基于角色的工作流系统访问控制模型的研究
|
摘要
随着企业信息系统的发展,工作流系统的访问控制问题越来越引起研究者的关注。目前,在基于工作流的访问控制技术中大都采用以角色为基础的访问控制模型。当前研究的一个主要工作是在RBAC参考模型之上扩展的表达能力,然而其重点几乎都集中在对权限和角色的表达能力的扩展上,对于用户(User)却很少有深入的研究。
一个应用软件系统开发的目的就是为特定问题域中的用户提供所需的特殊服务,使用户通过人机交互能安全高效地履行其角色的职责。因此,扩展用户集的表达能力是一个非常值得关注的重要问题,尤其是在基于工作流的访问控制技术中,而当前的研究几乎都忽略了这一点。此外,在RBAC应用于诸如工作流系统的研究中,很少考虑企业组织结构对RBAC实现的影响,对于企业信息系统中角色和权限的特点也未作研究,而如何设置角色与权限对一个实际系统实施基于角色的访问控制起着至关重要的作用。
本论文对工作流系统访问控制技术进行了较深入的研究。通过分析影响工作流系统访问控制的各种因素,在借鉴传统访问控制模型的基础上,从用户角度出发,引入企业人员的组织方式,提出了基于用户集扩展的角色访问控制模型,从而扩展了用户集的表达能力、考虑了企业组织结构对访问控制实现的影响,并以此为基础,将静态和动态授权融合在同一个访问控制系统之中,进而结合了当前被动和主动安全模型的优点。
访问控制的实现是本文的另一个研究重点。通过较深入的研究与分析目前各种不同的实现访问控制的方法,本文针对被动式的基于角色访问控制在企业环境中的应用,设计出了一种基于加密权限代码的访问控制方法,并利用加密技术,以提高权限数据的安全性。文中结合信息系统开发实例,详细介绍了该方法在被动式的基于角色访问控制中的实现原理及其使用方法。
最后,对该方法在主动式的基于任务访问控制中的应用进行了探讨。该方法已应用于《旅馆业治安管理信息系统》,此软件已通过公安部安全与警用电子产品质量检测中心(公京检062038号)的检测,且在应用中取得了较好的效果。
With the development of enterprise information system, access control problems for workflow system attract more and more attentions of researchers. At present, role-based access control model is mainly adopted in workflow-based access control technology. The most important task is expanding the expression ability based on the current RBAC Reference Model, but the task almost always focuses on the expression ability based on permission and role much more than user-set.
The aim of exploring an application software system is to provide special service for users in special domain, where users can carry out their responsibility securely and efficiently as a particular role through Man-Machine Interaction. Therefore, to expand the expression ability of the user-set is a very important issue which must be paid much more attention to, especially in workflow-based access control technology. It is a pity that researchers overlook this point. Furthermore, in the research of RBAC application, like workflow system, few researchers think over the effect of RBAC due to implement due to enterprise organization structure.They ignore the characteristic of permission and role in enterprise information system, while how to set role and permission play a very important role in a real system which implement role-based access control.
In this paper, many research works have been done on the traditional access control technologies in workflow- management system. By analyzing factors related to access control in the enterprise environment, and presenting organizational structure, a task-role-based access control model with expanded user set is introduced based on using the model of traditional access control for reference. As a result, the expression ability of user-set is expanded and the effect of access control implement is thought over due to enterprise organization structure. Furthermore, by integrating static authorization and dynamic authorization in the same access control system, the new model combines the merit of passive and active security model.
The implementation of access control is an other emphasis in the research of this paper. By researching and analyzing various implementation methods of access control, an access control method based on encrypted authorization code is put forward to meet the requirement of application for passive role-based access control in the enterprise circumstance. Encrypted technology is also incorporated into this method to strength the security of data. The realization theory and access mechanism of the method in passive role-based access control are elaborated by an information system development example.
The application in active task-based access control of the method is also discussed in the end.The method was applied in Management Information System on the Public Security of Hotel.The system achieved examinations of Police Security & Electronic Production Quality Examination Center(GJJ 062038).And it achieves better effect in the application.
