XML数据库的扩展RBAC模型构建
摘要
随着Internet突飞猛进地发展,基于互联网的应用越来越深入,而XML无论是作为标记语言还是被作为存储结构的数据库都随着Internet上的各种应用增多而被越来越广泛的应用。为了解决XML作为信息载体的广泛应用带来的安全问题的安全服务模型——安全访问控制模型,已成为现在人们研究的焦点。
本课题将以传统的基于XML文档RBAC(基于角色的访问控制)模型作为文章研究的出发点,从而提出了基于XML文档数据库的扩展RBAC模型。该模型使用了Schema语言来定义了XML数据库文档结构,针对XML文档的特性,在分析基于XML的RBAC模型存在角色授权过于庞大和约束机制不完善的问题基础上,对其进行有效的改造和扩展,提出了一种新的基于XML文档的扩展RBAC模型。
文章分析了传统的RBAC模型存在的问题,并在此基础上针对这些问题提出了解决方案——基于XML文档的扩展RBAC模型,并对新的扩展RBAC模型进行完整的定义和详细的说明。论文中还结合了实例模型集中从基于XML文档的扩展RBAC模型的系统实现及其系统实现所需的主要技术支持进行考虑,针对基于XML文档的扩展RBAC模型的设计,结合一个简化的企业内部人员管理信息系统为访问控制模型的应用环境,进行更为直观和深入的描述并具体展示了在基于XML文档的数据库中,实现扩展的RBAC系统所使用的关键性技术。
本论文首先对访问控制模型中的客体按照其属性进行抽象归类,再将权限配置给一类客体,模型中的主体对客体的访问权限,是由主体对应的角色和访问域共同来确定,这样极大地减少了角色和权限的定义数量。其次文章采用的是职责关系隔离(separation of duties)规则来解决系统中角色间存在的利益冲突,以避免用户权限过大或者用户越位越权等现象出现,而影响系统的安全性能。文章还将使用schematron(基于规则的XML模式语言)来对约束规则进行形式化描述。
基于XML文档的扩展RBAC模型能够符合XML文档细粒度的访问控制需求,该模型结构简洁灵活且比较容易实现。
With the rapid development of Internet, more and more in-depth Internet-based applications, and XML is either as a markup language, or it is used as the stored structure of the databases on a variety of applications as the Internet has been growing more and more widely used. XML as an information carrier in order to solve the security problems caused by widely used security services model - secure access control model, has become the focus of research is now.
This paper takes the traditional role-based access control (RBAC) model as the starting point of the study,and puts forward the extended RBAC model that based on the XML document database.This model uses the Schema language to define the document structure of the XML database,according to the characteristics of the XML document,on the problem that the role model authorized redundantly and the constraint mechanism performed imperfectly of the RBAC model that based on XML,we put forward a new extended RBAC model that based on XML documents which is effective and expansive.
This paper analyzes existing problems of the traditional RBAC model, and on this basis puts forward the solution of these problems-the extended RBAC model that based on the XML documents, and completely defines and details to the new extended RBAC model. The paper combines instance model and focus from the implementation of system and needed technical supports for the extended RBAC model that based on the XML documents to consider, and directs at the design of the extended RBAC model that based on the XML documents, combines the technical support for the main consideration for the extension of RBAC-based XML document model design, and combined with a simplified internal staff management information system as the application environment to access control model to describe which more intuitive and in-depth,and definite shows that achieved the key technologies for the extended RBAC system on the database that based on the XML documents.
Firstly, in this paper,we classify the object of the access control model abstractly according to their attributes,then assign the permissions to a class of objects.The access permission of the subject to the object in the model is decided by the corresponding roles and access domain of the subject,this way can greatly reduce the number of the roles and permissions definitions. Secondly,this paper adopts the rules of separation of duties to solve the roles' interest conflict in the system,in order to avoid the phenomenon that the users have excessive permissions or the users beyond their authorities which affects the security performance of the system.In addition,this paper also uses the schematron(the XML schema language based on rules) to describe the constraint rules formally.
