Chen-hua Ma,Guo-dong Lu,Jiong Qiu

DOI: https://doi.org/10.1631/jzus.c0910564

2010-01-01

Journal of Zhejiang University SCIENCE C

Abstract:Collaborative access control is receiving growing attention in both military and commercial areas due to an urgent need to protect confidential resources and sensitive tasks. Collaborative access control means that multiple subjects should participate to make access control decisions to prevent fraud or the abuse of rights. Existing approaches to access control cannot satisfy the requirements of collaborative access control. To address this concern, we propose an authorization model for collaborative access control. The central notions of the model are collaborative permission, collaboration constraint, and collaborative authorization policy, which make it possible to define the collaboration among multiple subjects involved in gaining a permission. The implementation architecture of the model is also provided. Furthermore, we present effective conflict detection and resolution methods for maintaining the consistency of collaborative authorization policies.

Changqin Huang,Guanghua Song,Yao Zheng,Deren Chen

DOI: https://doi.org/10.1007/978-3-540-30102-8_39

2004-01-01

Abstract:Large-scale scientific and engineering computation is normally accomplished through the interaction of collaborating groups and diverse heterogeneous resources. Grid computing is emerging as an applicable paradigm, whilst, there is a critical challenge of authorization in the grid infrastructure. This paper proposes a Parallelized Subtask-level Authorization Service architecture (PSAS) based on the least privilege principle, and presents a context-aware authorization approach and a flexible task management mechanism. The minimization of the privileges is conducted by decomposing the parallelizable task and re-allotting the privileges required for each subtask. The dynamic authorization is carried out by constructing a multi-value community policy and adaptively transiting the mapping. Besides applying a relevant management policy, a delegation mechanism collaboratively performs the authorization delegation for task management. In the enforcement mechanisms involved, the authors have extended the RSL specification and the proxy certificate, and have modified the Globus gatekeeper, jobmanager and the GASS library to allow authorization callouts. Therefore the authorization requirement of an application is effectively met in the presented architecture.

Bin Xu,Xiaohu Yang,Yuanhong Shen,Shanping Li,Albert Ma

DOI: https://doi.org/10.1109/cts.2008.4543958

2008-01-01

Abstract:Software architecture is the backbone of a software- intensive system, many architecture models and styles are struggling to make the artifacts more understandable and reusable. Service-oriented programming is proposed to support reusing and enhancing distributed system development and a service-oriented architecture is essentially a collection of services which communicate with each other. However, the practitioners face the trouble in defining the services and identifying the communication request between all the services. Here in this paper, we adopted a role based architecture model named E-CARGO to facilitate the service definition and communication request identifying. An experience was conducted in prototyping a community support system and E-CARGO model was extended with data and authority access in the case study. The case study indicated that the suggested model could facilitate communication request identifying and service definition and could be helpful in identifying the authority control request during role shifting.

LI Jinyan,YU Zhonghua

DOI: https://doi.org/10.13196/j.cims.2017.06.009

2017-01-01

Abstract:With gradual improvement of collaborative manufacturing mode,the played an important role for the adjustment of organizational structure and business process reengineering.How to balance the To solve the problem that collaboration oriented flexible workflow should combine flexibility and security in dynamic environment,according to the characteristics of collaborative,the concept of team was introduced based on the hierarchical authorization management to realize the combination of role-based static authorization and task-based dynamic control,and a novel access control model was proposed for cooperation-oriented flexible workflow.As for the potential conflict of constraints at different levels due to the flexibility and cooperation,task-based separation of duty was provided,so as to better solve the problem of information security and access control for flexible workflow in dynamic environment.

Qinghuai Zeng,Changqin Huang,Deren Chen,Hualiang Hu

DOI: https://doi.org/10.1109/CACWD.2004.1349224

2004-01-01

Abstract:In grid environments, the dynamic and multi-institutional nature introduces challenging security issues. In this paper, we propose subtask-based authorization service (SAS) architecture to fully secure a type of application oriented to engineering and scientific computing. We minimize privileges for task by decomposing the parallel task and re-allotting the privileges required for each subtask. Community authorization module describes and applies community policies of resource permission and privilege for resource usage or task management. It separates proxy credentials from identity credentials. We adopt a relevant policy and task management delegation to describe rules for task management. The ultimate privileges are formed by the combination of relevant proxy credential, subtask-level privilege certificate and community policy for this user, as well as they conform to resource policy. To enforce the architecture, we extend the RSL specification and the proxy certificate, modify Globus' gatekeeper, jobmanager and the GASS library to allow authorization callouts, and evaluate the user's job management requests and job's resource request in the context of policies.