一个应用软件系统开发的目的就是为特定问题域中的用户提供所需的特殊服务,使用户通过人机交互能安全高效地履行其角色的职责。因此,扩展用户集的表达能力是一个非常值得关注的重要问题,尤其是在基于工作流的访问控制技术中,而当前的研究几乎都忽略了这一点。此外,在RBAC应用于诸如工作流系统的研究中,很少考虑企业组织结构对RBAC实现的影响,对于企业信息系统中角色和权限的特点也未作研究,而如何设置角色与权限对一个实际系统实施基于角色的访问控制起着至关重要的作用。
本论文对工作流系统访问控制技术进行了较深入的研究。通过分析影响工作流系统访问控制的各种因素,在借鉴传统访问控制模型的基础上,从用户角度出发,引入企业人员的组织方式,提出了基于用户集扩展的角色访问控制模型,从而扩展了用户集的表达能力、考虑了企业组织结构对访问控制实现的影响,并以此为基础,将静态和动态授权融合在同一个访问控制系统之中,进而结合了当前被动和主动安全模型的优点。
访问控制的实现是本文的另一个研究重点。通过较深入的研究与分析目前各种不同的实现访问控制的方法,本文针对被动式的基于角色访问控制在企业环境中的应用,设计出了一种基于加密权限代码的访问控制方法,并利用加密技术,以提高权限数据的安全性。文中结合信息系统开发实例,详细介绍了该方法在被动式的基于角色访问控制中的实现原理及其使用方法。
最后,对该方法在主动式的基于任务访问控制中的应用进行了探讨。该方法已应用于《旅馆业治安管理信息系统》,此软件已通过公安部安全与警用电子产品质量检测中心(公京检062038号)的检测,且在应用中取得了较好的效果。
With the development of enterprise information system, access control problems for workflow system attract more and more attentions of researchers. At present, role-based access control model is mainly adopted in workflow-based access control technology. The most important task is expanding the expression ability based on the current RBAC Reference Model, but the task almost always focuses on the expression ability based on permission and role much more than user-set.
The aim of exploring an application software system is to provide special service for users in special domain, where users can carry out their responsibility securely and efficiently as a particular role through Man-Machine Interaction. Therefore, to expand the expression ability of the user-set is a very important issue which must be paid much more attention to, especially in workflow-based access control technology. It is a pity that researchers overlook this point. Furthermore, in the research of RBAC application, like workflow system, few researchers think over the effect of RBAC due to implement due to enterprise organization structure.They ignore the characteristic of permission and role in enterprise information system, while how to set role and permission play a very important role in a real system which implement role-based access control.
In this paper, many research works have been done on the traditional access control technologies in workflow- management system. By analyzing factors related to access control in the enterprise environment, and presenting organizational structure, a task-role-based access control model with expanded user set is introduced based on using the model of traditional access control for reference. As a result, the expression ability of user-set is expanded and the effect of access control implement is thought over due to enterprise organization structure. Furthermore, by integrating static authorization and dynamic authorization in the same access control system, the new model combines the merit of passive and active security model.
The implementation of access control is an other emphasis in the research of this paper. By researching and analyzing various implementation methods of access control, an access control method based on encrypted authorization code is put forward to meet the requirement of application for passive role-based access control in the enterprise circumstance. Encrypted technology is also incorporated into this method to strength the security of data. The realization theory and access mechanism of the method in passive role-based access control are elaborated by an information system development example.
The application in active task-based access control of the method is also discussed in the end.The method was applied in Management Information System on the Public Security of Hotel.The system achieved examinations of Police Security & Electronic Production Quality Examination Center(GJJ 062038).And it achieves better effect in the application.
