中文摘要：

在多维数字媒体场景中，用户期望利用环境、时态等因素实现访问权限的自我约束。针对该需求，综合环境、时态、角色定义授权属性，提出面向多维数字媒体的访问控制机制，该机制定义用户一授权属性分配关系和授权属性一访问权限分配关系，根据用户的ID、属性信息、所处环境和时态、角色，用户一授权属性分配关系为用户分配相应授权属性；根据用户所赋予的授权属性，授权属性一访问权限分配关系为用户分配相应访问权限。引入约束条件，用户通过设置约束条件进行访问权限的自我约束，实现访问权限随环境、时态、角色等因素的变化而动态缩减。使用z符号对该机制进行形式化描述，通过实例分析验证其可行性，与现有工作的比较表明所提机制支持最小权限、职责分离、数据抽象等安全原则，支持访问权限的动态缩减。

英文摘要：

In the emerging scenario of multidimensional digital media, users desire the self-constraining access permission by using environmental state, temporal state and etc. To achieve this goal, an authorization attribute based on concepts of environmental state, temporal state and roles was defined, then a multidimensional digital media-oriented access control scheme was proposed. Specifically, the assignment relationships of user-authorization attribute and authorization attribute-access permission were defined. On the basis of this, the authorization attributes for users according to their ID, attribute information, environmental states, temporal states and roles were assigned using the assignment relationship of the user-authorization attribute, the access permission for users in accordance with the authorization attributes were as- signed with the assignment relationship of the authorization attribute-access permission. Additionally, constraint conditions were introduced into the proposed scheme to set self-constraining of the access permission for users in terms of the authorization attributes. Through this way, the dynamic reduction of the access permission was realized. Finally, the description of the Z-notation was employed to formalize our scheme. Results of instance analysis demonstrate that the proposed scheme is effective and efficiency. Comparing with related works, the proposed scheme is able to support the principles of the least privilege, separation of duty, data abstraction and etc.