基于RBAC的工作流存取控制管理

【作者】 马荣芳；

【导师】 谭浩；

【作者基本信息】 电子科技大学 ， 计算机应用技术， 2009， 硕士

【摘要】 商业竞争日益激烈的今天,企业纷纷采用了工作流技术来提高自己的生产和服务效率,然而工作流系统中不同的业务流程之间资源的共享必然会引起一系列安全问题,安全策略在工作流系统中集中表现为存取控制策略。但传统的访问控制模型很难满足复杂的企业工作系统的环境需要。基于工作流系统中的特殊安全需求,本文简要的介绍了工作流系统访问控制要求及传统访问控制模型现状,并指出工作流系统中存取控制管理的不足之处,继而给出了一种改进后的基于角色的工作流系统存取控制模型,即XPDLRBAC。XPDLRBAC在RBAC模型的基础上,将授权方式分为静态授权和动态授权,使其能够满足工作流系统中的静态控制和基于任务进行分配的动态存取控制要求,确保系统满足权限控制的最小特权原则。XPDLRBAC模型是支持大规模网络协作式内容创作中子模块,因此如何有效的管理大量人员和角色是XPDLRBAC模型面对的一个问题。系统实现过程中,组织结构构建模块采用树型结构的实现方式,同时还创建了用户组的概念,将为了完成某一个项目或者工作流流程实例而创建的临时的组织结构里的成员称为用户组,并给用户组分配相应角色,进一步简化角色分配操作。在权限分配模块中,XPDLRBAC模型充分考虑到静态和动态授权方式,即在对静态数据信息、资源等进行静态授权的同时,引入任务来扩充RBAC模型的动态性。工作流可以视为若干个任务的集合,任务是工作流系统中一个节点。用户获得了该任务的执行权,就获得了完成该任务所需要资源的权限,一旦任务完成,则取消授权。此外,模型中引入权限约束来描述职责分离。该XPDLRBAC模型已经在大规模网络协作式内容创作过程项目中成功实施,很好的保证了工作流系统中的访问控制和数据完整性。更多还原

【Abstract】 Today, the commercial competition becomes more and more fierce, and enterprises come to improve their product and service efficiency by using workflow technology. But the share of resource which is between the different business workflow in the workflow system always arouse a series of safe problems, which is described as the access and control strategy. But the traditional access control model is difficult to satisfy the environment need in complicated enterprise system.Due to the special security requirement for working flow system, this dissertation briefly introduces the access control model against the current prevailing ones. In order to improve the inefficient performance on access control of the current working flow system, an enhanced access control model XPDLRBAC based on roles of working flow system is put forward. Standing upon RBAC, XPDLRBAC divides the privilege authorization into two categories, static authorization and dynamic authorization so as to make sure meeting the requirement of combining the features of dynamic task allocation and static access control together for working flow system as well as meeting the requirement of the lowest access privilege principle which is indispensable for this system.XPDLRBAC module is the sub-module of project which is named of content creation which is supported massive network cooperation, so the important problem which is in front of XPDLRBAC module is how to manage massive people and role efficiently. In the realizations of project, the module of organization management module uses the tree-shape realization method, and also creates the conception of user-group, which is the muster of people who will finish a project or workflow instance together. The XPDLRBAC module also assign role to user-group, and modify the operation of role assignment.In privilege distribution module, XPDLRBAC takes advantage of task to strengthen the dynamics feature of RBAC model by taking the features of static and dynamic privilege control into account while granting privileges to static data and resources. Here task is the element of workflow, and workflow could be considered as a set of several tasks, each of which is a node of this system. From task’s point of view, if a client gets the privilege of executing a task, he gets the privilege of accessing all the resources to complete the task as well. In other word, once the task is completed, the privilege on the client is revoked. Since it is necessary to clear the duties, privilege restraints are introduced into system as the aid.This XPDLRBAC module has been implemented successfully in the project of content creation which is supported massive network cooperation, and can assure the access control and data Integrity.更多还原