工作流系统中的PRBAC访问控制模型研究

doi:10.3969/j.issn.0255-8297.2020.05.002

摘要/Abstract

摘要： 工作流管理系统（workflow management systems，WFMS）已被企业和政府广泛用于组织的业务流程管理，系统的任务分派一般采用基于角色的访问控制（role-based accesscontrol，RBAC）模型来解决授权控制问题，这为员工的角色或部门变更提供了良好的适应性.然而，随着竞争的加剧和改革的常态化，组织的结构和角色变化日益频繁.另外，一套流程系统实施到不同的组织，也要面对不同的组织结构和角色.RBAC模型导致业务流程定义中的任务授权严重依赖于组织，后者的频繁变化不但会引起授权体系的频繁变化，甚至因影响流程定义而引起执行期的异常.为此，提出了一种基于职位-角色的访问控制（position-role basedaccess control，PRBAC）模型，将角色的粒度细化为组织职位，同时引入业务角色的概念，授权仅针对后者，并通过一个映射层来建立两者的对应关系.证明了PRBAC与RBAC在表达能力上的等价性，并对授权粒度和复杂度进行了分析.通过案例分析，演示了PRBAC模型可以有效提高WFMS应对组织变化的适应性和柔性，实现了组织模型与业务模型的解耦.

关键词: 工作流, PRBAC模型, 组织职位, 业务角色, 授权

Abstract: Workflow management systems (WFMS) has been widely used in organizational business process management of enterprises and government, and role-based access control (RBAC) model is generally adopted in system tasks for solving the problem of authorization control, and performs good adaptability to the changes of employees; roles or departments. However, with the intensification of competition and the normalization of reform, the organization structures and roles are changing more and more frequently, thus a process system implemented to different organizations will face with much more serious variety of organization structures and roles. The RBAC model causes the task authorization in the business process definition to be heavily organization-dependent, thus the frequent changing of organization will require continuous changing of authorization system, or even worse, lead to its abnormal execution due to the improper process definition. For this problem, this paper proposes a position-role based access control (PRBAC) model, which divides the granularity of roles into organization positions, introduces the concept of business roles which are the only authorization objects, and establishes the corresponding relationship through a mapping layer. The equivalence of PRBAC and RBAC in expressivity is proved, and the granularity and complexity of authorization are analyzed. Through case analysis, we demonstrate that PRBAC model can effectively improve the adaptability and flexibility of WFMS in organizational changes, and realize the decoupling of organization model and business model.

Key words: workflow, PRBAC model, organization position, business role, authorization

中图分类号:

P751.1

熊天虹, 余阳, 娄定俊. 工作流系统中的PRBAC访问控制模型研究[J]. 应用科学学报, 2020, 38(5): 672-681.

XIONG Tianhong, YU Yang, LOU Dingjun. Research on PRBAC Access Control Model in Workflow System[J]. Journal of Applied Sciences, 2020, 38(5): 672-681.

