计算机工程与应用
COMPUTER ENGINEERING AND APPLICATIONS
2013
Issue 19
pp. 83-87
5 pages in total
Extensible Access Control Markup Language (XACML); access control; business process; policy; delegation
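Based on an analysis of the access control policy requirements of business processes, the classic XACML policy enforcement framework is extended, and an enforcement framework that can manage policies according to the execution state of a business process is proposed. By introducing the <PolicyIssuer> element into the policy schema and defining the semantics of the <Condition> element, the schema can describe both access policies and delegation policies and supports the implementation of task-level least privilege. Two policy decision optimization methods are given: for the problem of too many invalid policies in the policy set, a stepwise pruning method is used to reduce the number of policy element comparisons; for the problem of too many delegation policies in the policy set whose trustworthiness must be verified, a trust association method is used to reduce the number of policy matches. Together these effectively improve the efficiency of policy decisions.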
By analyzing the requirements of access control for business processes, an extended enforcement framework that supports policy management based on the state of the business process is proposed. By introducing the element <PolicyIssuer> and defining the semantics of the element <Condition> in the policy schema, both access control policies and delegation policies can be described, and least privilege at the task level can be achieved. To reduce the time cost of policy decisions when the numbers of unrelated policies and delegation policies are large, two methods that reduce the numbers of matching policies and policy elements are proposed.