Kuang Y. Zeng,Jinxiang Zhang,Jiahai Yang

2006-01-01

Abstract:A new model for policy refinement is presented at the application background of CERNET. Using the properties of access control list (ACL) in this model, the policies described in different specification languages are mapped into access control lists, which are distributed to different network devices to enforce. Thus, the complex transformation logic in traditional policy refinement fashion is simplified, especially, security and access control configuration management can be automated.

Lin Yao,Xiangwei Kong,Zichuan Xu

DOI: https://doi.org/10.1109/NCM.2008.75

2008-01-01

Abstract:Although RBAC models have received broad support as a generalized approach to access control, the administration of roles in large organizations can become quite cumbersome. In this paper, we develop a new paradigm for access control and authorization management, called task-role based access control (TRBAC) with multi-constraint. The basic idea of this model different from traditional RBAC is that roles and permissions are not connected directly but are put together by tasks. It is a dynamic authorization model with fine-grained partition on users, roles, tasks and sessions. The unit of task becomes the permission granularity. It is more convenient for enterprise privilege management such as distributed application,C/S access control and workflow management. It can reduce the administrator's burden and avoid some potential safety hazards because of adopted dynamic authorization.

ZENG Kuang-yi,YANG Jia-hai

DOI: https://doi.org/10.3969/j.issn.1000-1220.2007.02.006

2007-01-01

Abstract:Policy refinement and policy conflict resolution are two of the toughest issues in implementing a policy-based network management (PBNM) system. Based on a brief review of general PBNM theories and specific access control technologies, the paper proposed a novel policy-based network management model, which adopts XML as the high level policy description language, and uses the generalized access control list(ACL) as an intermediate refining mechanism, focusing on network security and QoS management. Some critical issues and their solutions, including policy representation, policy refinement, and policy conflict policy detection, are discussed. A formula representation of the policy conflict issue is given with several important inferences. The effectiveness and efficiency of the model is verified by the implemented prototype.

Xuezeng Pan

DOI: https://doi.org/10.3785/j.issn.1008-973x.2009.08.005

2009-01-01

Abstract:To resolve the problem that the simple combination of BLP and Biba models will lead to poor availability,a confidentiality and integrity dynamic union model based on multi-level security(MLS) policy was presented.The two dimensions of secure model are composed of confidentiality and integrity,on which the security label is separated into write privilege range and read privilege range respectively,whereupon subject's access range is adjusted dynamically according to the security label of related objects and the history situation of the subject's access,improving the agility and practicability of the model.The formal definition of this model was given,and the security was also analyzed with proof.Finally,examples were illuminated to show the effectiveness and usability of this model.

袁平鹏,陈刚,董金祥

DOI: https://doi.org/10.3321/j.issn:1003-9775.2004.04.006

2004-01-01

Abstract:An access control paradigm composed of basic model and role model is proposed for collaborative applications. Basic model specifies the relationship among privileges and the way of ranking privileges. It relates privilege with operations on the objects, so the model appears more straightforward. Moreover, if Brokers' implementation permits, the model can support any grained access control. Role model re-defines the role concept of RBAC96, divides the permissions of role into public permissions, protect permissions and private permissions. It allows user to define roles more flexibly, prevents private permissions of roles from being inherited and reduces the definition of ancillary roles.

JIANG Jie,ZHANG Jie,CHEN De-ren

DOI: https://doi.org/10.3785/j.issn.1008-973x.2009.09.011

2009-01-01

Abstract:An extended context-aware role based access control(RBAC) based on reasoning(RC-RBAC) model was proposed by integrating the single context-aware RBAC and reasoning-based RBAC in order to solve the problems of the Absence of the adjustment and generation of the context-aware condition dynamically and the incapacity of updating the user authorization according to the adjusted constrain conditions in the existing RBAC.The extended model used the rule reasoning to adjust and generate the context constrains dynamically and start the common sensors and the self-defined sensors to collect the attribute values of the conditions.The access permission to the sensitive data was updated in real time based on the context-aware logic reasoning using the user rules and permission rules.The application results show that the extended RC-RBAC model can be employed in the distributed environment to satisfy the need of the dynamic authorization and reduce the real-time access control management complexity.

Li Jing

Abstract:Through policy-based network security management research,this paper analyzed the existing network secu-rity policy conflict detection and resolution method shortcomings.Based on policy refinement of ideas and security policy conflicts classification technology,policy-based network management security-level model was established,with exten-ded XACML language description.According to the relationship between policy behavior,using knowledge reasoning,dynamic layered security corresponding level of policy refinement consistency automatic detection and timely conflict resolution were made,letting it has a good reusability and scalability,and is conducive to the improvement of manage-ment efficiency.Policy-based access control refinement application implementation was verified.Finally,some of the fu-ture research directions were discussed.