The extended RBAC model that based on XML document can satisfy the fine-grained access control requirements of the XML document.This model's structure is simple and flexible,and it's easy to be realized.
本课题将以传统的基于XML文档RBAC(基于角色的访问控制)模型作为文章研究的出发点,从而提出了基于XML文档数据库的扩展RBAC模型。该模型使用了Schema语言来定义了XML数据库文档结构,针对XML文档的特性,在分析基于XML的RBAC模型存在角色授权过于庞大和约束机制不完善的问题基础上,对其进行有效的改造和扩展,提出了一种新的基于XML文档的扩展RBAC模型。
文章分析了传统的RBAC模型存在的问题,并在此基础上针对这些问题提出了解决方案——基于XML文档的扩展RBAC模型,并对新的扩展RBAC模型进行完整的定义和详细的说明。论文中还结合了实例模型集中从基于XML文档的扩展RBAC模型的系统实现及其系统实现所需的主要技术支持进行考虑,针对基于XML文档的扩展RBAC模型的设计,结合一个简化的企业内部人员管理信息系统为访问控制模型的应用环境,进行更为直观和深入的描述并具体展示了在基于XML文档的数据库中,实现扩展的RBAC系统所使用的关键性技术。
本论文首先对访问控制模型中的客体按照其属性进行抽象归类,再将权限配置给一类客体,模型中的主体对客体的访问权限,是由主体对应的角色和访问域共同来确定,这样极大地减少了角色和权限的定义数量。其次文章采用的是职责关系隔离(separation of duties)规则来解决系统中角色间存在的利益冲突,以避免用户权限过大或者用户越位越权等现象出现,而影响系统的安全性能。文章还将使用schematron(基于规则的XML模式语言)来对约束规则进行形式化描述。
基于XML文档的扩展RBAC模型能够符合XML文档细粒度的访问控制需求,该模型结构简洁灵活且比较容易实现。
With the rapid development of Internet, more and more in-depth Internet-based applications, and XML is either as a markup language, or it is used as the stored structure of the databases on a variety of applications as the Internet has been growing more and more widely used. XML as an information carrier in order to solve the security problems caused by widely used security services model - secure access control model, has become the focus of research is now.
This paper takes the traditional role-based access control (RBAC) model as the starting point of the study,and puts forward the extended RBAC model that based on the XML document database.This model uses the Schema language to define the document structure of the XML database,according to the characteristics of the XML document,on the problem that the role model authorized redundantly and the constraint mechanism performed imperfectly of the RBAC model that based on XML,we put forward a new extended RBAC model that based on XML documents which is effective and expansive.
This paper analyzes existing problems of the traditional RBAC model, and on this basis puts forward the solution of these problems-the extended RBAC model that based on the XML documents, and completely defines and details to the new extended RBAC model. The paper combines instance model and focus from the implementation of system and needed technical supports for the extended RBAC model that based on the XML documents to consider, and directs at the design of the extended RBAC model that based on the XML documents, combines the technical support for the main consideration for the extension of RBAC-based XML document model design, and combined with a simplified internal staff management information system as the application environment to access control model to describe which more intuitive and in-depth,and definite shows that achieved the key technologies for the extended RBAC system on the database that based on the XML documents.
Firstly, in this paper,we classify the object of the access control model abstractly according to their attributes,then assign the permissions to a class of objects.The access permission of the subject to the object in the model is decided by the corresponding roles and access domain of the subject,this way can greatly reduce the number of the roles and permissions definitions. Secondly,this paper adopts the rules of separation of duties to solve the roles' interest conflict in the system,in order to avoid the phenomenon that the users have excessive permissions or the users beyond their authorities which affects the security performance of the system.In addition,this paper also uses the schematron(the XML schema language based on rules) to describe the constraint rules formally.
The extended RBAC model that based on XML document can satisfy the fine-grained access control requirements of the XML document.This model's structure is simple and flexible,and it's easy to be realized.
