We propose an enhanced role-based access control (ERBAC) model to solve the shortcomings of the RBAC's resource usage constraints,policy management and interoperability security in multi-domain cloud systems.Firstly,we introduce elements of containers and two role cardinality constraints into the RBAC,and establish the containers + dynamic role cardinality constraints based resource usage policy.Secondly,we study the role inheritance management for multi-domains in depth and present an inter-domain policy management function,whose objective is to check for the number of violations before committing an inter-domain role inheritance relation.Then,various security detection algorithms for policy conflict are given.Analysis results show that the ERBAC model can improve the security of inter-domain interoperation,enforce usage constraints upon resources and manage the security policies in an easy and effective way,which proves to be feasible and applicable for multi-domain cloud systems.%提出一种扩展的基于角色的访问控制ERBAC模型,以解决RBAC在多域云系统的资源使用约束、策略管理和互操作安全性等方面存在的不足.首先,通过引入容器元素和两类角色基数约束,构建了基于容器元素十动态角色基数约束的资源使用策略;其次,深入研究了多域角色继承管理,提出基于先检测后建立角色关系的域间策略管理函数,并给出各类安全策略冲突检测算法.分析表明,ERBAC模型实现了资源使用约束、支持高效的安全策略管理,提高了跨域互操作的安全性,且性能测试说明了该模型在多域云系统中具有适应性和可行性.
展开▼