Skip to product information
1 of 10

PayPal, credit cards. Download editable-PDF and invoice in 1 second!

GM/T 0032-2014 English PDF (GMT0032-2014)

GM/T 0032-2014 English PDF (GMT0032-2014)

Regular price $155.00 USD
Regular price Sale price $155.00 USD
Sale Sold out
Shipping calculated at checkout.
Quotation: In 1-minute, 24-hr self-service. Click here GM/T 0032-2014 to get it for Purchase Approval, Bank TT...

GM/T 0032-2014: Specifications for role based privilege management and access control

This Standard specifies the role-based privilege and access control framework structure and the logical relationship between the various components within the framework, defines the functions, operating procedures and operating protocols of each component, and defines the uniform format of access control policy description language and privilege policy description language, and the standard interface for access control protocols.
GM/T 0032-2014
GM
CRYPTOGRAPHY INDUSTRY STANDARD
OF THE PEOPLE REPUBLIC OF CHINA
ICS 35.040
L 80
File No.. 44633-2014
Specifications for role based
privilege management and access control
ISSUED ON. FEBRUARY 13, 2014
IMPLEMENTED ON. FEBRUARY 13, 2014
Issued by. State Cryptography Administration
Table of Contents
Foreword . 3
1 Scope .. 4
2 Normative references .. 4
3 Terms and definitions .. 4
4 Abbreviations .. 6
5 Privilege and access control framework .. 6
5.1 Location of privilege and access control in the public key cryptography infrastructure application technology framework . 6
5.2 General of privilege and access control framework . 6
5.4 Access control enforcement function (AEF) .. 8
5.5 Access control decision function (ADF) .. 8
6 Access control policy description language . 11
6.1 Model .. 11
6.2 Syntax .. 14
7 Privilege policy description language . 18
7.1 Model . 18
7.2 Privilege policy description language syntax .. 19
8 Access control protocol .. 23
8.1 General . 23
8.2 Access control request message .. 24
8.3 Access control response message .. 28
9 Requirements for application systems .. 31
9.1 AEF implementation .. 31
9.2 Expression of roles . 31
9.3 Privilege process . 32
9.4 Description of access control policy . 32
9.5 Identity identification .. 32
Annex A (normative) Definition and description of access control decision status code .. 33
Bibliography .. 34
Foreword
This Standard was drafted in accordance with the rules given in GB/T 1.1-2009. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. The issuing authority shall not be held responsibility for identifying any or all such patent rights.
This Standard was proposed by and shall be under the jurisdiction of Code Industry Standardization Technical Committee.
Drafting organizations of this Standard. Changchun Jida Zhengyuan
Information Technology Co., Ltd., Wuxi Jiangnan Information Security
Engineering Technology Center, Chengdu Westone Information Industry Co., Ltd., Shandong De?€?an Information Technology Co., Ltd., Shanghai Koal
Software Co., Ltd., Beijing Digital Certificate Certification Center Co., Ltd., Shanghai Digital Certificate Certification Center Co., Ltd., Wanda Information Co., Ltd., Xingtang Communication Technology Co., Ltd.
Drafters of this Standard. Liu Ping, Li Weiping, Zhao Lili, He Changlong, Xu Qiang, Li Yuanzheng, Gao Zhiquan, Tan Wuzheng, Li Shusheng, Cui Jiuqiang, Zhou Dong, Wang Nina.
Specifications for role based
privilege management and access control
1 Scope
This Standard specifies the role-based privilege and access control framework structure and the logical relationship between the various components within the framework, defines the functions, operating procedures and operating protocols of each component, and defines the uniform format of access control policy description language and privilege policy description language, and the standard interface for access control protocols.
This Standard is applicable to the development of role-based privilege and access control systems under the public key cryptography technology system, and may guide the detection of such systems and the development of related applications.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the dated edition cited applies. For undated references, the latest edition of the referenced document (including all amendments) applies.
GB/T 20519 Information security technology - Public key infrastructures - Privilege Management Center technical specification
GM/T 0019 Universal cryptography service interface specification
3 Terms and definitions
For the purpose of this document, the following terms and definitions apply. 3.1
access control decision
Evaluation result of the access control decision function to the access request. 3.2
access control decision function
Component responsible for making the decision on the access request.
3.3
access control enforcement function
Component that performs the access control policy function.
3.4
access control policy
Binding relationship, determined by the application, between roles and
resources.
3.5
access control policy certificate
Attribute certificate that carries the application access control policy. 3.6
contextual information
Environmental information related to the access decision result when the request is happening.