Computer Science

Ying-hong WU,Hao HUANG,Qing-kai ZENG

DOI: https://doi.org/10.3969/j.issn.1002-137X.2014.03.001

2014-01-01

Computer Science

Abstract:Policy refinement is an important method to resolve the complexity of distribute access control policy configuration.This article analyzed the existing policy refinement techniques,including their system and policies hierarchical description,their methods to derive the lower levels coordination control policies,their ability of policy conflict analysis and dispel in policy refinement,and the associated attribute analysis methods about the completeness and consistency in policy refinement,the consistency among coordination control policies for defense in depth,the composing and mutual exclusion polices relationship of application.The analysis shows that the key problem that affects refinement ability is lack of policies associated attribute analysis ability.The article further analyzed policies associated attribute analysis of the existing policy conflict analysis techniques,usability of distributed application and calculation expansibility.Based on these analysis we pointed out some research problems which can improve policy refinement ability to adapt the service oriented distributed application.

CH Fang,W Peng,XZ Ye,SY Zhang

DOI: https://doi.org/10.1109/cscwd.2005.194248

2007-01-01

Journal of Software

Abstract:Access control is one of the key steps to ensuring the availability, confidentiality and integrity of system resources. While it has been fully applied in various network systems, it's still relatively new for collaborative CAD. This paper provides a new framework of multi-level access control for collaborative CAD based on hierarchical product modeling. A layered privilege model (LPM) has been developed to provide multi-granularity access permissions in the part level and feature level. An extended hierarchy role-based access control (EHRBAC) is implemented, integrated with LPM and common Hierarchy RBAC, to provide hierarchical access control of collaborative feature modeling in the component/part level and design feature level. Mesh simplification techniques are used to create variable level-of-detail for individual features.

Zhikun ZHANG,Jianguo XIAO,Xiangning KONG

DOI: https://doi.org/10.4156/jnit.vol2.issue1.3

2011-01-01

Journal of Next Generation Information Technology

Abstract:With concern of the current research results as well as the features of the demands for access control of the Web-based application system,the authors propose a context constraint access control theory model on the level of standard reference model,from the perspective of flexibility,generality,and feasibility,and elaborate on the theory of this model and the architecture of access control system.Then the authors give the description and modeling of the access control policy and defines the entities and relations in the model by using a XML-based policy specification grammar called X-Grammar.Finally the overall function description and structure design is given,and an engineering method to elicit and define context constraints is raised.

Tao Peng,Minghua Jiang,Ming Hu

DOI: https://doi.org/10.4028/www.scientific.net/amr.121-122.558

2010-01-01

Advanced Materials Research

Abstract:A multi-polices access control model is proposed, with the model, access control based on policy regulation and XML based policy description is given. At the same time, We use the XSD(XML Schema Definition) to describe the content and the structure of the xml documents, and check the validity of the xml documents. Based on the description of the access control, an application system is realized we construct the runtime platform and choose some access control polices to test our system. The result is well.

Xinyu Fan,Faen Zhang,Jianfei Song,Jingming Guo,Fujie Gao

DOI: https://doi.org/10.48550/arXiv.2001.01945

2020-01-07

Abstract:A fine-grained provenance-based access control policy model is proposed in this paper, in order to improve the express performance of existing model. This method employs provenance as conditions to determine whether a piece of data can be accessed because historical operations performed on data could reveal clues about its sensitivity and vulnerability. Particularly, our proposed work provides a four-valued decision set which allows showing status to match a restriction particularly. This framework consists of target policy, access control policy, and policy algebras. With the complete definition and algebra system construction, a practical fine-grained access control policy model is developed.

Cryptography and Security

Bei-shui Liao,Ji Gao

DOI: https://doi.org/10.1007/11590354_23

2005-01-01

Abstract:Currently, the management of grid services is becoming increasingly complex. To resolve this complexity problem, autonomic computing and policy-based multi-agent technology have been proposed as promising methods. However, there are many challenges to be resolved. Among them, policy refinement is a great problem that hampers the development of policy-based system. To cope with this issue, this paper presents a policy refinement mechanism based on recipes. Recipes define possible refinement alternatives for each abstract policy. And the policy refinement engine automatically refines the policies by choosing the refinement branch in terms of the conditions of each branch.

