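Research on ABAC Access Control for Collaborative Design Based on Attribute Extension
Published: 2018-04-17 13:14
Topic of this paper: collaborative design + access control; Reference: master's thesis, Taiyuan University of Science and Technology, 2014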
[Abstract]: Networked collaborative design (CSCD, CSCW in Design) is an important application of computer-supported cooperative work in the field of product design. Collaborative design supports cooperation among multiple design members who are separated in time, distributed in space, and interdependent in their work. During the design process, the state of a design task changes dynamically, and task operations are characterized by task state migration and dependency constraints. A collaborative design system must ensure that legitimate users are able to access and operate on objects dynamically during the appropriate task time period. Dynamic access control of the collaborative design process, tied to the state of design tasks, has become one of the important research topics in collaborative design management.
Access control techniques mainly include Role Based Access Control (RBAC), Task Based Access Control (TBAC) and Attribute Based Access Control (ABAC). RBAC suits static access control in relatively stable systems, but in complex distributed environments it lacks a dynamic description of subjects and objects and an association with the context. TBAC cannot implement fine-grained access control in a distributed environment. Compared with other access control models, ABAC can address the fine-grained resource protection problem in open network environments and the large-scale user problem that networked systems face. This thesis extends attribute-based access control and applies it to access control for collaborative design. The main work is as follows.
(1) Based on an analysis of the design task state migration and dependency constraint relationships that characterize access control in networked collaborative product design, an ABAC access control model based on attribute extension, the CSCD-ABAC model, is proposed. A formal description of the design subject, design object, design environment and design action in the model is given, and access control rules and access control policies are defined. By introducing the task instance DTI, the effect of task instance state migration on access rights is described dynamically as an ABAC context (environment) attribute, so that access rights are determined dynamically as the environment attributes change. The dependency constraints between design tasks in a task instance are described as policy decision rules for permission assignment. The model can therefore adapt to the dynamically changing access rights of collaborative design and addresses the dynamic access control problem in the collaborative design process well.
(2) Based on an analysis of the model's access control flow, the functional modules of the extended ABAC model, namely the policy enforcement point (PEP), policy decision point (PDP), policy administration point (PAP) and policy information point (PIP), are designed in detail, and a formal description of the workflow of each functional unit is given. Attribute storage, the description of decision rules and the decision process are also studied.
(3) In an open-source Web Service environment, the client calls the Web Service remotely over the SOAP protocol, combined with SAML and XACML. The creation of attributes and rules and the policy execution of the PEP and PDP are implemented, tested and verified.
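The mechanism in item (1) can be sketched as follows. This is an added example, not code from the thesis: the task states (`waiting`, `active`, `completed`), the attribute names and the single rule are assumptions chosen to show task-instance state acting as an ABAC environment attribute and a task dependency acting as a decision condition.

```python
# Added illustration; attribute names, task states and the rule are assumptions,
# not the thesis's CSCD-ABAC definitions.
from dataclasses import dataclass, field

@dataclass
class TaskInstance:
    name: str
    state: str = "waiting"           # assumed states: waiting -> active -> completed
    depends_on: list = field(default_factory=list)

class PIP:
    """Policy information point: serves task-instance state as environment attributes."""
    def __init__(self, tasks):
        self.tasks = {t.name: t for t in tasks}

    def environment(self, task_name):
        task = self.tasks[task_name]
        deps_done = all(self.tasks[d].state == "completed" for d in task.depends_on)
        return {"task_state": task.state, "deps_completed": deps_done}

def pdp_decide(subject, obj, action, env):
    """Policy decision point: one rule over subject, object, action and environment."""
    rule = (
        subject.get("role") == "designer"
        and obj["task"] in subject.get("assigned_tasks", ())
        and action in obj.get("allowed_actions", ())
        and env["task_state"] == "active"      # state-migration condition
        and env["deps_completed"]              # dependency-constraint condition
    )
    return "Permit" if rule else "Deny"        # default deny

def pep_request(pip, subject, obj, action):
    """Policy enforcement point: fetch fresh environment attributes on every request."""
    return pdp_decide(subject, obj, action, pip.environment(obj["task"]))

def demo():
    sketch = TaskInstance("sketch", state="active")
    detail = TaskInstance("detail", state="active", depends_on=["sketch"])
    pip = PIP([sketch, detail])
    alice = {"role": "designer", "assigned_tasks": ["detail"]}
    drawing = {"task": "detail", "allowed_actions": ["read", "modify"]}
    before = pep_request(pip, alice, drawing, "modify")   # predecessor not finished
    sketch.state = "completed"                            # state migration
    after = pep_request(pip, alice, drawing, "modify")
    detail.state = "completed"                            # task closed
    closed = pep_request(pip, alice, drawing, "modify")
    return before, after, closed

if __name__ == "__main__":
    print(demo())
```

The same subject, object and action yield different decisions because only the environment attributes change between requests; no permission is reassigned.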
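[Degree-granting institution]: Taiyuan University of Science and Technology
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08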
Article ID: 1763752
Article link: https://www.wllwen.com/guanlilunwen/ydhl/1763752.html