3.7
privilege management
Management of the distribution relationship between subjects and roles. 3.8
privilege information
Information that identifies the distribution relationship between subjects and roles.
3.9
privilege certificate
Attribute certificate that carries the privilege information.
to complete the binding of subjects and roles, roles and resources, such as using privilege certificates and access control policy certificates. When using the attribute certificate to carry the binding relationship, the system shall follow the requirements of GB/T 20519.
5.4 Access control enforcement function (AEF)
The AEF receives the access request, encapsulates the access request
according to the access control protocol and controls the access to the resource based on the decision result.
When the decision result is ?€?permit?€?, the AEF authorizes the initiator's access to the resource; if the decision result is ?€?deny?€?, the AEF shall block the initiator's access to the resource.
The use mode of the AEF includes share and non-share. In the share mode, multiple applications use one AEF; in the non-share mode, each application uses its own AEF.
5.5 Access control decision function (ADF)
The ADF makes the decision on the access request based on the privilege information, the access control policy and other information.
The input of the ADF includes the access request, the privilege information, the access control policy and the ADF retention information. The output of the ADF is the access control decision result.
The ADF decision result includes ?€?permit?€? and ?€?deny?€?. ?€?Permit?€? means that the access request meets the resource's access control policy constraints; ?€?deny?€? means that the access request does not meet the access control policy
constraints.
The input and output information of the ADF is shown in Figure 3.
1) Initiator identity.
The initiator identity includes three types, which are.
- simple string;
- signature certificate serial number + signature certificate issuer subject; - signature public key.
2) Resource information.
The resource information is the resource identity string carried in the access request.
3) Contextual information.
The contextual information is the information related to the access request and capable of identifying the environment characteristics of the access request. It may need this information when making access request
decisions. They are, respectively.
- time. the time when the access request is initiated;
- location. the source address where the access request is initiated;
- type of initiator identity;
- custom information. the information defined by the application,
participating in the access decision.
4) Role identity.
The role identity is the role information that the subject shall use to access resources in the current scenario when an access occurs.
See Clause 8 for detailed access request formats.
5.5.2 Privilege information
The privilege information in the role-based privilege and access control model refers to the binding relationship between subjects and roles.
See Clause 7 for a detailed description of privilege information.
The privilege information of the initiator may be carried by using the privilege certificate, or may be carried by other methods, but the authenticity and integrity of the privilege information shall be ensured.
see the definition of access request carrying protocol. For example, the HTTP protocol defines the GET, POST and other actions.
6.1.2 Rules
The rule is the criteria for controlling access to the resource, including four elements. roles, resources, actions and conditions, among which conditions are optional factors. The evaluation result may be ?€?permit?€? or ?€?deny?€?. Multiple rule evaluation results for the same resource shall be combined into a single evaluation result using the merge algorithm.
The ADF selects appropriate rules based on the role of the access request initiator and resources, actions and related environmental factors of the request. For unconditional rules, the access request initiator may perform corresponding actions on the resource as long as it is the role specified in rules. For conditional rules, the access request initiator shall be the role specified in rules and meet the requirements of the conditions before performing corresponding actions on the resource.
For conditional rules, the evaluation result of rules depends on the evaluation result of conditions. The ADF evaluates each condition and combines multiple condition evaluation results into a logical expression through the logical combination algorithm, which finally forms the evaluation result for all conditions. 6.1.3 Conditions
The condition is the contextual restriction (such as the time limit of actions) that shall be satisfied when performing the specified action on the resource. The evaluation result is TRUE or FALSE.
The condition is a relational expression consisting of one of four kinds of contextual information. time, location, initiator identity type and custom information. Multiple conditions may be connected by using logical operators and form a logical expression...

View full details