
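Flexible context-constraint-based access control model for workflows
Cite this article: MA Chen-hua, WANG Jin, QIU Jiong, LU Guo-dong. Flexible context-constraint-based access control model for workflows[J]. Journal of Zhejiang University (Engineering Science), 2010, 44(12): 2297-2308. DOI: 10.3785/j.issn.1008-973X.2010.12.011
Authors: MA Chen-hua  WANG Jin  QIU Jiong  LU Guo-dong
Affiliation: 1. Institute of Engineering and Computer Graphics, Zhejiang University, Hangzhou 310027, Zhejiang, China; 2. School of Computer Science, Hangzhou Dianzi University, Hangzhou 310018, Zhejiang, China
Funding: Supported by the Zhejiang Province Major Science and Technology Special Project for Social Development (2008C13073, 2009C03015-1).
Abstract: To address the problems that existing access control models have in workflow systems with context-based dynamic authorization and flexible task-related authorization, a flexible context-constraint-based access control model for workflow systems is proposed. The model defines context-constraint-based role assignment policies and role authorization policies, analyzes the relationships between policies, classifies the conflicts that may exist between policies, gives static and dynamic detection rules for policy conflicts, and introduces the concepts of priority rules and conflict resolution policies, so that the security administrator can flexibly determine how conflicts are resolved according to system requirements. The model also gives role assignment and authorization decision algorithms based on the minimum role assignment policy set and the minimum role authorization policy set, which achieve context-based dynamic authorization in workflow systems and support automatic user-role and role-permission assignment.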

Keywords: workflow  role assignment policy  role authorization policy  conflict detection and resolution

Flexible context-constraint-based access control model for workflows
MA Chen-hua,WANG Jing,QIU Jiong,LU Guo-dong. Flexible context-constraint-based access control model for workflows[J]. Journal of Zhejiang University(Engineering Science), 2010, 44(12): 2297-2308. DOI: 10.3785/j.issn.1008-973X.2010.12.011
Authors:MA Chen-hua  WANG Jing  QIU Jiong  LU Guo-dong
Affiliation: 1. Engineering and Computer Graphics Institute, Zhejiang University, Hangzhou 310027, China; 2. College of Computer, Hangzhou Dianzi University, Hangzhou 310018, China
Abstract: Access control models proposed so far provide no support for context-based dynamic authorization and flexible authorization policy definition for tasks. To address these issues, a flexible context-constraint-based access control model was proposed for workflows. The concepts of context-constraint-based role assignment policy and context-constraint-based role authorization policy were defined. The interrelationships between policies were analyzed and the conflicts exhibited by policies were classified. Static and dynamic conflict detection methods were provided to maintain the consistency of policies. By the introduction of two new concepts, priority rule and conflict resolution policy, a flexible approach to resolving conflicts was provided. The security administrator can choose the method of resolving conflicts flexibly according to system requirements by defining priority rules and conflict resolution policies. Furthermore, the role assignment algorithm and the authorization decision algorithm based on the minimum sets of role assignment policies and role authorization policies were given. The model provides support for context-based dynamic authorization and for automatic user-role and role-permission assignment.
Keywords:workflow  role assignment policy  role authorization policy  conflict detection and resolution
This article is indexed in CNKI and other databases.