Yl Jiang,Bs Liao,Y Liu,J Hu

DOI: https://doi.org/10.1007/978-3-540-30483-8_2

2004-01-01

Abstract:Traditional methods for authorization within Grid computing have many shortcomings. Firstly, the enrolments of users and services into the server are done manually, which is not adaptable to the dynamic environment where the service providers and service consumers join or leave dynamically. Secondly, the authorization policy language is not expressive enough to represent more complex policies, and can't resolve the problem of semantic inconsistency between different parties who treat the same policy. This paper takes advantage of characteristics of intelligent agent such as autonomy, proactivity, and sociality, to treat with the authorization issues, including automated registrations and management of agents (service providers and service consumers), autonomous authentication and authorization based on policies, etc. On the other hand, an ontology-based content-explicit policy modeling framework is presented, which resolves the semantic inconsistency problem among different parties.

CH Fang,W Peng,XZ Ye,SY Zhang

DOI: https://doi.org/10.1109/cscwd.2005.194248

2007-01-01

Journal of Software

Abstract:Access control is one of the key steps to ensuring the availability, confidentiality and integrity of system resources. While it has been fully applied in various network systems, it's still relatively new for collaborative CAD. This paper provides a new framework of multi-level access control for collaborative CAD based on hierarchical product modeling. A layered privilege model (LPM) has been developed to provide multi-granularity access permissions in the part level and feature level. An extended hierarchy role-based access control (EHRBAC) is implemented, integrated with LPM and common Hierarchy RBAC, to provide hierarchical access control of collaborative feature modeling in the component/part level and design feature level. Mesh simplification techniques are used to create variable level-of-detail for individual features.

HL Hu,D Chen,CQ Huang

DOI: https://doi.org/10.1109/icsmc.2004.1401072

2004-01-01

Abstract:The idea of role has been widely applied to solving the authority, responsibility, function and interaction, which are associated with member station in organizations. Access control is a key security issue in distributed collaboration systems. After analyzing corresponding security requirements and the present status of security in distributed collaboration system, this paper presents an extensive role-based access control (ERBAC) architecture based on differentiated domain management. In this architecture, security management is classified into inter-domain one and infra-domain one, whilst, it can integrate new security policies. Based on definition of role permission type, the paper introduces a function of permission type change to make ERBAC architecture flexible. In addition, the authors discuss the methods by which the security can be implemented in an agent-based framework. The practices signify that this system can be flexibly applied various existing policy languages and protocols.

Zhuoren Jiang,Yan Chen,Ming Yang

DOI: https://doi.org/10.1109/ICIME.2010.5477923

2010-01-01

Abstract:Recently, SOA plays a more and more important role in software research and software development. On the basis of the research findings on SOA, this paper presents an innovative model for applying SOA: Multi-layer Structure For Dynamic Service Integration (MSFDSI). The paper expatiates on the organization of MSFDSI, on the basis of typical organization of SOA, MSFDSI adds a authorized institution and a service integration & analysis adapter to achieve the service authorization, service analysis and dynamic service integration. The paper also presents the hierarchy of MSFDSI, analyzes its service, proposes innovative concepts of coordination service and procedural service which traditional SOA models never contain, gives the Meta-model for service contracts and describes the main process of MSFDSI. Moreover, this paper gives a real case study of applying this model in a project of "Maritime and shipping integrated system of Yunnan Province". The case study shows that MSFDSI separates the business logic and the specific implementation technology, achieves the dynamic service integration successfully, improves the performance of system and provides a new and effective solution for applying SOA.

Linyuan Liu,Haibin Zhu,Zhiqiu Huang,Dongqing Xie

DOI: https://doi.org/10.1016/j.csi.2010.09.001

2011-03-01

Abstract:With the popularity of Internet technology, web services are becoming the most promising paradigm for distributed computing. This increased use of web services has meant that more and more personal information of consumers is being shared with web service providers, leading to the need to guarantee that the private data of consumers are not illegitimate collected, used and disclosed in services collaboration. This paper studies how to realize the minimal privacy authorization while achieving the functional goals. Initially, this paper uses authorization policies to specify the privacy privileges of the services collaboration, and utilizes the trust relationships among services to make authorization decision. Next, it models the interface behaviors of services by extending the interface automata to support privacy semantics. Furthermore, it quantitatively analyzes the minimum set of privacy privileges which are required by the services to achieve the functional goals, and presents the minimal authorization algorithm, which helps us to automatically derive optimal authorization policies for a services collaboration. Finally, it verifies the correctness and efficiency of the approach proposed by this paper through a case study.

