
Research On Key Technologies Of Access Control For Business Process

Posted on: 2013-08-21
Degree: Master
Type: Thesis
Country: China
Candidate: Z Shang
Full Text: PDF
GTID: 2248330395480534
Subject: Military communications science
Abstract/Summary:
A business process can be described as a series of activities that are completed by different people to achieve a specific target; it can be seen as a method of service composition. Through a business process, Web services from different organizations and enterprises are combined as a whole according to business needs to complete a specific task. As business processes have become widely used, their access control problems have received more and more attention in recent years.

The goal of this thesis is to provide dynamic, flexible and extensible access control for business processes. By analyzing the requirements of access control for business processes, this thesis explores in depth the key technologies in access control, such as the access control model, the delegation mechanism and the access control policy. The main work is as follows.

1. A Task and Attribute Based Access Control model, called the TABAC model, is proposed. To meet the dynamic access control requirements of business processes, a task and attribute based access control model is brought forward by integrating the advantages of the TBAC and ABAC models. The formal definition of the model is given, including the main elements, relations, rules and working processes. The dynamic character and reasonableness of the model are analyzed with graph transformation. When introduced in actual applications, the TABAC model adapts better to the dynamic access control requirements of business processes compared with other models.

2. An Attribute Restricted Delegation Mechanism for business processes, called ARDM, is put forward. In order to improve the flexibility of permission management in business processes, ARDM is proposed to allow users to transfer their permissions. In ARDM, the owners of permissions can transfer their power to execute tasks in a business process to other users through delegation. In order to solve the problem of arbitrariness in delegation, ARDM introduces a prerequisite condition, a delegatee condition and a revoke condition to constrain the capability of delegators and delegatees. In order to ensure consistency, this thesis analyzes three types of conflicts in delegation, discusses the reasons for the conflicts, and designs conflict detection and resolution methods.

3. Delegation-supported access control policy for business processes is researched. Aiming at managing policies according to the state of the business process, a policy enforcement process is designed based on the XACML standard. By extending the policy schema of XACML, both access control policy and delegation policy can be described, and least privilege at the task level can be achieved. In order to reduce the time cost of policy decisions when the numbers of unrelated policies and delegation policies are large, two methods are proposed that reduce the numbers of matching policies and policy elements.

4. Key modules of access control for a document flow system are designed and implemented. By analyzing the requirements of a document flow system based on WS-BPEL, this thesis proposes an access control framework and gives the implementation method of the management module, the policy management module and the access control enforcement module.
Keywords/Search Tags:Business Process, Access Control, Permission Delegation, Policy, XACML, WS-BPEL