CH Fang,W Peng,XZ Ye,SY Zhang

DOI: https://doi.org/10.1109/cscwd.2005.194248

2007-01-01

Journal of Software

Abstract:Access control is one of the key steps to ensuring the availability, confidentiality and integrity of system resources. While it has been fully applied in various network systems, it's still relatively new for collaborative CAD. This paper provides a new framework of multi-level access control for collaborative CAD based on hierarchical product modeling. A layered privilege model (LPM) has been developed to provide multi-granularity access permissions in the part level and feature level. An extended hierarchy role-based access control (EHRBAC) is implemented, integrated with LPM and common Hierarchy RBAC, to provide hierarchical access control of collaborative feature modeling in the component/part level and design feature level. Mesh simplification techniques are used to create variable level-of-detail for individual features.

LI Jinyan,YU Zhonghua

DOI: https://doi.org/10.13196/j.cims.2017.06.009

2017-01-01

Abstract:With gradual improvement of collaborative manufacturing mode,the played an important role for the adjustment of organizational structure and business process reengineering.How to balance the To solve the problem that collaboration oriented flexible workflow should combine flexibility and security in dynamic environment,according to the characteristics of collaborative,the concept of team was introduced based on the hierarchical authorization management to realize the combination of role-based static authorization and task-based dynamic control,and a novel access control model was proposed for cooperation-oriented flexible workflow.As for the potential conflict of constraints at different levels due to the flexibility and cooperation,task-based separation of duty was provided,so as to better solve the problem of information security and access control for flexible workflow in dynamic environment.

Ran Yang,Chuang Lin,Yixin Jiang,Xiaowen Chu

DOI: https://doi.org/10.1109/GLOCOM.2011.6134072

2011-01-01

Abstract:In the service-oriented computing, a single transaction initiated by a client might invoke many different services in other administrative domains. Existing models for authorizing the access assume that all services involved in collaboration are managed by the central authority, which is not always a realistic premise. In this paper, we propose a novel authorization model for dynamic service collaboration. With the authorization discovery process, the client can discover the needed authorization for service access available in other autonomous domains. With extensions to SoD relationship, the conflicts of client interests can be formalized and expressed as constraints. The authorization problems are formalized to choose the optimal access path for each task. At last, the example and experiments show the practicality and the effectiveness of our scheme.

袁平鹏,陈刚,董金祥

DOI: https://doi.org/10.3321/j.issn:1003-9775.2004.04.006

2004-01-01

Abstract:An access control paradigm composed of basic model and role model is proposed for collaborative applications. Basic model specifies the relationship among privileges and the way of ranking privileges. It relates privilege with operations on the objects, so the model appears more straightforward. Moreover, if Brokers' implementation permits, the model can support any grained access control. Role model re-defines the role concept of RBAC96, divides the permissions of role into public permissions, protect permissions and private permissions. It allows user to define roles more flexibly, prevents private permissions of roles from being inherited and reduces the definition of ancillary roles.

李凤华,王巍,马建峰,刘宏月

DOI: https://doi.org/10.3321/j.issn:1000-436x.2008.09.017

2008-01-01

Abstract:The authorization decision on resources is the major problem in collaborative information systems.Firstly,the term "action" was defined based on roles,temporal states and environmental states,and the action-based access control（ABAC） model was presented.Then,the access control mechanism based on ABAC for collaborative information sys-tems was introduced.The security association was defined and its producing procedure was proposed,which contains security properties such as user request,user identity,password,role,temporal state,environmental state and lifetime.Finally,to exchange the security properties among user,action server and resources management server,a secure authen-tication protocol was proposed,and its security was proven under the universally composable model.