computer science, software engineering, hardware & architecture

ZHU Lei,ZHOU Ming-Hui,LIU Tian-Cheng,MEI Hong

DOI: https://doi.org/10.3321/j.issn:0254-4164.2005.04.027

2005-01-01

Chinese Journal of Computers

Abstract:Service Oriented Architecture (SOA) is a method to design and construct loose coupling software systems. It turns the distributed applications developed on middleware into software services on Internet. Traditional permission management system on middleware has good flexibility and basically, meets the security requirements of closed system, but under SOA, it cannot meet the authorization requirements of requesting services and sharing resources between different nodes and systems. This paper proposes a service oriented permission management model, supporting delegation and reasoning to provide application developers with improved permission management mechanism and to expand capabilities of middleware to share resources and services across organizations. The above model is implemented and validated in a J2EE application server. The experiments show that the model has high flexibility and scalability, and it is reasonable that when over 50 clients request at the same time, response time increases a lot because of signature verifications and file IO operations.

Laura Pearlman,Von Welch,Ian Foster,Carl Kesselman,Steven Tuecke

DOI: https://doi.org/10.48550/arXiv.cs/0306053

2003-06-12

Distributed, Parallel, and Cluster Computing

Abstract:In "Grids" and "collaboratories," we find distributed communities of resource providers and resource consumers, within which often complex and dynamic policies govern who can use which resources for which purpose. We propose a new approach to the representation, maintenance, and enforcement of such policies that provides a scalable mechanism for specifying and enforcing these policies. Our approach allows resource providers to delegate some of the authority for maintaining fine-grained access control policies to communities, while still maintaining ultimate control over their resources. We also describe a prototype implementation of this approach and an application in a data management context.

Chun CAO,Xiao-Xing MA,Jian LU

DOI: https://doi.org/10.3321/j.issn:0254-4164.2006.07.022

2006-01-01

Chinese Journal of Computers

Abstract:To protect the services against illegal accessing, misusing and tampering is the essential problem in service oriented computing paradigm. As existing access control models and mechanisms can hardly meet the requirements of securing the services in the SOC environment completely, an access control model SCoAC is proposed in this paper. Interactions happening between services are viewed as the contributing processes from both sides to the application system. By specifying the relationship among the entities in the system, the model expresses the authorization for services capturing the trust relationship between their administration domains as well as the application context. This paper also introduces a BindingContext matching mechanism to support fine-grained access control. The evolution of application systems can be mapped onto the changing of the authorization status for the services effectively.

ZHANG Shuai,SUN Jian-ling,XU Bin,HUANG Chao

DOI: https://doi.org/10.3785/j.issn.1008-973X.2012.11.015

2012-01-01

Abstract:A dynamic multiple domains access control model base on role based access control(RBAC) was proposed in order to solve the problem that current single domain based access control model cannot fulfill the authorization requirements for service compositions crossing multiple enterprises.The process structures were analyzed and a role mining algorithm was proposed to find the role set with minimized permissions that meet the access requirements of composite services.Authorization negotiations were set up among relevant domains for each cross domain operation in composite services and cross domain role mappings were built according the mined role sets with minimized cost to fulfill the cross domain operations.Based on this model,a runtime framework aligned with current industry standard was proposed to authorize dynamically based on the current running status of composite services.Simulation experiments showed the effectiveness of key part of the role mining algorithm.

Bo Tang,Ravi Sandhu,Qi Li

DOI: https://doi.org/10.1002/cpe.3446

2013-01-01

Abstract:The cloud service model intrinsically caters to multiple tenants, most obviously in public clouds but also in private clouds for large organizations. Currently most cloud service providers (CSPs) isolate user activities and data within a single tenant boundary with no or minimum cross-tenant interaction. It is anticipated that this situation will evolve soon to foster cross-tenant collaboration supported by Authorization as a Service (AaaS). At present there is no widely accepted model for cross-tenant authorization. Recently, Calero et al [12] informally presented a multi-tenancy authorization system (MTAS) which extends the well-known role-based access control (RBAC) model by building trust relations among collaborating tenants. In this paper we formalize this MTAS model and propose extensions for finer-grained cross-tenant trust. We also develop an administration model for MTAS (AMTAS). We demonstrate the utility and practical feasibility of MTAS by means of an example policy specification in XACML. We anticipate researchers will develop additional multi-tenant authorization models before eventual consolidation and unification.

