Static Separation Of Duty (SSOD) is an important principle of information system security. In Role-Based Access Control (RBAC), it is difficult to enforce 2-n SSOD policy directly based on 2-2 Static Mutually Exclusive Role (SMER) constraints. In this paper, the necessary and sufficient conditions of realizing 2-n SSOD policy based on 2-2 SMER constraints were proposed and proved. The sufficient condition proposed was less restrictive than the existing research and allowed more flexible privilege assignment. By the operation rules of authorization management, the sufficient condition was kept and the satisfaction of2-n SSOD policy during the dynamic change of application environment could be maintained. The application example shows that the method is correct and effective.%静态职责分离(SSOD)是保证计算机安全的重要策略.在基于角色的权限控制(RBAC)中直接基于互斥角色约束(2-2 SMER)实现最简单的SSOD策略(2-n SSOD)是困难的.通过对互斥角色的权限分配进行约束,研究并证明了基于2-2SMER实现2-n SSOD策略的充分条件,此充分条件和现有研究相比具有更弱的约束力,支持更灵活的权限分配.进一步给出了实现2-nSSOD策略的授权管理操作规则,以确保权限的动态管理始终满足此充分条件,维持系统对2-n SSOD策略的满足状态.最后,通过应用实例说明了实现2-n SSOD策略方法的有效性和可行性.
展开▼