Zhiyong Zhang,Tao Huang,Qingtao Wu,Jiexin Pu

DOI: https://doi.org/10.4028/www.scientific.net/kem.460-461.96

2010-01-01

Advanced Materials Research

Abstract:Nowadays open and distributed Computer Supported Cooperative Work (CSCW) systems are faced with security challenges due to large numbers of cooperative users, and a mass of valued data resources need to be protected against unauthorized usage, disseminations and share. To this end, role-based collaboration framework and access control approaches have been a focus in recent years, but there lack of a holistic and comprehensive model and visual modeling. We proposed and formalized a CSCW-enabling access control model integrating generic centralized authorization and distributed authority delegation, called IACM (Integrated Access Control Model) for CSCW, based on the cooperative roles and their owned activities. And then, the visual modeling was represented with static and dynamic characteristics, with a goal to narrow the gap of the formalized model and application level. Finally, an application in the collaboration system for equipments manufacture designing was implemented to improve security of the role-based centralized authorization management by using the authorization constraint rules, and to enhance the collaborative capability based on the user-side delegation mechanism, effectively guaranteeing CSCW system security and authorization management efficiency.

Guang-can YU,Rui-xuan LI,Zheng-ding LU,Wei SONG,Zhuo TANG

DOI: https://doi.org/10.3969/j.issn.1002-137X.2009.01.019

2009-01-01

Computer Science

Abstract:Collaborating systems require an appropriate authorization model to specify and maintain policies that not only facilitate group activities but also enforce restrictions and accountability.It is a great challenge to provide appropriate authorization models for collaborating systems.Existing models fail to incorporate adequately authorization decisions into the rich notion of context and all kinds of authorization constraints that are inherent to any collaborative settings.We presented the locale-based access control (Locale-BAC) model in collaborative environment.Some major components,such as roles,permissions and locales,were redefined in Locale-BAC model.Our model combines global access control policies and discretionary access control policies of collaboration locales to provide a flexible and hierarchy authorization mechanism.

Li Mujun,Shen Lianguan,Zhao Wei,Wang Xiaodong,J. J. Zheng

2006-01-01

Abstract:Interoperability is very important in a distributed heterogeneous environment. But co-operative actions may cause conflictions, which will lead to different meanings or failure of the operation. Hence, how to maintain the consistency of the design data among the designers with good responsibility is of utmost importance in the synchronous collaborative design system. In the process of real-time coll aborative design, the main design data is the entities which are created and modified in the period of design and red-mark discussion. In view of this point, an entity-based access control mechanism is proposed, and its related authorization methods are discussed. The requirements that may need to be taken into consideration in the synchronous interactions are investigated. Some basic concepts of access control and the data model are specified. And then mechanisms of the confliction avoidance, detection and elimination are studied to guarantee the co-operations to be executed properly and efficiently. Applications of the access control model in the WebCAD, a web-based and real-time environment for the synchronous collaborative design, are also introduced to validate its practicability and effectivity.

Yuqing Sun,Chen Chen

DOI: https://doi.org/10.1007/978-3-642-23620-4_26

2011-01-01

Abstract:In dynamic collaboration, participants oftentimes need to share resources with each other under the same criteria. However, since each participant has its own authorization policies as a way of controlling resource access, their discrepancies make such collaboration difficult. It is desired to develop a practical and automatic way to generate the collaborative policies for coequal authorizations. In this paper, we investigate this problem by proposing an authorization framework based on the widely adopted XACML policy. Each practical XACML policy is converted into Boolean expressions and further refined as a set of atomic rules against the policy structure. With the rule set, the combination algorithms in policies and the collaboration preference of participants, the collaborative authorization policy is automatically generated. We analyze the consistency of the collaborative policies with previous authorization policies. Some experiments are performed to exam our approach and show that it can efficiently solve the problem of coequal authorizations.

Feng Liang,Haoming Guo,Shengwei Yi,Shilong Ma

DOI: https://doi.org/10.4304/jnw.7.3.524-531

2012-01-01

Abstract:In order to collaborate large numbers of heterogeneous distributed devices over multiple domains within a modern large-scale device collaboration system, a fine-grained, flexible and secure approach is required for device authentication and authorization. This paper proposed a Multiple-Policy supported Attribute-Based Access Control model and its architecture to address these demands. With eXtensible Access Control Markup Language standard, this model exceeds the traditional Attribute-Based Access Control Model by providing cross-domain authentication and authorization, hierarchical policy combination and enforcement, unified device access control and fine-grained attributes-based privilege description. Experiments show the performance of this architecture is acceptable within production environment.

