工作流系统上下文相关访问控制模型

访问控制是提高工作流系统安全性的重要机制。基于角色的访问控制（RBAC）被绝大多数工作流系统所采用，已成为工作流领域研究的热点。但是，现有的基于角色的访问控制模型没有考虑工作流上下文对任务执行授权安全的影响，容易造成权限冗余，也不支持职责分离策略。该文提出一种工作流上下文相关访问控制模型WfCAC，首先，定义该模型的构成要素和体系结构，然后讨论工作流职责分离和访问控制机制，并对模型性质进行分析。WfCAC模型支持用户组及其层次结构，支持最小权限授权策略和职责分离策略，实现了工作流上下文相关访问控制。

A Context-sensitive Access Control Model for Workflow System

Access control is an important mechanism for enhancing workflow system security, Role-based access control model (RBAC)is used in the most of workflow systems, and it has become a research topic in the area of workflow. However, in the existing role-based access control models, the influence produced by workflow context and task histories to authorization security is not token into account, redundant properties for running workflow tasks are produced easily, and the policies of separation of duties are not effectively supported. In this paper, a context-related access control model for workflow system is proposed, named as WfCAC. Firstly, the elements and architecture of this model are defined, respectively. Secondly, the mechanisms for achieving the policies of separation of duties and access control mechanism are discussed. Finally, the properties of this model are analyzed. WfCAC model supports the policy of the user group with hierarchy structure, the context-sensitive access control of workflow, the minimizing authorization policies and the policies of separation of duties, respectively.