Improvement and Application of the RBAC Access Control Method
Published: 2018-05-29 22:30
Topic: role-based access control + logical security group; Source: Qufu Normal University, 2015 master's thesis
【Abstract】: Access control has been studied for a long time, and many access control models have been proposed. As Internet, electronic, wireless and distributed networking technologies mature, new waves such as the Internet of Things and cloud computing have arrived, forming today's huge and heterogeneous generalized web-service environment. The faster network systems grow, the more threats they face; application systems living in such an environment are inevitably vulnerable, and how to secure information systems has long been a central concern. Access control is widely applied across network information systems for its strong protective capability, and a variety of models have been developed for specific network environments. However, a single access control model no longer suits today's open, large-scale web-service environment; in particular, the rise of distributed, mobile and cloud computing demands access control models that are fine-grained, comprehensively constrained and multi-level secure.
To build an access control model with more comprehensive constraints and multi-level security, this thesis improves and extends the traditional role-based access control (RBAC) model by combining RBAC with attribute-based access control (ABAC) and temporal access control, giving full consideration to time-attribute constraints, and proposes a new role-based access control model. In today's complex large-scale systems, RBAC suffers from inflexible authorization, a single authorization mode, coarse role granularity, poor role flexibility and no support for time-sensitive applications. The thesis makes the following improvements: 1. Time-attribute constraints are added to the user-role assignment, session and permission elements of RBAC, yielding an access control model suited to time-sensitive applications. 2. Security-level (classification) management is introduced for users, roles, permissions and files; user, role and file levels are mapped to one another to build a multi-level security system partitioned by classification level, addressing the coarse granularity of role division. 3. Hierarchical, discretionary and group authorization are combined, and an authorization template concept is proposed to eliminate repeated authorizations, back up authorization state and simplify the authorization workflow, improving authorization efficiency. 4. A logical security group concept extends the role concept: a logical security group can be created temporarily and disbanded when its task is finished, solving the temporary-authorization problem and improving role flexibility. Finally, the thesis describes the application of the proposed model in a document security protection system and, since authorization-policy conflicts are unavoidable in any access control model, gives a conflict-resolution method suited to the improved model.
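The four improvements listed in the abstract describe the model's elements but not how a request is actually decided. The following Python sketch is an added example written for this page; it is not code from the thesis, and the abstract does not fix these semantics. It assumes a linear ordering of security levels, a clearance-must-dominate-classification rule for the multi-level check, half-open validity windows on user-role assignments, roles and logical security groups (the time-attribute constraints of improvement 1, and the temporary groups of improvement 4), and deny-overrides as the conflict-resolution rule (the thesis's own method is not stated in the abstract). All users, roles, documents and dates are constructed sample data.

```python
"""Temporal, multi-level RBAC evaluator with temporary logical security groups.

Illustrative example for this page; the rules below are assumptions, not the
thesis's specification.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Assumed linear ordering of security levels (the thesis does not fix one).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass(frozen=True)
class Window:
    """Half-open validity interval [start, end) used for every time constraint."""
    start: datetime
    end: datetime

    def contains(self, t: datetime) -> bool:
        return self.start <= t < self.end


@dataclass
class Role:
    name: str
    # (action, resource) -> "allow" | "deny"; resource "*" matches any document
    permissions: dict
    valid: Optional[Window] = None  # role-level time constraint (None = always)


@dataclass(frozen=True)
class LogicalSecurityGroup:
    """Temporary group that lends `role` to `members` only while `valid` holds."""
    name: str
    members: frozenset
    role: str
    valid: Window


@dataclass
class Policy:
    roles: dict          # role name -> Role
    user_roles: dict     # user -> list of (role name, assignment Window)
    groups: list         # LogicalSecurityGroup instances
    user_levels: dict    # user -> clearance level name
    doc_levels: dict     # document -> classification level name

    def active_roles(self, user: str, now: datetime) -> set:
        """Roles usable by `user` at `now`: direct assignments plus group grants,
        each filtered by its own window and then by the role's own window."""
        names = {r for r, w in self.user_roles.get(user, []) if w.contains(now)}
        names |= {g.role for g in self.groups
                  if user in g.members and g.valid.contains(now)}
        return {n for n in names
                if self.roles[n].valid is None or self.roles[n].valid.contains(now)}

    def decide(self, user: str, action: str, doc: str, now: datetime) -> tuple:
        """Return (decision, reason); decision is 'allow' or 'deny'."""
        # 1. Multi-level check: clearance must dominate classification (assumed rule).
        if LEVELS[self.user_levels[user]] < LEVELS[self.doc_levels[doc]]:
            return "deny", "clearance below document classification"
        # 2. Temporal RBAC: only roles live at `now` contribute verdicts.
        roles = self.active_roles(user, now)
        if not roles:
            return "deny", "no active role at this time"
        # 3. Collect verdicts from all live roles; resolve conflicts by deny-overrides.
        verdicts = set()
        for name in roles:
            perms = self.roles[name].permissions
            for key in ((action, doc), (action, "*")):
                if key in perms:
                    verdicts.add(perms[key])
        if "deny" in verdicts:
            return "deny", "explicit deny wins over allow (deny-overrides)"
        if "allow" in verdicts:
            return "allow", "granted by role(s): " + ", ".join(sorted(roles))
        return "deny", "no matching permission (default deny)"


def build_sample_policy() -> Policy:
    """Constructed sample data, not taken from the thesis."""
    y24 = Window(datetime(2024, 1, 1), datetime(2025, 1, 1))
    audit = Window(datetime(2024, 9, 1), datetime(2024, 10, 1))  # task window
    return Policy(
        roles={
            "editor": Role("editor", {("read", "*"): "allow", ("edit", "*"): "allow"}),
            "auditor": Role("auditor", {("read", "*"): "allow", ("edit", "*"): "deny"}),
        },
        user_roles={"alice": [("editor", y24)], "bob": [("editor", y24)]},
        # bob joins a temporary audit group that is disbanded after September.
        groups=[LogicalSecurityGroup("audit-2024Q3", frozenset({"bob"}), "auditor", audit)],
        user_levels={"alice": "confidential", "bob": "internal"},
        doc_levels={"plan.docx": "confidential", "memo.txt": "internal", "budget.xlsx": "secret"},
    )


if __name__ == "__main__":
    p = build_sample_policy()
    for who, act, doc, when in [
        ("alice", "read", "plan.docx", datetime(2024, 6, 1)),
        ("alice", "read", "budget.xlsx", datetime(2024, 6, 1)),
        ("alice", "read", "plan.docx", datetime(2025, 6, 1)),
        ("bob", "edit", "memo.txt", datetime(2024, 9, 15)),
        ("bob", "edit", "memo.txt", datetime(2024, 11, 1)),
    ]:
        print(who, act, doc, when.date(), "->", p.decide(who, act, doc, when))
```

The order of the checks is the security-relevant choice: the classification check runs before any role is consulted, so no role assignment, template or temporary group can lift a user above their clearance, and the deny from the temporary auditor role overrides bob's standing editor permission only while the group exists; once the window closes the group's effect disappears without any explicit revocation step.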
【Degree-granting institution】: Qufu Normal University
【Degree level】: Master's
【Year awarded】: 2015
【Classification number】: TP393.08
Article ID: 1952713
Article link: https://www.wllwen.com/guanlilunwen/ydhl/1952713.html