共查询到20条相似文献,搜索用时 0 毫秒
1.
There has been an increasing need for accessing data of internal equipment and devices of a substation system from external systems as power grids evolve. This has also introduced growing concerns on data security. In response to the concerns, IEC 62351 has proposed role-based access control (RBAC) for substation automation. In this work, we present a novel approach for implementing RBAC based on IEC 62351 for substation automation using eXtensible Access Control Markup Language (XACML). We integrate the approach with IEC 61850 by extending Abstract Communication Service Interface (ACSI), Manufacturing Message Specification (MMS), and System Configuration Language (SCL). A major advantage of the approach is that it fully conforms to both IEC 61850 and IEC 62351 and highly compatible with SCL as both XACML and SCL are XML-based. We implement the approach using OpenIEC61850 which is an open source library for ACSI services and demonstrate the implementation. 相似文献
2.
访问控制和资源授权是网格系统中资源与用户的关系策略的集合,分析了访问控制与资源授权的设计原则,提出了一种基于禁止表和允许表的网格用户访问控制层次式AB4L访问控制模型.给出了该模型的形式化定义,叙述了基于Postgres数据库的资源访问控制模型和授权的实现方法,并从完备性、可扩展性、自主控制和安全性方面对该模型进行了性... 相似文献
3.
Role-based access control models 总被引:53,自引:0,他引:53
Security administration of large systems is complex, but it can be simplified by a role-based access control approach. This article explains why RBAC is receiving renewed attention as a method of security administration and review, describes a framework of four reference models developed to better understand RBAC and categorizes different implementations, and discusses the use of RBAC to manage itself 相似文献
4.
《Journal of Systems Architecture》2000,46(13):1175-1184
The explosive growth of the Web, the increasing popularity of PCs and the advances in high-speed network access have brought distributed computing into the mainstream. To simplify network programming and to realize component-based software architecture, distributed object models have emerged as standards. One of those models is distributed component object model (DCOM) which is a protocol that enables software components to communicate directly over a network in a reliable, and efficient manner. In this paper, we investigate an aspect of DCOM concerning software architecture and security mechanism. Also, we describe the concept of role-based access control (RBAC) which began with multi-user and multi-application on-line systems pioneered in the 1970s. And we investigate how we can enforce the role-based access control as a security provider within DCOM, specially in access security policy. 相似文献
5.
本体是对共享概念明确的形式化规范说明,是语义Web实现的关键技术。当前语义Web缺乏对本体有效的访问控制手段,因此本体的发布必然会导致相关领域敏感信息的泄露。提出了一个基于角色的OWL本体访问控制模型,该模型充分利用了本体元素之间的语义关联性,对传统的RBAC模型进行了扩展,能够对OWL本体以及本体元素的访问实施有效地控制,同时也解决了OWL本体访问控制中推理泄露的问题。 相似文献
6.
针对访问控制模型在分布式系统下的局限性,提出一种分布式系统下的基于角色的访问控制模型。该模型以传统RBAC为基础,对其进行了扩展,一方面通过将角色扩展为职能角色和任务角色,另一方面为任务角色增加一个属性,用以标识该角色所赋予的主体属于本域还是外域,避免了采用对等角色直接进行角色分配的简单化处理。从而一方面有利于最小权限的实现,另一方面实现了对本域和外域的主体访问请求采用不同的策略,使基于角色的控制应用范围从集中式的控制领域扩展到分布式的控制领域,以适应不断发展的分布式环境系统的需求。 相似文献
7.
In this paper, we propose a new role-based access control (RBAC) system for Grid data resources in the Open Grid Services
Architecture Data Access and Integration (OGSA-DAI). OGSA-DAI is a widely used framework for integrating data resources in
Grids. However, OGSA-DAI’s identity-based access control causes substantial administration overhead for the resource providers
in virtual organizations (VOs) because of the direct mapping between individual Grid users and the privileges on the resources.
To solve this problem, we used the Shibboleth, an attribute authorization service, to support RBAC within the OGSA-DAI. In
addition, access control policies need to be specified and managed across multiple VOs. For the specification of access control
policies, we used the Core and Hierarchical RBAC profile of the eXtensible Access Control Markup Language (XACML); and for
distributed administration of those policies and the user-role assignments, we used the Object, Metadata and Artifacts Registry
(OMAR). OMAR is based on the e-business eXtensible Markup Language (ebXML) registry specifications developed to achieve interoperable
registries and repositories. Our RBAC system provides scalable and fine-grain access control and allows privacy protection.
It also supports dynamic delegation of rights and user-role assignments, and reduces the administration overheads for the
resource providers because they need to maintain only the mapping information from VO roles to local database roles. Moreover,
unnecessary mapping and connections can be avoided by denying invalid requests at the VO level. Performance analysis shows
that our RBAC system adds only a small overhead to the existing security infrastructure of OGSA-DAI. 相似文献
8.
9.
10.
