[Figure: diagram with the elements User, Role, Permission, Operation, Resource, VM, Domain and Sessions; the relations User Assignment (UA), Permission Assignment (PA), Resource Assignment (RA) and Role Hierarchy (RH); and Domain Constraints, VM Migration Constraints and Segregation of Duties Constraints.]
Fig. 1. Concept model of VRBAC
3.1 New Elements of VRBAC
Since most RBAC implementations have already introduced the domain concept into their systems, it is significant to integrate the domain notion into the RBAC model for multi-level management purposes.
In a virtualized environment, the interoperability between VMs, including VM migration, VM template replication, and so on, can be very complicated. For this reason, the traditional RBAC model is no longer applicable [2]. In order to adapt RBAC to the new virtualized situation, some changes have to be made: (1) support VM authorization in RBAC, and (2) propose an automatic conflict checking and solving method for when a VM motion, replication or resource assignment operation is performed.
The VM concept is actually a sub-concept derived from Resource. It behaves more like a resource container than an individual resource. In the VRBAC model, VM is regarded as one of the most primary concepts from the perspective of information services and resource sharing in the virtualized environment.
3.2 New Relations and Policies of VRBAC
Given the new elements of VRBAC, this section discusses the changes to the relevant relations.
The foundations of VRBAC are the UA and PA relations, defined between its elements in the form:
UA : USERS × ROLES → [0, 1]
PA : ROLES × PRMS → [0, 1]
A UA relation is a mapping relating users to roles, and a PA relation is a mapping relating roles to permissions. From these relations, we can describe the relevant policies as below:
Policy_access = (USERS ROLES) × PRMS
Policy_inherit = (USERS ROLES) × ROLES
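The following is an added example, not code from the original text: it treats UA and PA as 0/1 indicator mappings, adds role inheritance through RH, and derives the resulting user-to-permission access relation with deny-by-default checks. The user, role and VM names, the (operation, resource) shape of a permission, and the senior-to-junior reading of RH are assumptions made for illustration.

```python
from itertools import product

# Constructed sample data (assumptions, not from the source text).
USERS = {"alice", "bob"}
ROLES = {"vm_admin", "vm_operator", "auditor"}
PRMS = {("migrate", "vm1"), ("start", "vm1"), ("read_log", "vm1")}

UA_PAIRS = {("alice", "vm_admin"), ("bob", "auditor")}
PA_PAIRS = {
    ("vm_admin", ("migrate", "vm1")),
    ("vm_operator", ("start", "vm1")),
    ("auditor", ("read_log", "vm1")),
}
RH_PAIRS = {("vm_admin", "vm_operator")}  # (senior, junior), assumed direction


def UA(user, role):
    """UA : USERS x ROLES -> [0, 1], here as a 0/1 indicator."""
    return 1 if (user, role) in UA_PAIRS else 0


def PA(role, prm):
    """PA : ROLES x PRMS -> [0, 1], here as a 0/1 indicator."""
    return 1 if (role, prm) in PA_PAIRS else 0


def inherited_roles(role):
    """The role plus every junior reachable through RH (cycle-safe)."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(j for (s, j) in RH_PAIRS if s == r)
    return seen


def effective_roles(user):
    """Roles held directly through UA plus those inherited through RH."""
    roles = set()
    for r in ROLES:
        if UA(user, r):
            roles |= inherited_roles(r)
    return roles


def policy_access():
    """All (user, permission) pairs granted by composing UA, RH and PA."""
    return {(u, p) for u, p in product(USERS, PRMS)
            if any(PA(r, p) for r in effective_roles(u))}


def check_access(user, operation, resource):
    """Deny by default: unknown users or permissions are never in the set."""
    return (user, (operation, resource)) in policy_access()
```
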