
Research On Key Technologies Of Access Control Combined Attribute With Role

Posted on: 2019-05-08
Degree: Master
Type: Thesis
Country: China
Candidate: C Zhou
GTID: 2428330566471001
Subject: Software engineering
Abstract/Summary:
Role-based access control (RBAC) is a widely used access control model. By introducing the concept of a role between users and privileges, it simplifies the management of user privileges and reduces system overhead. However, with the advent of cloud computing and the Internet of Things, a user's static permissions are no longer the only basis for an access decision, so traditional RBAC has difficulty meeting access requirements. The attribute-based access control (ABAC) model takes attributes as access control parameters and takes into account a variety of factors in the access scenario, making access control dynamic and flexible. However, ABAC is also more complex than RBAC in terms of auditing, because analyzing policies and reviewing or changing user permissions are very arduous tasks. Moreover, the ABAC model is still in the research stage and there is no mature model that can be implemented. For large-scale environments, RBAC and ABAC both have known limitations, but they can provide complementary features to each other. Therefore, the integration of RBAC and ABAC has gradually become a hot research area in recent years. This paper focuses on the integration of attributes and roles. The main work is as follows:

1. Attributes are the core element of attribute-based access control. To address the attribute screening problem, an attribute screening method based on knowledge judgment and formal context reducible elements is proposed. First, the attributes are classified, and the attribute expression and its priority are defined, which achieves a simple description of attributes and policies. Second, based on the knowledge of the administrator, an attribute shrinking method is put forward to convert a large attribute assignment set into a relatively smaller one, which implements the transformation of non-policy attributes into policy attributes. Third, an attribute reduction algorithm based on the formal context reducible element is designed to delete reducible elements in the policy attributes that are difficult to recognize. Finally, the effectiveness of the method is verified by examples.

2. Roles are the core element of role-based access control. To address the role mining problem, a semantic role mining algorithm based on formal concept analysis is proposed. First, the user-permission concept lattice is generated based on formal concept analysis. The user-permission concept lattice is reversed and mapped to an initial candidate role state, and the final role state is mined by reduction and pruning operations. Then, the user-attribute concept lattice is generated based on formal concept analysis. After that, the most approximate expressions are defined to give semantic meanings to roles by analyzing the similarity between the user-permission concept lattice and the user-attribute concept lattice. The generated roles have a clear structural hierarchy and semantic meanings. Finally, the experimental results verify the correctness and effectiveness of the proposed algorithm.

3. The integration of attributes and roles can achieve a better access control model. To solve the problem that existing methods cannot meet dynamic, flexible, fine-grained and auditable access requirements at the same time, an attribute- and role-based tri-layer hybrid access control model is proposed. First, the basic idea of the tri-layer hybrid access control model is introduced and first-order logic is used to formally describe the model. Then, the access control workflow is introduced, and the preparation and decision stages of the model are described step by step. Lastly, the performance and security of the model are analyzed.

4. Based on the above key technologies, a prototype access control system combining attributes with roles is designed. The system implements attribute screening, role mining, automatic attribute-based user-role and role-permission assignment, and attribute-based permission filtering. It follows the principles of least privilege and separation of duties, meets the needs of large-scale environments, and has high practical value.
Keywords/Search Tags: Role-based access control, Attribute-based access control, Attribute screening, Role Mining