Yi-sheng AN,Bing-jie LUO,Xiang-mo ZHAO,Ren-hou LI

DOI: https://doi.org/10.3969/j.issn.1001-3695.2012.09.033

2012-01-01

Abstract:To assure activity based dynamic assignment and retrieve of cooperative permission in multi-user environment,this paper proposed an activity sequence based access control model,and provided CPNs based modeling and analyzing issues.In this model,it divided the shared cooperative document and view space according to the sequence of interdependent activities,and associated the cooperative activities with the assignment and retrieve of role.Therefore,it solved the problem of authorized users with persistent permissions to specific object in traditional access control.Finally,gave an example of applying cooperative roles to indicate how to implement the dynamic assignment and retrieve of cooperative permission.

Wenxin Li,Jingsha He,Nafei Zhu,Shuting Jin,Da Teng

DOI: https://doi.org/10.1504/ijsn.2021.119393

2021-01-01

International Journal of Security and Networks

Abstract:There are currently many types of access control models and schemes that have been proposed to protect valuable resources in a distributed environment. Many such models have failed to take into consideration efficiency, security, practical implementation and management at the same time. Based on the analysis of conventional certificate-based access control characteristics, this paper proposes an authorisation certificate-based access control (ACBAC) model to realise access control in a distributed environment. Employing certificates in access control can help meet the various requirements in distributed networks or systems while ensuring security to a great extent. Efficiency and security can thus be improved by delegating the functions of making access authorisation decisions to the certificate issuer (CI). We will formally describe the model, introduce the application scenarios and the processes of the model, and provide the details of implementation. Finally, the effectiveness and superiority of the model is verified through experiment and analysis.

Yanxia Liu

2011-01-01

Computer Integrated Manufacturing Systems

Abstract:The 3-step authorization mechanism based on task classification and role hierarchy integrates two access control paradigms of active and passive ones.But the scalability of the related models was seriously affected by repetitive authorizations among tasks,conflicts among task inheritances along multiple role hierarchies and repetitive expressions of task constraints.To deal with these problems,an enhanced active-passive integrated access control model was proposed.The classification of active/passive tasks was refined through extendable subdivision of role hierarchy,thus many kinds of task assignments could be simplified flexibly.Task generalization based authorization inheritance and constraint coverage mechanisms were introduced to reduce repeatitive authority and constraint among tasks.The basis was provided for automatic constraints simplification by a set of correct semantic overlay rules.Finally,multiple-granularity permission activation mechanism and dynamic exclusions redundancy detecting algorithm was presented to eliminate unnecessary cost in access checking and to compensate efficiency loss brought by scalability enhancing.

WANG Hong-xiu,WANG Gang,WEN Xiao-xian,GAO Guo-an

DOI: https://doi.org/10.3969/j.issn.1000-3428.2008.17.063

2008-01-01

Abstract:To guarantee access security in network collaborative enterprise modeling systems,establishing access control function is in demand.Based on study of the role-based access control,discretionary access control and mandatory access control,combined with the characteristic of the collaborative enterprise modeling system,a role and task based dynamic access control with limitation of the enterprise model node state is proposed.In this method,user's position,the tasks performed by this position and the role are confirmed,the corresponding model node status are examined.And the access authorization is established.These are convenient for realizing the grained security administration to users and objects.Based on the specification,system realization method is presented.

Yingying Su,Jianrong Wang,Shuang Liang,Liang Tang

DOI: https://doi.org/10.1109/IITA.2008.567

2008-01-01

Abstract:Aimed at security issues in collaborative process planning system, a multi-level and dynamic access control (PPMLDAC) model was proposed for collaborative process planning based on role based access control (RBAC) model. A multi-level permission model was discussed on the basis of product and task decomposition level structure. New concepts of permission and permission assignment were defined for enriching the expression ability and simplifying the permission assignment to realize access control of the system. Moreover, permission state was defined and permission state migration was brought into PPMLDAC model for user permission changing along with the change of collaborative process planning environment. Working team was presented to enhance the management of users and meet the requirements of dynamic change for the staff in collaborative process planning environment. Based on the practice, PPMLDAC model was efficient to control collaborative operations and improve the system security.

