Computer Engineering and Applications ›› 2013, Vol. 49 ›› Issue (19): 83-87.

• Network, Communication and Security •


Access control policy for business process and its optimal methods in policy decision

SHANG Zheng (1,2), ZHANG Bin (1,2)

  1. Institute of Electronic Technology, PLA Information Engineering University, Zhengzhou 450004, China
  2. Henan Province Key Laboratory of Information Security, Zhengzhou 450004, China
  • Online: 2013-10-01 Published: 2015-04-20

Abstract: Based on an analysis of the access control policy requirements of business processes, the classic XACML policy enforcement framework is extended, and an enforcement framework that manages policies according to the execution state of the business process is proposed. By introducing the <PolicyIssuer> element into the policy schema and defining the semantics of the <Condition> element, the framework can describe both access policies and delegation policies, and supports the implementation of task-level least privilege. Two policy decision optimization methods are given: for the problem of a policy set containing too many irrelevant policies, a stepwise pruning method reduces the number of policy element comparisons; for the problem of a policy set containing too many delegation policies whose trustworthiness must be verified, a trust association method reduces the number of policy matches. Both methods effectively improve the efficiency of policy decision.

Key words: XACML policy, access control, business process, policy, delegation

Abstract: By analyzing the requirements of access control for business processes, an extended enforcement framework that supports policy management based on the state of the business process is proposed. By introducing the element <PolicyIssuer> and defining the semantics of the element <Condition> in the policy schema, both access control policies and delegation policies can be described, and least privilege at the task level can be achieved. In order to reduce the time cost of policy decision when the numbers of unrelated policies and delegation policies are large, two methods that reduce the number of policies and policy elements to be matched are proposed.

Key words: eXtensible Access Control Markup Language (XACML), access control, business process, policy, delegation
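As an added illustration (not code from the paper; the paper's own pruning and trust-association algorithms are not given on this page), the following constructed Python model shows the two optimization ideas from the abstract: stepwise pruning drops a policy at its first mismatching target attribute before any <Condition> or issuer check is made, and trust association caches verified <PolicyIssuer> chains so that each delegating issuer is matched at most once per decision. The sample policy set, the task-state reading of <Condition>, and the `issue` target attribute used to mark delegation grants are all assumptions of this example.

```python
# Constructed model of the extended XACML PDP described above; "issue" in a target marks a
# delegation grant, and task_state stands in for the paper's <Condition> semantics (assumed).
TRUSTED_ISSUER = "PAP"  # the policy administration point that issues non-delegated policies

POLICIES = [  # constructed sample policy set; "issuer" is the value of <PolicyIssuer>
    {"issuer": "PAP", "target": {"subject": "clerk", "resource": "order", "action": "approve"}, "task_state": "review", "effect": "Permit"},
    {"issuer": "manager", "target": {"subject": "clerk", "resource": "invoice", "action": "approve"}, "task_state": "review", "effect": "Permit"},
    {"issuer": "intern", "target": {"subject": "clerk", "resource": "invoice", "action": "approve"}, "task_state": "review", "effect": "Permit"},
    {"issuer": "PAP", "target": {"subject": "auditor", "resource": "ledger", "action": "read"}, "task_state": "review", "effect": "Permit"},
    {"issuer": "PAP", "target": {"issue": "manager"}, "task_state": None, "effect": "Permit"},  # PAP lets manager delegate
]

def issuer_trusted(policy, policies, cache):
    """Trust association (assumed model): a delegated policy is usable only if its issuer is
    granted issuing rights through a chain of grants ending at TRUSTED_ISSUER. Verified
    issuers are cached so each issuer is matched against the grants at most once per decision."""
    issuer = policy["issuer"]
    if issuer == TRUSTED_ISSUER:
        return True
    if issuer in cache:
        return cache[issuer]
    cache[issuer] = False  # provisional value; also stops a delegation cycle from recursing forever
    grants = [p for p in policies if p["target"].get("issue") == issuer]
    cache[issuer] = any(issuer_trusted(p, policies, cache) for p in grants)
    return cache[issuer]

def decide(request, policies):
    """Deny-overrides decision for a request dict with subject/resource/action/task_state.
    Stepwise pruning: target attributes are compared one at a time and a policy is dropped at
    its first mismatch, so the costlier Condition and issuer checks only run on the survivors.
    Returns (decision, number of target-attribute comparisons made)."""
    comparisons = 0
    candidates = [p for p in policies if "issue" not in p["target"]]
    for attr in ("subject", "resource", "action"):
        survivors = []
        for p in candidates:
            comparisons += 1
            if p["target"].get(attr) == request.get(attr):
                survivors.append(p)
        candidates = survivors
    cache, decision = {}, "NotApplicable"
    for p in candidates:
        if p["task_state"] != request["task_state"] or not issuer_trusted(p, policies, cache):
            continue
        if p["effect"] == "Deny":
            return "Deny", comparisons
        decision = "Permit"
    return decision, comparisons
```

For a clerk approving an invoice during the "review" task, `decide` makes 9 attribute comparisons instead of 12 and permits only through the manager's delegated policy, since the intern's policy has no grant chain back to the PAP.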