For complex application systems, this paper proposes an access control model based on risk analysis. The model uses the concept of risk to establish a direct correspondence between business objectives and access control policies, takes business process operational performance indicators as the baseline for measuring risk, and uses the risk calculation as the constraint equation for access control authorization decisions. In addition to the principle of least privilege and the principle of separation of duties, it introduces a "business-security" equilibrium principle and establishes the corresponding authorization decision rules. The results help move away from the binary "safe or unsafe" authorization decision rule and toward a flexible authorization decision method that accommodates growing business flexibility and interoperability.