In order to resolve the problem that users who lack of corresponding qualifications and ability in workflow environment might get access rights through its role, this paper presents attribute constraints before the tasks assignment. Users and tasks have certain attributes and corresponding attribute expressions, user attributes reflect their equipped apti-tude and ability and task attributes indicate its requirements to users in qualifications and ability. The system authorizes to users only when the corresponding rules are satisfied by attribute expressions. Case analysis shows this approach can pre-vent the users who lack of corresponding qualifications and ability to get the tasks so as to eliminate the safety hazards and achieve a more fine-grained access control.%针对在工作流环境中不具备相应资质和能力的用户可能通过其担任的角色获取任务,进而获得访问权限的问题,提出在任务分配之前进行属性约束。用户和任务都具有属性和相应的属性表达式,用户属性反映用户具备的资质和能力,任务属性反映任务对用户资质和能力的要求,只有对应的属性表达式满足策略规则时系统才向用户进行任务授权。实例分析表明,该方法能够防止不具备相应资质和能力的用户获取任务权限,消除安全隐患,实现更加细粒度的访问控制。
展开▼