基于属性的访问控制策略合成代数

访问控制策略合成是确定分布式聚合资源访问控制策略的关键.为了规范策略合成和保障策略合成正确性,基于属性刻画了实体间的授权关系,通过属性值的计算结构扩展了现有的策略合成形式化框架,建立了新的基于属性的策略合成代数模型APoCA(attribute-base access control policy composition algebra).通过示例分析说明APoCA具有更强的策略合成描述能力和普适性,适应于更为复杂的应用场景.用代数表达式形式化地描述聚合资源的访问控制策略,讨论了策略表达式的若干代数性质,说明可借助策略表达式的代数性质去验证策略合成结果是否符合各方对聚合资源的保护性需求.给出了将代数表达式翻译成逻辑程序的翻译器,为聚合资源的访问控制策略评估和应用提供基础.

Attribute-Based Access Control Policies Composition Algebra

The composition of access control policies is the key to determine access control policies for distributed aggregated resource. To regulate policy composition and guarantee its correctness, an algebraic model called APoCA (attribute-based access control policy composition algebra) is proposed for composing access control policy. In APoCA, an authorization relation between entities is described at the attribute level. APoCA fertilizes the existing formal frameworks by taking into account the computation of attribute values. Several examples are given to demonstrate the expressiveness of ApoCA. ApoCA can be used for more complex applications. In addition, access control policies of aggregated resources can be formulated as expressions of the algebra. Several algebraic properties of policy expressions are discussed. It shows that the algebraic properties of policy expressions can be used to verify whether policy composition results meet the protection needs of each party. Furthermore, a translator is devised to convert the policy expressions into logic programs, which provides the basis for the evaluation and application of access control policies for aggregated resources.