引文
[1]张敏,徐震,冯登国,数据库安全[M],北京,科学出版社,2005.7
[2]Ravi S. Sandhu, Edward J. Coyne, Hal L. Feinstein, et. al. Role-Based Access Control Models. IEEEC omputer,1996,V29(2):38-47
[3]Joon S.Park, R. Sandhu, and Gail-Joon Ahn, Role-Based Access Control on the Web, ACM Trans.Information and System Sec.,Vol.4,No.1,Feb.2002.
[4]ZHANG Xinwen Jaehong Park,Ravi Sandhu. Schema2based XML security RBAC approach [C]. Estes Park,Colorado,USA:17th IFIP WG11.3 Working Conf on Data and Application Security,2003.
[5]Damiani E,di Vimercati SDC,Paraboschi S,Samarati P.A fine-grained access control system for XML documents.ACM. Transactions on Information and System Security(TISSEC),2005,5:169-202
[6]Beritino E,Castano S,Ferrai E.Securing XML documents with Author-X. IEEE Internet Computing,May/June 2001.21-31
[7]Kuper G,Massacci F.Generalized XML Security Views. SACMAT 2005 In:10th ACM Symposium on Access Control Models and Technologies, Stockholm, Sweden, June,2005.77-84.
[8]B.Lampson.Proteetion[J].ACM Operation systems Rev,1974,8(1):18-24
[9]GS.Graham and P.J.Denning.Proteetion-principles and prattices[C].In AFIPS Spring Joint ComPuter Conference,1972:417-429.
[10]刘启原,刘怡.数据库与信息系统安全[M].北京:科学出版社,2000:70-100.
[11]Damiani E,Vimercati SDC,Paraboschi S,Samarati P.A fine-grained access control system for XML documents.ACM TISSEC,2002,5(2):169202.
[12]D.Denning.A Lattice Model of Secure Information Flow[J].Communicaions of the ACM,1976,19(5):236-243.
[13]D.F.Ferraiolo, D.R.Kuhn.Role-Based Aeeess Controls. Proceedings of 15th NISTNSA National Computer Security Conferenee, Baltimore, Maryland, 1992:554-563.
[14]R.S.Sandhu, E.J.Coyne, H.L.Fejnstein.Role-Based Access Control Models[[J] IEEE Computer,1996,29(2):38-47.
[15]R.S.Sandhu, V.Bhamidipati.The ARBAC97 Model for Role-Based Administrtion of Roles[J].ACM Transactions on Information and System Security,1999,2(1):105-135.
[16]Osbom S, Sandbu R, Munawer Q. Configuring role-based access control to enforce mandatory and discretionary access control policies. ACM TISSEC,2000,3(2):85106.
[17]Ferraiolo D, Sandhu R, Gavrila S, et al. A proposed standard for role based access control.[J].ACM Transactions on Information and System Security. August,2001,4(3):224-274.
[18]Damiani E,Vimercati SDC,Paraboschi S,Samarati P.A fine-grained access control system for XML documents. ACM TISSEC,2002,5(2):169202.
[19]Ravi Sandhu, Qamar Munawer. The ARBAC99 Model for Administration of Roles[A].15th Annual Computer Security Applications Conference[C].IEEE Computer,1999:229-230.
[20]Jingzhu Wang, Sylvia L. Osbom. A RoleBased Approach to Access Control for XML Databases.Proceedings of the ninth ACM symposium on Access control models and technologies(SACMAT04),June2-4,2004,Yorktown Heights,New York,USA.
[21]钟华,冯玉琳,姜洪安.扩充角色层次关系模型及其应用[J].软件学报,2000,11(6):779-784
[22]聂伯敏,熊桂喜.分布式环境下基于角色访问控制的实现[J].计算机工程,2002,28(8):181-183.
[23]郭蕴华,陈定方,熊文龙.基于角色与基于规则相结合的访问控制模型[J],武汉理工大学学报,2003,27(5):678-681.
[24]谢东文,刘民,吴橙.企业级信息系统中基于策略的访问控制[J].计算机集成制造系统200511(4):561-564.
