Abstract
Because commercial information systems differ from military information systems, the classical subject-object view of access control is no longer suitable for information processing with multiple points of access control. This paper presents a formal description of a new authorization policy, task-based authorization. The fundamental properties, rules and operations of the model are defined using the concepts of sets and relations, and its security is analyzed at the end of the paper. In this model, authorization is not simply expressed as a static (s, o, a) triple; it has a lifecycle, and its state changes as the task instance executes. The model enables granting permissions, tracking the use of resources and revoking permissions to be automated, and coordinates the progress of the various task instances.
Source
Journal of Computer Research and Development (《计算机研究与发展》)
EI
CSCD
PKU Core (北大核心)
2002, Issue 8, pp. 998-1003 (6 pages)
Funding
Supported by the National "863" High Technology Research and Development Program of China (301-1-3)
Keywords
authorization model
task
computer security
military information system
task-based authorization, task-flow, authorization-step, protection state