Ziyi Su,Frederique Biennier

DOI: https://doi.org/10.48550/arXiv.1305.1727

2013-05-08

Cryptography and Security

Abstract:In an open information systems paradigm, real-time context-awareness is vital for the success of cooperation, therefore dynamic security attributes of partners should considered in coalition for avoiding security conflicts. Furthermore, the cross-boundary asset sharing activities and risks associated to loss of governance call for a continuous regulation of partners' behavior, paying attention to the resource sharing and consuming activities. This paper describes an attribute-based usage control policy shceme compline to this needs. A concise syntax with EBNF is used to summarize the base policy model. The semantics of negotiation process is disambiguated with abductive constraint logic programming (ACLP) and Event Calculus (EC). Then we propose a policy ratification method based on a policy aggregation algebra that elaborate the request space and policy rule relation. This method ensures that, when policies are aggregated due to resource sharing and merging activities, the resulting policy correctly interprets the original security goals of the providers' policies.

Dongliang Jiao,Liu Lianzhong,Li Ting,Ma Shilong

DOI: https://doi.org/10.1109/icfcsa.2011.27

2011-01-01

Abstract:Usage control model is presented and has been considered as the next generation control model which is used to access digital objects. in order to achieve full functionality of UCON, this paper puts forward a realization of UCON Model Based on extended-XACML-CeXUCON. First, We extended the policy decision point in XACML to support administrate conditions obligations and attributions of subject or object. Second, we established a eXUCON context model and find the differents between eXUCON context model and XACML context model. Finally, the potential of our realization for improving the convenience of enforcement mechanisms is illustrated using a small, but representative example.

shaomin zhang,hongbian yang,baoyi wang

DOI: https://doi.org/10.1007/978-3-642-27287-5_94

2012-01-01

Abstract:For the problems of attribute elements maintenance difficulty and heterogeneous attribute of multi-domain in ABAC model, we propose the method of using ontology to maintain access control elements and distributed attribute management, which describe the logical relationships among attributes with OWL and introduce attribute mapping technology in access control decision-making. It can reduce the complexity of attribute management and raise the security of the cross-domain access. It makes up the defects in original ABAC model, and has a good reference to research the cross-domain access control.

Jason Crampton,Charles Morisset

DOI: https://doi.org/10.48550/arXiv.1204.2342

2014-07-31

Abstract:There have been many proposals for access control models and authorization policy languages, which are used to inform the design of access control systems. Most, if not all, of these proposals impose restrictions on the implementation of access control systems, thereby limiting the type of authorization requests that can be processed or the structure of the authorization policies that can be specified. In this paper, we develop a formal characterization of the features of an access control model that imposes few restrictions of this nature. Our characterization is intended to be a generic framework for access control, from which we may derive access control models and reason about the properties of those models. In this paper, we consider the properties of monotonicity and completeness, the first being particularly important for attribute-based access control systems. XACML, an XML-based language and architecture for attribute-based access control, is neither monotonic nor complete. Using our framework, we define attribute-based access control models, in the style of XACML, that are, respectively, monotonic and complete.

Cryptography and Security,Logic in Computer Science

HU Ying-song,CHEN Gang,ZHU A-ke,CHEN Zhong-xin

2006-01-01

Abstract:A new access control model based on roles and departments is proposed,which extends the traditional RBAC model. The new model abstracts the department from the property of roles,and becomes an important factor of permission control. Furthermore,this paper designs a three-layered architecture for this cross-platform security administration and one of the access control policies is described in detail.

Ran Yang,Chuang Lin,Fujun Feng

DOI: https://doi.org/10.4304/jcp.4.6.510-518

2009-01-01

Journal of Computers

Abstract:Access control is one of the most important technologies to guarantee computer security. A new model with support for valid time and usage constraint is described based on full analysis of flaws in existing models. In the new model, authorization rules can express access control policies completely and access constraints are necessary conditions to prevent authorization abuse. To solve the problems in implementation of the model, a sound scheme for administration of authorizations is proposed and some access decision algorithms are developed.

Bs Liao,J Gao,J Hu,Jj Chen

DOI: https://doi.org/10.1007/978-3-540-30483-8_42

2004-01-01

Abstract:The integration of web services and intelligent agents is promising for automated service discovery, negotiation, and cooperation. But due to the dynamic and heterogeneous nature of web services and agents, it is challenging to guide the behaviors of underlying agents to meet the high-level business (changeful) requirements. Traditional Policy-driven methods (Ponder, Rei, KAoS, etc) are not adaptable to direct the discovery, negotiation and cooperation of dynamic agents who may join in or leave out of a specific community or organization (virtual organization) at run time. The purpose of this paper is to model an ontology-based, policy-driven control framework that is suitable to supervise the dynamic agents according to high-level policies. On the basis of federated multi-agents infrastructure and ontologies of policies, domain concepts, and agent federations, a model of role-based policy specification framework is presented in this paper.