引文
[1]董巧玉,欧阳昱,刘玉树.工作流系统访问控制技术.计算机应用,2003,23(10):126-128
[2]WfMC TC 1019-1998.Workflow Security Considerations-White Paper
[3]许春根.访问控制技术的理论与方法的研究:[南京理工大学博士学位论文].南京:南京理工大学,2003
[4]张栋,刘飞,宋豫川等.基于角色的访问控制机制在工作流平台下扩展的研究.制造业自动化,2004,26(5):53-57
[5]Sejong Oh,Seog Park.Task-role-based Access Control Model.Information System,2003,28(6):533-562
[6]Sandhu R.S.,Edward J.C.,Hal L.F.,et al.Role-based Access Control Models.IEEE Computer,1996,29(2):38-47
[7]David F.F.,Sandhu R.S.Proposed NIST Standard for Role-Based Access Control.ACM Transactions on Information and System Securitv(TISSEC).2001.4(3):224-274
[8]沈海波,洪帆.访问控制模型研究综述.计算机应用研究,2005,22(6):9-11
[9]曾炜,阎保平.工作流模型研究综述.计算机应用研究,2005,21(5):11-13、22
[10]Wil vander Aalst.工作流管理——模型、方法和系统.北京:清华大学出版社,2004
[11]范玉顺.企业建模理论与方法学导论.北京:清华大学出版社,2001
[12]范玉顺,吴澄.工作流管理技术研究与产品现状及发展趋势.计算机集成制造系统,2000,6(1):1-7、13
[13]范玉顺,吴澄.工作流技术综述.软件学报,2000,11(7):899-907
[14]陈浩,刘念,胡艳军等.基于工作流的知识建模研究.制造业自动化,2005,27(5):8-12
[15]张晓刚,李明树.基于工作流的知识流建模与控制.软件学报,2005,16(2):184-193
[16]张世栋,彭朝晖,杨少军等.支持多群体同步协同的工作流若干关键技术研究.系统仿真学报,2003,15(4):519-522
[17]邓集波,洪帆.基于任务的访问控制模型.软件学报,2003,14(1):76-81
[18]任莹.工作流管理系统访问控制技术:[清华大学工程硕士学位论文].北京:清华大学软件学院,2005
[19]赵亮,茅兵.访问控制研究综述.计算机工程,2004,30(2):1-2、89
[20]严悍.基于角色的访问控制对象建模及实现.计算机学报,2000,23(10):1064-1071
[21]史美林,杨光信,向勇等.WfMS:工作流管理系统.计算机学报,1999,22(3):321-334
[22]范玉顺.工作流管理技术基础——实现企业业务过程重组、过程管理与过程自动化的核心技术.北京:清华大学出版社,2001
[23]WfMC TC00-1003-1994.The Workflow Reference Model
[24]W.M.P.van der Aalst,K.M.van Hee.Workflow Management:Models,Methods,and Systems.MIT press,Cambridge,MA,2002
[25]WfMC.Workflow Management Coalition Terminology & Glossary,Document Number WFMC-TC-1011,Document Status-Issue 3.0,February.Technical report,Workflow Management Coalition,Brussels,1999
[26]Peter Lawrence.Workflow Handbook.Chichester,West Sussex,England;New York:John Wiley & Sons,c1997
[27]WfMC.The Workflow Reference Model,Doc.No.TCOO-lOO3.http://www.wfmc.org/
[28]W.M.P.van der Aalst.The application of Petri nets to workflow management.The Journal of Circuits,Systems and Computers,1998,8(1):21-66
[29]牛军钰,赵大哲,赵宏.一个基于WWW的工作流管理系统.北大学学报,2000,21(1):22-25
[30]DA Zhezhao,YAN Chunsun,JUN Yuniu,et al.Workflow Management System Based on Cooperation and Component,Proceedings of Second International Workshop on CSCW in Design,26-28 Nov,1997
[31]汪涛,黄力芹,吴耿锋.工作流管理的发展历程和趋势.计算机工程与科学,2001,23(1):98-99
[32]张哲冰,李永昊.工作流系统的设计与实现的研究.三峡大学学报,2003,25(4):324-326
[33]张志君,范玉顺.一种高性能的分布式工作流系统实现框架.计算机集成制造系统—CIMS,2003,9(6):431-435,455
[34]唐林燕.分布计算工作流环境的分析.现代计算机,2001,10:90-91
[35]Yeongho Kim,Suk-Ho Kang,Dongsoo Kim,et al.WW-FLOW:Web-based workflow management with runtime encapsulation.IEEE internet computing,2000,4(3):55-64
[36]Yunlong Z.,Hongxin L.,Jinsong X.,et al.The Design of Cooperative Workflow Management Model Based on Agent.Proceedings of Technology of Object-Oriented Languages and Systems(TOOLS 31),1999,465-470
[37]刑光林,洪帆.基于角色和任务的工作流访问控制模型.计算机工程与应用,2005, (2):210-214
[38]Bertino E,Bonati PA,Ferrari E.TRBAC:A temporal role-based access control model.ACM Transactions on Information and System Security,2001,(3):191-223
