欢迎来到麦多课文档分享! | 帮助中心 海量文档,免费浏览,给你所需,享你所想!
麦多课文档分享
全部分类
  • 标准规范>
  • 教学课件>
  • 考试资料>
  • 办公文档>
  • 学术论文>
  • 行业资料>
  • 易语言源码>
  • ImageVerifierCode 换一换
    首页 麦多课文档分享 > 资源分类 > PDF文档下载
    分享到微信 分享到微博 分享到QQ空间

    ANSI INCITS 526-2016 Information Technology C Next Generation Access Control C Generic Operations and Data Structures (NGAC-GOADS)《信息技术 下一代访问控制通用操作和数据结构(NGAC-GOADS)》.pdf

    • 资源ID:435832       资源大小:766.84KB        全文页数:64页
    • 资源格式: PDF        下载积分:10000积分
    快捷下载 游客一键下载
    账号登录下载
    微信登录下载
    二维码
    微信扫一扫登录
    下载资源需要10000积分(如需开发票,请勿充值!)
    邮箱/手机:
    温馨提示:
    如需开发票,请勿充值!快捷下载时,用户名和密码都是您填写的邮箱或者手机号,方便查询和重复下载(系统自动生成)。
    如需开发票,请勿充值!如填写123,账号就是123,密码也是123。
    支付方式: 支付宝扫码支付    微信扫码支付   
    验证码:   换一换

    加入VIP,交流精品资源
     
    账号:
    密码:
    验证码:   换一换
      忘记密码?
        
    友情提示
    2、PDF文件下载后,可能会被浏览器默认打开,此种情况可以点击浏览器菜单,保存网页到桌面,就可以正常下载了。
    3、本站不支持迅雷下载,请使用电脑自带的IE浏览器,或者360浏览器、谷歌浏览器下载即可。
    4、本站资源下载后的文档和图纸-无水印,预览文档经过压缩,下载后原文更清晰。
    5、试题试卷类文档,如果标题没有明确说明有答案则都视为没有答案,请知晓。

    ANSI INCITS 526-2016 Information Technology C Next Generation Access Control C Generic Operations and Data Structures (NGAC-GOADS)《信息技术 下一代访问控制通用操作和数据结构(NGAC-GOADS)》.pdf

    1、American National StandardDeveloped byfor Information Technology Next Generation Access Control Generic Operations andData Structures(NGAC-GOADS)INCITS 526-2016INCITS 526-2016INCITS 526-2016American National Standardfor Information Technology Next Generation Access Control Generic Operations andData

    2、 Structures (NGAC-GOADS)SecretariatInformation Technology Industry CouncilApproved February 17, 2016American National Standards Institute, Inc.AbstractNext Generation Access Control (NGAC) is a fundamental reworking of traditional access control to meetthe needs of the modern, distributed, interconn

    3、ected enterprise. NGAC policy follows an attribute-basedconstruction in which authorization to resources is defined in terms of attributes associated with users, ap-plications, resources, and other system entities. This standard, NGAC-GOADS contains a detailed math-ematical description of the defini

    4、tions and abstractions defined in the NGAC-FA standard, INCITS 499-2013. It details a fixed set of configurable data relations and a fixed set of functions that are capable ofexpressing and specifying a wide range of different types of access control policies of a wide range of com-plexities. Approv

    5、al of an American National Standard requires review by ANSI that therequirements for due process, consensus, and other criteria for approval havebeen met by the standards developer.Consensus is established when, in the judgement of the ANSI Board ofStandards Review, substantial agreement has been re

    6、ached by directly andmaterially affected interests. Substantial agreement means much more thana simple majority, but not necessarily unanimity. Consensus requires that allviews and objections be considered, and that a concerted effort be madetowards their resolution.The use of American National Stan

    7、dards is completely voluntary; theirexistence does not in any respect preclude anyone, whether he has approvedthe standards or not, from manufacturing, marketing, purchasing, or usingproducts, processes, or procedures not conforming to the standards.The American National Standards Institute does not

    8、 develop standards andwill in no circumstances give an interpretation of any American NationalStandard. Moreover, no person shall have the right or authority to issue aninterpretation of an American National Standard in the name of the AmericanNational Standards Institute. Requests for interpretatio

