Font Size: a A A

The Construction Of Role Based Access Control Policy

Posted on:2011-04-03Degree:DoctorType:Dissertation
Country:ChinaCandidate:C HuangFull Text:PDF
GTID:1118330332978358Subject:Computer application technology
Abstract/Summary:PDF Full Text Request
As the development of economic globalization and the development modern service industry, information technology has been one of the most important factors to achieve the continuous prosperous. The adoption of large scale enterprise applications greatly improves the efficiency, however as the systems become larger, the security problems become more serious subsequently. Access control is one of the essential and fundamental security techniques to protect the system's resources, which provides the guarantee to make sure the application under safety. The complexity of the business requirement and constraints in large scale enterprise applications present the new demands and challenges.Role Based Access Control (RBAC) is one of the most pervasively applied access control techniques, which provides the full support of fine grained administration, least privilege, and separation of duty etc. Since the presence of RBAC, a lot of researchers have been working on the construction methods of RBAC policy. "Role" is the core concept in RBAC, and the essence of constructing RBAC policy is to define the relationship among roles, the relationship between role and permission, and the relationship between user and role, thus the research of RBAC policy construction is also called "Role Engineering". In this paper, the concentration has been put on the key techniques to construct RBAC policy and the major contributions of this dissertation are summarized as below:1) A role increment based RBAC policy construction method is proposed. Firstly the noise in user permission data is categorized into positive and negative form, and a noise detection algorithm is presented. Secondly, the role system will be created iteratively based on the role increment, which is an effective way to measure the contribution of candidate roles. Lastly, a unified role hierarchy build algorithm is presented. The proposed method can not only reduce the impact of noise effectively, but also improve the relationship and hierarchy structure among roles, thus facilitate to build more accurate RBAC policy. 2) A goal-oriented RBAC policy construction method is proposed. Firstly, the meta-model is defined. Secondly, decomposing system requirements gradually, permissions and roles will be constructed via building the proposed objective and activity decomposition diagrams. Lastly, an algorithm is proposed to check the policy redundancy and inconsistency. This method can make different analysts' concerns focus on RBAC policy of different level, to improve the efficiency of policy construction. Through the redundancy and inconsistency checking, potential hazards can be eliminated to ensure the accuracy and effectiveness of overall system access control policy.3) A distributed RBAC policy construction method for web services composition is proposed. Firstly, the problem of constructing distributed RBAC policy is analyzed. Secondly, constructing optimal distributed RBAC policy is proven to be an NP complete problem. Lastly, by analyzing the existing RBAC policy in independent systems and the web service composition, the algorithm to build the necessary role mapping for web service composition is presented. Compared to existing methods, this method has obvious performance advantages, while integrating existing RBAC policy smoothly to reduce the construction cost.4) A security conflict detection and resolution method for distributed RBAC policy is proposed. Firstly, root cause of security conflicts is proved to be the existence of none-secure backtracking role mapping. Secondly, the detection algorithm based on the depth first search algorithm is proposed. Lastly, based on the detection results the resolution method is also presented, which utilizes the max flow algorithm. Compared to the existing methods, the proposed detection algorithm not only has better performance, but also can generate the role mapping information which causes the security conflicts. The proposed resolution algorithm can eliminate security conflicts and ensure the safety of the systems.
Keywords/Search Tags:Large scale enterprise application, access control, role based access control, role engineering, role mining, access control consistency, access control constraint, separation of duty, security conflicts
PDF Full Text Request
Related items