[39]Li S.,Kittel A.,Jia D.,et al.Security Considerations for Workflow Systems.IEEE,2000,0-7803-5864-3
[40]Anand R.T.,Tanvir Ahmed,Richa Kumar.Specification of Secure Distributed Collaboration Systems.IEEE,2003,0-7695-1876-1/03
[41]Knorr K.Dynamic access control through Petri net workflows.The 16th Annual Computer Security Applications Conference(ACSAC' 00),New Orleans,Louisiana,2000
[42]Thomas R.K.,Sandhu R.S.Task-based Authorization Controls(TBAC):A Family of Models for Active and Enterprise-Oriented Authorization Management.Lake Tahoe,Califonia:Proceedings of the IFIP WG11.3 Workshop on Database Security,1997
[43]Panos Periorellis,Savas Parastatidis.Task-based Access Control for Virtual Organizations.4th International Workshop on Scientific Engineering for Distributed Java Applications(FIDJI 2004),2005:38-47
[44]刘道斌,白硕.基于工作流状态的动态访问控制.计算机研究与发展,2003,(3)
[45]冯韬,王茜.分布式柔性工作流的研究与实现.计算机应用,2002,(2)
[46]SHI Meilin,YANG Guangxin,XIANG Yong,et al.Workflow Management Systems:A Survey.Beijing,China:International Conference on Communication Technology(ICCT),1998,2:S33051-S33056
[47]Sodki Chaari.An Authorization and Access Control Model for Workflow.In IEEE Computer,2004,6(4):141-148
[48]XU Wei,WEI Jun,LIU Yu,et al.SOWAC:A Service-Oriented Workflow Access Control Model.The 28th Annual International Computer Software and Applications Conference(COMPSAC'04),2004,0730-3157/04
[49]LIU Dongsheng.Modeling workflow processes with colored Petri nets.Computers in Industry,2002,49(2):267-281
[50]WU Shengli.Authorization and Access Control of Application Data in Workflow Systems.Journal of Intelligent Information Systems,2002,18(1):71-94
[51]Jacques Wainer.Constraint-based flexible workflows.CRIWG 2003,Autrans,France,2003
[52]Atluri V.A Semantic Based Execution Model for Multilevel Secure Workflows.Journal of Computer Security,2000,8(1):3-41
[53]ZHOU Mingtian,WANG Minyi,YAO Shaowen.A workflov instance migration approach based on the extended-task-structures.Journal of Software,2003,14(4):757-763
[54]David Edmond,Arthur H.M.ter Hosftede.A reflective infrastructure for workflow Adaptability.Data & Knowledge Engineering 34 271-304,2000
[55]Bastin Tony Roy Savarimuthu,Maryam Purvis,Martin Fleurke.Monitoring and controlling of a multi-agent based workflow system.In:Australasian Workshop on Data Mining and Web Intelligence(DMWI 2004),Dunedin,2004
[56]Vijay Atluri.Security for workflow systems.Information Security Technical Report,Elsevier Science,2001,6(2):59-68
[57]PTC.Product lifecycle management for product first manufacturing companies.http://www.ptc.com,2002-11-04
[58]丁于思.基于角色的安全访问控制在企业信息系统中的应用研究:[中南大学硕士学位论文].长沙:中南大学管理科学与工程系,2003
[59]崔玉松,沈文轩,张林等.基于角色的工作流访问控制模型及其实现.计算机应用与软件,2007,24(6):119-122
[60]宁葵.访问控制安全技术及应用.北京:电子工业出版社,2005
[61]Sabrina De Capitani di Vimercati,Stefano Paraboschi,Pierangela Samarati.Access control:principles and solutions.Software,2003,33(5):397-421
[62]王五一,唐刚,张勇敏.谈信息加密及对称密钥加密技术.计算机应用研究,1999,(12):26-27
[2]WfMC TC 1019-1998.Workflow Security Considerations-White Paper
