Scalable Access Control Model Based on Double-tier Role and Organization
Cite this article: Xiong Hou-ren, Chen Xing-yuan, Zhang Bin, Du Xue-hui. Scalable Access Control Model Based on Double-tier Role and Organization [J]. Journal of Electronics & Information Technology, 2015, 37(7): 1612-1619.
Authors: Xiong Hou-ren, Chen Xing-yuan, Zhang Bin, Du Xue-hui
Affiliations: 1. PLA Information Engineering University, Zhengzhou 450001; Henan Key Laboratory of Information Security, Zhengzhou 450001
2. PLA Information Engineering University, Zhengzhou 450001; State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001
Funding: National 863 Program; Henan Provincial Basic Research Program 2014 (142300413201)
Abstract (translated from the Chinese): Existing research on Role-Based Access Control (RBAC) suffers from poor adaptability caused by a single, uniform way of defining roles, from role or privilege redundancy in multi-domain environments, and from insufficient attention to resource management. To address these problems, this paper proposes an access control model based on double-tier roles and organizations that supports resource management. By partitioning roles into two tiers, a double-tier role architecture of function roles and task roles is presented, which makes the model closer to practice and more adaptable. The concept of organization is introduced and combined with the double-tier roles, the concepts of role and privilege are extended, the proposed double-tier role and organization based access control model is defined formally, and the separation-of-duty and cardinality constraints that affect the model's security are described. Analysis of the model's expressive power and complexity shows that the mechanism not only retains the characteristics and advantages of RBAC, but also has lower complexity than RBAC and is better suited to distributed multi-domain environments made up of multiple similar organizations.

Keywords: Network information security; Role-Based Access Control (RBAC); Double-tier role; Organization; Role inheritance; Separation of duty
Received: 2014-09-25
Revised: 2015-02-11

Abstract (authors' English version): To tackle the deficiencies of weak adaptability due to the singleness of the role establishment method, role or privilege redundancy, and little attention to resource management in existing Role-Based Access Control (RBAC) research, a Scalable Access Control model Based on Double-Tier Role and Organization (SDTR-OBAC) is proposed. Through double role partition, a double-tier role architecture of function role and task role is presented, solving the problem that the traditional role cannot cover the requirements of both the organizational level and the application level at the same time. The concept of organization is introduced to integrate with the double-tier role and form an organization-role pair that is assigned to users instead of the role only in RBAC, making the model suitable for cross-domain access as well as a single domain. Through extending privileges to an operation and resource type pair, the model and its constraints, including separation of duty and the cardinality constraint, are defined formally. The discussion of expressive power and complexity indicates that SDTR-OBAC retains all the advantages of RBAC, and can effectively reduce administration complexity with better scalability and universality.
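As an added illustration (not code from the paper, whose formal definitions are not on this page), the following toy model implements the abstract's ingredients under assumed semantics: function roles bundling task roles, privileges as (operation, resource type) pairs, users holding (organization, function role) pairs so one role set serves several similar organizations, and separation-of-duty and cardinality constraints enforced per organization. All role, organization and privilege names are constructed sample data.

```python
from dataclasses import dataclass, field

Privilege = tuple[str, str]  # (operation, resource type) pair, as in the abstract


@dataclass
class SDTRModel:
    """Assumed semantics (the page gives no formal definitions):
    function role (organization level) -> task roles (application level)
    -> privileges; users hold (organization, function role) pairs, so one
    role set serves every similar organization; SoD and cardinality are
    enforced per organization."""
    function_roles: dict[str, set[str]]      # function role -> task roles
    task_roles: dict[str, set[Privilege]]    # task role -> privileges
    sod_pairs: set[frozenset[str]]           # mutually exclusive function roles
    cardinality: dict[str, int]              # function role -> max holders per org
    assignments: dict[str, set[tuple[str, str]]] = field(default_factory=dict)

    def assign(self, user: str, org: str, frole: str) -> None:
        if frole not in self.function_roles:
            raise KeyError(f"unknown function role {frole}")
        held = self.assignments.setdefault(user, set())
        for org_held, role_held in held:  # static SoD within one organization
            if org_held == org and frozenset({role_held, frole}) in self.sod_pairs:
                raise ValueError(f"SoD: {user} already holds {role_held} in {org}")
        holders = sum((org, frole) in a for a in self.assignments.values())
        limit = self.cardinality.get(frole)
        if limit is not None and holders >= limit:
            raise ValueError(f"cardinality: {frole} in {org} already has {limit} holders")
        held.add((org, frole))

    def privileges(self, user: str, org: str) -> set[Privilege]:
        privs: set[Privilege] = set()
        for org_held, frole in self.assignments.get(user, ()):
            if org_held == org:  # the organization in the pair scopes the role
                for trole in self.function_roles[frole]:
                    privs |= self.task_roles[trole]
        return privs

    def permitted(self, user: str, org: str, op: str, rtype: str) -> bool:
        return (op, rtype) in self.privileges(user, org)


def build_example() -> SDTRModel:
    """Constructed sample data: two similar branches share one role definition set."""
    return SDTRModel(
        function_roles={"clerk": {"file_intake"}, "auditor": {"audit_review"}},
        task_roles={"file_intake": {("create", "case_file"), ("read", "case_file")},
                    "audit_review": {("read", "case_file"), ("read", "audit_log")}},
        sod_pairs={frozenset({"clerk", "auditor"})},
        cardinality={"auditor": 1},
    )
```

A role held in one organization grants nothing in another, which is the multi-domain point of the organization-role pair; the same role definitions are reused by every branch rather than duplicated per domain.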