检索规则说明:AND代表“并且”;OR代表“或者”;NOT代表“不包含”;(注意必须大写,运算符两边需空一格)
检 索 范 例 :范例一: (K=图书馆学 OR K=情报学) AND A=范并思 范例二:J=计算机应用与软件 AND (U=C++ OR U=Basic) NOT M=Visual
机构地区:[1]北京交通大学计算机与信息技术学院,北京100044 [2]北京大学软件与微电子学院,北京102600
出 处:《北京交通大学学报》2011年第5期21-25,共5页JOURNAL OF BEIJING JIAOTONG UNIVERSITY
基 金:长江学者和创新团队发展计划项目资助(IRT0707);北京市教育委员会学科建设与研究生教育建设项目资助
摘 要:针对复杂的应用系统,提出了一种基于风险分析的访问控制模型,该模型通过风险概念建立了业务目标和访问控制策略间的直接对应关系,以业务流程运营绩效指标作为风险度量的基准,并将风险计算作为访问控制授权决策的约束方程,同时,在最小权限原则和职责分离原则基础上,还给出了"业务-安全"均衡原则,并建立了相应授权决策规则.本文的研究成果有助于摈弃"安全或不安全"的二元制授权决策规则,建立适应业务灵活性和互操作性发展的柔性授权决策方法.Facing to the complex application systems, an access control model based on the risk analysis is proposed. The directed connection between the business objectives and the access control strategies is established in the model according to the concept of risk, with business process operational performance indicators as a basis on the risk measurement and the risk calculation as the constraint equation of the access control authorization decision. At the same time, besides the principle of least privilege and the principle of responsibility of separation, the principle of "business-security" equilibrium is also given, and the appropriate authorization decision rules are also established. The research results in the article aid to establish a flexible decision-making method to adapt the development of the business flexibility and interoperability, as well as get rid of the "safe or unsafe" dual authorization decision rule.
关 键 词:风险分析 访问控制 基于角色的访问控制 基于任务的访问控制
分 类 号:TP309[自动化与计算机技术—计算机系统结构]
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在链接到云南高校图书馆文献保障联盟下载...
云南高校图书馆联盟文献共享服务平台 版权所有©
您的IP:216.73.216.249