    9、ns should beaddressed to the secretariat or sponsor whose name appears on the titlepage of this standard.CAUTION NOTICE: This American National Standard may be revised orwithdrawn at any time. The procedures of the American National StandardsInstitute require that action be taken periodically to rea

    10、ffirm, revise, orwithdraw this standard. Purchasers of American National Standards mayreceive current information on all standards by calling or writing the AmericanNational Standards Institute.American National StandardPublished byAmerican National Standards Institute, Inc.25 West 43rd Street, New

    11、York, NY 10036Copyright 2016 by Information Technology Industry Council (ITI)All rights reserved.No part of this publication may be reproduced in anyform, in an electronic retrieval system or otherwise,without prior written permission of ITI, 1101 K Street NW, Suite 610, Washington, DC 20005. Printe

    12、d in the United States of AmericaCAUTION: The developers of this standard have requested that holders of patents that may berequired for the implementation of the standard disclose such patents to the publisher. However,neither the developers nor the publisher have undertaken a patent search in orde

    13、r to identifywhich, if any, patents may apply to this standard. As of the date of publication of this standardand following calls for the identification of patents that may be required for the implementation ofthe standard, no such claims have been made. No further patent search is conducted by the

    14、de-veloper or publisher in respect to any standard it processes. No representation is made or impliedthat licenses are not required to avoid infringement in the use of this standard.i Table of Contents Page Foreword . iv Introduction . x 1 Scope . 1 2 Normative References . 2 3 Definitions, Symbols,

    15、 Abbreviations, and Conventions 3 3.1 Definitions . 3 3.2 Symbols and abbreviations 3 3.3 Keywords 4 3.4 Conventions . 4 4 Abstract Data Structures . 5 4.1 Overview 5 4.2 Basic elements . 5 4.2.1 Background 5 4.2.2 Users 5 4.2.3 Processes . 5 4.2.4 Objects . 5 4.2.5 Operations 6 4.2.6 Access rights

    16、6 4.3 Containers 6 4.3.1 Background 6 4.3.2 User attributes 6 4.3.3 Object attributes . 6 4.3.4 Policy classes . 6 4.4 Relations 7 4.4.1 Background 7 4.4.2 Assignment . 7 4.4.3 Association . 8 4.4.4 Prohibition 9 4.4.5 Obligation . 13 4.5 Access authorization 13 5 Administrative Commands 16 5.1 Over

    17、view 16 5.2 Semantic definitions . 16 5.2.1 Element creation 19 5.2.2 Element deletion . 20 5.2.3 Entity creation . 22 5.2.4 Entity deletion . 24 5.2.5 Relation formation 26 5.2.6 Relation rescindment 28 Annex A (Informative) Pattern and Response Grammars 31 A.1 Overview 31 A.2 Event pattern grammar

    18、. 32 A.2.1 Base specification 32 A.2.2 User specification . 32 A.2.3 Policy class specification 32 A.2.4 Operation specification . 33 A.2.5 Policy element specification . 33 ii A.3 Event response grammar . 33 A.3.1 Base Specification 33 A.3.2 Create action specification . 34 A.3.3 Assign action spec

    19、ification . 34 A.3.4 Grant action specification . 35 A.3.5 Deny action specification 35 A.3.6 Delete action specification 36 A.4 Grammar considerations 36 Annex B (Informative) Mappings of Existing Access Control Schemes . 38 B.1 Overview 38 B.2 Chinese wall . 38 B.2.1 Background 38 B.2.2 Mapping co

    20、nsiderations 39 B.2.3 Example mapping . 40 B.3 Role-based access control . 42 B.3.1 Background 42 B.3.2 Mapping considerations 42 B.3.3 Example mapping . 44 B.4 Bibliography 48 Annex C (Normative) Summary of Notation . 49 iii List of Figures Figure Page Figure 1: NGAC Access Decision Function 15 Fig

    21、ure B.1: Example Chinese Wall Policy 40 Figure B.2: RBAC Policy Configuration 44 Figure B.3: Roles and Role Hierarchy Representation 45 Figure B.4: Permission Assignment Representation . 46 Figure B.5: User Assignment Representation . 46 Figure B.6: Complete GOADS Policy Representation . 48 ivForewo

