
Research And Implementation On A Constraint-Based Access Control Model

Posted on: 2005-11-12
Degree: Master
Type: Thesis
Country: China
Candidate: L Zhu
GTID: 2168360122494112
Subject: Computer software and theory

Abstract/Summary:
With the rapid evolution of electronic information systems and the emergence of digital library environments, information security is becoming more and more important, and access control is one of its key parts. Unlike a traditional database system environment, the main characteristic of a digital library or large electronic information system is that it accepts a huge number of dynamic visitors. This paper proposes a Constraint-Based Access Control (CBAC) model, which is not based simply on user identity but also establishes access control policies on user qualifications and characteristics.

This paper first reviews the currently mature access control implementations (Matrix, Lists and Capabilities) and access control models (Discretionary Access Control, Mandatory Access Control and Role-Based Access Control). It then puts forward a Constraint-Based Access Control model to meet the requirements set by the main characteristics and dynamic changes of authorization management and access control in current application environments. The basic constitution and framework of the CBAC model are introduced, and a formal language to describe the security policy of the CBAC model is proposed. This paper also establishes the grammar and criteria to uniformly describe the user characteristic constraint conditions and time constraint conditions of the CBAC model, and provides the design scheme and detailed algorithms of CBAC.

Building on the traditional access control model, the CBAC model introduces the "User Credential Type" as the new subject, which carries the description of characteristic constraint conditions based on the concept of "group". The model brings forward hierarchies of user credential type, object and privilege, and the propagation rules of those hierarchies. At the same time, the description of user characteristic conditions provides more flexible description and constraints for users belonging to the same user credential type.

The authorization administration of the CBAC model contains two parts: Static Permission Administration (SPA) and Dynamic Permission Administration (DPA). SPA is similar to the permission administration in a centralized model, while DPA is similar to limited decentralized permission administration; it also includes positive delegated-permission and negative blocked-permission, and has a time constraint. The introduction of Dynamic Permission Administration with a time constraint makes the access control security policy more flexible, and it can meet part of the dynamic changes and requirements in authorization administration.

This paper also introduces the detailed implementation algorithms of the CBAC model. An example application of the CBAC model is given in the environment of a Campus Library Information System, and the system was implemented with Java and Oracle.

Finally, this paper summarizes the CBAC model and gives possible future directions.
Keywords/Search Tags:Information Security, Access Control, Constraint-Based Access Control (CBAC), User Property Constraint, Time Constraint, Privilege Management.