基于角色的访问控制模型及其面向对象的建模 总被引:6,自引:0,他引:6
张志勇 《计算机工程与设计》2004,25(8):1367-1369,1374
访问控制是信息安全的一个研究方向,基于角色的访问控制(RBAC)是目前理论研究和应用研究比较广泛的一种模型。详细介绍了RBAC96模型家族的特征和它所遵循的安全准则,并引入面向对象的思想,采用统一建模语言(UML)对RBAC96进行了静态和动态建模,这样就缩短了理论模型和实际系统开发之间的差距,有助于信息系统安全的面向对象的分析与设计。 相似文献
11.
电子现金系统的RBAC管理方案 总被引:1,自引:0,他引:1
在基于电子现金的网络支付方案中,交易过程相关的多个实体有不同类型的权限和访问标准,如果各自进行安全管理,会使得整个系统的维护协调有很大难度。因此,横跨多个实体的权限管理带来了额外的安全性挑战。分析了基于RBAC的电子现金系统的权限管理策略,通过基于常规角色的授权实现了对电子现金系统内多个实体的访问控制,并设置与常规角色互斥的管理角色实现系统的分布式自行管理. 相似文献
12.
信息技术的高度发展对信息安全提出了新的挑战,经典的基于角色的访问控制(RBAC)中缺乏对时间和空间的约束,使RBAC模型不能适应信息系统新的安全需求。在RBAC的基础上,引入了时空域的定义,对模型中各要素进行了时间和空间约束,提出了具有时空约束的角色访问控制模型(TSRBAC)。形式化地描述了TSRBAC,并定义了时空角色继承和时空职责分离,给出了时空访问控制算法。 相似文献
13.
基于属性的授权和访问控制研究 总被引:1,自引:0,他引:1
因开放环境的分布性、异构性和动态性,对访问控制提出了独特的安全挑战。基于属性的访问控制(ABAC)机制比基于身份的访问控制机制更能解决管理规模和系统灵活性问题,并提供细粒度的控制,已证明了对这种环境的适应性。讨论了ABAC的授权和访问控制机制、实现框架、属性管理等问题,并通过对关键技术的比较分析,提出了将来需要研究的内容,为该领域的进一步研究提供了思路。 相似文献
14.
15.
为更好地解决网格环境下分布式跨域授权问题、增强授权功能的可扩展性和可复用性,构建了基于可扩展访问控制标记语言(extensible access control markup language,XACML)规范的网格授权框架.在该框架的基础上,依照Web服务资源框架和Web服务通知规范,设计实现了基于XACML策略引擎的网格授权服务.将复杂的模块交互调用封装在授权框架内,通过简单易用的服务接口实现域间互操作时的权限分配.实现结果表明,该框架更加灵活,适用于动态、异构的网格环境. 相似文献
16.
17.
复合模式的网格系统信任授权模型 总被引:1,自引:0,他引:1
作为研究焦点的网格系统提供了一种受控的跨边界的资源共享的虚拟框架。对网格环境进行了分析,讨论了网格对信任管理的需求。在分析各种信任模型不足的基础上,基于网格具体的应用环境,并结合以PGP用户为中心的信任模型和SPKI授权证书机制各自的优势,提出了复合模式的网格信任授权模型,并完整设计了整个模型的可实现框架。 相似文献
18.
19.
Role-based access control with X.509 attribute certificates 总被引:2,自引:0,他引:2
We adapted the standard X.509 privilege management infrastructure to build an efficient role-based trust management system in which role assignments can be widely distributed among organizations, and an XML-based local policy determines which roles to trust and which privileges to grant. A simple Java API lets target applications easily incorporate the system. The Permis API has already proven its general utility in four very different applications throughout Europe. 相似文献
20.
Hristo Koshutanski Aliaksandr Lazouski Fabio Martinelli Paolo Mori 《International Journal of Information Security》2009,8(4):291-314
Nowadays, Grid has become a leading technology in distributed computing. Grid poses a seamless sharing of heterogeneous computational
resources belonging to different domains and conducts efficient collaborations between Grid users. The core Grid functionality
defines computational services which allocate computational resources and execute applications submitted by Grid users. The
vast models of collaborations and openness of Grid system require a secure, scalable, flexible and expressive authorization
model to protect these computational services and Grid resources. Most of the existing authorization models for Grid have
granularity to manage access to service invocations while behavioral monitoring of applications executed by these services
remains a responsibility of a resource provider. The resource provider executes an application under a local account, and
acknowledges all permissions granted to this account to the application. Such approach poses serious security threats to breach
system functionality since applications submitted by users could be malicious. We propose a flexible and expressive policy-driven
credential-based authorization system to protect Grid computational services against a malicious behavior of applications
submitted for the execution. We split an authorization process into two levels: a coarse-grained level that manages access
to a computational service; and a fine-grained level that monitors the behavior of applications executed by the computational
service. Our framework guarantees that users authorized on a coarse-grained level behave as expected on the fine-grained level.
Credentials obtained on the coarse-grained level reflect on fine-grained access decisions. The framework defines trust negotiations
on coarse-grained level to overcome scalability problem, and preserves privacy of credentials and security policies of, both,
Grid users and providers. Our authorization system was implemented to control access to the Globus Computational GRAM service.
A comprehensive performance evaluation shows the practical scope of the proposed system.
相似文献
Paolo MoriEmail: |