VRBAC: an Extended RBAC Model for Virtualization Environment and Its Conflict Detection Approach
Although many access control models have been developed and applied in various environments, few of them address the issue of managing information access control in the combined context of virtualization and multiple domains. Aiming at applying RBAC in virtualized and multi-domain scenarios, this paper enhances the authorization ability of RBAC through two concepts: domain and virtual machine. We define a model named VRBAC in which authorized users can migrate or copy virtual machines from one domain to another without causing a conflict. Domain users or groups are allowed to share permissions not only on resources such as shared files but also on virtual machines with others from either the same or a different domain. Three types of conflicts between VRBAC policies are defined and formulated in the form of ontologies, which opens them to description logic reasoning and facilitates the conflict detection procedure. Moreover, to address the practical needs of enterprise management processes, we have applied VRBAC to a widely used virtualization infrastructure: Microsoft Active Directory and the VMware vSphere platform. Experimental results indicate that all policy conflicts can be detected precisely and efficiently. The generated reports offer network administrators the conflict details, including conflict types, positions and causes, which serve as guidance for further conflict resolution.
Keywords: virtualization; RBAC; policy conflict; description logic; colored Petri net
Yang Luo, Chunhe Xia, Liangshuang Lv, Yazhuo Li, Zhao Wei
Key Laboratory of Beijing Network Technology, Beijing, China; School of Computer Science and Engineering, Beihang University, Beijing, China
Domestic conference
Zhangjiajie
English
153-169
2013-07-01 (date first posted online on the Wanfang platform, not the paper's publication date)