机械产品协同设计环境访问控制技术研究

发布时间：2018-03-18 05:19

本文选题：协同设计环境　切入点：访问控制　出处：《西北工业大学》2015年博士论文　论文类型：学位论文

【摘要】：计算机支持的机械产品协同设计环境已经成为企业提高产品开发效率的重要手段。协同设计环境以数据共享为基础,大量工作人员在共享环境中交互协商、分工合作、共同完成任务,但是协作人员的交互方式会引发数据的安全问题。产品数据是企业的重要财富,必须保证数据的安全性,才能使协同设计环境得到实际应用和推广。访问控制是网络信息安全的核心环节,它防止非授权的信息泄露。不同行业的信息系统对访问控制有不同的需求,针对不同的需求研究访问控制模型以及实施方法是访问控制领域的发展趋势。机械产品协同设计环境具有群体性、分布性、交互性和协同性的特点,其访问控制有不同的需求。因此,开展机械产品协同设计环境的访问控制技术研究具有重要的理论意义和工程应用价值。论文主要研究工作和创新点如下:(1)基于属性和角色的访问控制模型。利用基于角色访问控制标准模型的抽象性和通用性,融入基于属性访问控制的思想,建立了基于属性和角色的访问控制模型(A-RBAC),以支持机械产品协同开发环境中的动态访问控制策略。给出了访问控制环境中“访控属性”的定义,提出了访控属性应具有的四个性质:非空性;唯一性;完备性;分离性。证明了属性在满足完备性和分离性时,以实体属性为基本元素所表达的权限符合完全仲裁原则。(2)基于属性和任务的工作流访问控制模型。将属性概念贯穿到任务权限的定义、配置和使用的整个过程中,为权限控制提供更加丰富的约束,以满足产品研发工作流中权限配置与使用的要求。提出了基于属性和任务的访问控制模型(A-TBAC),模型中将代表用户工作的进程作为执行访问的直接主体,引入了包含任务和任务状态信息的“任务步”概念,使进程和权限相关的任务步的匹配关系成为权限使用的先决条件,把权限的使用限制在与任务相关的工作中。在模型的实施机制中引入了“义务”概念,以支持动态的权限管理策略。(3)访问控制系统中的权限委托机制。从权限委托的可控性出发建立权限委托的实施机制,把权限委托的过程分为:委托声明;委托接受;委托撤销。引入“控制权限”的概念,限制权限委托的授予方式,定义了“强关系”和“委托消耗”概念,避免了权限委托的扩散。在委托声明步骤中,把权限委托的约束分为“全局约束”和“局部约束”,兼顾权限委托的可控性与灵活性。在委托接受步骤中,考虑了受托人的意愿。在委托撤销步骤中,总结了各种撤销委托的条件。(4)访问控制系统的统一实施框架。把访问控制的主、客体划分为不同的层次,总结了访问控制中的基本元素以及元素之间的关系,讨论了在访问控制系统中建立属性取值之间偏序关系的必要性。建立了一种能够表达多种访问控制策略的描述方法,提出了一种较为通用的访问控制实施框架(ACEF),阐述了经典访问控制模型和本文建立的访问控制模型在该框架下的表达方式。实现了访问控制实施框架的模块化设计,使访问控制与业务系统实现解耦。为了验证上述提出的模型、机制和实施框架的有效性,以“协同设计仿真集成平台”的访问控制系统为对象,对平台访问控制系统的关键技术、用户界面、安全架构和系统集成等进行了设计和实施。最后,对本文的研究工作进行总结,指出机械产品协同开发环境访问控制未来的研究方向。
[Abstract]:Mechanical products, computer supported collaborative design environment has become an important means for enterprises to improve the efficiency of product development. A collaborative design environment based on data sharing, a large number of staff mutual negotiation, in a shared environment division, to complete the task, but the interaction cooperation staff will lead to the problem of data security is an important wealth of the enterprise product data. The need to ensure the security of the data, in order to make collaborative design environment and promote the practical application. The access control is a key link of network information security, which prevents unauthorized disclosure of information. Information systems of different industries have different requirements for access control, according to the research needs of different access control models and implementation method is developed the trend of the access control domain. Mechanical product collaborative design environment with the group, the distribution characteristics of interaction and collaboration, The access control has different needs. Therefore, it has important theoretical significance and engineering application value to carry out research on the control technology of mechanical product collaborative design environment access. The main research work and innovations are as follows: (1) attribute and role based access control model. Using the role-based access control model of the abstract and general standard based on the integration of access control based on the idea of an attribute and role based access control model (A-RBAC), to dynamically access support mechanical product collaborative development environment in the control strategy is given. The access control environment "visit control attribute" definition, proposed four attributes should have properties of access controls non empty; uniqueness; completeness; separation. It is proved that satisfy the completeness and separability in attribute, entity attribute as the basic elements to express permission in accordance with complete arbitration principle (2). A workflow access control model based on attribute and task. The attribute concept definition to the task permission, configuration and use of the whole process, provide more constraints for access control, authorization configuration and use to meet product development workflow requirements. The attribute and task based access control model (A-TBAC). The model, on behalf of the user in the process of implementation as the main access directly, introduced contains task and task status information "task step" concept, make the task step process and the relevant authority for permission to use the matching relationship between the prerequisites, the authority to limit the use in task related work in the model. The implementation mechanism is introduced in the "obligation" concept, to support dynamic authorization strategies. (3) access control system of delegation mechanism. From the delegation can control a Development implementation mechanism of delegation, the delegation process is divided into: delegate declaration; accept commission; revocation. Introducing the concept of "control rights", commissioned by the restricted permission granted, the definition of "strong relationship" and "principal consumption" concept, to avoid the diffusion limit. In the right principal delegate declaration step, the delegation constraint is divided into "global constraints" and "local constraints", both controllability and flexibility. The delegation entrusted by step, consider the trustee's wishes. In the revocation process, summarizes the Commission revoked the conditions. (4) the unified access control system the implementation of the framework. The access control of the main object, divided into different levels, summarizes the relationship between the basic elements of access control and the elements, discusses the establishment of partial relation between attribute values in the access control system will To. To establish a new expression of a variety of access control policy description method, puts forward a general access control framework (ACEF), describes the expression of the classic access control model and access control model based on the framework. The access control implementation of modular design framework so, access control and service system is decoupled. In order to verify the effectiveness of the proposed model, mechanism and implementation framework, a collaborative design and simulation integrated platform access control system, key technology, the platform access control system user interface, security architecture and system integration of design and implementation at last, this paper summarizes the research work, points out the future direction of the Research on the access control of mechanical product collaborative development environment.

【学位授予单位】：西北工业大学
【学位级别】：博士
【学位授予年份】：2015
【分类号】：TH122;TP309

【参考文献】