Bo Yu,Lin Yang,Yongjun Wang,Bofeng Zhang,Linru Ma,Yuan Cao

DOI: https://doi.org/10.1007/978-94-007-5699-1_98

2012-01-01

Abstract:Service composition has become the main style of cross-domain business collaboration environments, and security issues prohibit the widespread use of composite services. Based on attribute, this paper presents a multiple policies collaborative access control model which combines the attribute policies of composite service, component services and user domain. This model can provide fine-grained access control for service composition and support collaborative authorization based on business attributes in business collaboration environments while keeping the standalone of component service access control. The analysis result shows that this model not only satisfies the access control requirements of business process in composite service, but also provides fine-grained access control for component services. © 2012 Springer Science+Business Media.

Yong-he WEI,Chen-gen WANG,Qi-lin SHU,Ming-xu MA

DOI: https://doi.org/10.3321/j.issn:1005-3026.2008.03.022

2008-01-01

Abstract:Analyzing what are required for the access control of workflow, an access control model for task-oriented workflow is put forward, in which the idea of authorized task in order to separate the relation between roles and permissions. An authorization task is introduced to make the executive roles in no relation to authority, where the authority least approved to execute a task and the role assigned to execute the task are both the attributes of task authorization. The model also defines the conflict relationship between different tasks, then gives the dynamic constraint rules on the authorization to ensure and enforce the implementation of security strategies. In this model, the authorization flow is synchronized with workflow so as to meet the access control s requirements of dynamic authorization, authority least approved and separation of responsibility from duty. Differing from existing models, in the proposed model the separation of authority from executive role cancels the coupling of organizational model with workflow model.

Bo Tang,Ravi Sandhu,Qi Li

DOI: https://doi.org/10.1002/cpe.3446

2013-01-01

Abstract:The cloud service model intrinsically caters to multiple tenants, most obviously in public clouds but also in private clouds for large organizations. Currently most cloud service providers (CSPs) isolate user activities and data within a single tenant boundary with no or minimum cross-tenant interaction. It is anticipated that this situation will evolve soon to foster cross-tenant collaboration supported by Authorization as a Service (AaaS). At present there is no widely accepted model for cross-tenant authorization. Recently, Calero et al [12] informally presented a multi-tenancy authorization system (MTAS) which extends the well-known role-based access control (RBAC) model by building trust relations among collaborating tenants. In this paper we formalize this MTAS model and propose extensions for finer-grained cross-tenant trust. We also develop an administration model for MTAS (AMTAS). We demonstrate the utility and practical feasibility of MTAS by means of an example policy specification in XACML. We anticipate researchers will develop additional multi-tenant authorization models before eventual consolidation and unification.

Zou Linghao,Guo Dongming,Gao Hang,Sun Changle

DOI: https://doi.org/10.3321/j.issn:1004-132X.2009.20.015

2009-01-01

Abstract:The existing access control models can not completely meet the requirements of cooperative products development nowadays. Based on the task and role access control model and analyzing requirements of access control for cooperative product development,the paper refered to and expanded the mandatory access control strategy, a new mixed access control model was proposed, which faced the cooperative product development and gave the definition of the model and basic rules. The application on the access control of cooperative product development system for model aircraft design and manufacture shows the effectiveness of proposed method.

MA Chen-hua,WANG Jing,QIU Jiong,LU Guo-dong

DOI: https://doi.org/10.3785/j.issn.1008-973x.2010.12.011

2010-01-01

Abstract:Access control models proposed so far provide no support for context-based dynamic authorization and flexible authorization policy definition for tasks.To address these issues,a flexible context-constraint-based access control model was proposed for workfolws.The concepts of contextconstraint-based role assignment policy and context-constraint-based role authorization policy were defined.The interrelationships between policies were analyzed and the conflicts exhibited by policies were classified.Static and dynamic conflict detection methods were provided to maintain the consistency of policies.By the introduction of two new concepts,priority rule and conflict resolution policy,a flexible approach to resolve conflicts were provide.The security administrator can choose the method of resolving conflicts flexibly according to system requirements by defining priority rules and conflict resolution policies.Furthermore,the role assignment algorithm and the authorization decision algorithm based on the minimum sets of role assignment policies and role authorization policies were given.The model provides support for context-based dynamic authorization,automatic user-role and role-permission assignment.