Research on the Organization-based Access Control Method and Model for E-Government

[Author] 彭友 (Peng You)

[Advisor] 王延章 (Yanzhang Wang)

[Author information] Dalian University of Technology, Management Science and Engineering, 2012, Doctoral thesis

[Abstract] With the rapid development of information technology, and of network technology in particular, e-government systems are evolving from the single-purpose, small-scale information systems of the past into today's large, multi-application, distributed and complex information systems. As system scale and complexity keep growing, business domains keep expanding and information resources and staff keep multiplying, all of which makes the security maintenance of e-government systems increasingly difficult and makes permission management and access control within these systems increasingly important. How to carry out authorization management efficiently, rigorously and practically is therefore the key to building and integrating e-government systems, and it is currently a hot topic for researchers at home and abroad. In recent years the Role-based Access Control model (RBAC) has received wide attention. It not only improves on the discretionary and mandatory permission management of traditional information systems but also provides a convenient way to solve access control problems in distributed environments. At the same time, researchers at home and abroad, driven by the needs of real business, have built on RBAC to study delegation models and authorization techniques for cross-organization, cross-system business collaboration, and have obtained a number of results. However, because of its own characteristics, the complexity of the RBAC model is closely tied to the number of roles, the number of permissions and the size of the role hierarchy, so it is generally suited to relatively small information systems with a limited number of users and roles. When confronted with today's multi-level, multi-department, distributed and complex e-government systems, where the numbers of users, roles and permissions are very large, the performance of RBAC-based systems drops significantly and their management complexity rises accordingly. This not only creates great difficulties for permission management and access control in e-government systems but also causes many problems for RBAC-based delegation models and inter-organization collaboration authorization techniques. Professor 王延章 (Yanzhang Wang) of Dalian University of Technology, taking a systems engineering perspective and starting from the organizational nature of e-government systems, proposed an Organization-based Access Control Method (OBACM) that places the organization at the core of permission management. OBACM adopts the basic ideas of being people-oriented, taking management as the main line and the organization as the core; on one hand it effectively solves the inability of the RBAC model to adapt to today's multi-level, multi-department, distributed and complex e-government systems, and on the other hand it matches the way government actually works in the real world, so that authorization management can be carried out more efficiently. The research in this thesis is based on the organization-based access control method proposed by Professor Wang and applies it to the concrete handling of authorization and delegation business within and between organizations in today's complex e-government systems. The main research content is as follows:

(1) Starting from the shortcomings of the RBAC model in handling today's multi-level, multi-department, distributed and complex e-government systems, and through an in-depth analysis of the concepts and meaning of organization, organizational structure and position, as well as the central place the organization holds in permission management and access control for e-government systems, the organization-based access control method is introduced and its implementation model, the OB4LAC model, is built on it. Through a concrete analysis of the OB4LAC model, its components, its formal description, and the operation and management of each of its sub-models UPA, PORA, PERA and RRA are given.

(2) Starting from the shortcomings of RBAC-based delegation models in handling today's multi-level, multi-department, distributed and complex e-government systems, a completely new delegation model, the Organization-based Four-Level Dynamic Delegation Model (OB4LDDM), is built using the organization-based access control method. On one hand the model solves the inability of the RBAC model to adapt to today's multi-level, multi-department, distributed and complex information systems; on the other hand it supports reaching agreement between the two parties when a delegation is initiated and dynamic control of authorization granularity after the delegation has been initiated, and the good physical and spatio-temporal characteristics of OB4LDDM make the delegation workflow simpler and more controllable. After a full exposition of the basic ideas, components and formal model of OB4LDDM, concrete examples show how delegation is initiated and revoked under different business situations.

(3) Out of concern for the controllability of system permissions and the security of resources, the concrete handling of authorization and delegation in e-government systems is unavoidably subject to the combined effect of time-limit constraints, system-resource constraints and mutual-exclusion event constraints, collectively called complex spatio-temporal constraints here. Starting from these practical problems, this thesis on one hand analyzes and defines the characteristics and forms of each complex spatio-temporal constraint, and on the other hand discusses the concrete mechanisms for initiating and revoking authorization and delegation in e-government systems under these constraints, giving detailed algorithm flows for their implementation.

