ISSN 1000-1239 CN 11-1777/TP

Journal of Computer Research and Development ›› 2016, Vol. 53 ›› Issue (5): 1000-1008. doi: 10.7544/issn1000-1239.2016.20148288

• Information Security •

An Efficient Privilege Management Method Based on the RBAC Model

Luo Jun, Zhao Chuanzhi, Wang Fei

  1. (Key Laboratory of Optoelectronics Technology and System (Chongqing University), Ministry of Education, Chongqing 400030) (luojun@cqu.edu.cn)
  • Published: 2016-05-01
  • Supported by:
    Science and Technology Research Program of the Chongqing Municipal Commission of Economy and Informatization (10-cxy-02)

An Efficient Privilege Management Method Based on RBAC

Luo Jun, Zhao Chuanzhi, Wang Fei   

  1. (Key Laboratory of Optoelectronics Technology and System (Chongqing University), Ministry of Education, Chongqing 400030)
  • Online: 2016-05-01

Abstract: To address the lack of a management method for key privileges in service requests under the existing role-based access control (RBAC) model, and the exponential complexity of its algorithms, an efficient management method is designed. The method manages key privileges by building a privilege-based access control list (PBACL) on top of a simplified system model (SSM), and partitions the system's roles horizontally and vertically through a user-defined role-relationship structure. For different external service requests, the method can simply and quickly find the optimal role set through a user-defined role plus (RP) operation, with only polynomial complexity; it can resolve the security conflict caused by a key privilege being granted to multiple users; and it supports fast reconstruction of the system model in "unstable" systems. The method is equally applicable to access control in multi-domain environments: it effectively avoids the multiple assignment of key privileges across domains, and quickly detects the security conflicts introduced by inter-domain mapping, such as cyclic inheritance conflicts and role mutual-exclusion constraint conflicts.

Keywords: role model, access control, role management, key privilege, security conflict

Abstract: To address the exponential complexity and the lack of sound management measures in most role-based access control models and algorithms when certain services are requested, an efficient privilege management method is put forward. After a simplified system model (SSM) is set up, this paper proposes a privilege-based access control list (PBACL) and a role plus (RP) operation to manage service authority effectively and more safely, and then builds a role-relationship structure that divides the roles transversely and longitudinally so that the relationships among roles can be found quickly. For a given service request, the system can manage key privileges and their correlated roles using the PBACL; find the most appropriate role set satisfying the external service request by the user-defined RP algorithm, whose complexity is polynomial; effectively resolve the conflict that arises when a key privilege is assigned to multiple users; and support fast privilege reconstruction in unstable systems. The scheme also applies to access control in multi-domain environments. It can effectively avoid the problem of a key privilege being distributed to more than one user across domains, and can quickly detect the security conflicts caused by roles mapped to other domains, such as cyclic inheritance conflicts and separation-of-duty conflicts.

Key words: role model, access control, role management, key privilege, security conflict
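As an added illustration of the checks the two abstracts name, the following Python sketch is not code from the paper (the abstract describes SSM, PBACL and RP only at a high level) but a constructed stand-in: a privilege-based list of which users hold each key privilege, a greedy polynomial-time selection of a least-privilege role set for a requested privilege set (an assumed substitute for the paper's RP operation, not its algorithm), and detection of cyclic inheritance and separation-of-duty conflicts after roles from another domain are mapped into the local hierarchy. All roles, users, privileges and hierarchy edges are constructed sample data.

```python
"""Constructed RBAC example: key-privilege list, least-privilege role selection,
and detection of cyclic-inheritance and separation-of-duty conflicts.
Illustrative only; not the paper's SSM/PBACL/RP implementation."""
from collections import defaultdict

# Constructed sample data: role -> privileges it grants directly.
ROLE_PRIVS = {"reader": {"read_doc"}, "editor": {"write_doc"},
              "auditor": {"read_log"}, "admin": {"manage_users"}}
# Role hierarchy: senior role -> junior roles whose privileges it inherits.
HIERARCHY = {"editor": {"reader"}, "admin": {"editor"}}
# Key privileges: must not be held by more than one user at a time.
KEY_PRIVS = {"manage_users"}
# Mutually exclusive role pairs (separation of duty).
EXCLUSIVE = {frozenset({"editor", "auditor"})}
# User -> directly assigned roles.
USER_ROLES = {"alice": {"admin"}, "bob": {"editor"}, "carol": {"auditor"}}


def reachable_roles(role, hierarchy):
    """The role itself plus every junior role reachable through inheritance."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(hierarchy.get(r, ()))
    return seen


def effective_privs(role, role_privs, hierarchy):
    """All privileges a role holds, direct and inherited."""
    privs = set()
    for r in reachable_roles(role, hierarchy):
        privs |= role_privs.get(r, set())
    return privs


def build_pbacl(user_roles, role_privs, hierarchy, key_privs):
    """Privilege-based view of key privileges: key privilege -> users holding it."""
    holders = defaultdict(set)
    for user, roles in user_roles.items():
        for role in roles:
            for p in effective_privs(role, role_privs, hierarchy) & key_privs:
                holders[p].add(user)
    return {p: sorted(u) for p, u in holders.items()}


def key_privilege_conflicts(pbacl):
    """Key privileges that ended up with more than one user."""
    return sorted(p for p, users in pbacl.items() if len(users) > 1)


def select_roles(requested, role_privs, hierarchy):
    """Greedy polynomial-time cover of a requested privilege set: each step takes the
    role covering the most still-needed privileges, breaking ties toward fewer extra
    privileges (least privilege). Returns (chosen roles, privileges left uncovered)."""
    eff = {r: effective_privs(r, role_privs, hierarchy) for r in role_privs}
    need, chosen, requested = set(requested), [], set(requested)
    while need:
        best = max(sorted(eff),
                   key=lambda r: (len(eff[r] & need), -len(eff[r] - requested)))
        if not eff[best] & need:
            break  # nothing covers what remains
        chosen.append(best)
        need -= eff[best]
    return sorted(chosen), sorted(need)


def find_cyclic_inheritance(hierarchy):
    """Roles forming an inheritance cycle (empty list if the hierarchy is acyclic)."""
    WHITE, GRAY, BLACK = 0, 1, 2
    color = defaultdict(int)  # unvisited roles default to WHITE

    def dfs(r, path):
        color[r] = GRAY
        path.append(r)
        for j in hierarchy.get(r, ()):
            if color[j] == GRAY:            # back edge: j is on the current path
                return path[path.index(j):]
            if color[j] == WHITE:
                cycle = dfs(j, path)
                if cycle:
                    return cycle
        path.pop()
        color[r] = BLACK
        return []

    for r in list(hierarchy):
        if color[r] == WHITE:
            cycle = dfs(r, [])
            if cycle:
                return cycle
    return []


def sod_conflicts(user_roles, hierarchy, exclusive):
    """Users who hold, directly or by inheritance, both roles of an exclusive pair."""
    found = []
    for user, roles in sorted(user_roles.items()):
        held = set().union(*(reachable_roles(r, hierarchy) for r in roles))
        for pair in exclusive:
            if pair <= held:
                found.append((user, tuple(sorted(pair))))
    return found


def merge_hierarchy(base, mapped):
    """Union of the local hierarchy with inheritance edges introduced by mapping roles
    from another domain; the conflict checks are then re-run on the merged graph."""
    merged = {r: set(j) for r, j in base.items()}
    for r, juniors in mapped.items():
        merged.setdefault(r, set()).update(juniors)
    return merged


if __name__ == "__main__":
    print(build_pbacl(USER_ROLES, ROLE_PRIVS, HIERARCHY, KEY_PRIVS))
    print(select_roles({"read_doc", "write_doc"}, ROLE_PRIVS, HIERARCHY))
    # Constructed inter-domain mapping that introduces a cycle and an SoD violation.
    bad = merge_hierarchy(HIERARCHY, {"reader": {"admin"}, "auditor": {"editor"}})
    print(find_cyclic_inheritance(bad), sod_conflicts(USER_ROLES, bad, EXCLUSIVE))
```

The greedy cover is a generic set-cover heuristic chosen here because it is polynomial and deterministic; it stands in for, and makes no claim about, the paper's RP operation. Both conflict checks operate on the merged hierarchy, which is the point the abstract makes about multi-domain mapping: a mapping that looks harmless in its own domain can close an inheritance cycle or join two mutually exclusive roles under one user in the importing domain.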

CLC number: