
Research Of Multidomain Access Control Model

Posted on: 2008-02-23 | Degree: Master | Type: Thesis
Country: China | Candidate: X N Liu | Full Text: PDF
GTID: 2178360212993689 | Subject: Computer application technology
Abstract/Summary:
With the development of distributed and network technology, secure interoperation among systems has become an important form of cooperative work: it directly improves work efficiency and also enables resource sharing. Such systems are not only service providers but also consumers of other systems' services, so each system must protect its own resources while complying with the security rules of the systems it interoperates with. Access control implements the security requirements of enterprise systems: it guarantees the normal operation of authorized users and prevents unauthorized access, including access by insiders. In a multidomain environment the security problem is magnified by heterogeneous security policies, large numbers of users, and the absence of a global coordinator. How to configure access control so that it supports interoperation while preserving system security has therefore become a key technical question.

Because of security-policy heterogeneity, such as differences in role and permission naming, in role hierarchies, and in separation-of-duty (SoD) constraints, coordination and information sharing in a multidomain environment are hard to implement. To realize information and resource sharing, we introduce ontologies into multidomain access control. An ontology describes a set of concepts and relations that represent and define domain-specific knowledge. In this thesis we use the ontology description language OWL to formalize the policy ontologies of the different domains and to describe the relations and mappings between them.

Taking the security of distributed-system interoperability in a multidomain environment as its focus, this thesis proposes a mediator-based multidomain access control model. The model takes full account of the alignment of heterogeneous security policies and of mutual access across domains, which matches the actual situation of distributed systems. The biggest difference between a multidomain environment and a centrally managed single domain is cross-domain access; this thesis analyzes the ways in which cross-domain access can violate security constraints, gives formal descriptions of those violations, and designs a detection algorithm for them.

The thesis also designs a prototype multidomain access control system in Java with the Jena toolkit. The off-line part builds a policy ontology in OWL for each domain's access control policy, defines semantic mapping rules, derives a policy-ontology mapping table from those rules, and thereby resolves security-policy heterogeneity at the level of semantic permissions and objects. The on-line part implements request handling, semantic query and translation, and detection of security-constraint inconsistencies.
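As an added example (not code from the thesis, whose prototype is written in Java with Jena), the following Python sketch shows the shape of that on-line check. The two domains keep their own role and permission names; the mediator's off-line alignment is reduced to two hand-written dicts standing in for the OWL policy-ontology mapping table; a cross-domain request is translated into the target domain's vocabulary and tested for SoD conflicts before permissions are compared. All domains, users, roles, permissions and mappings below are constructed sample data.

```python
"""Mediator-style cross-domain RBAC check: an added illustration, not the thesis's
Java/Jena prototype. The OWL alignment products are reduced to plain dicts and every
domain, user and mapping below is constructed sample data."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

Role, Perm = str, str


@dataclass
class Domain:
    """One autonomous RBAC domain with its own local role/permission names."""
    name: str
    role_perms: Dict[Role, Set[Perm]]   # role -> local permission names
    hierarchy: Dict[Role, Set[Role]]    # senior role -> junior roles it inherits
    sod: Set[FrozenSet[Role]]           # static SoD: role pairs never held together
    user_roles: Dict[str, Set[Role]]    # local user -> directly assigned roles

    def closure(self, roles: Set[Role]) -> Set[Role]:
        """Roles plus everything inherited through the role hierarchy."""
        seen, stack = set(), list(roles)
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.hierarchy.get(r, set()))
        return seen

    def permissions(self, roles: Set[Role]) -> Set[Perm]:
        return {p for r in self.closure(roles) for p in self.role_perms.get(r, set())}

    def sod_violations(self, roles: Set[Role]) -> Set[FrozenSet[Role]]:
        """SoD pairs fully contained in the effective (hierarchy-closed) role set."""
        eff = self.closure(roles)
        return {pair for pair in self.sod if pair <= eff}


@dataclass
class Mediator:
    domains: Dict[str, Domain]
    # Off-line alignment products, hand-written here instead of derived from OWL.
    perm_concept: Dict[Tuple[str, Perm], str]           # (domain, local perm) -> shared concept
    role_map: Dict[Tuple[str, Role], Tuple[str, Role]]  # (src domain, role) -> (dst domain, role)

    def local_perms(self, domain: str, concept: str) -> Set[Perm]:
        """Translate a shared concept into one domain's local permission names."""
        return {p for (d, p), c in self.perm_concept.items() if d == domain and c == concept}

    def mapped_roles(self, src: str, user: str, dst: str) -> Set[Role]:
        """Roles a src-domain user acquires in dst through the inter-domain role mapping."""
        src_dom = self.domains[src]
        acquired = set()
        for r in src_dom.closure(src_dom.user_roles.get(user, set())):
            target = self.role_map.get((src, r))
            if target and target[0] == dst:
                acquired.add(target[1])
        return acquired

    def decide(self, user: str, src: str, dst: str, concept: str) -> Tuple[str, str]:
        """On-line step: mediate a request by `user` of domain `src` for `concept` in `dst`."""
        dst_dom = self.domains[dst]
        wanted = self.local_perms(dst, concept)
        if not wanted:
            return "deny", f"{concept!r} has no counterpart in domain {dst}"
        # Check the union of locally held and mapped roles: each set alone may be
        # clean while their combination completes an SoD pair in dst.
        roles = self.mapped_roles(src, user, dst) | dst_dom.user_roles.get(user, set())
        clash = dst_dom.sod_violations(roles)
        if clash:
            pair = sorted(next(iter(clash)))
            return "deny", f"mapping would let {user} hold SoD-conflicting roles {pair} in {dst}"
        granted = wanted & dst_dom.permissions(roles)
        if granted:
            return "permit", f"{user} gets {sorted(granted)} in {dst} via roles {sorted(roles)}"
        return "deny", f"no role of {user} in {dst} grants {concept!r}"


def build_example() -> Mediator:
    """Constructed sample: procurement domain A and finance domain B."""
    a = Domain("A", role_perms={"clerk": {"create_po"}, "manager": {"approve_po"}},
               hierarchy={"manager": {"clerk"}},  # A lets managers inherit clerk rights
               sod=set(),                         # ...and imposes no SoD at all
               user_roles={"alice": {"manager"}, "carol": {"clerk"}})
    b = Domain("B", role_perms={"requester": {"submit_order"}, "approver": {"sign_order"}},
               hierarchy={}, sod={frozenset({"requester", "approver"})},  # B forbids both
               user_roles={})
    return Mediator(
        domains={"A": a, "B": b},
        perm_concept={("A", "create_po"): "Order.Create", ("B", "submit_order"): "Order.Create",
                      ("A", "approve_po"): "Order.Approve", ("B", "sign_order"): "Order.Approve"},
        role_map={("A", "clerk"): ("B", "requester"), ("A", "manager"): ("B", "approver")})


if __name__ == "__main__":
    m = build_example()
    for user, concept in [("carol", "Order.Create"), ("alice", "Order.Approve"),
                          ("carol", "Order.Approve"), ("carol", "Ledger.Read")]:
        print(user, concept, "->", m.decide(user, "A", "B", concept))
```

The alice case is the heterogeneity the abstract describes: domain A's hierarchy lets a manager inherit the clerk role and imposes no SoD, but the mapped counterparts requester and approver are mutually exclusive in domain B, so a request that each mapping alone would allow is refused. The check runs on the union of the user's locally held and mapped roles; checking the mapped set by itself would miss a user who has an account in both domains.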
Keywords/Search Tags: access control, secure interoperation, RBAC, ontology