Research on an Organizational-Collaboration-Oriented Access Control Model in E-Government
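Abstract
The e-government system is the product of fully combining government administrative work with modern information and communication technology, and e-government technology promptly applies and embodies new developments in information and communication technology.
     As information and communication technology continues to develop, and the high-level, deep integration of informatization and industrialization (the "integration of the two") is vigorously promoted, the construction of e-government systems has been significantly affected. The e-government system is evolving from a small-scale, single information system into a large, multi-application, distributed, collaborative, clustered complex information system, and its complexity keeps growing.
     Because e-government systems have very high security requirements, how to ensure the security of information systems, and of e-government systems in particular, has become a hot research topic at home and abroad. In information security research, access control models and authorization management systems hold an important place, but most of this research takes a technical perspective and lacks approaches that combine organization theory with engineering techniques.
     In the government's organizational structure there are superior and subordinate organizations vertically and peer organizations horizontally, and within a single organization there are different departments, so collaborative relationships exist between different organizations and between different departments of the same organization. Existing security authentication and authorization systems have difficulty meeting the requirements of different organizations, departments and business systems for security authentication, authorization management and business collaboration.
     To solve the access control and authorization management problems of collaboration among multiple organizations and departments in e-government systems, this thesis first surveys access control theory and related technologies, then analyzes government organizations and organizational collaboration, in particular secure organizational collaboration in e-government. It studies access control theory from the dual perspective of technology and organization theory, and analyzes the security policy of collaborative government systems whose core is secure organizational collaboration. Building on the role network model and the OB4LAC model, it extends OB4LAC and proposes OB4LACC, an access control model oriented to secure organizational collaboration, together with its administration model AOB4LACC, and gives both a formal description and definition. The OB4LACC model introduces the concept of the virtual position. Organizational collaboration mostly requires sharing information objects: the positions taking part in a collaboration assign the information objects to be shared to a virtual position, and the virtual position serves as a child position of each such position, so the participating positions hold all the permissions of the virtual position, which realizes secure collaboration between organizations. Finally, using J2EE architectures and implementation techniques such as Struts and Hibernate, together with XML, the thesis analyzes and designs an access control and permission management system for organizational collaboration in an e-government system, and uses a successful real-world e-government construction project to evaluate the proposed model and verify the usability and correctness of OB4LACC. The model strengthens the security of the e-government system and gives it high scalability, high availability and flexibility.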
The e-government system is the combination of government affairs and modern information and communication technology. E-government technology applies and embodies the newest developments in information and communication technology.
     With the continuous development of information and communication technology, informatization and industrialization are being integrated at a high level. This has had an important impact on the construction of e-government systems, whose development trend is from a single, small-scale information system to a large-scale, multi-application, distributed and clustered information system. System complexity is increasing.
     The e-government system has high security requirements, so how to ensure the security of information systems, and of e-government systems in particular, has become a hot research field both at home and abroad. In the information security research field, access control models and authorization management systems occupy an important position, but most of the research is based on the technology perspective and lacks an approach that combines the two perspectives of organization theory and engineering.
     In the government's organizational structure there are higher and lower organizations vertically and peer organizations laterally, and within an organization there are different departments, so collaborative relationships exist between different organizations and between different departments within the same organization. Existing security authentication and authorization systems have difficulty meeting the requirements of different organizations, different departments and different business systems for security authentication, authorization management and business collaboration.
     To address access control and authorization for collaboration among multiple organizations and multiple departments in e-government systems, this paper first surveys access control theory and related technologies, then studies and analyzes organizations and organizational collaboration, especially in e-government systems. It examines the access control model from the dual perspective of technology and organization theory, and analyzes the security policy of the collaborative e-government system. Building on the role network model and OB4LAC, it extends the OB4LAC model and proposes the organizational-collaboration-oriented access control model OB4LACC and its administration model AOB4LACC. The model is defined and described in a formal language. The OB4LACC model introduces the concept of the virtual position. Collaboration mostly requires sharing information objects, and the organization's secure collaboration is realized using virtual positions. Finally, we applied Struts, Hibernate and other J2EE architecture and implementation technologies to analyze and design an e-government system, which strengthened the security of the e-government system and gave it high scalability and availability.