参考文献

[1] Aalst W V D, Hee K V. Workflow management:models, methods, and systems[M]. Cambridge:MIT Press, 2004.
[2] 余阳, 王颍, 刘醒梅, 等. 基于社会关系的工作流任务分派策略研究[J]. 软件学报, 2015, 26(3):562-573. Yu Y, Wang Y, Liu X M, et al. Workflow task assignment strategy based on social context[J]. Journal of Software, 2015, 26(3):562-573. (in Chinese)
[3] 郭秦龙, 闻立杰, 金涛, 等. NBAJ:一种基于网络流的工作流资源分配合理性判定方法[J]. 计算机集成制造系统, 2015, 21(2):326-335. Guo Q L, Wen L J, Jin T, et al. NBAJ:workflow resource assignment satisfaction judgment method based on network-flow[J]. Computer Integrated Manufacturing Systems, 2015, 21(2):326-335. (in Chinese)
[4] 熊厚仁, 陈性元, 张斌, 等. 基于RBAC的授权管理安全准则分析与研究[J]. 计算机科学, 2015, 42(3):117-123. Xiong H R, Chen X Y, Zhang B, et al. Security principles for RBAC-based authorization management[J]. Computer Science, 2015, 42(3):117-123. (in Chinese)
[5] Mitra B, Sural S, Vaidya J, et al. A survey of role mining[J]. ACM Computing Surveys, 2016, 48(4):1-37.
[6] 熊厚仁, 陈性元, 费晓飞, 等. 基于属性和RBAC的混合扩展访问控制模型[J]. 计算机应用研究, 2016, 33(7):2162-2169. Xiong H R, Chen X Y, Fei X F, et al. Attribute and RBAC-based hybrid access control model[J]. Application Research of Computers, 2016, 33(7):2162-2169. (in Chinese)
[7] 于会松, 孟照旭, 黄华晔, 等. 基于映射的角色访问控制模型的设计与实现[J]. 计算机仿真, 2016, 33(4):292-295. Yu H S, Meng Z X, Huang H Y, et al. Design and implementation of mapping-based role access control model[J]. Computer Simulation, 2016, 33(4):292-295. (in Chinese)
[8] Zhu H, Zhang W, Wang Y, et al. A role-permission assignment method of RBAC involved conflicting constraints under E-CARGO[J]. International Journal of Cognitive Informatics & Natural Intelligence, 2015, 9(4):49-64.
[9] 王于丁, 杨家海, 徐聪, 等. 云计算访问控制技术研究综述[J]. 软件学报, 2015, 26(5):1129-1150. Wang Y D, Yang J H, Xu C, et al. Survey on access control technologies for cloud computing[J]. Journal of Software, 2015, 26(5):1129-1150. (in Chinese)
[10] Albrecht-Buehler C. Task-based access control in a virtualization environment:US8595824[P]. 2011-08-09
[11] Liu M, Wang X. Safeness discussions on TRBAC and GTRBAC model and an improved temporal role-based access control model[J]. International Journal of Security & Its Applications, 2015, 9(8):23-34.
[12] Hu V, Ferraiolo D, Kuhn R, et al. Guide to attribute based access control (ABAC) definition and considerations[J]. ITLB, 2013, 12(1):162-174.
[13] 黄毅, 李肯立. 一种面向云计算的任务-角色访问控制模型[J]. 计算机应用研究, 2013, 30(12):3735-3737. Huang Y, Li K L. Model of cloud computing oriented T-RBAC[J]. Application Research of Computers, 2013, 30(12):3735-3737. (in Chinese)
[14] Qi H, Luo X, Di X, et al. Access control model based on role and attribute and its implementation[C]//International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery. IEEE, 2016:66-71.
[15] 蔡婷, 聂清彬, 欧阳凯, 等. 基于角色扩展的RBAC模型[J]. 计算机应用研究, 2016, 33(3):882-885. Cai T, Nie Q B, Ouyang K, et al. Role-extended-based RBAC model[J]. Application Research of Computers, 2016, 33(3):882-885. (in Chinese)
[16] 熊厚仁, 陈性元, 张斌, 等. 基于双层角色和组织的可扩展访问控制模型[J]. 电子与信息学报, 2015, 37(7):1612-1619. Xiong H R, Chen X Y, Zhang B, et al. Scalable access control model based on double-tier role and organization[J]. Journal of Electronics & Information Technology, 2015, 37(7):1612-1619. (in Chinese)
[17] 周炜. 具有时空约束的TRBAC模型在OA中的应用[J]. 网络安全技术与应用, 2014, 32(8):116-117. Zhou W. Application of TRBAC model with temporal and spatial constraints in OA[J]. Net Security Technologies and Application, 2014, 32(8):116-117. (in Chinese)
[18] 李金艳, 余忠华. 面向协作的柔性工作流访问控制机制[J]. 计算机集成制造系统, 2017, 23(6):1234-1242. Li J Y, Yu Z H. Access control mechanism of cooperation-oriented flexible workflow[J]. Computer Integrated Manufacturing Systems, 2017, 23(6):1234-1242. (in Chinese)
[19] 闫春钢, 蒋昌俊, 丁志军, 等. 工作流网系统合理性的语言特性[J]. 应用科学学报, 2011, 29(1):61-65. Yan C G, Jiang C J, Ding Z J, et al. Language properties for rationality of workflow net system[J]. Journal of Applied Sciences, 2011, 29(1):61-65. (in Chinese)
[20] Bhuyan F A, Lu S, R. Reynolds, et al. A security framework for scientific workflow provenance access control policies[J]. IEEE Transactions on Services Computing, 2019, 16(6):11-26.
[21] Ghazal R, Qadeer N, Malik A K, et al. Intelligent agent-based RBAC model to support cyber security alliance among multiple organizations in global IT systems[C]//17th International Conference on Information Technology New Generations. Springer, Cham, 2020:87-93.
[22] Siegel J. OMG overview:CORBA and the OMA in enterprise computing[J]. Communications of the ACM, 1998, 41(10):37-43.
[23] Aalst W V D, Adams M, Russell N. Modern business process automation:YAWL and its support environment[M]. Berlin:Springer, 2010.