基于角色的受限委托模型
作者:
基金项目:

Supported bythe National Natural Science Foundation of China under Grant Nos.60025205,60273027(国家自然科学基金);the National High-Tech Research and Development Plan of China under Grant No.2004AAl47070(国家高技术研究发展计划(863));the National Grand Fundamental Research 973 Program ofChina under Grant No.G1999035802(国家重点基础研究发展规划(973))

  • 摘要
  • | |
  • 访问统计
  • |
  • 参考文献 [26]
  • |
  • 相似文献 [20]
  • |
  • 引证文献
  • | |
  • 文章评论
    摘要:

    角色委托是RBAC模型需要支持的一种重要安全策略.它的主要思想是系统中的主动实体将角色委托给其他主动实体,以便以前者名义执行特定的工作.角色委托者要对委托角色的使用负责,所以对委托角色进行使用限制是整个模型的关键组成部分.目前已有一些模型扩展了RBAC模型以支持角色委托,但是这些模型对委托限制的支持非常有限.提出了角色委托限制的需求,包括临时性限制、常规角色关联性限制、部分性限制和传播限制.并且,给出了一个支持临时性限制和常规角色关联性限制的基于角色的委托模型.给出模型的形式化描述,为模型在实际环境中的应用奠定了基础.

    Abstract:

    Delegation is an important security policy that should be supported by RBAC model. The basic idea of delegation is that some active entity in a system delegates authority to another active entity to carry out some functions on behalf of the former. The grantor of the delegated roles should be responsible for the usage of them, so constraints on the usage of the delegated roles are critical components of the whole delegation model. Currently, there’re some models that extend RBAC model to support role delegation. However, their supports for constraints on the usage of delegated roles are very limited. This paper presents the requirements of role-based delegation, including temporary constraints, regular role dependency constraints, partial delegation constraints and propagation constraints. The former two kinds of constraints are modeled with a formal model – CRDM, which provides the foundation for applications in need of the constrained delegation.