    22、rd(This foreword is not part of American National Standard INCITS 526-2016.)Technical Committee CS1 of Accredited Standards Committee INCITS developedthis standard during 2012-2013. The standards approval process started in 2014. Next Generation Access Control (NGAC) is a fundamental reworking of tr

    23、aditionalaccess control into a form suited to the needs of the modern, distributed, intercon-nected enterprise. Access control is both an administrative and an automated process of defining andrestricting which users and their processes can perform which operations on whichsystem resources. The info

    24、rmation that provides the basis by which access requestsare granted or denied is known as a security policy. A security model is a formal rep-resentation of a security policy and its working. A wide variety of policy types andsupporting security models have been created to address different situatio

    25、ns. Exam-ples of well-known policies are Discretionary Access Control (DAC), Mandatory Ac-cess Control (MAC), Role Based Access Control (RBAC) and Chinese Wall.NGAC diverges from traditional approaches to access control in defining a genericarchitecture that is separate from any particular policy or

    26、 type of policy. NGAC is notan extension of, or adaption of, any existing access control mechanism, but insteadis a redefinition of access control in terms of a fundamental and reusable set of dataabstractions and functions. NGAC provides a unifying framework capable without ex-tension of supporting

    27、 not only current access control approaches, but also noveltypes of policy that have been conceived but never implemented due to the lack of asuitable enforcement mechanism.NGAC accommodates combinations of different policies merely by changes to itscontrol information, and thus it is possible to ha

    28、ve several types of policies supportedconcurrently in a manner that is both deterministic and manageable. NGAC is alsosuitable for applications in which some information is stored locally and some isstored in a grid or cloud, since different policies can be asserted in each context.Even more general

    29、ly, NGAC supports a situation where policy determined by a cen-tral organization is able to operate concurrently with a local, specific and more ad hocpolicy.Through its support of access control policies, NGAC is also able to protect data ser-vices, such as e-mail, workflow, records management etc.

    30、 Support for data servicesis effected through the use of NGAC access control information to mediate data ser-vice operations.The family of NGAC standards specifies the architecture, functions, operations, andinterfaces necessary to ensure interoperability between conforming NGAC imple-mentations. Th

    31、is standard, NGAC-GOADS, defines in detail the generic operationsand data structures of NGAC, which were previously outlined in the NGAC-FA stan-dard.This standard contains the following items:a) detailed specifications of the abstract data structures needed to support thedefinitions in NGAC-FA;b) a

    32、 detailed description of how the abstract structures in (a) above are used torepresent an access control policy and form access decisions;c) detailed descriptions of the generic commands needed to support the admin-istration access information flows in NGAC-FA, in terms of the descriptionsin (b) abo

    33、ve;vd) an informative annex containing an example of using formal grammars tospecify the pattern and response components of an obligation; e) an informative annex containing examples of representing common accesscontrol methods in terms of (a), (b), (c), and (d) above; andf) a normative annex summar

    34、izing the mathematical notation used in this stan-dard.Users of this standard are encouraged to determine if there are standards in develop-ment or new versions of this standard that may extend or clarify technical informationcontained in this standard.This standard contains three annexes. Annexes A

    35、 and B are informative and are notconsidered part of this standard. Annex C is normative and is considered part of thisstandard.Requests for interpretation, suggestions for improvement or addenda, or defect re-ports are welcome. They should be sent to InterNational Committee for InformationTechnolog

    36、y Standards (INCITS), ITI, 1101 K Street, NW, Suite 610, Washington, DC20005.This standard was processed and approved for submittal to ANSI by INCITS. Com-mittee approval of this standard does not necessarily imply that all committee mem-bers voted for its approval. At the time it approved this stan

    37、dard, INCITS had thefollowing members:Philip Wennblom, ChairJennifer Garner, SecretaryOrganization Represented Name of RepresentativeAdobe Systems, Inc. .Scott FosheeSteve Zilles (Alt.)AIM Global, Inc. Steve HallidayMary Lou Bosco (Alt.)Chuck Evanhoe (Alt.)Dan Kimball (Alt.)Apple.Helene WorkmanMarc

