【作者】 马晨华；

【导师】 陆国栋；

【作者基本信息】 浙江大学 ， 机械设计及理论， 2011， 博士

【摘要】 随着计算机和网络技术的发展,传统的单机单用户工作模式已逐步发展为跨地域、跨组织的多用户协同群体工作模式。计算机支持的协同工作CSCW(Computer Supported Cooperative Work)支持地域上分散的群体共同协调与协作来完成一项任务,已广泛应用于协同产品设计、电子政务、电子商务、远程医疗和军事指挥等领域。协同工作环境群体性、交互性、分布性和协作性等特征使其面临着日益严峻的安全威胁。面向协同工作环境的访问控制技术研究具有重要的理论意义和应用价值。论文主要研究工作和创新点如下：从访问控制的角度,分析了协同环境中与访问控制策略有关的因素。在此基础上,将协同环境中的群体间协同工作模式分为：数据级协同(群体间可以共享数据资源,一个成员的行为会影响到其他成员,但各成员间可能没有共同的工作目标)、活动级协同(各成员在数据共享的基础上共同完成某个群体型活动)、流程级协同(成员间的协作具有结构化和流程化特点,协同任务可以分解为工作流中的一系列活动)和多域间的任务级协同(成员分属于不同的管理域,每个管理域按照其业务职能的不同,承担着协同工作中的不同任务)等四个层次。分析了四种模式的特点和访问控制需求。提出了基于特征码的共享数据角色访问控制模型,解决了复杂协同环境下角色和角色继承等实体关系的表达,适用于数据级的协同工作模式。引入了角色素数特征码、角色继承信息组和用户角色指派参数的概念。每个角色对应一个唯一的素数特征码；角色继承信息组由上层角色信息和下层角色信息组成,分别定义为该角色加入系统时其所有上层角色和下层角色的素数特征码乘积；用户角色指派参数为直接指派给用户的各角色素数特征码乘积。由于素数乘积的分解式是唯一的,因此,有效地简化了这些实体关系的刻画与表达。建立了面向群体协同活动的协作访问控制模型,解决了活动级协同模式下协作各方共有资源的安全保护问题。某些涉及群体共同利益的敏感活动是需要多用户参与的群体型协同活动。为了有效防止职权滥用和欺诈行为的发生,这些活动的执行权限或活动中共享数据的访问权限往往需要多用户共同参与授权决策。在特征码角色访问的基础上,将需要多用户协作决策的权限定义为协同权限,并引入权限权重概念来体现不同角色在访问相同协同权限时的信任度差异,建立了多用户共同参与决策的授权机制。通过至少2个不同用户的参与,有效保护了协同工作中共有敏感资源的安全,确保了协作各方的利益。提出了应用于工作流的柔性访问控制模型,实现了流程级协同模式下基于上下文的动态授权,支持授权流与与工作流的同步。模型通过引入角色授权策略的概念,定义了各活动执行期间各角色可被授予的权限及相应的上下文约束,实现了工作流中的动态访问控制和灵活的授权策略定义。提出了支持域间任务级协同的共享权限访问控制模型,解决了多域间协同时的资源共享与安全互操作问题。模型根据实际应用中本域对外域开放的资源和权限相对固定的情况,将域内权限分为私有权限和共享权限,避免了采用传统角色映射机制所带来的冲突和难以管理的问题。针对不同的共享权限,可以根据它的敏感性和重要性,定义对外域开放时的约束条件,包括：主体有效性约束、角色有效性约束、有效时间约束和最大数约束。实现了域间访问的最小权限原则。结合产品协同设计和民政电子政务等协同工作环境的特点,说明了本文研究的模型和方法在实际系统中的应用。更多还原

【Abstract】 With the fast development of the technologies of computer and networks, the traditional single-user work pattern has developed to multi-user group cooperative work pattern across multiple heterogeneous domains. The objective of Computer Supported Cooperative Work (CSCW) is to support groups of multiple users across different domains communicate and cooperate to complete common tasks via computers. CSCW label has been widely applied to many applications, such as collaborative design, e-government, e-business, distance learning, remote medical system and military aommanding automatization, etc. Since CSCW is targeted towards making information and resources available to collaborators who need it, CSCW applications are facing fiercer threats than before. Access control is one of the most important security services, and aims to ensure the confidentiality and intergrity of shared information. It is a great challenge and urgent mission to develop access control approaches for CSCW. The contributions are as following:1. From the access control structure point of view, we analyse the factors related to access control policies in collaborative environments, include administrative domains, tasks, workflows, activites, roles, users and sharing information. Based on the analysis, we classify cooperative work patterns into four forms:data-level collaboration that means people certainly have to share the same resource and they may have no common objective, activity-level collaboration which means more than two users need to partipate in completing an activity, workflow-level collaboration that means the common task can be divided into several activities of workflows, and task-level collaboration among multi-domains.2. To address the expression of roles, role-hierarchies and user-role assignments in collaborative environments with hundreds of roles, thousands of users and millions of permissions, we introduce the concepts of role characteristic code and role hierarchy information, and then propose an access control model which is suitable for data-level collaboration based on these concepts. Each role is associated with a characteristic code represented by a prime number. Different roles have different characteristic codes. Since the decomposition formula of the product of prime numbers is unique. It simplifies the expression of roles, role hierarchies and user-role assignments greatly.3. A collaborative access control model is proposed for activity-level collaboration. In collaborative environments, there exist cooperative activities requiring that two or more different independent parties be responsible for their completion since they are sensitive activities. To protect the confidentiality and integrity of sensitive resources in these activities, the cooperation of different subjects is required to reduce the risk of fraud or error. Permissions related to these sensitive data can be granted to a subject only with the agreement of other subjects. If different people must access a sensitive data, then committing fraud requires a conspiracy of at least two, which raises the risk of disclosure and capture significantly. In the model, the new concept of collaborative permission is introduced. Collaborative permission refers to the permission that can be granted only with the participation of multiple parties, and is defined as a regular RBAC permission which is constrained by a collaboration constraint specifying the conditions that should be satisfied by collaborators for gaining it. Moreover, permission weight is defined to reflect the trust degree of a role in gaining a collaborative permission. The model makes it possible to define the collaboration among multiple subjects in gaining a permission and can enable effective protection of joint-owned resources of collaborators in cooperative activities.4. A flexible access control model for workflows is presented. As an important collaborative technology, workflow management system has been widely used in collaborative environments. To address access requirements of workflows, we present a flexbile access control model by the introduction of the concept of role authorization policy, which define the authorization that can be performed during activity execution and the context constraints should be satisfied. The model can support context-aware dynamic authorization and the synchronization of authorization and the execution of workflows.5. A secure interoperation model for multidomain collaborative environments based on shared permittions is presented. The model can realize secure resource sharing and interoperation among different domains. It classifies permissions of an administrative domain into two categories:private permissions that can only be accessed by subjects within the domain, and sharing permissions which can be shared by other domains. Security administrators can define constraints for a sharing permission according to its sensitivity, including subject vadility constraints, role vadility constraints, time-interval constraints and cardinality constraints. The enforcement of these constraints supports the least priviledge principle among domains.6. According to the requirements of product collaborative design and e-government, a system prototype is given to illustrate the implementation of the theory and technologies presented in this dissertation.更多还原