CPN-Based Specification and Verification for RBAC with Temporal Constraints

Posted on: 2011-04-24
Degree: Master
Type: Thesis
Country: China
Candidate: G L Zhao
Full Text: PDF
GTID: 2198330338989499
Subject: Computer Science and Technology
Abstract/Summary:
With the development of modern information technology, information, as an important resource, is continuously subjected to all kinds of external and internal threats, and access control is an important measure for protecting it. In recent years, role-based access control (RBAC), an advanced and efficient access control method, has been widely used.

Although RBAC policy has many advantages, many real-world application requirements, such as time constraints, are difficult to describe with RBAC. In real applications, we are likely to want to allow certain permissions to be used only at a certain time, or to restrict the activities of some users to a certain time. This means that RBAC policy needs some adjustment. In other words, the problem solved by access control is "who has the power to do something", and our research topic is "who has the power to do something, in what way and at what time". An RBAC policy with temporal constraints is not always safe: once the temporal factor is added, new conflicts appear in the policy. How to find and eliminate the unsafe factors in an access control policy is a subject worth studying.

First, this paper lists in detail all the types of temporal constraints that can be added to an RBAC policy. We then combine temporal constraints with all modules of the RBAC model, including role validity, role assignment, role hierarchy, separation of duty, cardinality constraints and so on. The new RBAC policy can describe various temporal constraints and can appropriately describe the behavior of common access control with temporal constraints.

Second, this paper presents a security analysis method for RBAC policy with temporal constraints. The method models the RBAC policy with a colored Petri net and finds the conflicts that exist in the policy by analyzing the Petri net model. The Petri net is a very appropriate modeling tool for analyzing RBAC policy. This paper describes the process and details of modeling RBAC policy with temporal constraints using the colored Petri net, and also presents the method for analyzing the Petri net models. We then validate our model and analysis method with a medical management policy example, and the method proves efficient.

Finally, this paper describes in detail a design method for a time-constrained, RBAC-based security access control system. The system is based on the standard RBAC model, with some temporal constraints added. The system generally meets the access control requirements for temporal constraints.
Keywords/Search Tags: RBAC, temporal constraints, Petri net, policy security