Extended access control mechanism forcross-domain data exchange

Aiming at the controlled sharing for cross-domain data exchange for complicated application systems, an ex- tended access control mechanism was proposed. The control process was divided into two steps: constraint control and propagation control. The constraint control was used to ensure that access to data was authorized before access request, and the propagation control was used for further extension control after obtaining data access right. In addition, by con- sidering data self and data provenance, the direct and indirect access control were realized. Theoretically, the security and effectiveness of the proposed mechanism were proved. Finally, taking the control of electronic invoice as an example, the implementation approach was proposed. The example shows that the proposed mechanism can perform the fine-grained extended control before and after data in the cross-domain and cross-system are exchanged.