
Study On Several Problems Of Authorization Conflict In Access Control

Posted on: 2013-10-01
Degree: Doctor
Type: Dissertation
Country: China
Candidate: C S Li
GTID: 1228330392955396
Subject: Computer system architecture
Abstract/Summary:
Access control is one of the most efficient techniques for information security. With the rapid development of information technologies and the increase of distributed applications, many access control models and mechanisms have been proposed. The essence of these access control schemes, even for different applications, is the same: to authorize the access requestor correctly according to the security criteria of the system. There are two aspects of "correct authorization". First, the access requestor should be authenticated correctly based on credential or identity. Second, an access control system should make policies and regulations to abstract privilege information, and legitimate users should then be granted the least privilege set that suffices for their operating environment.

In actual applications, a correct authorization may fail to be executed because of disturbance or conflict, since the access schemes and rules of an access control system are complex and uncertain. As a result, the access control system cannot provide ideal service even if the resources are available. This dissertation focuses on authorization conflict, and its main work is as follows:

Policy conflict detection and resolution are important issues in the authorization of an access control model. To address the existing problems in policy consistency, a linear method and a matrix method are proposed for building complex policies. Consistency detection and policy conflict elimination under the two schemes are discussed.

In Automated Trust Negotiation, access control policy regulates a user's access to resources so as to protect sensitive information and resources. However, policy inconsistency arises easily when policies are designed, and it leads to unavailable service. Policy inconsistency is studied in detail, and conflicting policies are classified into different types. A 0-1 table is introduced to handle policy conflicts. When the policy inconsistency problem is resolved, the minimal policy sets are also generated.

In a discretionary authorization model, a user can transfer privileges to another subject. However, unlimited authorization transfer may lead to implicit conflicts in access rights. To solve this problem, a new approach for resolving authorization conflicts is proposed. In this approach, an extended access capacity list is presented to carry the authorization information; it can track privilege propagation and limit the depth and scale of authorization. As a result, an authorization conflict can be resolved before it happens, and the authorization can be implemented easily with a few simple functions.

Current authorization models are designed to assign privileges effectively rather than to revoke privileges conveniently. Implicit authorization conflicts can be caused by privilege propagation in multi-step delegation and by incomplete delegation revocation. When no additional constraint is placed on how the delegation topology is created, a revocation algorithm that traverses the propagation path is difficult and complex. A topological structure based on the Euler graph is introduced for the authorization delegation graph. An insertion algorithm is presented to build the Euler delegation graph, and traversal algorithms on the Euler delegation graph are given to perform direct delegation revocation and complete delegation revocation. Consequently, the potential for implicit authorization conflict is reduced.
Keywords/Search Tags: Access Control, Policy Consistency, Conflict Detection, Euler Graph, Delegation Revocation, Automated Trust Negotiation