General access control models enable flexible expression of access control policies, but they make the verification of whether a particular access control configuration is safe (i.e., prevents the leakage of a permission to an unauthorized subject) difficult. The current approach to expressing safety policy in such models is to use constraints. When the constraints are verified, then the configuration is verified to be safe. However, the addition of constraints to an access control configuration significantly increases its complexity, so it quickly becomes difficult to understand the access control policy expressed in the configuration such that future changes can be made correctly. We propose an approach whereby the complexity of each access control configuration is estimated, so the administrators can see the effect of a configuration change on the future ability to maintain the configuration. We identify metrics for making complexity estimates and evaluate these metrics on some constraint examples. Our goal is to enable the use of flexible access control models for safety-critical systems by permitting limited use of constraints that do not complicate the configuration beyond a maintainable complexity.
通用访问控制模型可以灵活表达访问控制策略,但是很难验证特定访问控制配置是否安全(即,防止将权限泄露给未经授权的主体)。在这种模型中表达安全策略的当前方法是使用约束。验证约束后,将验证配置是否安全。但是,将限制添加到访问控制配置中会大大增加其复杂性,因此迅速变得难以理解配置中表达的访问控制策略,从而无法正确进行将来的更改。我们提出一种估计每个访问控制配置的复杂性的方法,以便管理员可以看到配置更改对将来维护该配置的能力的影响。我们确定用于进行复杂性估算的指标,并在一些约束示例中评估这些指标。我们的目标是允许对安全性至关重要的系统使用灵活的访问控制模型,方法是允许限制使用约束,这些约束不会使配置复杂化,而无法保持复杂性。 P>
机译:用于第三代无线接入网中QoS支持的低复杂度介质访问控制协议
机译:控制核电系统光晕-混沌的复杂性并管理高科技领域
机译:评估增强的基于角色的访问控制模型以管理州级临床教育计划协作过程中的信息访问
机译:使用矩阵管理访问控制复杂性
机译:管理企业级的内容:从服务发现,访问控制,命令执行
机译:由家庭医生提供给患者的结肠直肠癌筛查网站和/或由护士管理的电话帮助热线是否会增加粪便潜血测试的摄取?:一项实用的整群随机对照试验的结果
机译:聚合和受控交互:管理设计复杂性的自动机制
机译:设计用于控制和管理视觉显示中信息复杂性的问卷