工作流系统中的PRBAC访问控制模型研究  被引量：3

作　　者：熊天虹 余阳[1] 娄定俊 XIONG Tianhong;YU Yang;LOU Dingjun(School of Data Science and Computer,Sun Yat-sen University,Guangzhou 510006,China)

机构地区：[1]中山大学数据科学与计算机学院,广州510006

出　　处：《应用科学学报》2020年第5期672-681,共10页Journal of Applied Sciences

基　　金：国家重点研发计划(No.2017YFB0202201);国家自然科学基金(No.61972427);NSFC-广东联合基金大数据科学中心项目(No.U1911205);广州市科技计划项目(No.201704020092)资助。

摘　　要：工作流管理系统(workflow management systems,WFMS)已被企业和政府广泛用于组织的业务流程管理,系统的任务分派一般采用基于角色的访问控制(role-based access control,RBAC)模型来解决授权控制问题,这为员工的角色或部门变更提供了良好的适应性.然而,随着竞争的加剧和改革的常态化,组织的结构和角色变化日益频繁.另外,一套流程系统实施到不同的组织,也要面对不同的组织结构和角色.RBAC模型导致业务流程定义中的任务授权严重依赖于组织,后者的频繁变化不但会引起授权体系的频繁变化,甚至因影响流程定义而引起执行期的异常.为此,提出了一种基于职位-角色的访问控制(position-role based access control,PRBAC)模型,将角色的粒度细化为组织职位,同时引入业务角色的概念,授权仅针对后者,并通过一个映射层来建立两者的对应关系.证明了PRBAC与RBAC在表达能力上的等价性,并对授权粒度和复杂度进行了分析.通过案例分析,演示了PRBAC模型可以有效提高WFMS应对组织变化的适应性和柔性,实现了组织模型与业务模型的解耦.Workflow management systems(WFMS)has been widely used in organizational business process management of enterprises and government,and role-based access control(RBAC)model is generally adopted in system tasks for solving the problem of authorization control,and performs good adaptability to the changes of employees’roles or departments.However,with the intensification of competition and the normalization of reform,the organization structures and roles are changing more and more frequently,thus a process system implemented to different organizations will face with much more serious variety of organization structures and roles.The RBAC model causes the task authorization in the business process definition to be heavily organization-dependent,thus the frequent changing of organization will require continuous changing of authorization system,or even worse,lead to its abnormal execution due to the improper process definition.For this problem,this paper proposes a position-role based access control(PRBAC)model,which divides the granularity of roles into organization positions,introduces the concept of business roles which are the only authorization objects,and establishes the corresponding relationship through a mapping layer.The equivalence of PRBAC and RBAC in expressivity is proved,and the granularity and complexity of authorization are analyzed.Through case analysis,we demonstrate that PRBAC model can effectively improve the adaptability and flexibility of WFMS in organizational changes,and realize the decoupling of organization model and business model.

关 键 词：工作流 PRBAC模型 组织职位 业务角色 授权 

分 类 号：P751.1[交通运输工程—港口、海岸及近海工程]