云计算环境中基于用户访问需求的角色查找算法

提出了一种云计算环境中基于角色的访问控制模型CARBAC,将角色分为用户角色和资源拥有者管理角色。针对管理角色对用户访问的角色指派,提出了在混杂角色层次关系中基于用户权限的角色查找算法。对于一组给定的授权,该算法能在云计算系统的角色中选择一组数量最少的角色指派给用户。仿真实验表明,针对云计算环境中的海量用户访问,本算法能显著减少系统中角色的数量,缩短用户授权时间,提高系统运行效率。     

基于团队和任务的RBAC访问控制模型

文中提出了一个新的访问控制和授权管理模型,即基于团队和任务的RBAC模型（TT-RBAC）。通过在TT-RBAC模型中增加团队和任务,扩展了NISTRBAC模型。TT-RBAC的基本思想是将用户指派给角色和团队,角色和任务指派给团队,权限指派给角色和任务。通过为团队用户分配任务,使用户可以访问团队资源。但是,用户从团队获得的权限决定于用户的激活角色及团队的激活任务。所以TT-RBAC模型比传统的RBAC模型更加灵活。     

柔性信息管理系统中权限控制方法的应用

系统中的权限设计方法直接影响到系统的安全,为解决系统中权限控制的灵活性问题,结合柔性化软件开发策略提出了基于动态树模式的角色授权管理机制,系统管理员可以根据不同角色的需求,动态设置角色的权限。该授权方法突破了传统系统中角色不能更改的弊端,基于动态树模式的角色授权管理机制根据不同用户动态加载不同的菜单,实现了用户访问系统资源的可定制性、灵活性和可控性,解决了权限管理粒度与数量矛盾的问题。该方法具体应用于某高校信息管理系统中,实现了系统权限的灵活管理。     

面向多维数字媒体的访问控制机制

在多维数字媒体场景中,用户期望利用环境、时态等因素实现访问权限的自我约束。针对该需求,综合环境、时态、角色定义授权属性,提出面向多维数字媒体的访问控制机制,该机制定义用户—授权属性分配关系和授权属性—访问权限分配关系,根据用户的ID、属性信息、所处环境和时态、角色,用户—授权属性分配关系为用户分配相应授权属性;根据用户所赋予的授权属性,授权属性—访问权限分配关系为用户分配相应访问权限。引入约束条件,用户通过设置约束条件进行访问权限的自我约束,实现访问权限随环境、时态、角色等因素的变化而动态缩减。使用Z符号对该机制进行形式化描述,通过实例分析验证其可行性,与现有工作的比较表明所提机制支持最小权限、职责分离、数据抽象等安全原则,支持访问权限的动态缩减。     

云平台下CRM系统访问控制研究与设计

文章对比分析了主流的访问控制模型,以基于角色的访问控制模型为基础,设计了适合云平台下CRM系统的访问控制机制,该机制增加了用户组、部门、资源、操作等实体。在优先通过角色授权的基础上,允许对用户直接授权,在权限设计中增加了用户权限直接授权,用户角色权限的动态授权等。本文还介绍了云平台下CRM系统的访问流程,并实现了云平台下CRM系统的访问控制。     

RBAC模型在医疗系统中的研究与应用

基于角色的访问控制是目前应用在系统控制用户访问中比较主流的一门技术。在此针对医疗系统的特点,在基于角色的访问控制模型的基础上,分析医疗系统中的访问主体和客体,引入角色,将权限和角色相关联,重点研究不同用户对记录的访问控制,提出一个访问控制算法,通过分配用户适当的角色,然后授予用户适当的访问权限,使用户和访问权限逻辑分离,从而提高了在医疗系统中权限分配和访问控制的灵活性与安全性。     

计算机网络分布式系统中角色访问控制的授权策略

文章给出了一种基于角色的PMI系统的授权策略的构成与实现,可以为大型企业多种信息应用平台和网络中分布式应用系统提供一种用户权限的集中统一的管理。并从几个方面对怎样实现RBAC授权策略作了详细的说明,通过对策略的管理,能很好地实现基于RBAC的授权。     

