition path of ($b) contains no node {take medicine according to the payment bill}.
(3) Requirement: the pharmacy nurse cannot access an unpaid bill.
Strategy: {mark payment} -[action]-> ($a) -[state transition @]-> ($b) => ($c) -[initiate]-> {take medicine according to the payment bill} -[action]-> ($b).
Explanation: the policy is defined by the object's state transitions: the electronic payment bill ($b) may be the target of the operation {take medicine according to the payment bill} if and only if the state transition path of ($b) contains a node {mark payment}.
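The medical-bill scenario of Fig. 5 and the three policies above, as an added example that is not the patent's code: the graph is built by applying the feedback update of claim 10 (initiate, action and state transition edges, plus an association edge between objects) after each successful operation, and each policy is evaluated as a check over the state transition path of the subject or object, as Strategy 1 and the two object-state strategies prescribe. Node IDs such as `doctor1`, the `@n` version suffix on state nodes, the `#n` suffix on operation nodes, the `bill of` association tag and the "allow when no policy applies" default are assumptions of the example.

```python
"""Access control element graph for the medical-bill scenario (added example,
not the patent's code).  Subjects, objects and operations are nodes; edges are
labelled 'initiate', 'action', 'state transition' or an association tag.
Node IDs, the '@n' version suffix, the '#n' operation suffix, the 'bill of'
association and the allow-by-default for unpolicied operations are assumptions."""
from collections import defaultdict


class ElementGraph:
    def __init__(self):
        self.nodes = {}                  # node id -> attribute dict
        self.out = defaultdict(list)     # src -> [(label, dst)]
        self.inc = defaultdict(list)     # dst -> [(label, src)]
        self._ops = 0                    # counter giving each operation node a unique ID

    def add_node(self, node_id, attrs=None):
        self.nodes[node_id] = dict(attrs or {})
        return node_id

    def add_edge(self, src, label, dst):
        self.out[src].append((label, dst))
        self.inc[dst].append((label, src))

    def versions(self, node_id):
        """Longest 'state transition' path from node_id: every state of that subject/object."""
        chain = [node_id]
        while True:
            nxt = [d for l, d in self.out[chain[-1]] if l == "state transition"]
            if not nxt:
                return chain
            chain.append(nxt[0])

    def apply_result(self, s, op, objects, association=None):
        """Feedback update after subject s successfully performed op on objects (claim 10)."""
        s_chain = self.versions(s)
        s_new = s_chain[-1]
        self._ops += 1
        op_node = self.add_node(f"{op}#{self._ops}", {"op": op})
        self.add_edge(s_new, "initiate", op_node)                 # $s_new -[initiate]-> op
        s_added = self.add_node(f"{s}@{len(s_chain)}")             # new subject state s_added
        self.add_edge(s_new, "state transition", s_added)
        added = []
        for o in objects:
            o_chain = self.versions(o)
            self.add_edge(op_node, "action", o_chain[-1])          # op -[action]-> $o_i_new
            o_added = self.add_node(f"{o}@{len(o_chain)}")         # new object state o_i_added
            self.add_edge(o_chain[-1], "state transition", o_added)
            added.append(o_added)
        if association:                  # (Tag, i, j): o_i_added -[Tag]-> o_j_added
            tag, i, j = association
            self.add_edge(added[i], tag, added[j])
        return op_node


def ops_acting_on(g, node_id):
    """Names of operations with an -[action]-> edge into any state of node_id."""
    return {g.nodes[src]["op"] for v in g.versions(node_id)
            for label, src in g.inc[v] if label == "action"}


def has_operation_path(g, subject, obj, op_name):
    """($a) <-[state transition @]- ($b) -[initiate]-> {op} -[action]-> ($c) -[state transition @]-> ($d)."""
    obj_states = set(g.versions(obj))
    for v in g.versions(subject):
        for label, op_node in g.out[v]:
            if label == "initiate" and g.nodes[op_node]["op"] == op_name:
                if any(l == "action" and d in obj_states for l, d in g.out[op_node]):
                    return True
    return False


# Condition part of each policy, keyed by the requested operation.
POLICIES = {
    "charge sheet creation": lambda g, s, o: has_operation_path(g, s, o, "consultation"),
    "modify bill": lambda g, s, o: "take medicine" not in ops_acting_on(g, o),
    "take medicine": lambda g, s, o: "mark payment" in ops_acting_on(g, o),
}


def decide(g, subject, op, obj):
    """Allow iff the policy's path pattern matches; operations with no policy are allowed (assumption)."""
    rule = POLICIES.get(op)
    return rule(g, subject, obj) if rule else True


def run_scenario():
    """Replay the Fig. 5 process and record each policy decision along the way."""
    g = ElementGraph()
    for n in ("doctor1", "doctor2", "patient1", "cashier1", "nurse1", "bill1"):
        g.add_node(n)
    r = {}
    g.apply_result("doctor1", "consultation", ["patient1"])
    r["doctor2 creates bill"] = decide(g, "doctor2", "charge sheet creation", "patient1")
    r["doctor1 creates bill"] = decide(g, "doctor1", "charge sheet creation", "patient1")
    g.apply_result("doctor1", "charge sheet creation", ["patient1", "bill1"], ("bill of", 1, 0))
    r["dispense unpaid"] = decide(g, "nurse1", "take medicine", "bill1")
    g.apply_result("cashier1", "mark payment", ["bill1"])
    g.apply_result("patient1", "check bill", ["bill1"])
    r["modify before dispensing"] = decide(g, "cashier1", "modify bill", "bill1")
    g.apply_result("cashier1", "modify bill", ["bill1"])
    r["dispense paid"] = decide(g, "nurse1", "take medicine", "bill1")
    g.apply_result("nurse1", "take medicine", ["bill1"])
    r["modify after dispensing"] = decide(g, "cashier1", "modify bill", "bill1")
    return r, g


if __name__ == "__main__":
    for k, v in run_scenario()[0].items():
        print(f"{k}: {'allow' if v else 'deny'}")
```

Because every successful operation appends a new state node rather than overwriting the old one, the object's full history remains on its state transition path; the "unpaid bill" and "already dispensed" policies are then answered by scanning that path for the presence or absence of a particular operation node, exactly the @0 and @ patterns of the strategies above.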
The above embodiments are only for illustrating the technical solution of the present invention and not for limiting the same, and a person skilled in the art can make modifications or equivalent substitutions to the technical solution of the present invention without departing from the spirit and scope of the present invention, and the scope of the present invention should be determined by the claims.

Claims (11)

1. An access control policy description method for an access control element graph, comprising the steps of:
describing a path in the access control element graph; a path is the sequence of edges and nodes traversed from one node to another; the access control element graph is constructed by: extracting, according to the data processing flow, historical data of the operations of subjects on objects in the access control system; generating or updating the association relationships between subjects and objects and the security states of the subjects and objects according to the historical data of each operation, to obtain the access control element graph; the access control element graph is an attribute graph formed by nodes and edges, each node and edge carrying a corresponding attribute set, and the nodes comprise subjects, objects and operations; edges are generated according to the state transitions of subjects and objects, and according to the association relationships between subjects and operations and between operations and objects, each edge having a start node, an end node, a direction and a label, the label indicating the semantics of the edge;
describing the access control condition of each access control policy with a path pattern, together with the access control result to be given when the condition is met; in a path pattern, the length range of edges in a path is specified by the set symbol @, and nodes are represented as variables by the set symbol $; @ denotes any number of edges including 0, @n denotes n edges, and @n1-n2 denotes n1 to n2 edges, where n, n1 and n2 are integers greater than or equal to 0 and n1 is less than n2; the control condition (a | <k1, v1>) -[state transition @n]-> (b) denotes that the subject or object a whose attribute k1 equals v1 becomes the new subject or object b after n state transitions; the control condition (a | <k1, v1>) -[state transition @n1-n2]-> (b) denotes that the subject or object a whose attribute k1 equals v1 becomes the new subject or object b after n1 to n2 state transitions; the control condition (a | <k1, v1>) -[state transition @]-> (b) denotes that the subject or object a whose attribute k1 equals v1 becomes the new subject or object b after any number of state transitions, including 0; ($a | <k1, v1>) denotes all subject or object nodes whose attribute k1 equals v1.
2. The access control policy description method according to claim 1, wherein a path is described in text as follows: a subject or object node is written in parentheses containing the ID of the subject or object, that is, (a) denotes a subject or object whose ID is a; an operation is written in braces, and {x} denotes an operation whose ID is x; an edge is written as -[ ]->, where the keyword inside [ ] is the label of the edge; the attribute set of a node or edge is described by a sequence of <key, value> pairs, that is, (a | <k1, v1> <k2, v2> … <ki, vi>) denotes a node with ID a whose attribute k1 equals v1, attribute k2 equals v2, …, and attribute ki equals vi.
3. An access control decision method based on an access control policy generated by the access control policy description method of claim 1, comprising the steps of:
1) for a received access request containing the triple (subject, op, object), that is, a request by subject subject to perform operation op on object object: search the access control element graph for the longest path that starts at the ID of the subject in the access request and consists of edges labelled state transition; the latest subject into which the subject changes through this longest path is $subject_new;
2) according to the ID of the object in the access request, search the access control element graph for the longest path that starts at that ID and consists of edges labelled state transition; the latest object into which the object changes through this longest path is $object_new;
3) search for the access control policies whose access control result concerns the subject $subject_new, the object $object_new and the operation op simultaneously;
4) match paths between $subject_new and $object_new in the access control element graph against the path pattern of the access control condition part of each access control policy obtained in step 3); allow the access request if any path conforming to a path pattern is found; reject the access request if none of the path patterns of the access control conditions of the policies obtained in step 3) match a path between the latest subject node $subject_new and the latest object node $object_new.
4. An access control decision method based on an access control policy generated by the access control policy description method of claim 1, comprising the steps of:
1) create a node index and a subject-object state transition index of the access control element graph;
2) for a received access request containing the triple (subject, op, object), that is, a request by subject subject to perform operation op on object object: look up the storage positions of the subject and the object in the access control element graph by node ID using the node index; then, using the subject-object state transition index, find the latest subject $subject_new into which the subject's state has changed and the latest object $object_new into which the object's state has changed;
3) search for the access control policies whose access control result concerns the subject $subject_new, the object $object_new and the operation op simultaneously;
4) match paths between $subject_new and $object_new in the access control element graph against the path pattern of the access control condition part of each access control policy obtained in step 3); allow the access request if any path conforming to a path pattern is found; reject the access request if none of the path patterns of the access control conditions of the policies obtained in step 3) match a path between the latest subject node $subject_new and the latest object node $object_new.
5. A method for extending the method of any one of claims 1 to 4 to mandatory access control, wherein a security label is assigned to each subject and each object; the security label of a subject consists of a label range and a current label, in the form <label range, security label set> <current label, security label>, where the current label describes the subject's current security level and category and the label range is a set of labels restricting the current label the subject may specify, which must be a member of that set; the security label of an object has the form <label, security label>, which describes the current security level and category of the object.
6. The method of claim 5, wherein the security label of a subject is updated by: finding the latest subject node corresponding to the subject in the access control element graph and obtaining its label range and security label set; according to the queried <label range, security label set> and the modification requirements, creating a new subject node (a_added | <label range, new security label set> <current label, security label>) and connecting it to the latest subject node with an edge to construct a state transition path.
7. The method of claim 5, wherein the security label of an object is updated by: finding the latest object node corresponding to the object in the access control element graph; creating a new object node (a_added | <label, new security label>) and connecting it to the latest object node with an edge to construct a state transition path.
8. The method of claim 5, wherein the current label of a subject is changed by: finding the latest subject node corresponding to the subject in the access control element graph and obtaining its label range and security label set; verifying whether the current label to be used is in the security label set of <label range, security label set>; if not, terminating the change process; otherwise, creating a new subject node (a_added | <label range, security label set> <current label, new security label>) and connecting it to the latest subject node with an edge to construct a state transition path.
9. An access control system comprising an access control judgment component, an access control enforcement component, an access control policy management component, an access control element graph management component and an access control feedback component; wherein:
the access control element graph management component stores the access control element graph and provides add, delete, change and query services for the access control elements in the graph; the access control element graph is constructed by: extracting, according to the data processing flow, historical data of the operations of subjects on objects in the access control system; generating or updating the association relationships between subjects and objects and the security states of the subjects and objects according to the historical data of each operation, to obtain the access control element graph; the access control element graph is an attribute graph formed by nodes and edges, each node and edge carrying a corresponding attribute set, and the nodes comprise subjects, objects and operations; edges are generated according to the state transitions of subjects and objects, and according to the association relationships between subjects and operations and between operations and objects, each edge having a start node, an end node, a direction and a label, the label indicating the semantics of the edge;
the access control policy management component stores the access control policies generated by the access control policy description method according to claim 1 and provides add, delete, change and query services for the access control policies;
the access control judgment component queries the access control policies from the access control policy management component using the access control judgment method according to claim 3 or 4, and forwards the judgment result to the access control enforcement component;
the access control enforcement component is responsible for enforcing or preventing the operation of the subject on the object according to the received judgment result, and sends the enforcement result to the access control feedback component;
and the access control feedback component is responsible for modifying the access control element graph according to the access control enforcement result.
10. The access control system of claim 9, wherein the access control feedback component updates the access control element graph after receiving the access control result (s, op, O), that is, after the subject s successfully performs the operation op on the object set O, as follows:
searching the access control element graph for the longest path that starts at the ID of the subject s and consists of edges labelled state transition; the latest subject into which s changes through this longest path is $s_new;
searching the access control element graph for the longest path that starts at the ID of each object o_i and consists of edges labelled state transition; the latest object into which o_i changes through this longest path is $o_i_new;
in the access control element graph, connecting the current-state subject $s_new and the operation op with an edge, constructing an edge with $s_new as start point, op as end point and the label initiate; and connecting the operation op with each corresponding object $o_i_new, constructing an edge with op as start point, $o_i_new as end point and the label action;
adding a new-state subject node s_added to the access control element graph, connecting the current subject node $s_new with the newly added node s_added by an edge, and constructing an edge with $s_new as start point, s_added as end point and the label state transition;
adding, for each object in the object set, a new object node o_i_added to the access control element graph, connecting the current object node $o_i_new with its corresponding new node o_i_added by an edge, and constructing an edge with $o_i_new as start point, o_i_added as end point and the label state transition;
if executing the operation op establishes an association between objects in the object set O, connecting the associated object nodes by an edge, constructing an edge with o_i_added as start point, o_j_added as end point and the label Tag, where Tag is the label of the association between the two nodes.
11. The access control system of claim 9, wherein the access control feedback component updates the access control element graph after receiving the access control result (s, op, O), that is, after the subject s successfully performs the operation op on the object set O, as follows:
creating a node index and a subject-object state transition index of the access control element graph;
looking up the storage positions of the subject s and each object in the access control element graph by node ID using the node index; then, using the subject-object state transition index, finding the latest subject $s_new into which the state of s has changed and the latest object $o_i_new into which the state of each object o_i has changed;
in the access control element graph, connecting the current-state subject $s_new and the operation op with an edge, constructing an edge with $s_new as start point, op as end point and the label initiate; and connecting the operation op with each corresponding object $o_i_new, constructing an edge with op as start point, $o_i_new as end point and the label action;
adding a new-state subject node s_added to the access control element graph, connecting the current subject node $s_new with the newly added node s_added by an edge, and constructing an edge with $s_new as start point, s_added as end point and the label state transition;
adding, for each object in the object set, a new object node o_i_added to the access control element graph, connecting the current object node $o_i_new with its corresponding new node o_i_added by an edge, and constructing an edge with $o_i_new as start point, o_i_added as end point and the label state transition;
if the operation op establishes an association between objects in the object set O, connecting the associated object nodes by an edge, constructing an edge with o_i_added as start point, o_j_added as end point and the label Tag, where Tag is the label of the association between the two nodes.
CN201710815136.1A 2017-09-12 2017-09-12 Access control element graph construction method, policy description method, access control judgment method and framework Active CN107679099B (en)

Publications (2)

Publication Number Publication Date
CN107679099A CN107679099A (en) 2018-02-09
CN107679099B true CN107679099B (en) 2021-07-30