L. Pearlman,V. Welch,I. Foster,C. Kesselman,S. Tuecke

DOI: https://doi.org/10.48550/arXiv.cs/0306082

2003-06-14

Software Engineering

Abstract:Virtual organizations (VOs) are communities of resource providers and users distributed over multiple policy domains. These VOs often wish to define and enforce consistent policies in addition to the policies of their underlying domains. This is challenging, not only because of the problems in distributing the policy to the domains, but also because of the fact that those domains may each have different capabilities for enforcing the policy. The Community Authorization Service (CAS) solves this problem by allowing resource providers to delegate some policy authority to the VO while maintaining ultimate control over their resources. In this paper we describe CAS and our past and current implementations of CAS, and we discuss our plans for CAS-related research.

Minghui Zhou,Haiyan Zhao,Hong Mei

DOI: https://doi.org/10.1109/ICWS.2006.14

2006-01-01

Abstract:In the service-oriented architecture, the components deployed on application servers are published as Web services. Though many researches focus on how to authorize at the Web service level currently, there is little work involving the authorization gap between the service and its component implementation. This paper tries to bridge the gap by proposing a service-oriented trust management model, which expands the application server's capability to deal with more complex trust relationship between service users and services, and supplies a flexible trust management mechanism to integrate authentication and authorization together. Moreover, the model provides a finer granularity access control, sustains delegation between users, and has a certain extent reasoning capability. The model has been implemented in a J2EE application server, and the experiment has demonstrated that the model has high flexibility and scalability

Dianfu Ma,Min Liu,Yongwang Zhao,Chunyang Hu

DOI: https://doi.org/10.1145/1363686.1364216

2008-01-01

Abstract:The collaboration of services scattered over the internet is often required in solving a complicated scientific problem or finishing a complex business process. Centralized client/server architecture used in traditional service collaboration mechanism such as workflow has exhibited many weaknesses. We adopt the concept from peer-to-peer computing and Synergetics, and introduce an innovative middleware for structured-based service collaboration, in which each service node belongs to one or more structured collaboration organizations and is allowed to join and leave (planned departure or sudden failure) freely. We also propose neighborhood-based maintenance mechanism to cope with the dynamics of collaboration organization structure in a decentralized manner.

XU Feng,LAI Hai-Guang,HUANG Hao,XIE Li

DOI: https://doi.org/10.3321/j.issn:0254-4164.2005.04.028

2005-01-01

Chinese Journal of Computers

Abstract:Service oriented architecture (SOA) is an evolution of client/server architecture. A SOA based system can transparently incorporate services running on different software platforms. It could drive the costs down by achieving automated code generation, reuse, and interoperability. But it will cause the complexity of security management due to its loose couple and dynamic characteristics. The paper first reviews the development of access control technology, and then presents a workflow based and services oriented role based access control (WSRBAC) model. In the model, the authors introduce two notions of services and authorization transfer to describe dynamic service oriented architecture. In WSRBAC model, access control system can make its access control decisions by capturing practical relevant environmental context. It can realize access control with dynamic grant and adapt permissions based on the state of workflows and services. This model can enhance system security and provide flexibility in access control system.

Chao Huang,Jianling Sun,Xinyu Wang,Yuanjie Si

DOI: https://doi.org/10.1109/ISBIM.2008.132

2009-01-01

Abstract:In large enterprise software systems, users often need to delegate their authority to others. Permission base delegation model (PBDM) based on RBAC96 currently is the most attractive model to fulfill the delegation requirement since it supports partly delegation and multiple steps delegation. However in PBDM there is no explicit specification of the separation of duty (SOD) constraint, which is one of the most important constraints and is essential to the security of the system. In this paper, we analyze the SOD constraint in PBDM delegation model and give the formal definition for the constraint. We prove that the constraint violation will not happen at the stage of the delegation role definition whereas it can only happen at the stage of role assignment. We then propose a protective mechanism to prevent the illegal role delegation utilizing the prerequisite conditions which are a set of Boolean expressions. We also give the algorithm to check the prerequisite conditions to help the security administrator guarantee the safe role delegation.