[25]邢小永,陈性元,张斌,等.一种基于角色的访问控制扩展模型[J].微计算机信息,2006,22(11):73-75.
[26]夏鹏万,陈荣国,孙剑.增强的基于角色的数据库访问控制模型[J].计算机应 用,2007,27(3):597-600.
[27]World Wide Web Consortium(W3C), Extensible Markup Language(XML) 1.0. 2000. http://www.w3.org/TR/REC-xtnl
[28]LiLan,He Yong-Zhong,Feng Deng-Guo.A Fine-Grained Mandatory Access Control Model for XML Documents. Journal of Software,vol.15,No.10
[29]王国仁,XML数据管理技术[M],北京,电子工业出版社,2007.4
[30]Web的新生命——XML, http://www.sinocyber.com
[31]邓华梅, 李肖锋,袁海平.关于XML数据的存储研究[J].科技情报开发与经济.2008,18(24):153-155.
[32]彭其华.网络环境下基于X M L的异构数据交换的研究[J].西南民族大学学报:自然科学版2003,29(6):756—758.
[33]翁畅平.基于XML的数字图书馆信息组织[J].科技情报开发与经济,2008.18(16):12-14.
[34]World Wide Web Consortium (W3C), XML Schema PartO Primer.2001 http://www.w3.org/TR/xmlschema-0.
[35]] World Wide Web Consortium (W3C), XML Schema Part 1:Structures. 2001.http://www.w3.org/TR/xmlschema-1
[36]World Wide Web Consortium (W3C), XML Schema Part 2:Datatypes. 2001.http://www.w3.org/TR/xmlschema-2
[37]World Wide Web Consortium (W3C), XML Path Language (XPath).2002. http://www.w3.org/TR/xpath20
[38]World Wide Web Consortium (W3C), XML Query Language (XQuery).2005. http://www.w3.org/TR/xquery
[39]http://www.w3.org/Encryption/2001/,2002-12-31
[40]http://www.w3.org/Signature/,2002-12-31
[41]Entrust Technologies. XML Strategy for Authorization,2001-4
[42]VeriSign White Paper. XML Trust Services,2001-11
[43]cs-xacml-specification. http://www.oasis-open.org/committees/documents.php
[44]BELL,D.1987.Secure computer systems:A network interpretation.In Proceedings on 3rd Annual Computer Security Application Conference.32-39.
[45]SANDHU, R.AND SAMARATI,P1994.Acess control:Principles and practice IEEE Commun.Mag.32,9,40-48.
[46]Matunda Nyanchama,Sylvia Osborn.Modeling mandatory access control in role-based security systems,Proceedings of the ninth annual IFIP TC11 WG11.3 working conference on Database security IX:status and prospects:status and prospects,p.129-144, January 1996,Rennselaerville,New York,United States.
[47]David E.Bell and Leonard J.LaPadula. Secure Computer Systems:Mathematical Foundations.ESD-TR-73-278,Vol.I,AD 770 768,Electronic Systems Division,Air Force Systems Command,Hanscom Air Force Base,Bedford,MA,USA,Nov 1973.
[48]David E.Bell and Leonard J.LaPadula.SEcure Computer Systems:A Mathematical Model.ESD-TR-73-278,Vol.Ⅱ,AD 771 543,Electronic Systems Division,Air Force Systems Command,Hanscom Air Force Base,Bedford,MA,USA,Nov 1973.
[49]Ferraiolo D F,Kuhn D R.Role based access control[A].15th National Computer Security Conference[C].1992,554-563.
[50]Sandhu,R S,Coyne,E.J,Feinstein,H.L,and Youman,C.E.1996.Role-Based access Control Models. Computer 29,2(Feb.1996),38-47.
[51]ZHANG Xinwen, Jaehong Park, Ravi Sandhu. Schema2based XML security RBAC approach [C]. Estes Park, Colorado, USA: 17th EFIP WG11.3 Working Conf on Data and Application Security,2003.