    参考文献
    [1]Ferriaolo D, Cugini J,Kuhn R. Role-Based access control (RBAC): Features and motivations. In: Proc. of the 11th Annual Computer Security Application Conf. New Orleans: IEEE Computer Society Press, 1995. 241-248. http://csrc.nist.gov/rbac/ferraiolo-cugini-kuhn-95.pdf
    [2]Sandhu RS, Coyne EJ, Feinstein HL, Youman CE. Role-Based access control models. IEEE Computer, 1996,29(2):38-47.
    [3]Sandhu RS. Rationale for the RBAC96 family of access control models. In: Youman C, Sandhu R, Coyne E, eds. Proc. of the 1 st ACM Workshop on Role-Based Access Control. New York: ACM Press, 1996.
    [4]Ferraiolo D, Kuhn R. Role-Based access control. In: Proc. of the 15th National Computer Security Conf. 1992. 554-563. http://csrc.nist.gov/rbac/ferraiolo-kuhn-92.pdf
    [5]Zhang LH, Ahn G-J, Chu B-T. A rule-based framework for role-based delegation. In: Sandhu RS, Jaeger T, eds. Proc. of the 6th ACM Symp. on Access Control Models and Technologies. New York: ACM Press, 2001. 153-162.
    [6]Barka E, Sandhu R. Framework for role-based delegation models. In: Proc. of the 16th Annual Computer Security Application Conf.IEEE Computer Society Press, 2000. 168-176. http://csdl.computer.org/comp/proceedings/acsac/2000/0859/00/08590168.pdf
    [7]Barka E, Sandhu R. A role-based delegation model and some extensions. In: Proc. of the 23rd National Information Systems Security Conf. (NISSC 2000). 2000. http://www.list. gmu.edu/confrnc/nissc/rbdm00.pdf
    [8]Zhang XW, Oh S, Sandhu RS. PBDM: A flexible delegation model in RBAC. In: Ferrari E, Ferraiolo D, eds. Proc. of the 8th ACM Symp. on Access Control Models and Technologies. New York: ACM Press, 2003. 149-157.
    [9]ANSI INCITS 359-2004. Role Based Access Control. American National Standard for Information Technology, 2004.
    [10]Chen F, Sandhu R. Constraints for role-based access control. In: Youman C, Sandhu R, Coyne E, eds. Proc. of the 1st ACM Workshop on Role-Based Access Control. New York: ACM Press, 1996.
    [11]Simon RT, Zurko ME. Separation of duty in role-based environments. In: Proc. of the 10th Computer Security Foundations Workshop. Washington, DC: IEEE Computer Society Press, 1997. 183-194. http://csdl.computer.org/comp/proceedings/csfw/1997/7990/00/79900183.pdf
    [12]Gligor VD, Gavrila SI, Ferraiolo D. On the formal definition of separation-of-duty policies and their composition. In: Proc. of the1998 IEEE Computer Society Symp. on Research in Security and Privacy. Washington, DC: IEEE Computer Society Press, 1998.172-183.
    [13]Jaeger T. On the increasing importance of constraints. In: Proc. of the 4th ACM Workshop on Role-Based Access Control. New York: ACM Press, 1999.33-42. http://portal.acm.org/ft_gateway.cfm?id=319175&type=pdf
    [14]Bertino E, Bonatti PA, Ferrari E. TRBAC: A temporal role-based access control model. ACM Trans. on Information and System Security, 2001,4(3): 191-233.
    [15]Joshi JBD, Bertino E, Ghafoor A. Temporal hierarchy and inheritance semantics for GTRBAC. In: Proc. of the 7th ACM Symp. on Access Control Models and Technologies. New York: ACM Press, 2002. 74-83. http://shay. ecn.purdue. edu/~dmultlab/Security/sacmat2002.pdf
    [16]Joshi JBD, Shafiq B, Ghafoor A, Bertino E. Dependencies and separation of duty constraints in GTRBAC. In: Proc. of the 8th ACM Symp. on Access Control Models and Technologies. New York: ACM Press, 2003. 51-64. http://shay. ecn.purdue.edu/~dmultlab/Security/p313 -joshi.pdf
    [17]Ahn GJ, Sandhu R. Role-Based authorization constraints specification. ACM Trans. on Information and System Security, 2000,3(4):207-226.
    [18]Dong GY, Qing SH, Liu KL. Role-Based authorization constraint with time character. Journal of Software, 2002,13(8):1521-1527(in Chinese with English abstract). http://www.jos.org.cn/1000-9825/13/1521.pdf
    [19]Xu Z, Feng DG, Li L, Chen H. UC-RBAC: A usage constrained role-base access control model. In: Qing SH, Gollmann D, Zhou JY, eds. Proc. of the 5th Int'l Conf. on Information and Communications Security. LNCS 2836, Heidelberg: Springer-Verlag, 2003.337-347.
    [20]Gasser M, McDermott E. An architecture for practical delegation in a distributed system. In: Cooper D, Lunt T, eds. Proc. of the1990 IEEE Computer Society Symp. on Research in Security and Privacy. Oakland: IEEE Computer Society Press, 1990. 20-30.
    [21]Gladny HM. Access control for large collections. ACM Trans. on Information Systems, 1997,15(2):154-194.
    [22]Moffett JD, Sloman MS. The source ofauthority for commercial access control. IEEE Computer, 1988,21(2):59-69.
    [23]Nagaratnam N, Lea D. Practical delegation for secure distributed object environments. Distributed Systems Engineering, 1998,5(4):168-178.
    [24]Bandmann O, Dam M, Firozabadi BS. Constrained delegation. In: Proc. of thc 23rd Annual IEEE Symp. on Security and Privacy.Oakland: IEEE Computer Society Press, 2002. 131-143. http://csdl.computer.org/comp/proceedings/sp/2002/1543/00/15430131abs.htm
    [25]Niezette M, Stevenne J. An efficient symbolic representation of periodic time. In: Finin TW, Nicholas CK, Yesha Y, eds. Proc. of the 1st Int'l Conf. on Information and Knowledge Management. LNCS 752, Springer-Verlag, 1992.附中文参考文献:
    [26]董光宇,卿斯汉,刘克龙.带时间特性的角色授权约束.软件学报,2002,13(8):1521-1527.http://www.jos.org.cn/1000-9825/13/1521.pdf
    网友评论
    网友评论
    分享到微博
    发 布
引用本文

徐震,李斓,冯登国.基于角色的受限委托模型.软件学报,2005,16(5):970-978

复制
分享
文章指标
  • 点击次数:4813
  • 下载次数: 5998
  • HTML阅读次数: 0
  • 引用次数: 0
历史
  • 收稿日期:2003-11-20
  • 最后修改日期:2004-08-10
文章二维码
您是第19794259位访问者
版权所有:中国科学院软件研究所 京ICP备05046678号-3
地址:北京市海淀区中关村南四街4号,邮政编码:100190
电话:010-62562563 传真:010-62562533 Email:jos@iscas.ac.cn
技术支持:北京勤云科技发展有限公司

京公网安备 11040202500063号