A Role-Task Based Access Control Model for Workflow Systems
Abstract
Workflow technology uses computers to execute part or all of an organization's business processes automatically, significantly improving the performance and efficiency of business process handling. Because all information in a workflow system is transmitted over the network, it will inevitably be exposed to unauthorized attacks, so information security in workflow systems is extremely important.
This thesis carries out its research on the basis of the security requirements of workflow systems. It first analyzes the particular role and importance of access control, relative to identity authentication, data confidentiality, data integrity and non-repudiation services, in the information security of workflow systems. It then points out the static and dynamic features of workflows and from these derives the special access control requirements, determined by the characteristics of workflow systems themselves, that distinguish them from non-workflow systems: the strict least privilege principle, order of events, and the separation of duty principle.
Next, the thesis introduces the RBAC model and workflow technology in detail and describes the official-document processing workflow of a government office automation system. Using this as an example, and in view of the characteristics of workflow systems and the requirements above, it explains why the traditional access control models DAC and MAC are not suitable for workflow systems, and analyzes in detail the shortcomings of applying RBAC and TBAC to workflow systems.
On the basis of this analysis, the thesis proposes RTBAC (Role-Task Based Access Control for Workflow System), a role-task based access control model for workflow systems. RTBAC is built on the widely applied RBAC96 model. RBAC96 has matured, so choosing it as the foundation of RTBAC ensures that the new model is both advanced and objective.
RTBAC adds the concept of a "task", the smallest unit of work when a workflow system executes. Furthermore, in RTBAC:
① For the static characteristics of workflows: fixed, unchanging data, such as archived official documents, cannot be modified or issued and can generally only be viewed. Such data is therefore associated with access permissions, and a user can access it only by executing the corresponding permission, i.e. the traditional RBAC model;
② For the dynamic characteristics of workflows: data that is flowing and constantly changing, such as an official document under approval, is associated with tasks, and a task may access this data in some particular way.
Second, RTBAC defines the concepts of "time" and "temporal relation" to describe the order relations between tasks. To ensure that the separation of duty principle is realized in workflow systems, the thesis then defines four kinds of conflicting entities, conflicting permissions, conflicting users, conflicting tasks and conflicting roles, to describe the relationships between the basic components of RTBAC. Finally, the thesis explores in depth the rules governing the assignment relations of these four kinds of conflicting entities, that is, the constraints imposed on assignment relations. The most fundamental of these is that conflicting permissions must not be granted to the same user at the same time, which prevents a user from accumulating excessive power.
A workflow is the computerized automation of a business process of an organization, in whole or in part. Increasing use of electronic means leads to significant increases in processing performance and efficiency. These advantages, however, come at a cost. One such cost is an increased information security risk.
This paper focuses on the access control service, which is one part of the security mechanism of workflow systems. First, the static and dynamic features of workflow systems are pointed out. Based on these features, the special access control requirements of workflow systems, such as Strict Least Privilege, Separation of Duty (SoD) and Order of Events, are analyzed.
Then the RBAC model is discussed, and workflow technology is introduced through an example, the document-processing workflow of a Government Office Automation System. Based on the above issues, this paper explains why DAC and MAC are not suitable access control models for workflows. At the same time, the drawbacks of applying RBAC and TBAC to workflows are pointed out. The requirements imposed by workflows call for an access control mechanism that is more flexible and fine-grained.
Based on the above analysis, a model, RTBAC (Role-Task Based Access Control for Workflow System), is proposed to solve the access control problems of workflow systems. RTBAC is built on the well-known RBAC96 model.
The concept of task is introduced into RTBAC to extend the dynamic characteristics of RBAC. Tasks represent the smallest unit of work in the workflow. In RTBAC, users execute permissions to access fixed data and execute tasks to access flowing and varying data, such as documents under approval. RTBAC can renew authorization in time according to the flow and use of data in workflow systems. A formal description and an analysis of RTBAC are given.
The time feature of tasks helps the enforcement of Strict Least Privilege. The concepts of time and time sequence are put forward to describe the order of tasks. To satisfy the SoD requirements, this paper proposes the concepts of conflicting permissions, conflicting users, conflicting tasks and conflicting roles to describe the interrelation of the elements of RTBAC. Finally, constraints on the associations between conflicting entities are discussed; the essence of these is that conflicting permissions must not be executed by the same user.
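The following is an added illustration, not code from the thesis: a small Python checker for the two access paths the abstract describes (role permissions on fixed, archived data; tasks on flowing data), with task ordering and both static and dynamic Separation of Duty. All user, role, permission and task names, and the `RTBAC` and `build_demo` names, are constructed for this example.

```python
class RTBAC:
    def __init__(self):
        self.user_roles = {}         # user -> set of roles
        self.role_perms = {}         # role -> permissions on fixed (archived) data
        self.role_tasks = {}         # role -> tasks the role may execute
        self.predecessors = {}       # task -> tasks that must already be done (time order)
        self.conflicting_perms = []  # (p1, p2): no single user may hold both
        self.conflicting_tasks = []  # (t1, t2): no single user may do both on one document
        self.history = {}            # document -> {task: user who executed it}

    def perms_of(self, user):
        return set().union(*(self.role_perms.get(r, set())
                             for r in self.user_roles.get(user, set())))

    def assign_role(self, user, role):
        # Static SoD: refuse a role that would hand the user conflicting permissions
        perms = self.perms_of(user) | self.role_perms.get(role, set())
        if any(p1 in perms and p2 in perms for p1, p2 in self.conflicting_perms):
            return False
        self.user_roles.setdefault(user, set()).add(role)
        return True

    def can_execute_permission(self, user, perm):
        return perm in self.perms_of(user)   # fixed data: plain RBAC check

    def can_execute_task(self, user, task, doc):
        # Flowing data: a role allows the task, its predecessors are done on this
        # document, and no conflicting task on it was done by the same user (dynamic SoD)
        allowed = any(task in self.role_tasks.get(r, ())
                      for r in self.user_roles.get(user, set()))
        done = self.history.get(doc, {})
        ordered = self.predecessors.get(task, set()) <= set(done)
        sod_ok = all(done.get(t2 if task == t1 else t1) != user
                     for t1, t2 in self.conflicting_tasks if task in (t1, t2))
        return allowed and ordered and sod_ok

    def execute_task(self, user, task, doc):
        if not self.can_execute_task(user, task, doc):
            return False
        self.history.setdefault(doc, {})[task] = user
        return True


def build_demo():
    """Constructed policy for a document-approval workflow (all names illustrative)."""
    m = RTBAC()
    m.role_perms = {"drafter": {"view_archive", "edit_archive"},
                    "approver": {"view_archive", "release_archive"},
                    "manager": {"view_archive"}}
    m.role_tasks = {"drafter": {"draft"}, "approver": {"approve"},
                    "manager": {"draft", "approve"}}
    m.predecessors = {"approve": {"draft"}}           # order of events
    m.conflicting_perms = [("edit_archive", "release_archive")]
    m.conflicting_tasks = [("draft", "approve")]
    return m
```

With `build_demo()`, giving `alice` the `drafter` role and then `approver` is refused by the static permission conflict, `bob` cannot approve a document nobody has drafted, and a `manager` who drafted a document is blocked from approving that same document even though the role itself allows both tasks.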