Research On Access Control Modeling In Enterprise-Level Collaborative Environment

Access control is one of the essential means to secure information security. It could bedivided into the two of active/passive ones: the former is business-oriented and the latter issystem-centric. In enterprise applications, normally complex and various business/collaboration requirements should be met, and large-scaled subjects/objects might be involved.Therefore in their access control components, not only flexible and transparent securityservices should be provided, but also scalable and maintainable security administration shouldbe supported. In this paper the enterprise-oriented active/passive access control issue will beaddressed from these two perspectives. The main work of this paper includes:1. An organizations-role association based access control model is proposed. Anorganization-role association with the additional attributes of actuality, management andglobality are used as the basis of authorization, and the specialization/management relationsamong organization-roles are defined as its permission inheritance mechanisms. Not onlyoutstanding authorization scalability is provided in distributed homogeneous organizations,but also some flexible authorization policies could be represented in hierarchicalorganizations. Furthermore fine-grained Separation of Duties (SoD) constraints could berepresented, and the expression of similar constraints could be simplified through generalizedsemantics. The superiority of this model is validated by comparison with related work using aB2B example.2. A task-state based access control model is proposed to overcome the defect that taskbased access control is somewhat coarse-grained and inflexible such that the modeling ofbusiness processes might be interfered in turn. A Colored Petri Net (CPN) simulation methodis present for the model. The expression power of existing simulation methods is enhanced:the SoD among subjects could be represented; at the same time multiple permissions definedon workflow application data could be supported. The feasibility of the model's collaborationconcept and its simulation method is validated on a workflow of customizing development.3. In existing delegation models for workflow, time constraints are too fixed to adapt tothe executing states. To address this issue, a kind of delegation feature with time and statemixed context sensitivity is proposed on basis of the linear sequence of task executing states.First, the syntax of a delegating request is described in terms of event and condition. Next, theformal semantics of events and conditions is illustrated with the concepts of assignment andcontext, and then the temporal consistency of a delegating request is defined. To processdelegating requests internally, the regular forms of events and conditions are defined, and some related properties and theorems are proved. Then the regularizing, comparing anddetecting algorithms are given for events and conditions. Eventually, the processing flow forthe validation and enactment of delegations is built. Using a group of examples, theexpression power of the delegation syntax and the feasibility of the internal processingmechanism are validated. Comparing to those general event models, the delegation syntax isquite easier to use and popularize since it is oriented to specific requirements. Moreover, thelogic defects caused by the inappropriate application of the detection semantics are avoidedbecause events and conditions are modeled respectively and the instantaneity of events isensured.4. A task-role association based access control approach is proposed to address thewidespread and long-stand issure of repetitive authorizations among tasks in active accesscontrol models and to support the collaboration of multiple roles within a task at the sametime. The definition of function association with specialization and management relations isgiven by deeply analyzing the traditional relation of role-task assignment. Inference rulesabout the two relations on function associations are obtained from the components andattributes of function associations, and then authorizations are divided into two types ofbusiness and management based on the inheritance on the two relations. Thusauto-configurable authorization structures are established. Furthermore, the fine-grained andgeneralizable SoD constraints are defined. Comparisons with related work on the workflowsof software development and paper review show that repetitive authorizations among taskscould be effectively reduced.5. The task classification and role hierarchy based3-steps authorization integrates the twoaccess control paradigms of active and passive ones. But the scalability of the related modelsis degraded remarkably by repetitive authorizations between tasks, confliction between taskinheritances along multiple role hierarchies, repetitive expressions of task constraints.Therefore an enhanced active/passive integrated access control model is proposed in thispaper. First, the classification of active/passive tasks is fine-grained through extendablesubdivision of role hierarchy, thus many kinds of task assignments can be simplifiedoptionally. Secondly, task generalization based authorization inheritance and constraintcoverage mechanisms are introduced, thus repetitive authorizations and constraints can beeffectively reduced. Thirdly, a group of semantic coverage rules of completeness andsoundness are presented, which provide grounds for automatic constraints simplification, etc.Finally, multiple-granularity permission activation mechanism and dynamic exclusionsredundancy detecting algorithm is presented to remove unnecessary cost in access checking and to compensate efficiency loss which might be brought by scalability enhancing. Theauthorization and constraint scalability of this model is validated using an example ofsoftware project.