一种通用访问控制管理模型  被引量：8

作　　者：李晓峰[1,2] 冯登国[1,2] 徐震[1,2] 

机构地区：[1]中国科学院软件研究所信息安全国家重点实验室,北京100080 [2]中国科学院研究生院信息安全国家重点实验室,北京100049

出　　处：《计算机研究与发展》2007年第6期947-957,共11页Journal of Computer Research and Development

基　　金：国家自然科学基金项目(60603017);国家"八六三"高技术研究发展计划基金项目(2004AA147070)~~

摘　　要：目前的访问控制管理模型都是针对某种特定的访问控制模型提出的,不能适应多访问控制模型共存于一个大型系统的情况,一个管理模型不能同时适用于多访问控制模型的主要原因是管理者管理范围定义包含了某种访问控制模型中特有的组件.通过使用各种访问控制模型中共有的主体和权限来定义管理模型中的管理范围,将管理模型与访问控制模型之间的关系抽象为一个用于计算策略相关管理范围的函数,提出了一种能够用来管理不同访问控制模型的通用访问控制管理模型,为了便于模型实际使用,在模型中引入管理空间的概念与实际组织结构相对应,形成分布式访问控制管理结构,同时模型严格区分了管理空间的直接管理者和间接管理者在管理权限上的不同,使得管理者具有一定的自治性.最后讨论了管理模型中的管理规则和语义,证明了模型的完备性,并讨论和分析了针对不同访问控制模型的policy*算法.Current access control administration models that are designed to manage given access control models are not suitable for enterprise environment in which different access control models coexist. An administration model is needed for efficiently administrating different access control models in enterprise environment. The main reason why an administration model can＇t be used to manage other access control models is that the administration scopes defined in the model include characteristic components of the given access control model. This paper uses subiect and permission that are common in different access control models to describe administration scope, abstracts interface between administration model and access control model to policy ~ functions and proposes a generic administration model. The model introduces the concept of management space that corresponds with real enterprise structure and makes the model easily understood by managers, and the administration tasks are achieved hierarchically. For autonomy, the model differentiates the direct manager＇s administration privileges from the indirect manager＇s administration privileges of one management space. Also discussed are the administration rules and semantics of the model. The model soundness is proved, and policy~ algorithms of RBAC, MAC and HRU are analyzed. This model can be used to administrate different access control model in an enterprise environment. An example is given, which explains how to use this model to manage RBAC, MAC and HRU.

关 键 词：访问控制 管理模型 基于角色的访问控制 信息安全 强制访问控制 

分 类 号：TN918.91[电子电信—通信与信息系统] TP309[电子电信—信息与通信工程]