(4) Two shortcomings of existing RBAC models in handling inter-organization collaboration authorization are analyzed: first, with the role-mapping method they use, the permissions a role holds swell once the role crosses several organization and application boundaries; second, the heterogeneity of different organizations makes authorization during business collaboration difficult. To address these problems, the author uses the organization-based access control method, takes the position as the pivot of inter-organization collaboration, and proposes OB4LACpm, an inter-organization collaboration authorization model based on position mapping. OB4LACpm compensates for the shortcomings of the role-mapping method and, through the introduction of a position layer, resolves the collaboration difficulties caused by organizational heterogeneity. Through an in-depth analysis of OB4LACpm, its components, formal description and concrete implementation are given.

(5) Through an application case, the Shanxi Province administrative approval e-government system, the overall design and technical architecture of an organization-based access control e-government system are discussed in detail, together with the functions and implementation of its organization and personnel management subsystem, resource and role management subsystem and distributed authorization management subsystem. A large number of figures show the implementation status and application results, demonstrating from a practical standpoint that the organization-based access control method and models are sound and feasible.

[Abstract] Following the rapid development of information technology and network technology, e-government systems have changed a great deal, from single-purpose and small to large and complex. Business scope, information resources and staff expand with the increase in size and complexity of the system, which makes the security of e-government systems harder and harder to maintain, so that authorization management and access control become more and more important. How to carry out this work efficiently has therefore become the key to the construction and integration of e-government systems, and it is also an important research topic all over the world. In recent years the Role-based Access Control model has attracted much attention; it not only improves on the discretionary and mandatory authorization management of traditional information systems but also performs well in distributed environments. Researchers all over the world have therefore done a great deal of extension work based on the RBAC model to meet the needs of real business, and have made much progress. However, because of the characteristics of RBAC, whose complexity is closely related to the number of users, roles and permissions, it is better suited to smaller information systems. When the RBAC model faces multi-level and distributed e-government systems, its performance is worse and the complexity of management increases greatly. This not only causes great trouble for authorization management work but also brings many problems to the delegation models and inter-organization authorization technologies based on the RBAC model.

Professor Yanzhang Wang of Dalian University of Technology, adopting the view of systems engineering and the organizational perspective of e-government, put forward the organization-based access control method. It is people-oriented and takes management as the main line; on one hand it solves the problem that the RBAC model cannot adapt to current multi-level, complex and distributed e-government systems, and on the other hand it coincides with the real working methods of real government, so it can be more efficient. The main work of this thesis is to use the organization-based access control method and apply it to authorization and delegation among organizations. The work of this thesis is as follows:

(1) Through research into the organization of government and its workflow, this thesis argues that the present problems of the RBAC model are caused by the conflict between the model's work patterns and those of the real world. It therefore proposes a new access control method, the Organization-based Access Control method, and its implementation model, the OB4LAC model. OB4LAC adopts organization-based authorization management, lets each department in the organization play its full part, and finally brings the whole organization to its best working condition. The thesis also analyzes the members, formal description and sub-models UPA, PORA and PERA of the OB4LAC model.

(2) To solve the current problems in RBAC-based delegation models, this thesis analyzes RBAC in depth, introduces the organization-based access control method, and builds on it a new delegation model, the organization-based four-level dynamic delegation model (OB4LDDM). OB4LDDM not only solves the problem that the RBAC model cannot adapt to current complex information systems but also provides fine-grained dynamic control and an approach for the two parties to reach agreement in the delegation process. OB4LDDM also has good physical and temporal characteristics which make the delegation process simpler and more controllable; the thesis gives specific examples of the delegation process to demonstrate this.

(3) Considering the controllability of authority and the security of resources in e-government systems, business processes have to be constrained by time, system resources and conflicting events. Starting from these practical problems, the thesis gives the realization and detailed algorithms of the authorization and delegation model under complex temporal constraints.

(4) Through an analysis of the RBAC model in the process of collaboration among organizations, the thesis identifies two deficiencies: first, the permissions of a role swell when it crosses multiple organizations under role-mapping methods; second, heterogeneity among organizations also causes problems in the authorization process. The thesis therefore uses the organization-based access control method to propose a new business collaboration authorization model, OB4LACpm. OB4LACpm not only makes up for the shortcomings of the role-mapping method but also resolves the heterogeneity among organizations through the introduction of positions.

(5) Through the application, the Shanxi administrative approval e-government system, the thesis discusses the system design and technical architecture of the organization-based access control system, and its personnel management subsystem, resource management subsystem and distributed authorization management subsystem. Through many illustrations, the thesis demonstrates the scientific soundness and feasibility of the method from a practical point of view.