[3]许春根.访问控制技术的理论与方法的研究:[南京理工大学博士学位论文].南京:南京理工大学,2003
[4]张栋,刘飞,宋豫川等.基于角色的访问控制机制在工作流平台下扩展的研究.制造业自动化,2004,26(5):53-57
[5]Sejong Oh,Seog Park.Task-role-based Access Control Model.Information System,2003,28(6):533-562
[6]Sandhu R.S.,Edward J.C.,Hal L.F.,et al.Role-based Access Control Models.IEEE Computer,1996,29(2):38-47
[7]David F.F.,Sandhu R.S.Proposed NIST Standard for Role-Based Access Control.ACM Transactions on Information and System Securitv(TISSEC).2001.4(3):224-274
[8]沈海波,洪帆.访问控制模型研究综述.计算机应用研究,2005,22(6):9-11
[9]曾炜,阎保平.工作流模型研究综述.计算机应用研究,2005,21(5):11-13、22
[10]Wil vander Aalst.工作流管理——模型、方法和系统.北京:清华大学出版社,2004
[11]范玉顺.企业建模理论与方法学导论.北京:清华大学出版社,2001
[12]范玉顺,吴澄.工作流管理技术研究与产品现状及发展趋势.计算机集成制造系统,2000,6(1):1-7、13
[13]范玉顺,吴澄.工作流技术综述.软件学报,2000,11(7):899-907
[14]陈浩,刘念,胡艳军等.基于工作流的知识建模研究.制造业自动化,2005,27(5):8-12
[15]张晓刚,李明树.基于工作流的知识流建模与控制.软件学报,2005,16(2):184-193
[16]张世栋,彭朝晖,杨少军等.支持多群体同步协同的工作流若干关键技术研究.系统仿真学报,2003,15(4):519-522
[17]邓集波,洪帆.基于任务的访问控制模型.软件学报,2003,14(1):76-81
[18]任莹.工作流管理系统访问控制技术:[清华大学工程硕士学位论文].北京:清华大学软件学院,2005
[19]赵亮,茅兵.访问控制研究综述.计算机工程,2004,30(2):1-2、89
[20]严悍.基于角色的访问控制对象建模及实现.计算机学报,2000,23(10):1064-1071
[21]史美林,杨光信,向勇等.WfMS:工作流管理系统.计算机学报,1999,22(3):321-334
[22]范玉顺.工作流管理技术基础——实现企业业务过程重组、过程管理与过程自动化的核心技术.北京:清华大学出版社,2001
[23]WfMC TC00-1003-1994.The Workflow Reference Model
[24]W.M.P.van der Aalst,K.M.van Hee.Workflow Management:Models,Methods,and Systems.MIT press,Cambridge,MA,2002
[25]WfMC.Workflow Management Coalition Terminology & Glossary,Document Number WFMC-TC-1011,Document Status-Issue 3.0,February.Technical report,Workflow Management Coalition,Brussels,1999
[26]Peter Lawrence.Workflow Handbook.Chichester,West Sussex,England;New York:John Wiley & Sons,c1997
[27]WfMC.The Workflow Reference Model,Doc.No.TCOO-lOO3.http://www.wfmc.org/
[28]W.M.P.van der Aalst.The application of Petri nets to workflow management.The Journal of Circuits,Systems and Computers,1998,8(1):21-66
[29]牛军钰,赵大哲,赵宏.一个基于WWW的工作流管理系统.北大学学报,2000,21(1):22-25
[30]DA Zhezhao,YAN Chunsun,JUN Yuniu,et al.Workflow Management System Based on Cooperation and Component,Proceedings of Second International Workshop on CSCW in Design,26-28 Nov,1997
[31]汪涛,黄力芹,吴耿锋.工作流管理的发展历程和趋势.计算机工程与科学,2001,23(1):98-99
[32]张哲冰,李永昊.工作流系统的设计与实现的研究.三峡大学学报,2003,25(4):324-326
[33]张志君,范玉顺.一种高性能的分布式工作流系统实现框架.计算机集成制造系统—CIMS,2003,9(6):431-435,455
[34]唐林燕.分布计算工作流环境的分析.现代计算机,2001,10:90-91
[35]Yeongho Kim,Suk-Ho Kang,Dongsoo Kim,et al.WW-FLOW:Web-based workflow management with runtime encapsulation.IEEE internet computing,2000,4(3):55-64
[36]Yunlong Z.,Hongxin L.,Jinsong X.,et al.The Design of Cooperative Workflow Management Model Based on Agent.Proceedings of Technology of Object-Oriented Languages and Systems(TOOLS 31),1999,465-470
[37]刑光林,洪帆.基于角色和任务的工作流访问控制模型.计算机工程与应用,2005, (2):210-214
[38]Bertino E,Bonati PA,Ferrari E.TRBAC:A temporal role-based access control model.ACM Transactions on Information and System Security,2001,(3):191-223
[39]Li S.,Kittel A.,Jia D.,et al.Security Considerations for Workflow Systems.IEEE,2000,0-7803-5864-3