一个可行的基于角色的PMI授权管理方案

本文描述的权限管理基础设施(PMI)的总体框架,不同于以前的授权管理方案,使用属性证书表示用户的权限,使用XML格式的策略表示受控资源的访问规则。最后,提出了一个可行的属性证书发放中心(AA)的构建方案,AA采用基于角色的授权管理模型,能够为权限管理框架上的业务系统提供属性证书管理。     

保护用户隐私的数据加密与安全存储方案

文中提出了一套保护用户隐私的数据加密与安全存储方案,选择了适合的加密算法和密钥管理方案。通过对比分析不同加密算法的安全性和效率,最终选择了AES 256,RSA等加密算法,并设计了三级密钥管理方案,实现了对密钥的安全存储和分发。在数据存储方面,以eMMC存储器为存储介质,实现了基于角色和权限的访问控制机制,确保用户只能访问其被授权的数据。     

基于ASP模式下UD_RBAC模型的研究与实现

随着应用服务提供商(ASP)模式的发展,为解决集成了越来越多应用服务的ASP平台与用户之间复杂的管理需求,提出了一种ASP模式下用户授权代理机制的角色访问控制(UD-RBAc)模型.文中对UD_RBAC模型形式化描述,细致地分析了其构成要素、用户授权代理管理模式和实施策略.采用LDAP目录访问协议统一存储用户身份和权限信息,通过代理策略保护应用服务资源,实现对用户的访问进行分级授权和控制.     

基于规则的自动化授权方法研究

论文深入剖析了RB—RBAC此完成权限自动分配的授权管理方法。难以解决的授权管理问题。模型并结合用户的身份管理,提出了一种根据用户属性它能满足分布环境、用户数量巨大、权限分配关系复杂、制定授权规则,并据使用传统的管理方法     

Distributed policy processing in active‐service based infrastructures

More and more applications in the Internet are requiring an intelligent service infrastructure to provide customized services. In this paper, we present an infrastructure, which can transparently and effectively provide customized active‐services to end users and dynamically adapt to changing customized policies in large distributed heterogeneous environments. The infrastructure consists of two components: the policy agent and middleware box. Particularly, our technologies include: (1) Generic active‐service based infrastructure, where the policy agent can integrate policies requested by applications, and middleware boxes can transparently execute services and (2) Distributed policy processing in the middleware box. We study two policy partitioning schemes to achieve conflict‐free policies for distributed policy processing and guarantee the correctness of the policy execution. We conduct extensive performance evaluations on different schemes proposed. Our experimental results demonstrate that our policy partitioning schemes can effectively generate partition‐capable and conflict‐free policy sets. The evaluation results also show that distributed policy processing can achieve over 70% increase in performance/price ratio with proper assignment of the policy distribution degree compared to a purely centralized approach. Copyright © 2005 John Wiley & Sons, Ltd.     

一个带有性能权衡的反射式中间件权限管理框架

将信任管理引入中间件可以解决分布环境下的代理和授权问题，但带来了性能损失．本义通过分析权限管理系统中使用的代理链搜索算法，在改进算法的基础上提出一种通过调节信任度阀门、牺牲一部分系统可用性来提升系统性能的方法；并给出反射式中间件上带有性能权衡的权限管理框架；框架在J2EE中间件PKUAS上得到实现，并通过实验证明了框架的可行性和有效性．     

涉密信息系统安全保密管理人员的职责要求与权限划分

涉密信息系统的安全保密管理人员包括系统管理员、安全保密管理员和安全审计员。本文分别对国家保密标准中所规定的这三类安全保密管理人员进行研究,分析各自职责。并以涉密信息系统用户账号和授权管理流程为例,说明了安全保密管理人员的权限划分原则。以此促进涉密信息系统建设使用单位对标准要求的理解和落实,同时也为涉密信息系统内业务应用系统和安全保密产品的设计开发提出了相应的功能要求。     

Cross-Layer QoS Enabled SDN-Like Publish/Subscribe Communication Infrastructure for IoT

