电力信息系统中基于属性的访问控制模型的设计

电力信息系统构成一个复杂的多域环境，它为电力行业进行信息交换和协作带来便捷的同时，也带来了极大的安全隐患。由于多域环境下存在多种应用系统，且用户数目众多、来源广泛，给传统的基于角色访问控制（RBAC）模型带来了用户 — 角色赋值工作量大、多域间映射困难等问题。文中针对多域环境设计了一种基于属性的访问控制模型，属性是在角色的基础上扩展得来的，并提出利用元属性和元策略分别对域内的属性和策略进行描述，充分满足电力信息系统所处的异构环境和所有者对资源进行自主管理的需求，保证了域内、域外用户对系统资源进行访问的安全。

Design of Attribute-based Access Control Model for Power Information Systems

The power information system constitutes a complex multi-domain environment. While providing convenient information exchange and coordination to the power industry, it also brings some security problems, especially the access control issues. As there are quite a lot of application systems in the multi-domain environment, and the accessing users may be from different domains, the traditional RBAC model is confronted with problems, such as the tedious user-role assignment and mapping difficulty across different domains. So an attribute-based access model for multi-domain control is designed. Extended from roles, attributes can overcome these shortcomings of RBAC and make access control more flexible, dynamic and finegrained. Meta-attribute and meta-policy are presented to describe the attributes and policies in local domains. It can adapt well to the distributed environment, satisfy the dynamic and heterogeneity character and the self-management to their resources.