面向政务协同的访问控制模型

摘要: 针对政务协同场景需求复杂多样、人员流动管理困难、数据隐私度高和数据量大的特点，提出面向政务协同办公的访问控制模型(GBAC)。政务协同场景中访问控制需要实现多部门对同一资源进行不同操作的需求。现有主流访问控制技术面临访问控制粒度不够精细和管理维护成本高的问题，缺乏安全、灵活、精准的访问控制。为此，结合我国政务部门运行机制，首先将政府组织结构和行政区划结构融入访问控制模型，构建政务人员、组织、资源和行政区划的归属关系树；其次，结合政务工作人员所属组织和岗位等属性，构建联合主体，实现自动化授予和解除权限；然后，根据组织职能和行政区划等级设计主客体属性匹配策略，打通数据壁垒，提高鉴权效率；最后，引入权限分级思想，为资源设置数据级别和功能级别，控制主体访问阈值，提高模型灵活性，进一步保障数据安全。与基准模型基于角色的访问控制(RBAC)和基于属性的访问控制(ABAC)相比，内存消耗大幅减小，访问时延更低。安全、高效、灵活地实现了政务协同场景下的权限管理.

Abstract: To address challenges faced by government collaborative scenarios, such as diverse requirements, frequent personnel turnover, high data privacy concerns, and large data volumes, Government-Based Access Control (GBAC), tailored for governmental collaborative office work, was proposed. Access control in government collaborative scenarios must accommodate the demand for multiple departments to perform different operations on the same resource. Existing access control technologies face issues of inadequate granularity and high maintenance costs. A secure, flexible, and precise access control model is lacking. Firstly, combining operational mechanisms of government departments in China, GBAC integrated organizational structure of government and administrative divisions into the access control model. It constructed a relationship tree of government staff, organizations, resources, and administrative divisions. Subsequently, combined with attributes of organizations and positions to which the government staff belongs, joint subject was constructed to achieve automated granting and revocation of permissions. Furthermore, based on organizational functions and administrative division levels, a subject-object attribute matching strategy was designed to break through data barriers and improve efficiency of authentication. Finally, by introducing concept of permission hierarchy, data and functional levels were set for resources, which enhances model flexibility and ensures data security. Compared with benchmark models such as Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC), GBAC significantly reduces memory consumption and access latency. The proposed model implements permission management in government collaborative scenarios, effectively and securely.

赵大燕，何华均，李宇平，张钧波，李天瑞，郑宇. 面向政务协同的访问控制模型 [J]. 计算机应用. 2024.