GM/T 0032-2014 PDF English
GM/T 0032-2014 (English PDF): Specifications for role based privilege management and access control. Price: USD 160. Status: Valid.
PDF Preview: GM/T 0032-2014
GM
CRYPTOGRAPHY INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
File No.: 44633-2014
Specifications for role based
privilege management and access control
ISSUED ON: FEBRUARY 13, 2014
IMPLEMENTED ON: FEBRUARY 13, 2014
Issued by: State Cryptography Administration
Table of Contents
Foreword ... 3
1 Scope ... 4
2 Normative references ... 4
3 Terms and definitions ... 4
4 Abbreviations ... 6
5 Privilege and access control framework ... 6
5.1 Location of privilege and access control in the public key cryptography infrastructure application technology framework ... 6
5.2 General of privilege and access control framework ... 6
5.4 Access control enforcement function (AEF) ... 8
5.5 Access control decision function (ADF) ... 8
6 Access control policy description language ... 11
6.1 Model ... 11
6.2 Syntax ... 14
7 Privilege policy description language ... 18
7.1 Model ... 18
7.2 Privilege policy description language syntax ... 19
8 Access control protocol ... 23
8.1 General ... 23
8.2 Access control request message ... 24
8.3 Access control response message ... 28
9 Requirements for application systems ... 31
9.1 AEF implementation ... 31
9.2 Expression of roles ... 31
9.3 Privilege process ... 32
9.4 Description of access control policy ... 32
9.5 Identity identification ... 32
Annex A (normative) Definition and description of access control decision status code ... 33
Bibliography ... 34
Foreword
This Standard was drafted in accordance with the rules given in GB/T 1.1-2009.
Attention is drawn to the possibility that some of the elements of this document
may be the subject of patent rights. The issuing authority shall not be held
responsible for identifying any or all such patent rights.
This Standard was proposed by and shall be under the jurisdiction of Code
Industry Standardization Technical Committee.
Drafting organizations of this Standard: Changchun Jida Zhengyuan
Information Technology Co., Ltd., Wuxi Jiangnan Information Security
Engineering Technology Center, Chengdu Westone Information Industry Co.,
Ltd., Shandong De’an Information Technology Co., Ltd., Shanghai Koal
Software Co., Ltd., Beijing Digital Certificate Certification Center Co., Ltd.,
Shanghai Digital Certificate Certification Center Co., Ltd., Wanda Information
Co., Ltd., Xingtang Communication Technology Co., Ltd.
Drafters of this Standard: Liu Ping, Li Weiping, Zhao Lili, He Changlong, Xu
Qiang, Li Yuanzheng, Gao Zhiquan, Tan Wuzheng, Li Shusheng, Cui Jiuqiang,
Zhou Dong, Wang Nina.
Specifications for role based
privilege management and access control
1 Scope
This Standard specifies the role-based privilege and access control framework
structure and the logical relationship between the various components within
the framework, defines the functions, operating procedures and operating
protocols of each component, and defines the uniform format of access control
policy description language and privilege policy description language, and the
standard interface for access control protocols.
This Standard is applicable to the development of role-based privilege and
access control systems under the public key cryptography technology system,
and may guide the detection of such systems and the development of related
applications.
2 Normative references
The following referenced documents are indispensable for the application of
this document. For dated references, only the dated edition cited applies. For
undated references, the latest edition of the referenced document (including all
amendments) applies.
GB/T 20519 Information security technology - Public key infrastructures -
Privilege Management Center technical specification
GM/T 0019 Universal cryptography service interface specification
3 Terms and definitions
For the purpose of this document, the following terms and definitions apply.
3.1
access control decision
Evaluation result of the access control decision function to the access request.
3.2
access control decision function
Component responsible for making the decision on the access request.
3.3
access control enforcement function
Component that performs the access control policy function.
3.4
access control policy
Binding relationship, determined by the application, between roles and
resources.
3.5
access control policy certificate
Attribute certificate that carries the application access control policy.
3.6
contextual information
Environmental information related to the access decision result when the
request is happening.
3.7
privilege management
Management of the distribution relationship between subjects and roles.
3.8
privilege information
Information that identifies the distribution relationship between subjects and
roles.
3.9
privilege certificate
Attribute certificate that carries the privilege information.
to complete the binding of subjects and roles, roles and resources, such as
using privilege certificates and access control policy certificates. When using
the attribute certificate to carry the binding relationship, the system shall follow
the requirements of GB/T 20519.
5.4 Access control enforcement function (AEF)
The AEF receives the access request, encapsulates the access request
according to the access control protocol and controls the access to the resource
based on the decision result.
When the decision result is “permit”, the AEF authorizes the initiator's access
to the resource; if the decision result is “deny”, the AEF shall block the initiator's
access to the resource.
The AEF may be used in shared or non-shared mode. In shared mode,
multiple applications use one AEF; in non-shared mode, each application
uses its own AEF.
5.5 Access control decision function (ADF)
The ADF makes the decision on the access request based on the privilege
information, the access control policy and other information.
The input of the ADF includes the access request, the privilege information, the
access control policy and the ADF retention information. The output of the ADF
is the access control decision result.
The ADF decision result includes “permit” and “deny”. “Permit” means that the
access request meets the resource's access control policy constraints; “deny”
means that the access request does not meet the access control policy
constraints.
The input and output information of the ADF is shown in Figure 3.
1) Initiator identity.
The initiator identity is one of three types:
- simple string;
- signature certificate serial number + signature certificate issuer subject;
- signature public key.
2) Resource information.
The resource information is the resource identity string carried in the
access request.
3) Contextual information.
The contextual information is the information related to the access request
that identifies the environment characteristics of the request. The ADF may
need this information when making access decisions. It consists of:
- time: the time when the access request is initiated;
- location: the source address from which the access request is initiated;
- type of initiator identity;
- custom information: information defined by the application that
participates in the access decision.
4) Role identity.
The role identity is the role information that the subject shall use to access
resources in the current scenario when an access occurs.
See Clause 8 for detailed access request formats.
5.5.2 Privilege information
The privilege information in the role-based privilege and access control model
refers to the binding relationship between subjects and roles.
See Clause 7 for a detailed description of privilege information.
The privilege information of the initiator may be carried by using the privilege
certificate, or may be carried by other methods, but the authenticity and integrity
of the privilege information shall be ensured.
see the definition of access request carrying protocol. For example, the HTTP
protocol defines the GET, POST and other actions.
6.1.2 Rules
The rule is the criterion for controlling access to the resource and has four
elements: roles, resources, actions and conditions, of which conditions are
optional. The evaluation result may be “permit” or “deny”. Multiple rule
evaluation results for the same resource shall be combined into a single
evaluation result using the merge algorithm.
The ADF selects appropriate rules based on the role of the access request
initiator and resources, actions and related environmental factors of the request.
For unconditional rules, the access request initiator may perform corresponding
actions on the resource as long as it is the role specified in rules. For conditional
rules, the access request initiator shall be the role specified in rules and meet
the requirements of the conditions before performing corresponding actions on
the resource.
For conditional rules, the evaluation result of rules depends on the evaluation
result of conditions. The ADF evaluates each condition and combines multiple
condition evaluation results into a logical expression through the logical
combination algorithm, which finally forms the evaluation result for all conditions.
6.1.3 Conditions
The condition is the contextual restriction (such as the time limit of actions) that
shall be satisfied when performing the specified action on the resource. The
evaluation result is TRUE or FALSE.
The condition is a relational expression over one of four kinds of
contextual information: time, location, initiator identity type and custom
information. Multiple conditions may be connected by logical operators
to form a logical expression...
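The ADF inputs and outputs of 5.5, the rule elements of 6.1.2 and the condition expressions of 6.1.3 can be put together in a small policy engine. The following is an added illustration, not code from the standard or from chinesestandard.net. The excerpt above does not specify the merge algorithm, the default when no rule matches, or how a failed condition affects a rule, so this example assumes deny-overrides merging, default deny, and that a rule whose condition is false is simply not applicable; the request layout, the sample policy and the sample requests are all constructed here.

```python
"""Illustrative role-based ADF/AEF (added example; not the standard's own code).

Assumptions not fixed by the excerpt: deny-overrides merge algorithm,
default deny when no rule matches, and a rule with a false condition
contributes no result. Policy, names and sample requests are constructed.
"""
from dataclasses import dataclass, field
from datetime import time as TimeOfDay
from ipaddress import ip_address, ip_network
from typing import Callable, Optional


@dataclass
class Context:
    """Contextual information carried with the request (clause 5.5, item 3)."""
    time: TimeOfDay            # time the request was initiated
    location: str              # source address of the request
    identity_type: str         # "string", "cert_serial_issuer" or "public_key"
    custom: dict = field(default_factory=dict)  # application-defined values


@dataclass
class AccessRequest:
    initiator: str             # initiator identity (one of the three types)
    resource: str              # resource identity string
    action: str                # action of the carrying protocol, e.g. HTTP "GET"
    role: str                  # role the subject uses for this access
    context: Context


# A condition is a relational expression evaluated to True/False (clause 6.1.3).
Condition = Callable[[Context], bool]


def time_between(start: TimeOfDay, end: TimeOfDay) -> Condition:
    return lambda ctx: start <= ctx.time <= end


def location_in(cidr: str) -> Condition:
    net = ip_network(cidr)
    return lambda ctx: ip_address(ctx.location) in net


def identity_type_is(kind: str) -> Condition:
    return lambda ctx: ctx.identity_type == kind


def custom_equals(key: str, value) -> Condition:
    return lambda ctx: ctx.custom.get(key) == value


# Logical operators that combine conditions into a logical expression.
def all_of(*conds: Condition) -> Condition:
    return lambda ctx: all(c(ctx) for c in conds)


def any_of(*conds: Condition) -> Condition:
    return lambda ctx: any(c(ctx) for c in conds)


def negate(cond: Condition) -> Condition:
    return lambda ctx: not cond(ctx)


@dataclass
class Rule:
    """Rule with the four elements of clause 6.1.2; condition is optional."""
    roles: set
    resources: set
    actions: set
    effect: str                              # "permit" or "deny"
    condition: Optional[Condition] = None    # None means unconditional rule

    def evaluate(self, req: AccessRequest) -> Optional[str]:
        """Effect if the rule matches the request and its condition holds, else None."""
        if not (req.role in self.roles and req.resource in self.resources
                and req.action in self.actions):
            return None
        if self.condition is not None and not self.condition(req.context):
            return None                      # assumption: rule not applicable
        return self.effect


def adf_decide(policy: list, req: AccessRequest) -> str:
    """ADF: evaluate every rule and merge the results into one decision.
    Merge algorithm assumed here: deny-overrides; no matching rule -> deny."""
    results = [r for r in (rule.evaluate(req) for rule in policy) if r is not None]
    if "deny" in results:
        return "deny"
    return "permit" if "permit" in results else "deny"


def aef_enforce(policy: list, req: AccessRequest,
                handler: Callable[[AccessRequest], str]) -> str:
    """AEF: invoke the resource handler only when the ADF says 'permit'."""
    if adf_decide(policy, req) == "permit":
        return handler(req)
    return "403 blocked by AEF"


# Constructed sample policy for a single resource, the audit log.
OFFICE_NET = "10.0.0.0/8"
POLICY = [
    # Auditors may read the log only during office hours from the office network.
    Rule({"auditor"}, {"/audit/log"}, {"GET"}, "permit",
         all_of(time_between(TimeOfDay(9, 0), TimeOfDay(18, 0)), location_in(OFFICE_NET))),
    # Administrators may read and write the log unconditionally.
    Rule({"admin"}, {"/audit/log"}, {"GET", "POST"}, "permit"),
    # Writes from outside the office network are denied for everyone.
    Rule({"admin", "auditor"}, {"/audit/log"}, {"POST"}, "deny",
         negate(location_in(OFFICE_NET))),
]


def sample_request(role: str, action: str, when: TimeOfDay, src: str) -> AccessRequest:
    """Build a constructed request from initiator 'alice' (simple-string identity)."""
    return AccessRequest("alice", "/audit/log", action, role, Context(when, src, "string"))


if __name__ == "__main__":
    req = sample_request("admin", "POST", TimeOfDay(10, 0), "203.0.113.5")
    print(aef_enforce(POLICY, req, lambda r: "200 ok"))   # deny-overrides blocks it
```

With deny-overrides, the third rule wins over the unconditional administrator permit for a write coming from outside the office network; an auditor's read at 20:00 yields "deny" only because no rule applies and the default is deny, which is why the default and the merge algorithm must be fixed by the policy language rather than left to the implementation.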
Source: Above contents are excerpted from the PDF, translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.