Thursday, May 26, 2011

Access control

Access control restricts, according to a user's identity and membership in a predefined group, which items the user may access and which control functions the user may use. Access control is usually used by the system administrator to control users' access to servers, directories, files and other network resources.
Access control performs three basic functions: 1. Prevent illegitimate subjects from entering protected network resources. 2. Allow legitimate users to access protected network resources. 3. Prevent legitimate users from accessing protected network resources in unauthorized ways.
Access control can be implemented through the following strategies:
1. Network login access control
2. Network permission restriction
3. Directory-level security control
4. Attribute security control
5. Network server security control
6. Network monitoring and locking control
7. Network port and node security control
8. Firewall control
Access control types: access control can be broadly divided into two kinds, discretionary access control (DAC) and mandatory access control (MAC).
Discretionary access control means that a user who has created access objects (documents, spreadsheets, etc.) has the right to access them, may grant other users access to those objects, and may revoke the access permissions granted to those users. Mandatory access control means that the system (through a security officer created specially for this purpose) enforces unified, mandatory control, deciding according to predefined rules which users may perform which types of operations on which objects; even the user who created an object may have no right to access it.
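The difference between the two kinds is easiest to see side by side. This is an added example, not code from the original post: a minimal DAC object whose owner grants and revokes access, beside a MAC check in which a label rule decided by the security officer (a "no read up, no write down" rule, my assumption here) can deny even the creator. All user and label names are constructed.

```python
from dataclasses import dataclass, field

# --- DAC: the creator owns the object and grants or revokes access itself ---
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)   # user -> set of permissions

    def grant(self, granter, user, perm):
        if granter != self.owner:
            raise PermissionError(f"{granter} does not own this object")
        self.acl.setdefault(user, set()).add(perm)

    def revoke(self, granter, user, perm):
        if granter != self.owner:
            raise PermissionError(f"{granter} does not own this object")
        self.acl.get(user, set()).discard(perm)

    def allowed(self, user, perm):
        return user == self.owner or perm in self.acl.get(user, set())

# --- MAC: labels are assigned by the security officer; the rule decides, not the creator ---
LEVELS = {"public": 0, "internal": 1, "secret": 2}   # constructed label ordering

def mac_allowed(subject_level, object_level, perm):
    """Assumed rule: read only at or below your level, write only at or above it."""
    s, o = LEVELS[subject_level], LEVELS[object_level]
    if perm == "read":
        return s >= o
    if perm == "write":
        return s <= o
    return False

def demo():
    doc = DacObject(owner="alice")
    doc.grant("alice", "bob", "read")
    dac_bob_read = doc.allowed("bob", "read")        # True: granted by the owner
    doc.revoke("alice", "bob", "read")
    dac_bob_after = doc.allowed("bob", "read")       # False: the owner revoked it
    # Under MAC an 'internal' user may write into a 'secret' document she creates,
    # yet the rule denies her reading it back, as the text above describes.
    mac_creator_write = mac_allowed("internal", "secret", "write")  # True
    mac_creator_read = mac_allowed("internal", "secret", "read")    # False
    return dac_bob_read, dac_bob_after, mac_creator_read, mac_creator_write
```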
Object-based access control model:
Object-Based Access Control Model (OBAC Model): the main task of the DAC or MAC model is one-dimensional rights management between access subjects and controlled objects in the system. When the number of users is large, the amount of information is large and data processing is heavy, managing user permissions becomes very onerous and the permissions become hard to maintain, which reduces the reliability and security of the system. Massive data of diverse types needs a special system and dedicated personnel to handle it. If the RBAC model is used, the security administrator must not only maintain the user-role relationship but also assign the vast number of information resources to a limited set of roles. When the types of information resources increase or decrease, the security administrator must update the access settings of all roles; and if a controlled object's attributes change, so that controlled objects with different attribute values must be assigned to different access subjects, the security administrator must add new roles, update the access settings of all existing roles and redo the assignment of roles to access subjects. Such changes in access control settings are often unpredictable, which makes access control management difficult and the workload enormous. In this situation it is necessary to introduce an access control model based on the controlled object.
Control policies and control rules are the core of the OBAC access control system. In the object-based access control model, an access control list is associated with the controlled object or with the controlled object's attributes, and access control options are designed as a set of users, groups or roles with their corresponding permissions; policies and rules may also be reused, inherited and derived. Thus access control can be applied not only to the controlled object itself but also to its attributes, and a derived object can inherit the access control settings of its parent object. This is very useful for management information systems with huge amounts of information and frequent updates, because it reduces the workload of setting permissions caused by the derivation, evolution and reorganization of information resources.
OBAC starts from the changes in an information system's data and the differences in user requirements, and effectively solves the security management of large-scale management information systems with large amounts of data, many data types and frequent updates. From the angle of the controlled object, OBAC associates the access subject's access permissions directly with the definition of the controlled object and its abstraction. On one hand, adding, deleting and modifying access control lists becomes easy; on the other hand, when a controlled object's attributes change, or a controlled object is inherited or derived, the access subject's permissions do not need to be updated: only the access control list of the corresponding controlled object needs to be updated. This reduces the rights management of access subjects and the complexity of managing authorization data.
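As an added illustration (not code from the original post) of the object-side ACLs and inheritance described above: the ACL lives on the controlled object and on its attributes, a derived object inherits its parent's settings, and no per-subject record has to change. The object, attribute and role names are constructed.

```python
class ControlledObject:
    """A controlled object carrying its own ACL and per-attribute ACLs (OBAC sketch)."""

    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent     # derived objects inherit the parent's access settings
        self.acl = {}            # subject -> set of permissions on the object itself
        self.attr_acl = {}       # attribute name -> {subject -> set of permissions}

    def grant(self, subject, perm, attribute=None):
        # A subject may be a user, a group or a role; the object does not care which.
        table = self.acl if attribute is None else self.attr_acl.setdefault(attribute, {})
        table.setdefault(subject, set()).add(perm)

    def _lookup(self, subject, attribute):
        """Permissions on this object (or one attribute), including inherited ones."""
        own = self.acl if attribute is None else self.attr_acl.get(attribute, {})
        perms = set(own.get(subject, set()))
        if self.parent is not None:
            perms |= self.parent._lookup(subject, attribute)
        return perms

    def allowed(self, subject, perm, attribute=None):
        return perm in self._lookup(subject, attribute)

def demo():
    base = ControlledObject("student_record")
    base.grant("role:teacher", "read")                          # whole object
    base.grant("role:registrar", "write", attribute="grade")    # one attribute only
    # A derived object (one class's records) inherits the parent's settings;
    # only the derived object's own ACL is touched when it needs something extra.
    derived = ControlledObject("student_record/class_2011", parent=base)
    derived.grant("role:teacher", "write", attribute="attendance")
    return {
        "teacher_reads_derived": derived.allowed("role:teacher", "read"),                 # True (inherited)
        "teacher_writes_grade": derived.allowed("role:teacher", "write", "grade"),        # False
        "registrar_writes_grade": derived.allowed("role:registrar", "write", "grade"),    # True (inherited)
        "teacher_writes_attendance": derived.allowed("role:teacher", "write", "attendance"),  # True
        "registrar_reads_base": base.allowed("role:registrar", "read"),                   # False
    }
```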
Task-based access control model:
Task-Based Access Control Model (TBAC Model): this model addresses security from the angle of the application and enterprise layer. It looks at the problem from the angle of tasks (activities), establishing the security model and implementing the security mechanism from the task's perspective, and provides dynamic, real-time security management while tasks are being performed. In TBAC, the object of access control is not a static thing but changes with the context of the task being performed. TBAC first considers the protection of information in a workflow environment: in a workflow, each processing step is associated with the preceding one, and so is its access control, which makes TBAC a context-dependent access control model. Secondly, TBAC can apply different access control policies not only to different workflows but also to different task instances of the same workflow. In this sense TBAC is task-based, which also shows that TBAC is an instance-based access control model.
The TBAC model is composed of four parts: workflows, authorization structures, trustee sets and permission sets.
A task is a logical unit in a workflow; it is a distinguishable action, may involve multiple users, and may also contain several subtasks. An authorization structure is an instance of a task under computer control. The subtasks of a task correspond to the authorization steps of the authorization structure.
Authorization structure (authorization unit): a structure composed of one or more authorization steps that are logically linked. Authorization structures are divided into general authorization structures and atomic authorization structures. In a general authorization structure the authorization steps are executed in sequence; within an atomic authorization structure every authorization step is closely linked with the others, and the failure of any authorization step causes the whole structure to fail.
Authorization step: a primitive authorization processing step, referring to the processing of one step in a workflow. The authorization step is the smallest unit that access control can control; it is composed of a trustee set and multiple permission sets.
The trustee set is the collection of users who may be granted execution of the authorization step; the permission set is the set of access permissions granted to a member of the trustee set when the step is executed. After an authorization step is initialized, a member of the trustee set is granted the step; we call this member the executor of the authorization step, and the set of permissions the executor needs while executing the step is called the executor permission set. The relationship between authorization steps, or between authorization structures, is called a dependency; dependencies reflect the task-based principle of access control. The state changes of an authorization step are generally self-managed, with the state changing automatically according to the execution conditions, but sometimes the state can also be changed by the administrator.
A business process consists of multiple tasks. Each task corresponds to an authorization structure, and each authorization structure consists of specific authorization steps. Authorization structures and authorization steps are linked together by dependency relationships. In TBAC, the processing of one authorization step can decide the operating permissions of the subsequent authorization step; the set of these permissions is called the activation permission set. The executor permission set and the activation permission set together are known as the protection state of the authorization step.
The TBAC model is usually represented by a five-tuple (S, O, P, L, AS), where S is the subject, O the object, P the permission, L the lifespan (life cycle) and AS the authorization step. Because tasks are time-limited, task-based access control is also time-limited: the permissions granted to a user are valid only for a period. Therefore, if P is a permission activated by authorization step AS, then L is the lifespan of AS. Before AS is activated, its protection state is invalid and the permissions it contains cannot be used. When AS is triggered, its entrusted executor begins to hold the permissions in the executor permission set, and its lifespan begins to count down. During the lifespan, the five-tuple (S, O, P, L, AS) is valid. When the lifespan terminates, the five-tuple (S, O, P, L, AS) becomes invalid and the permissions held by the entrusted executor are revoked.
The TBAC access policy and the relationships among its internal components are generally configured directly by the system administrator. Through dynamic rights management of authorization steps, TBAC supports the principle of least privilege and the principle of minimum leakage: permissions are assigned to a user only when a task needs them, and after the task terminates, or the user is no longer assigned to it, the user no longer holds those privileges; during the task, when a certain permission is no longer used, the authorization step automatically recovers it. In addition, separation of sensitive tasks among different users can be realized through the dependencies between authorization steps.
From the angle of workflow modeling, TBAC can manage access dynamically according to the different states of tasks and subtasks. Therefore, TBAC is very suitable for access control in distributed computing and multi-point information processing, and in workflow, distributed processing and transaction management systems for decision making.
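The five-tuple (S, O, P, L, AS) and the trustee set, executor permission set, activation permission set and lifespan described above, as an added example that is not code from the original post: an authorization step is activated for one trustee, its permissions are usable only while the lifespan runs, and a follow-up step can only be triggered if the preceding step's activation permission set enabled it. Time is an explicit counter passed by the caller so the lifespan check is deterministic; step, user and object names are constructed.

```python
class AuthorizationStep:
    def __init__(self, name, trustee_set, executor_perms, activation_perms, lifespan):
        self.name = name
        self.trustee_set = set(trustee_set)          # users who may be granted this step
        self.executor_perms = set(executor_perms)    # (object, permission) pairs the executor needs
        self.activation_perms = set(activation_perms)  # names of follow-up steps this step enables
        self.lifespan = lifespan                     # L: how long the tuple stays valid
        self.executor = None                         # S: chosen from the trustee set on activation
        self.activated_at = None

    def activate(self, user, now, enabled_by=None):
        """Trigger AS for one trustee; an optional predecessor step must have enabled it."""
        if user not in self.trustee_set:
            raise PermissionError(f"{user} is not in the trustee set of {self.name}")
        if enabled_by is not None and self.name not in enabled_by.activation_perms:
            raise PermissionError(f"{self.name} has not been enabled by {enabled_by.name}")
        self.executor, self.activated_at = user, now

    def is_valid(self, now):
        """The five-tuple is valid only from activation until the lifespan expires."""
        return self.activated_at is not None and now < self.activated_at + self.lifespan

    def allowed(self, subject, obj, perm, now):
        """Check (S, O, P, L, AS): S is the executor, (O, P) is in the executor set, L not expired."""
        return (self.is_valid(now) and subject == self.executor
                and (obj, perm) in self.executor_perms)

    def release(self, obj, perm):
        """Recover a permission early once the task no longer needs it (minimum leakage)."""
        self.executor_perms.discard((obj, perm))

def demo():
    # Two steps with different trustee sets: a teacher reviews, a manager approves.
    review = AuthorizationStep("review", {"tch1", "tch2"},
                               {("grades", "read")}, {"approve"}, lifespan=10)
    approve = AuthorizationStep("approve", {"mng1"},
                                {("grades", "write")}, set(), lifespan=5)
    before = review.allowed("tch1", "grades", "read", now=0)   # False: AS not yet triggered
    review.activate("tch1", now=1)
    during = review.allowed("tch1", "grades", "read", now=5)   # True: inside the lifespan
    other = review.allowed("tch2", "grades", "read", now=5)    # False: tch2 is not the executor
    after = review.allowed("tch1", "grades", "read", now=11)   # False: lifespan expired, revoked
    approve.activate("mng1", now=6, enabled_by=review)          # enabled via review's activation set
    return before, during, other, after, approve.allowed("mng1", "grades", "write", now=8)
```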
Role-based access control model:
Role-Based Access Control Model (RBAC Model): the basic idea of RBAC is to assign access permissions to roles; users obtain access permissions by playing those roles. This is because in many practical applications the users are not the owners of the information resources they access (the information belongs to the enterprise or company); in that case access control should be based on the employee's job function rather than on which group the employee belongs to or who owns the information. That is, which information each user can access is determined by the role the user plays in the department; for example, a school may have roles such as faculty, teachers, students and other management staff.
From the angle of the control subject, RBAC differentiates roles according to the relatively stable powers and responsibilities in management and associates access permissions with roles, which differs from the traditional MAC and DAC approaches that grant access permissions directly to users. By assigning appropriate roles to users, users are associated with access permissions. Roles become a bridge between the access subjects and the controlled objects of access control.
A role can be regarded as a collection of operations; different roles have different operation sets, and these operation sets are allocated to the roles by the system administrator. In the following example we assume Tch1, Tch2, Tch3 ... Tchi are teachers, Stud1, Stud2, Stud3 ... Studj are students, and Mng1, Mng2, Mng3 ... Mngk are educational administration staff. The teacher permissions are TchMN = {query grades, upload class scores}; the student permissions are StudMN = {query grades, submit feedback}; the educational administration staff permissions are MngMN = {query grades, modify grades, print score list}. Thus, according to their different roles, each subject can only execute the access functions established for it. A user performs, in a certain department, the operations of some role and matches the functions of that role; this is exactly the basic characteristic of the role-based access control (RBAC) policy: the system defines various roles according to RBAC, each role can complete certain functions, different users are assigned corresponding roles according to their functions and responsibilities, and once a user becomes a member of a role, the user can perform the functions that the role has.
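The school example above, implemented as an added example (not code from the original post): role operation sets TchMN, StudMN and MngMN as given in the text, users assigned to roles, and a check that also shows why editing the role's operation set is cheaper than editing every user. The permission strings are the ones from the post; the user names are constructed.

```python
# Role -> operation set, allocated by the system administrator.
ROLE_PERMISSIONS = {
    "teacher": {"query grades", "upload class scores"},               # TchMN
    "student": {"query grades", "submit feedback"},                   # StudMN
    "admin":   {"query grades", "modify grades", "print score list"}, # MngMN
}

class Rbac:
    def __init__(self, role_permissions):
        self.role_permissions = {r: set(p) for r, p in role_permissions.items()}
        self.user_roles = {}                 # user -> set of roles the user is a member of

    def assign(self, user, role):
        if role not in self.role_permissions:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def remove_role(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def permissions_of(self, user):
        """Union of the operation sets of every role the user holds (empty if none)."""
        return set().union(*(self.role_permissions[r] for r in self.user_roles.get(user, ())))

    def can(self, user, operation):
        return operation in self.permissions_of(user)

def demo():
    school = Rbac(ROLE_PERMISSIONS)
    school.assign("Tch1", "teacher")
    school.assign("Stud1", "student")
    school.assign("Mng1", "admin")
    results = {
        "Tch1 uploads": school.can("Tch1", "upload class scores"),   # True
        "Tch1 modifies": school.can("Tch1", "modify grades"),        # False: only MngMN has it
        "Stud1 queries": school.can("Stud1", "query grades"),        # True
        "Stud1 prints": school.can("Stud1", "print score list"),     # False
    }
    # Changing a role's operation set changes every member at once; no per-user edits.
    school.role_permissions["teacher"].add("print score list")
    results["Tch1 prints after change"] = school.can("Tch1", "print score list")  # True
    # A user who leaves the role loses its operations.
    school.remove_role("Tch1", "teacher")
    results["Tch1 after removal"] = school.can("Tch1", "query grades")           # False
    return results
```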
