Workflow Authorization Model 1.0 999 james999 http://www.javafox.org 2003-12-14 james-fly@vip.sina.com MSN fcxiao2000@hotmail.com http://www.javafox.org/workflow/index.html 1
1....3 2....3 3. Subject-Object View...4...5 4.1. Authorization-step...5 4.2....6...6 5.1. Core RBAC...7 5.1.1. User Role...7 5.1.2....7 5.1.3....8 5.1.4. session...8 5.2. Core RBAC...8 5.3....9 5.4....10 5.5....10 5.5.1....10...10...10...11...11 5.5.2....11...11...11...12 5.6....12 5.7....12 5.7.1....12 5.7.2....12 1...13 2...13 3...13 5.7.3....14 6....14 7....15 2
1. 1.0 Role-based Task-based Task-based 2. version 1.1 A A B B C C Task A Task B Task C B B B C C 3
(Task-Based Authorization Model) (Role-Based Access Control Model) subject-object view of access control subject-object 3. Subject-Object View subject-object view traditional passive subject-object access matrix 1969 B.W. Lampson subject object access matrix i j Mij i Si j Oj Mij {read, write} Si Oj Subject A Subject B Object A R W Object B RW R subject-object Subject Object Right subject-object view Subject S,Object O,Right R subject-object so 4
4. Active security model subject-object TBAC Active security model / A B Permission Permission State TBAC Dependency AS Authorization Step 4.1. Authorization-step R.S97 life-cycle of authorizations 5
4.2. TBAC0 4 Separation Dependency Existential Temporal concurrency Existential Temporal concurrency 1 A state1 B state2 A state1 B state2 2 A state1 < B state2 A state1 B stat2 A B 3 A state1 X B state2 B state2 A state1 4 A state1 B state2 B state2 A state1 1 2 Existential Dependency and Temporal Dependency state permission state TBAC TBAC email msn 5. Subject-Object MAC DAC / Role-based Ravi Sandhu 2000 RBAC RAV00 6
http://csrc.nist.gov/rbac/rbac-std-draft.doc RBAC OS 5.1. Core RBAC RBAC Core RBAC RBAC Users Roles permissions objects OBS operations OPS assigment session Users User Assignment Roles Permission Assignment OPS OBS Sessions RBAC 5.1.1. User Role User Role User Role 5.1.2. permission OP OB A B A B object OB permission object object operation OP permission operation operation 7
5.1.3. assignment user permission assignment object opertiaon 5.1.4. session session web session session A A B Sandhu Role-based Access Control RBAC User Role Authorization Session Rights User Group Object 5.2. Core RBAC RBAC Hierarchal RBAC Constrained RBAC Ravi Sandhu RBAC RAV00 Hierarchal RBAC Composite Roles Composite Roles Ua Ra Rb Ua CRa Ra Rb Ua Ra Rb 8
5.3. D1 D2 A B C D21 D 1 D2 D21 2 User 3 C D A D LDAP A A LDAP 9
5.4. Project Manager Team Leader PM TL Hierarchal RBAC Composite Roles Core RBAC permission assignment Core RBAC 5.5. 5.5.1. Hierarchical Roles Project Lead Production Engineer 10
Director Project Lead 1 Project Lead 2 Production Engineer 1 Quality Engineeer 1 Production Engineer 2 Quality Engineer 2 RAV00 Core RBAC Composite Roles 5.5.2. 11
User Assignment User Assignment 5.6. Core RBAC User Assignment Design 5.7. Core RBAC Permission Assignment Task Core RBAC Permission 5.7.1. Core RBAC objects OBS operations OPS 5.7.2. 12
1 A B Task A Task B Task C 2 A Task B F1 F2 B A 3 A Task B E1 A E2 B 1 XPDL 13
2 3 Degine Engine 3 RiseSoft RiseOffice 3 5.7.3. Ua Ra Rb O Rb Ua O Ua O Hierarchal RBAC 6. R.S97 R. K. Thomas R. S. Sandhu Task-based Authorization Controls A Family of Models for Active and Enterprise-oriented Authorization Management ROS96 Roshan Thomas Task-based Authorization: A Research Project in Next-generation Active Security Models for Workflows RAV00 Ravi Sandhu,David F. Ferraiolo, Serban Gavrila, A Proposed Standard for Role-Based Access Control RAV96 Ravi Sandhu,Edward J.Coyne,Hal L.Feinstein,Charles E.Youman Role-Based Access Control Models RAV97 Ravi Sandhu Rationale for the RBAC96 Family of Access Control Models RAV97 Vijayalakshmi Atluri,Wei-Kuang Huang An Authorization Model for Workflows SHE02 Shengli Wu 14
Authorization and Access Control of Application Data in Workflow Systems http://sonata.iscas.ac.cn/wshi/papers/secure_os_overview.pdf http://www.yesky.com/softchannel/72356682675519488/20031031/1740846.shtml Eduardo B. Fernandez Happy UMLChina http://www.uml.org.cn/sjms/sjms52.htm 7. 2003-12-9 R. K. Thomas Task-based Authorization Controls A Family of Models for Active and Enterprise-oriented Authorization Management 2003-12-10 2003-12-11 Subject-Object TBAC SO SO TBAC 2003-12-12 Core RBAC RAV96 RAV97 2003-12-13 2003-12-14 15