Journal of Software, 2009, 20(2): 403-414

Attribute-Based Access Control Policies Composition Algebra
LIN Li (林莉), HUAI Jin-Peng (怀进鹏), LI Xian-Xian (李先贤)
(School of Computer Science, Beihang University, Beijing 100191, China)
Received:January 04, 2007    Revised:February 27, 2008
Abstract: The composition of access control policies is the key to determining the access control policy of a distributed aggregated resource. To regulate policy composition and guarantee its correctness, this paper characterizes the authorization relations between entities at the attribute level, extends the existing formal frameworks for policy composition with a computational structure over attribute values, and establishes a new attribute-based policy composition algebra, APoCA (attribute-based access control policy composition algebra). Example analyses show that APoCA has stronger expressive power and wider applicability for policy composition, and suits more complex application scenarios. The access control policy of an aggregated resource is described formally as an expression of the algebra; several algebraic properties of policy expressions are discussed, and it is shown that these properties can be used to verify whether the result of a composition meets each party's protection requirements for the aggregated resource. Finally, a translator that converts policy expressions into logic programs is given, providing a basis for evaluating and applying the access control policies of aggregated resources.
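As an added illustration of the ideas in the abstract (this is constructed example code, not the paper's APoCA operators or its translator), the Python below models two parties' attribute-level policies over an aggregated resource, composes them, checks by exhaustive comparison over a finite attribute domain that the composition respects each party's protection need, and emits Datalog-style rules; the attribute names, operators and value domain are assumptions.

```python
import operator
from itertools import product

# Constructed illustration of attribute-level policy composition; the operators,
# attribute names and value domain are assumptions, not the paper's APoCA definitions.
OPS = {">=": operator.ge, "==": operator.eq}

class Policy:
    # Atomic: conjunction of (attr, op, operand) with operand ('const', v) or ('attr', name).
    # Composite: 'and' / 'or' of sub-policies (the composition operators of this toy algebra).
    def __init__(self, name, conds=(), combine=None, parts=()):
        self.name, self.conds, self.combine, self.parts = name, conds, combine, parts
    def __call__(self, req):                       # evaluate on one request (attribute map)
        if self.combine:
            return (all if self.combine == "and" else any)(p(req) for p in self.parts)
        return all(OPS[op](req[a], req[v[1]] if v[0] == "attr" else v[1])
                   for a, op, v in self.conds)
    def __and__(self, o): return Policy(f"{self.name}_and_{o.name}", combine="and", parts=(self, o))
    def __or__(self, o):  return Policy(f"{self.name}_or_{o.name}", combine="or", parts=(self, o))

    def to_logic_program(self):                    # Datalog-style rules deriving permit_<name>(R)
        head, sub = f"permit_{self.name}(R)", [r for p in self.parts for r in p.to_logic_program()]
        if self.combine == "and":
            return sub + [f"{head} :- " + ", ".join(f"permit_{p.name}(R)" for p in self.parts) + "."]
        if self.combine == "or":
            return sub + [f"{head} :- permit_{p.name}(R)." for p in self.parts]
        body = []
        for a, op, (kind, x) in self.conds:        # bind each attribute of R, then test it
            body.append(f"attr(R, {a}, {a.upper()})")
            if kind == "attr": body.append(f"attr(R, {x}, {x.upper()})")
            body.append(f"{a.upper()} {op} {x.upper() if kind == 'attr' else repr(x)}")
        return [f"{head} :- " + ", ".join(body) + "."]

# Finite attribute domain, so policy expressions can be compared exhaustively
DOMAIN = {"role": ("doctor", "nurse", "auditor"), "dept": ("cardiology", "oncology"),
          "clearance": (1, 2, 3), "sensitivity": (1, 2, 3)}

def requests():
    return (dict(zip(DOMAIN, vals)) for vals in product(*DOMAIN.values()))

def refines(p, q):                                 # p permits nothing that q denies
    return all(q(r) for r in requests() if p(r))

# Party A (hospital): subject clearance must dominate resource sensitivity (attribute-value computation)
hospital = Policy("hospital", [("clearance", ">=", ("attr", "sensitivity"))])
# Party B (department): only cardiology doctors may use the resource
dept = Policy("dept", [("dept", "==", ("const", "cardiology")), ("role", "==", ("const", "doctor"))])
joint = hospital & dept                            # aggregated resource: both parties must permit

def meets_protection_needs():                      # neither party's own restriction is overridden
    return refines(joint, hospital) and refines(joint, dept)
```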
Foundation items: Supported by the National High-Tech Research and Development Plan of China (863 Program) under Grant No.2007AA01Z426; the National Basic Research Program of China (973 Program) under Grant No.2005CB321803; the National Natural Science Funds for Distinguished Young Scholar of China under Grant No.60525209; the Funds for the International Cooperation and Exchange of the National Natural Science Foundation of China under Grant No.60731160632; the Program for New Century Excellent Talents in University of China under Grant No.NCET-05-0186
Cite as:

LIN Li, HUAI Jin-Peng, LI Xian-Xian. Attribute-Based Access Control Policies Composition Algebra. Journal of Software, 2009, 20(2): 403-414