
Research On Resource Management Model Oriented To Authorization Management

Posted on: 2012-08-29
Degree: Doctor
Type: Dissertation
Country: China
Candidate: T Wang
GTID: 1118330371462504
Subject: Computer application technology
Abstract/Summary:
Uniform authorization management is a necessary information security technology platform for the construction of various information systems and networks, and is the core of the network security trust architecture. Within it, the uniform management of various distributed resources is an important premise and support for uniform authorization management. As the number of resources grows rapidly, resource diversity increases and resource distribution becomes more complex, the extensibility, standardization and security of resource management have a profound impact on authorization management, and the foundational role of resource management for authorization management is therefore more and more prominent. However, current authorization management research neglects resource management, which lacks thorough and systematic theoretical research. The management pattern lacks universality and extensibility, which affects the implementation and application of uniform authorization management.

Therefore, we extract resource management from authorization management as a separate research aspect and propose the concept of resource management oriented to authorization management. In this dissertation, we conduct deep and systematic research on a resource management model oriented to authorization management, with the aim of solving the uniform management of resources of any type and granularity and providing support for authorization management, especially for secure and formal authorization management. The main work of this dissertation includes the following aspects.

1. The concept of resource management oriented to authorization management is proposed. The important effect of resource management on authorization management and its security is discussed, and the main functions of resource management are explained.

2. The basic resource management model oriented to authorization management is proposed. Resources are classified according to their properties and allowable operations, based on the object-oriented concept. The resource type relationship tree is introduced for the management of resource types, and resources of various types and granularities are organized as a tree structure. The resource type is extensible and the granularity of resources is controllable through dynamic management of the resource type relationship tree and the resource organization structure. The deduction relationship between privileges is derived to improve the efficiency of authorization, and security constraints and resource management rules oriented to authorization management are developed to regulate the dynamic management of resources. The proposed model can support the management of resources of any type and granularity, with extensible resource types, adjustable granularity and deducible privileges.

3. To meet the demand for multi-hierarchy resource management in a distributed environment, an extended resource management model supporting multi-hierarchy management is designed. Furthermore, the concepts of a resource organization structure combining virtual and actual nodes and of the resource management branch are introduced to enable a reasonable division of resources and the dynamic distribution and delegation of resource administration privileges. Multi-hierarchy security constraints and resource management rules oriented to authorization management are developed to make the delegation of resource administration privileges secure. The extended model can support the autonomous management of resources and the dynamic allocation and reclamation of administration privileges, with an extensible and flexible management structure.

4. The security principles of resource management oriented to authorization management are proposed. With the aim of ensuring authorization security, the security demands of resource management oriented to authorization management are studied. The proposed secure resource management principles include the consistency, no privilege leakage and separation of duty principles. The security principles can efficiently support the security requirements of authorization management and provide criteria for evaluating the security of resource management.

5. Based on state machine theory, the security of the proposed models is formally proved and analyzed. The state transition systems of the basic model and the extended model are described respectively, the security invariants of the models are given, and the security invariants are proved to be consistent with the security principles of resource management oriented to authorization management. The initial state and every state transition rule of the system are formally proved to maintain the security invariants. It is thus proved that the models satisfy the security principles of resource management oriented to authorization management.

6. The key algorithms of resource management oriented to authorization management are given. A fast algorithm for calculating deduced privileges, based on the reachability matrix of privilege deduction, is proposed; experiments show that the method has high efficiency. In addition, a compatibility determination theorem and algorithm are proposed to solve the problem of compatibility between the separation of duty policy and the deduction relation between privileges.
Keywords/Search Tags:authorization management, resource management, access control, multi-hierarchy management, fine-grained, privilege deduction, separation of duty