[2]Ravi S. Sandhu, Edward J. Coyne, Hal L. Feinstein, et. al. Role-Based Access Control Models. IEEEC omputer,1996,V29(2):38-47
[3]Joon S.Park, R. Sandhu, and Gail-Joon Ahn, Role-Based Access Control on the Web, ACM Trans.Information and System Sec.,Vol.4,No.1,Feb.2002.
[4]ZHANG Xinwen Jaehong Park,Ravi Sandhu. Schema2based XML security RBAC approach [C]. Estes Park,Colorado,USA:17th IFIP WG11.3 Working Conf on Data and Application Security,2003.
[5]Damiani E,di Vimercati SDC,Paraboschi S,Samarati P.A fine-grained access control system for XML documents.ACM. Transactions on Information and System Security(TISSEC),2005,5:169-202
[6]Beritino E,Castano S,Ferrai E.Securing XML documents with Author-X. IEEE Internet Computing,May/June 2001.21-31
[7]Kuper G,Massacci F.Generalized XML Security Views. SACMAT 2005 In:10th ACM Symposium on Access Control Models and Technologies, Stockholm, Sweden, June,2005.77-84.
[8]B.Lampson.Proteetion[J].ACM Operation systems Rev,1974,8(1):18-24
[9]GS.Graham and P.J.Denning.Proteetion-principles and prattices[C].In AFIPS Spring Joint ComPuter Conference,1972:417-429.
[10]刘启原,刘怡.数据库与信息系统安全[M].北京:科学出版社,2000:70-100.
[11]Damiani E,Vimercati SDC,Paraboschi S,Samarati P.A fine-grained access control system for XML documents.ACM TISSEC,2002,5(2):169202.
[12]D.Denning.A Lattice Model of Secure Information Flow[J].Communicaions of the ACM,1976,19(5):236-243.
[13]D.F.Ferraiolo, D.R.Kuhn.Role-Based Aeeess Controls. Proceedings of 15th NISTNSA National Computer Security Conferenee, Baltimore, Maryland, 1992:554-563.
[14]R.S.Sandhu, E.J.Coyne, H.L.Fejnstein.Role-Based Access Control Models[[J] IEEE Computer,1996,29(2):38-47.
[15]R.S.Sandhu, V.Bhamidipati.The ARBAC97 Model for Role-Based Administrtion of Roles[J].ACM Transactions on Information and System Security,1999,2(1):105-135.
[16]Osbom S, Sandbu R, Munawer Q. Configuring role-based access control to enforce mandatory and discretionary access control policies. ACM TISSEC,2000,3(2):85106.
[17]Ferraiolo D, Sandhu R, Gavrila S, et al. A proposed standard for role based access control.[J].ACM Transactions on Information and System Security. August,2001,4(3):224-274.
[18]Damiani E,Vimercati SDC,Paraboschi S,Samarati P.A fine-grained access control system for XML documents. ACM TISSEC,2002,5(2):169202.
[19]Ravi Sandhu, Qamar Munawer. The ARBAC99 Model for Administration of Roles[A].15th Annual Computer Security Applications Conference[C].IEEE Computer,1999:229-230.
[20]Jingzhu Wang, Sylvia L. Osbom. A RoleBased Approach to Access Control for XML Databases.Proceedings of the ninth ACM symposium on Access control models and technologies(SACMAT04),June2-4,2004,Yorktown Heights,New York,USA.
[21]钟华,冯玉琳,姜洪安.扩充角色层次关系模型及其应用[J].软件学报,2000,11(6):779-784
[22]聂伯敏,熊桂喜.分布式环境下基于角色访问控制的实现[J].计算机工程,2002,28(8):181-183.
[23]郭蕴华,陈定方,熊文龙.基于角色与基于规则相结合的访问控制模型[J],武汉理工大学学报,2003,27(5):678-681.
[24]谢东文,刘民,吴橙.企业级信息系统中基于策略的访问控制[J].计算机集成制造系统200511(4):561-564.
[25]邢小永,陈性元,张斌,等.一种基于角色的访问控制扩展模型[J].微计算机信息,2006,22(11):73-75.