    38、Braner (Alt.)David Singer (Alt.)Distributed Management Task Force (DMTF) John Crandall Jeff Hilland (Alt.)Lawrence Lamars (Alt.)EMC Corporation .Gary Robinson Stephen Diamond (Alt.)Farance, Inc. .Frank Farance Timothy Schoechle (Alt.)Futurewei Technologies, Inc. Yi ZhaoTimothy Jeffries (Alt.)Wilbert

    39、 Adams (Alt.)GS1GO .Frank SharkeyCharles Biss (Alt.)Hewlett-Packard Company Karen Higginbottom Paul Jeran (Alt.)IBM Corporation .Steve HolbrookAlexander Tarpinian (Alt.)IEEEJodie HaaszChristy Bahn (Alt.)Justin Casto (Alt.)Noelle Humenick (Alt.)Don Wright (Alt.)viOrganization Represented Name of Repr

    40、esentativeIntel Philip Wennblom Grace Wei (Alt.)Stephen Balogh (Alt.)Microsoft Corporation . Laura Lindsay John Calhoon (Alt.)National Institute of Standards approved international and regional standards (ISO and IEC); and approved foreign standards (including JIS and DIN). For further information,

    41、contact the ANSI Customer Service Department: Phone: +1 212-642-4900 Fax: +1 212-302-1286 Web: http:/www.ansi.org E-mail: ansionlineansi.org or the InterNational Committee for Information Technology Standards (INCITS): Phone 202-626-5738 Web: http:/www.incits.org E-mail: incitsitic.org NGAC-FA: INCI

    42、TS 499-2013, American National Standard for Information Technology Next Generation Access Control - Functional Architecture (NGAC-FA) ZNOT: ISO/IEC 13568:2002, Information technology Z formal specification notation Syntax, type system and semantics INCITS 526-2016 3 3 Definitions, Symbols, Abbreviat

    43、ions, and Conventions 3.1 Definitions For the purposes of this document, the terms and definitions in NGAC-FA apply, as do the following terms and definitions. Access right: A property that needs to be held by a user to perform operations on information persisted in the PIP and on object resources.

    44、Access decision: The result of evaluating an access request with respect to authorizations defined with a configured NGAC policy. Access right set: A subset of all access rights, whose members are related for the purposes of access control. Authorization state: The basic elements and containers, tog

    45、ether with the relations that define the prevailing access rights between these entities. Policy elements: The users, user attributes, object attributes and policy classes associated with a particular access control policy. Policy element diagram: The directed graph representing all policy elements

    46、and the assignment relation over them. Referent: A policy element used in NGAC relations as a designator for not only itself, but also for the section of the policy element diagram whose members are contained by the policy element. 3.2 Symbols and abbreviations Symbol /Abbreviation Meaning (see NGAC

    47、-FA forfurtherinformation) ACE Access Control Entry API Application Programming Interface BNF Backus-Naur Form DAC Discretionary Access Control DSD Dynamic Separation of Duty EPP Event Processing Point MAC Mandatory Access Control NGAC Next Generation Access Control PAP Policy Administration Point P

    48、DP Policy Decision Point PEP Policy Enforcement Point PIP Policy Information Point RBAC Role-Based Access Control SOD Separation of Duty SSD Static Separation of Duty INCITS 526-2016 4 3.3 Keywords Invalid: A keyword used to describe an illegal or unsupported bit, byte, word, field or code value. Re

    49、ceipt of an invalid bit, byte, word, field or code value shall be reported as an error. Mandatory: A keyword indicating an item that is required to be implemented as defined in this standard to claim compliance with this standard. May: A keyword that indicates flexibility of choice with no implied preference. Optional: A keyword that describes features that are not required to be implemented by this standard. However, if any optional feature defined by this standard is implemented, it shall be implemented as defined in this standard. Reserved: A keyword referring to bits,


    注意事项

    本文(ANSI INCITS 526-2016 Information Technology C Next Generation Access Control C Generic Operations and Data Structures (NGAC-GOADS)《信息技术 下一代访问控制通用操作和数据结构(NGAC-GOADS)》.pdf)为本站会员(花仙子)主动上传,麦多课文档分享仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知麦多课文档分享(点击联系客服),我们立即给予删除!




    关于我们 - 网站声明 - 网站地图 - 资源地图 - 友情链接 - 网站客服 - 联系我们

    copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
    备案/许可证编号:苏ICP备17064731号-1 

    收起
    展开