Research On Access Control Model In Collaborative Environments

With the development of Computer Supported Cooperative Work (CSCW) technology, a group of users from geographically dispersed can work together for the same goal. Because of unpredictable interactive mode between collaborative users and collaborative systems, some especial security problems must be solved. In collaborative environments, access control faces more challenges, not only should it prevent outside invasion but also prevent inter unauthorized access. CSCW is widely used in many application fields, and representative applications include workflow, OA, military commanding automatization etc. Appropriate access control models are needed to ensure security of the applications.In this paper access control models in collaborative environments are surveyed. Based on the analyses of security requirements in collaborative environment, several access control models are proposed, and these models are validate through formal prove or prototype systems.The locale and role based access control model in collaborative environments is proposed based on the role based access control model and the locale based access control model. Some major components, such as roles, permissions and locales, are redefined. The model combines global access control policies and discretionary access control policies of collaboration locales to provide a flexible and hierarchy authorization mechanism.A multilevel collaborative access control model applied to the tree like hierarchy organizations is proposed based on the famous Bell-LaPadula (BLP) model. Hierarchy relations among departments are built and a new concept named"post"is proposed, it is greatly simplified to assign security tags to subjects and objects. The interoperation among different departments is implemented through assigning multi security tags to one post, and the more departments are close on the organization tree, the more secret objects can be exchanged by staffers of the departments. The access control matrixes of department, post and staffer are defined, making use of the three access control matrixes multi granularity and flexible discretionary access control policy is implemented. The outstanding merit of BLP model is inherited, the model can promise all information flow is under controlled, and compared to BLP model the proposed model is more flexible.A locale based distributed authorization model applied to workflow system is proposed, the model can support some application scenes that others models can't support. The authorization of workflow system is divided into two steps. The first step is to choose executing locales for activities of workflow, both directly assigning method and data driven method can be used to choose executing locale for activities. The second step is that administrators of locales assign executers to activities based on security policies of locales, both authorization rules and directly assigning methods can be used to choose executors for activities. Through the two steps, the distributed authorization of workflow system is implemented.A feature based spatial data access control model is proposal. The model is composed of a basic authorization module and an authorization constraints module. The authorization fashion of the basic authorization module is coarse granularity but simple, the goal of the basic authorization module is let users have enough privileges to do their works. The authorization constraints module limits scope of privileges in given geographical areas or geographical objects set. The two modules cooperate to implement flexible and fine granularity access control. And a distributed authorization administration model is proposal according to principles of the smallest privileges and separation of duties.A system prototype is developed for military commanding automatization, and the access control models proposed in the paper are applied to the prototype and are verified in real works.