基于任务分类和角色层次的三步授权机制集成了主被动两种访问控制模式,但任务间重复授权、多种角色层次上的任务继承冲突、任务约束重复表达等问题严重影响了有关模型的伸缩性。为此提出一种增强的主被动集成访问控制模型。通过可扩展的角色层次划分细化了主/被动任务的分类,可以灵活地简化多种任务分配关系;引入基于任务泛化的授权继承和约束覆盖机制,可以有效减少任务之间的重复授权和约束;通过一组正确和完备的语义覆盖规则,为自动约束化简等提供了依据。最后给出多粒度权限激活机制和动态互斥的冗余检测算法,以消除不必要的访问检查开销,降低伸缩增强带来的效率损失。%The 3-step authorization mechanism based on task classification and role hierarchy integrates two access control paradigms of active and passive ones.But the scalability of the related models was seriously affected by repetitive authorizations among tasks,conflicts among task inheritances along multiple role hierarchies and repetitive expressions of task constraints.To deal with these problems,an enhanced active-passive integrated access control model was proposed.The classification of active/passive tasks was refined through extendable subdivision of role hierarchy,thus many kinds of task assignments could be simplified flexibly.Task generalization based authorization inheritance and constraint coverage mechanisms were introduced to reduce repeatitive authority and constraint among tasks.The basis was provided for automatic constraints simplification by a set of correct semantic overlay rules.Finally,multiple-granularity permission activation mechanism and dynamic exclusions redundancy detecting algorithm was presented to eliminate unnecessary cost in access checking and to compensate efficiency loss brought by scalability enhancing.
展开▼
