Similar literature
Found 20 similar documents; search took 15 ms
1.
Role-based access control models   Total citations: 53, self-citations: 0, citations by others: 53
Security administration of large systems is complex, but it can be simplified by a role-based access control approach. This article explains why RBAC is receiving renewed attention as a method of security administration and review, describes a framework of four reference models developed to better understand RBAC and categorizes different implementations, and discusses the use of RBAC to manage itself.

2.
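Role-based access control model and its object-oriented modeling   Total citations: 6, self-citations: 0, citations by others: 6
张志勇 《计算机工程与设计》2004,25(8):1367-1369,1374
Access control is a research direction in information security, and role-based access control (RBAC) is currently one of the most widely studied models in both theoretical and applied research. This paper describes in detail the characteristics of the RBAC96 model family and the security principles it follows, introduces object-oriented ideas, and uses the Unified Modeling Language (UML) to build static and dynamic models of RBAC96. This narrows the gap between the theoretical model and practical system development and supports object-oriented analysis and design of information system security.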

3.
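An RBAC management scheme for electronic cash systems   Total citations: 1, self-citations: 0, citations by others: 1
王进  贾忠田  李大兴  程震 《计算机工程与设计》2006,27(15):2722-2724,2792
In network payment schemes based on electronic cash, the multiple entities involved in a transaction have different types of permissions and access criteria. If each entity manages security on its own, maintaining and coordinating the whole system becomes very difficult. Permission management across multiple entities therefore brings additional security challenges. This paper analyzes an RBAC-based permission management strategy for electronic cash systems, implements access control over the multiple entities in the system through authorization based on regular roles, and sets up administrative roles that are mutually exclusive with the regular roles to achieve distributed self-administration of the system.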

4.
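A role-based access control model for distributed environments   Total citations: 1, self-citations: 0, citations by others: 1
To address the limitations of access control models in distributed systems, a role-based access control model for distributed systems is proposed. The model extends traditional RBAC in two ways: it splits roles into functional roles and task roles, and it adds an attribute to task roles that identifies whether the subject granted the role belongs to the local domain or a foreign domain, avoiding the oversimplification of assigning roles directly through peer roles. This helps achieve least privilege and allows different policies to be applied to access requests from local-domain and foreign-domain subjects, extending role-based control from centralized to distributed settings to meet the needs of evolving distributed systems.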

5.
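An ontology is an explicit formal specification of a shared conceptualization and is a key technology for realizing the Semantic Web. The Semantic Web currently lacks effective means of access control for ontologies, so publishing an ontology inevitably leaks sensitive information in the related domain. A role-based access control model for OWL ontologies is proposed. The model makes full use of the semantic associations between ontology elements and extends the traditional RBAC model; it can effectively control access to OWL ontologies and ontology elements, and also solves the problem of inference leakage in OWL ontology access control.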

6.
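The rapid development of information technology poses new challenges for information security. Classical role-based access control (RBAC) lacks temporal and spatial constraints, so the RBAC model cannot meet the new security requirements of information systems. Building on RBAC, this paper introduces the definition of a spatio-temporal domain, applies temporal and spatial constraints to each element of the model, and proposes a role-based access control model with spatio-temporal constraints (TSRBAC). TSRBAC is described formally, spatio-temporal role inheritance and spatio-temporal separation of duty are defined, and a spatio-temporal access control algorithm is given.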

7.
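A role-based dynamic access control model for Web Services   Total citations: 1, self-citations: 0, citations by others: 1
王维林  张来顺  张远洋 《计算机应用》2006,26(11):2607-2609
Most existing models provide static, coarse-grained access control for Web Services and cannot satisfy a dynamic, service-oriented Web Services environment. A role-based dynamic access control model for Web Services (RBDAC) is therefore proposed. The model can activate role assignment and permission assignment according to context information at the time of user access, and makes access control decisions dynamically.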

8.
Role-based access control with X.509 attribute certificates   Total citations: 2, self-citations: 0, citations by others: 2
We adapted the standard X.509 privilege management infrastructure to build an efficient role-based trust management system in which role assignments can be widely distributed among organizations, and an XML-based local policy determines which roles to trust and which privileges to grant. A simple Java API lets target applications easily incorporate the system. The Permis API has already proven its general utility in four very different applications throughout Europe.

9.
There has been an increasing need for accessing data of internal equipment and devices of a substation system from external systems as power grids evolve. This has also introduced growing concerns on data security. In response to the concerns, IEC 62351 has proposed role-based access control (RBAC) for substation automation. In this work, we present a novel approach for implementing RBAC based on IEC 62351 for substation automation using eXtensible Access Control Markup Language (XACML). We integrate the approach with IEC 61850 by extending Abstract Communication Service Interface (ACSI), Manufacturing Message Specification (MMS), and System Configuration Language (SCL). A major advantage of the approach is that it fully conforms to both IEC 61850 and IEC 62351 and is highly compatible with SCL, as both XACML and SCL are XML-based. We implement the approach using OpenIEC61850, which is an open source library for ACSI services, and demonstrate the implementation.

10.
In this paper, we propose a new role-based access control (RBAC) system for Grid data resources in the Open Grid Services Architecture Data Access and Integration (OGSA-DAI). OGSA-DAI is a widely used framework for integrating data resources in Grids. However, OGSA-DAI’s identity-based access control causes substantial administration overhead for the resource providers in virtual organizations (VOs) because of the direct mapping between individual Grid users and the privileges on the resources. To solve this problem, we used the Shibboleth, an attribute authorization service, to support RBAC within the OGSA-DAI. In addition, access control policies need to be specified and managed across multiple VOs. For the specification of access control policies, we used the Core and Hierarchical RBAC profile of the eXtensible Access Control Markup Language (XACML); and for distributed administration of those policies and the user-role assignments, we used the Object, Metadata and Artifacts Registry (OMAR). OMAR is based on the e-business eXtensible Markup Language (ebXML) registry specifications developed to achieve interoperable registries and repositories. Our RBAC system provides scalable and fine-grain access control and allows privacy protection. It also supports dynamic delegation of rights and user-role assignments, and reduces the administration overheads for the resource providers because they need to maintain only the mapping information from VO roles to local database roles. Moreover, unnecessary mapping and connections can be avoided by denying invalid requests at the VO level. Performance analysis shows that our RBAC system adds only a small overhead to the existing security infrastructure of OGSA-DAI.

11.
In this paper, we propose a role-based access control (RBAC) method for grid database services in open grid services architecture-data access and integration (OGSA-DAI). OGSA-DAI is an efficient grid-enabled middleware implementation of interfaces and services to access and control data sources and sinks. However, in OGSA-DAI, access control causes substantial administration overhead for resource providers in virtual organizations (VOs) because each of them has to manage a role-map file containing authorization information for individual grid users. To solve this problem, we used the community authorization service (CAS) provided by the globus toolkit to support the RBAC within the OGSA-DAI framework. The CAS grants the membership on VO roles to users. The resource providers then need to maintain only the mapping information from VO roles to local database roles in the role-map files, so that the number of entries in the role-map file is reduced dramatically. Furthermore, the resource providers control the granting of access privileges to the local roles. Thus, our access control method provides increased manageability for a large number of users and reduces day-to-day administration tasks of the resource providers, while they maintain the ultimate authority over their resources. Performance analysis shows that our method adds very little overhead to the existing security infrastructure of OGSA-DAI.

12.
Radio Frequency Identification (RFID) based systems have been used in different applications in the Architecture, Engineering, Construction, Owner and Operator (AECOO) industry. Applications are mainly designed for a specific lifecycle stage of the facility and serve the needs of only one of the stakeholders. This would increase the cost and the labor for adding and removing tags and eliminate the chance of using shared resources. In this paper, the usage of tags permanently attached to components is proposed where the memory of the tags is used during the lifecycle by different stakeholders for data storage and handover. A Building Information Model (BIM) database is used for tackling the interoperability issues, allowing different users to access and share the data. To securely and efficiently store data on RFID tags in ifcXML format, multi-level encryption together with role-based access control is applied on the data stored on RFID tags. Each user is assigned a certain role and can only access the part of data for which he has authorization according to a predefined role and the Access Control Policy. To explore the technical feasibility of the proposed approach, a case study considering both facilities management and emergency management has been implemented and tested at Concordia University.

13.
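Using a real project as an example, this paper examines in depth how several typical devices, namely VPNs, firewalls, and policy switches, can be used to solve the problem of remote-office access for enterprises.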

14.
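Distributed access control   Total citations: 1, self-citations: 0, citations by others: 1
艾鸿 《计算机工程与设计》2007,28(21):5110-5111,5118
Information security comprises confidentiality, integrity, and availability, and involves data encryption, access control, and many other aspects. Access control models have evolved from discretionary access control and mandatory access control to role-based access control models, and a variety of frameworks have been proposed. The three access control models are compared and analyzed and their respective strengths and weaknesses are pointed out. The current state of research on distributed access control models is also analyzed, and the author offers some ideas of their own.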

15.
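Role-based access control   Total citations: 17, self-citations: 0, citations by others: 17
1. Introduction. The core concept of role-based access control (RBAC) is that users cannot access application objects arbitrarily. In an RBAC system, users are members of roles, and their access permissions are administratively associated with those roles. This idea greatly simplifies the management of user authorization and provides great flexibility for defining and enforcing system security policies. Users can be given different roles according to their authority and qualifications, and user roles are easy to reassign without changing the underlying access structure. If other applications or operations are added, permissions can be added to or removed from roles. RBAC mechanisms are now widely used in a variety of systems, including Oracle, NetWare, Java, DG/UX, object-oriented systems, databases, MS Windows NT, enterprise security management systems, and so on.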

16.
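This paper introduces passage control methods and, based on practical application, proposes an approach that meets the needs of passage control technology in library door access management systems, and gives a feasible solution to some practical problems that may be encountered in passage control.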

17.
Delegation in role-based access control   Total citations: 3, self-citations: 0, citations by others: 3
User delegation is a mechanism for assigning access rights available to one user to another user. A delegation can either be a grant or transfer operation. Existing work on delegation in the context of role-based access control models has extensively studied grant delegations, but transfer delegations have largely been ignored. This is largely because enforcing transfer delegation policies is more complex than grant delegation policies. This paper, primarily, studies transfer delegations for role-based access control models. We also include grant delegations in our model for completeness. We present various mechanisms that authorize delegations in our model. In particular, we show that the use of administrative scope for authorizing delegations is more efficient than using relations. We also discuss the enforcement and revocation of delegations. Finally, we study delegation in the context of workflow systems. In particular, we demonstrate the application of the administrative scope and administrative domain concepts to control delegation of tasks in worklist-based workflow systems.

18.
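Agent-based CGF has become an important research direction in military simulation, and a distributed MAS with fully peer-to-peer relationships is not entirely suitable for task allocation behavior in Agent-CGF. After briefly explaining the concept of a role, this paper proposes a role-based ACGF task allocation model. In this model, tasks are not assigned directly to simulation entities; they are first assigned to roles, and roles are then dynamically bound to entities during the simulation. Drawing on an application in naval vessel simulation, the paper finally proposes an ACGF role structure model that conforms to the HLA interface specification. ACGF entities based on this model take their own tactical role into account during decision making and perform tactical actions accordingly.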

19.
Multiagent Q-learning based on role-specific context   Total citations: 1, self-citations: 0, citations by others: 1
One of the main problems in cooperative multiagent learning is that the joint action space grows exponentially with the number of agents. In this paper, we investigate a sparse representation of the coordination dependencies between agents to employ roles and context-specific coordination graphs to reduce the joint action space. In our framework, the global joint Q-function is decomposed into a number of local Q-functions. Each local Q-function is shared among a small group of agents and is composed of a set of value rules. We propose a novel multiagent Q-learning algorithm which learns the weights in each value rule automatically. We give empirical evidence to show that our learning algorithm converges to the same optimal policy with a significantly faster speed than traditional multiagent learning techniques.

20.
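A new role authentication method that also protects privacy is presented. The method authenticates subject roles of general significance, satisfying authentication requirements while protecting the privacy of user identity, and also makes it convenient to authorize roles for subjects. The user identifier embedded in the method is random and unique, and can uniquely determine the owner of a role. The service provider cannot collect statistics on or link the identifier to infer user behavior or reveal the user's real identity. Analysis of the method shows that it balances authentication and privacy needs, has a simple implementation flow and high computational efficiency, and is easy to deploy.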
