Research On Policy Integration Mechanism Of Hybrid Hierarchy Based Multi-domains

Posted on: 2012-12-07
Degree: Master
Type: Thesis
Country: China
Candidate: X Zhou
GTID: 2218330362459300
Subject: Communication and Information System

Abstract/Summary:
With the development of network technology and social organization, the need for information sharing and interoperation between distributed systems is becoming more urgent and frequent. Unlike ordinary Web service and grid computing systems that work in a multi-domain environment, in a distributed collaboration environment each organization domain has its own access control policies, and it not only aims at sharing resources but also emphasizes security during interoperation. Providing and ensuring a secure mechanism for multi-domain interoperation is essential and has become a research focus. The problem can be abstracted as follows: in a distributed collaborative environment, how can interoperability between the domains be maximized while the principles of security and autonomy are upheld? The Role-Based Access Control (RBAC) model offers role hierarchy, separation of duties, least privilege and other flexible features. Because it is convenient to manage and matches the structure of social organizations, RBAC is more suitable than traditional access control models for applications in a distributed collaborative environment.

This paper proposes, for multi-domain RBAC systems, a reliable static policy integration mechanism that consists of role mapping and conflict resolution modules. Its goal is to maximize inter-domain access while fully meeting the security and autonomy principles. Introducing the concept of equivalent permissions makes the goal of the policy integration module clear. Introducing the direction, inheritance type and non-transitivity features of the role mapping allows the conflict resolution module to be split into several 0-1 programming problems in order to obtain an optimal global policy. The integration mechanism supports hybrid hierarchy, static SOD and dynamic SOD constraints. Absolute security is emphasized: the security of the integrated policy is not affected by user-role assignment. Because the algorithm is efficient, dynamic changes in the distributed collaboration environment are easily handled.

Then, a C++ based simulation system is designed and implemented for distributed RBAC domains. The logic layers of this system consist of a policy record layer, a policy abstraction layer and a policy management layer. The policy record layer deals with reading and writing operations on policy files. The policy abstraction layer implements the RBAC core elements, role hierarchy and separation of duties using C++ class definitions. The policy management layer provides various function interfaces for simulation needs, and new functions can be added for further research.

Finally, the policy integration algorithm proposed in this paper is implemented using the interfaces provided by the policy abstraction layer, and its call function is added to the policy management layer. Specific examples and a comparative performance analysis demonstrate the correctness and efficiency of the algorithm.
Keywords/Search Tags: Policy integration, multi-domain interoperation, role based access control (RBAC), cyclic inheritance, separation of duties (SOD)
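The following C++ sketch is an added illustration, not code from the thesis or its simulation system: it shows the detection step that a conflict resolution module has to start from, finding which cross-domain role mappings introduce cyclic inheritance or a separation-of-duties violation. It assumes a simplified model (roles named `domain:role`, one inheritance type, SOD as role pairs, and "cyclic inheritance" read as a role gaining a role of its own domain only by passing through a foreign domain); `findConflicts` and the other names are hypothetical.

```cpp
#include <map>
#include <set>
#include <string>
#include <utility>
#include <vector>

using Role  = std::string;                     // constructed naming: "domain:role"
using Graph = std::map<Role, std::set<Role>>;  // senior -> directly inherited juniors
using Pairs = std::vector<std::pair<Role, Role>>;

static std::string domainOf(const Role& r) { return r.substr(0, r.find(':')); }

// Every role whose permissions `start` holds: itself plus all transitive juniors.
static std::set<Role> reach(const Graph& g, const Role& start) {
    std::set<Role> seen{start};
    std::vector<Role> todo{start};
    while (!todo.empty()) {
        Role r = todo.back();
        todo.pop_back();
        auto it = g.find(r);
        if (it == g.end()) continue;
        for (const Role& j : it->second)
            if (seen.insert(j).second) todo.push_back(j);
    }
    return seen;
}

// Conflicts that appear only once cross-domain `mappings` are merged into `local`.
std::vector<std::string> findConflicts(const Graph& local, const Pairs& mappings,
                                       const Pairs& sod) {
    Graph merged = local;
    std::set<Role> roles;
    for (const auto& m : mappings) merged[m.first].insert(m.second);
    for (const auto& kv : merged) {
        roles.insert(kv.first);
        roles.insert(kv.second.begin(), kv.second.end());
    }
    std::vector<std::string> out;
    for (const Role& r : roles) {
        const std::set<Role> before = reach(local, r), after = reach(merged, r);
        for (const Role& t : after)  // home-domain role gained via a foreign domain
            if (domainOf(t) == domainOf(r) && !before.count(t))
                out.push_back("cyclic-inheritance " + r + " -> " + t);
        for (const auto& p : sod)    // both halves of an SOD pair now held together
            if (after.count(p.first) && after.count(p.second) &&
                !(before.count(p.first) && before.count(p.second)))
                out.push_back("sod-violation " + r + " holds " + p.first + " + " + p.second);
    }
    return out;
}
```

Each reported conflict names the role whose effective permissions changed, which is the input a resolution step needs when deciding which mapping to drop.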