[40]Anand R.T.,Tanvir Ahmed,Richa Kumar.Specification of Secure Distributed Collaboration Systems.IEEE,2003,0-7695-1876-1/03
[41]Knorr K.Dynamic access control through Petri net workflows.The 16th Annual Computer Security Applications Conference(ACSAC' 00),New Orleans,Louisiana,2000
[42]Thomas R.K.,Sandhu R.S.Task-based Authorization Controls(TBAC):A Family of Models for Active and Enterprise-Oriented Authorization Management.Lake Tahoe,Califonia:Proceedings of the IFIP WG11.3 Workshop on Database Security,1997
[43]Panos Periorellis,Savas Parastatidis.Task-based Access Control for Virtual Organizations.4th International Workshop on Scientific Engineering for Distributed Java Applications(FIDJI 2004),2005:38-47
[44]刘道斌,白硕.基于工作流状态的动态访问控制.计算机研究与发展,2003,(3)
[45]冯韬,王茜.分布式柔性工作流的研究与实现.计算机应用,2002,(2)
[46]SHI Meilin,YANG Guangxin,XIANG Yong,et al.Workflow Management Systems:A Survey.Beijing,China:International Conference on Communication Technology(ICCT),1998,2:S33051-S33056
[47]Sodki Chaari.An Authorization and Access Control Model for Workflow.In IEEE Computer,2004,6(4):141-148
[48]XU Wei,WEI Jun,LIU Yu,et al.SOWAC:A Service-Oriented Workflow Access Control Model.The 28th Annual International Computer Software and Applications Conference(COMPSAC'04),2004,0730-3157/04
[49]LIU Dongsheng.Modeling workflow processes with colored Petri nets.Computers in Industry,2002,49(2):267-281
[50]WU Shengli.Authorization and Access Control of Application Data in Workflow Systems.Journal of Intelligent Information Systems,2002,18(1):71-94
[51]Jacques Wainer.Constraint-based flexible workflows.CRIWG 2003,Autrans,France,2003
[52]Atluri V.A Semantic Based Execution Model for Multilevel Secure Workflows.Journal of Computer Security,2000,8(1):3-41
[53]ZHOU Mingtian,WANG Minyi,YAO Shaowen.A workflov instance migration approach based on the extended-task-structures.Journal of Software,2003,14(4):757-763
[54]David Edmond,Arthur H.M.ter Hosftede.A reflective infrastructure for workflow Adaptability.Data & Knowledge Engineering 34 271-304,2000
[55]Bastin Tony Roy Savarimuthu,Maryam Purvis,Martin Fleurke.Monitoring and controlling of a multi-agent based workflow system.In:Australasian Workshop on Data Mining and Web Intelligence(DMWI 2004),Dunedin,2004
[56]Vijay Atluri.Security for workflow systems.Information Security Technical Report,Elsevier Science,2001,6(2):59-68
[57]PTC.Product lifecycle management for product first manufacturing companies.http://www.ptc.com,2002-11-04
[58]丁于思.基于角色的安全访问控制在企业信息系统中的应用研究:[中南大学硕士学位论文].长沙:中南大学管理科学与工程系,2003
[59]崔玉松,沈文轩,张林等.基于角色的工作流访问控制模型及其实现.计算机应用与软件,2007,24(6):119-122
[60]宁葵.访问控制安全技术及应用.北京:电子工业出版社,2005
[61]Sabrina De Capitani di Vimercati,Stefano Paraboschi,Pierangela Samarati.Access control:principles and solutions.Software,2003,33(5):397-421
[62]王五一,唐刚,张勇敏.谈信息加密及对称密钥加密技术.计算机应用研究,1999,(12):26-27
© 2004-2018 中国地质图书馆版权所有 京ICP备05064691号 京公网安备11010802017129号 地址:北京市海淀区学院路29号 邮编:100083 电话:办公室:(+86 10)66554848;文献借阅、咨询服务、科技查新:66554700 |