
Research On Bilateral Intentions Based Delegation Agreement

Posted on: 2011-08-26
Degree: Master
Type: Thesis
Country: China
Candidate: R R Gao
GTID: 2178360305451609
Subject: Computer application technology

Abstract/Summary:
Access control is an effective way to protect information systems: it allows only authorized users to access system resources, and it protects the system from being compromised by illegal users or by illegal operations of authorized users. Delegation is an important form of authorization in which the delegator grants his own permissions to the delegatee so that the delegatee can carry out the tasks and work assigned by the delegator. Delegation can improve the efficiency and flexibility of authorization management. Existing research has proposed various delegation models and solutions that focus on permanence, levels of delegation, multiple delegation, totality, revocation of delegation and so on, but most existing delegation models adopt a unilateral delegation agreement, which is carried out based only on the delegator's intention. Such a scheme is not a truly bilateral delegation agreement. This kind of delegation model suits only organizations with clear hierarchies and high implementation capacity, such as military organizations and governments, and it may cause an imbalance of system resources. Bilateral delegation, which takes the requirements of both delegator and delegatee into account at the same time, brings delegation in line with users' requirements, improves the validity of delegation, balances the load on system resources, and improves the operational efficiency of the system, so it has practical significance.

To solve the problem, this paper gives a detailed analysis of existing access control models and delegation mechanisms, discusses the requirements for achieving a bilateral delegation agreement, and then proposes the concepts of delegation intention and intention matching.

Based on security and business requirements, delegation intentions are divided into mandatory intentions and elective intentions: the former are intentions that must be satisfied, such as system security policy and security constraints, and the latter are intentions that should be satisfied as far as possible. For mandatory intention, the paper presents delegation intention logic (DIL), based on a predicate system, to describe the intentions of delegator and delegatee. DIL has strong expressive power for intentions and can express and store delegation intentions effectively. DIL also has strong knowledge-inference ability: it can efficiently match the intentions of delegator and delegatee by deductive inference over the intentions of both sides and so reach a bilateral delegation agreement.

To handle the fuzzy expression and fuzzy matching of intentions that may arise in the process of delegation agreement, we introduce fuzzy theory to extend DIL and propose the concept of intention attribute divergence. We compute the divergence degree of the intention attributes during delegation agreement and obtain the divergence degree of the whole intention through fuzzy inference.

Based on intention expression and matching, we present a delegation agreement model that takes the needs of delegation agreement into account. It can work alongside existing access control models and delegation mechanisms, and the mechanism can realize delegation agreement based on bilateral intentions. We carried out experiments on the Visual Prolog platform and verified the validity and feasibility of the proposed method and model.
Keywords/Search Tags:Access Control, Delegation, Delegation Agreement, Logic