Publish/subscribe paradigm is often adopted to create the communication infrastructure of the Internet of Things(IoT)for many clients to access enormous real-time sensor data.However,most current publish/subscribe middlewares are based on traditional ossified IP networks,which are difficult to enable Quality of Service(QoS).How to design the next generation publish/subscribe middleware has become an urgent problem.The emerging Software Defined Networking(SDN)provides new opportunities to improve the QoS of publish/subscribe facilities for delivering events in IoT owing to its customized programmability and centralized control.We can encode event topics,priorities and security policies into flow entries of SDN-enabled switches to satisfy personalized QoS needs.In this paper,we propose a cross-layer QoS enabled SDN-like publish/subscribe communication infrastructure,aiming at building an IoT platform to seamlessly connect IoT services with SDN networks and improving the QoS of delivering events.We first present an SDN-like topic-oriented publish/subscribe middleware architecture with a cross-layer QoS control framework.Then we discuss prototype implementation,including topic management,topology maintenance,event routing and policy management.In the end,we use differentiated services and cross-layer access control as cross-layer QoS scenarios to verify the prototype.Experimental results show that our middleware is effective.     

Personalized privacy protection method for group recommendation

To address the problem that most of the existing privacy protection methods can not satisfy the user’s personalized requirements very well in group recommendation,a user personalized privacy protection framework based on trusted client for group recommendation (UPPPF-TC-GR) followed with a group sensitive preference protection method (GSPPM) was proposed.In GSPPM,user’s historical data and privacy preference demands were collected in the trusted client,and similar users were selected in the group based on sensitive topic similarity between users.Privacy protection for users who had privacy preferences in the group was realized by randomization of cooperative disturbance to top k similar users.Simulation experiments show that the proposed GSPPM can not only satisfy privacy protection requirements for each user but also achieve better performance.     

电子病历存储云系统访问控制研究

随着医疗信息化的快速发展,现行EMR系统在信息共享和安全性方面无法很好地满足医疗和患者的需要。文中基于云计算技术提出一种EMR存储云系统,为患者和医院提供统一的电子病历注册和使用服务,并重点对电子病历的访问控制策略进行了讨论,采用一般角色访问控制和用户个性化逐级授权相结合的策略,有效解决了动态授权和用户个性化需求问题,满足了患者对于信息安全性和隐私保护方面的需求。     

PriMa: a comprehensive approach to privacy protection in social network sites

With social networks (SNs) allowing their users to host large amounts of personal data on their platforms, privacy protection mechanisms are becoming increasingly important. The current privacy protection mechanisms offered by SNs mostly enforce access control policies based on users’ privacy settings. The task of setting privacy preferences may be tedious and confusing for the average user, who has hundreds of connections (e.g., acquaintances, colleagues, friends, etc.) and maintains an extensive profile on his main SN. Hence, users often end up with policies that do not sufficiently protect their personal information, thus facilitating potential privacy breaches and information misuse. In this paper, we propose PriMa (Privacy Manager), a privacy protection mechanism that supports semiautomated generation of access rules for users’ profile information, filling the gap between the privacy management needs of SN users and the existing SNs’ privacy protection mechanisms. PriMa access rules are generated using a multicriteria algorithm, so as to account for an extensive set of criteria to be considered when dealing with access control in SN sites. The resulting rules are simple yet powerful specifications, indicating the adequate level of protection for each user, and are dynamically adapted to the ever-changing requirements of the users’ preferences and SN configuration. We have implemented PriMa on a Drupal platform and as a third-party Facebook application. We have evaluated the performance of the PriMa application with respect to access rule generation.     

Light-Weight Selective Image Encryption for Privacy Preservation

To protect personal privacy and confidential preservation, access control is used to authorize legal users for safe browsing the authorized contents on photos. The access control generates an authorization rule according to each permission assignment. However, the general access control is inappropriate to apply in some social services (e.g., photos posted on Flickr and Instagram, personal image management in mobile phone) because of the increasing popularity of digital images being stored and managed. With low maintenance loads, this paper integrates the data hiding technique to propose an access control mechanism for privacy preservation. The proposed scheme changes the partial regions of a given image as random pads (called selective image encryption) and only allows the authorized people to remedy the random pads back to meaningful ones which are with similar visual qualities of original ones.     

基于资源抽象的RBAC模型

论文提出一种新的访问控制模型—基于资源抽象的角色访问控制模型(RD_RBAC)。该模型在对角色授权以及实现系统安全策略的过程中,通过对资源的二次抽象,实现减少冗余角色、降低管理复杂度,并在高校管理系统的实例中得到验证。与传统的RBAC相比,RD_RBAC具有更好的适应性和安全性。