[26]夏鹏万,陈荣国,孙剑.增强的基于角色的数据库访问控制模型[J].计算机应 用,2007,27(3):597-600.
[27]World Wide Web Consortium(W3C), Extensible Markup Language(XML) 1.0. 2000. http://www.w3.org/TR/REC-xtnl
[28]LiLan,He Yong-Zhong,Feng Deng-Guo.A Fine-Grained Mandatory Access Control Model for XML Documents. Journal of Software,vol.15,No.10
[29]王国仁,XML数据管理技术[M],北京,电子工业出版社,2007.4
[30]Web的新生命——XML, http://www.sinocyber.com
[31]邓华梅, 李肖锋,袁海平.关于XML数据的存储研究[J].科技情报开发与经济.2008,18(24):153-155.
[32]彭其华.网络环境下基于X M L的异构数据交换的研究[J].西南民族大学学报:自然科学版2003,29(6):756—758.
[33]翁畅平.基于XML的数字图书馆信息组织[J].科技情报开发与经济,2008.18(16):12-14.
[34]World Wide Web Consortium (W3C), XML Schema PartO Primer.2001 http://www.w3.org/TR/xmlschema-0.
[35]] World Wide Web Consortium (W3C), XML Schema Part 1:Structures. 2001.http://www.w3.org/TR/xmlschema-1
[36]World Wide Web Consortium (W3C), XML Schema Part 2:Datatypes. 2001.http://www.w3.org/TR/xmlschema-2
[37]World Wide Web Consortium (W3C), XML Path Language (XPath).2002. http://www.w3.org/TR/xpath20
[38]World Wide Web Consortium (W3C), XML Query Language (XQuery).2005. http://www.w3.org/TR/xquery
[39]http://www.w3.org/Encryption/2001/,2002-12-31
[40]http://www.w3.org/Signature/,2002-12-31
[41]Entrust Technologies. XML Strategy for Authorization,2001-4
[42]VeriSign White Paper. XML Trust Services,2001-11
[43]cs-xacml-specification. http://www.oasis-open.org/committees/documents.php
[44]BELL,D.1987.Secure computer systems:A network interpretation.In Proceedings on 3rd Annual Computer Security Application Conference.32-39.
[45]SANDHU, R.AND SAMARATI,P1994.Acess control:Principles and practice IEEE Commun.Mag.32,9,40-48.
[46]Matunda Nyanchama,Sylvia Osborn.Modeling mandatory access control in role-based security systems,Proceedings of the ninth annual IFIP TC11 WG11.3 working conference on Database security IX:status and prospects:status and prospects,p.129-144, January 1996,Rennselaerville,New York,United States.
[47]David E.Bell and Leonard J.LaPadula. Secure Computer Systems:Mathematical Foundations.ESD-TR-73-278,Vol.I,AD 770 768,Electronic Systems Division,Air Force Systems Command,Hanscom Air Force Base,Bedford,MA,USA,Nov 1973.
[48]David E.Bell and Leonard J.LaPadula.SEcure Computer Systems:A Mathematical Model.ESD-TR-73-278,Vol.Ⅱ,AD 771 543,Electronic Systems Division,Air Force Systems Command,Hanscom Air Force Base,Bedford,MA,USA,Nov 1973.
[49]Ferraiolo D F,Kuhn D R.Role based access control[A].15th National Computer Security Conference[C].1992,554-563.
[50]Sandhu,R S,Coyne,E.J,Feinstein,H.L,and Youman,C.E.1996.Role-Based access Control Models. Computer 29,2(Feb.1996),38-47.
[51]ZHANG Xinwen, Jaehong Park, Ravi Sandhu. Schema2based XML security RBAC approach [C]. Estes Park, Colorado, USA: 17th EFIP WG11.3 Working Conf on Data and Application Security,2003.
© 2004-2018 中国地质图书馆版权所有 京ICP备05064691号 京公网安备11010802017129号 地址:北京市海淀区学院路29号 邮编:100083 电话:办公室:(+86 10)66554848;文献借阅、咨询服务、科技查新:66554700 |