Computer Engineering and Applications ›› 2015, Vol. 51 ›› Issue (19): 80-83.


Access control model on multi-tenant authorization management

BIAN Genqing1, LI Rong1, SHAO Bilin2   

  1. School of Information and Control Engineering, Xi’an University of Architecture and Technology, Xi’an 710055, China
  2. School of Management, Xi’an University of Architecture and Technology, Xi’an 710055, China
  • Online: 2015-09-30 Published: 2015-10-13

Abstract: To address unauthorized access and joint malicious attacks faced by multi-tenant applications in cloud services, this paper presents a Multi-Tenant Access Control Model (MTACM) that combines clustering with Ciphertext-Policy Attribute-Based Encryption (CP-ABE). The model clusters role tasks into task groups according to the business characteristics of the tenants, marks each task group with a matching factor, and then manages role attributes through task-group authorization. This achieves fine-grained authorization and access control management for roles while reducing the system's computational cost and complexity. The model's algorithm is implemented in a virtual environment, and the security of the model and the efficiency of system access are proved by logical deduction.

Key words: multi-tenant, cloud services, CP-ABE, authorization management
