基于RBAC的责任分离机制的研究与实现
摘要
本文对RBAC(Role-Based Access Control)模型在应用系统中责任分离进行了研究,目的在于实现一个基于RBAC的,重用性良好的,企业内部公用的权限管理系统。
本文分别从理论与实际应用两个方面对标准的RBAC模型进行了广泛地研究,结合实际项目提出并解决了一系列实现责任分离所遇到的问题,参照RBAC2模型中约束的思想,引入了任务和任务实例这两个新元素来扩展RBAC0模型,设计了责任分离机制的理论解决方案。
本文在上述理论解决方案的具体实现过程中,选择以过滤器的方式来进行责任分离验证,使得验证过程同业务逻辑完全脱离,提高了权限管理系统的独立性;并结合实际的应用环境,合理地定义了模型中的几个关键元素,实现了此方案。
目前,该系统已经成功地投入使用,企业内部的管理信息系统都在此系统的基础上做二次开发。实践证明,本文所实现的权限管理系统能够解决实际应用环境下的重复性开发问题,提高了开发效率。
This dissertation is aim to implement a public privilege management system based on the model of RBAC (Role-Based Access Control) after the deep research on the SOD (Separation of Duty) based on RBAC in the application system.
First of all, this thesis makes an extensive research on the standard model of RBAC in theory and practical application respectively. Considering the reality, it comes up with a serial of problems about how to implement the SOD and has solved these problems in the end. Referring to the thought of constraints mentioned in the model of RBAC2, it adds two new elements named Task and Task Instance to extend the model of RBACO. After that, it designs the theoretical solution of the SOD.
During the course of the implement of the theoretical solution mentioned above, the dissertation utilizes the filter to validate the SOD so that it is able to separate the business from the course of validation in order to enhance the independence of the public privilege management system. In the meantime, given the practical environment, it defines several key elements reasonably in the solution. Finally, it implements this theoretical solution by coding.
At present, the public privilege management system has been applied to several MIS (Management Information System) in the firm successfully. In addition, these MIS have re-developed the SOD on the basis of the original privilege management system. In fact, this system is able to solve the problem about repeated developments in the practical application. Above all, it has improved the development efficiency.
本文分别从理论与实际应用两个方面对标准的RBAC模型进行了广泛地研究,结合实际项目提出并解决了一系列实现责任分离所遇到的问题,参照RBAC2模型中约束的思想,引入了任务和任务实例这两个新元素来扩展RBAC0模型,设计了责任分离机制的理论解决方案。
本文在上述理论解决方案的具体实现过程中,选择以过滤器的方式来进行责任分离验证,使得验证过程同业务逻辑完全脱离,提高了权限管理系统的独立性;并结合实际的应用环境,合理地定义了模型中的几个关键元素,实现了此方案。
目前,该系统已经成功地投入使用,企业内部的管理信息系统都在此系统的基础上做二次开发。实践证明,本文所实现的权限管理系统能够解决实际应用环境下的重复性开发问题,提高了开发效率。
This dissertation is aim to implement a public privilege management system based on the model of RBAC (Role-Based Access Control) after the deep research on the SOD (Separation of Duty) based on RBAC in the application system.
First of all, this thesis makes an extensive research on the standard model of RBAC in theory and practical application respectively. Considering the reality, it comes up with a serial of problems about how to implement the SOD and has solved these problems in the end. Referring to the thought of constraints mentioned in the model of RBAC2, it adds two new elements named Task and Task Instance to extend the model of RBACO. After that, it designs the theoretical solution of the SOD.
During the course of the implement of the theoretical solution mentioned above, the dissertation utilizes the filter to validate the SOD so that it is able to separate the business from the course of validation in order to enhance the independence of the public privilege management system. In the meantime, given the practical environment, it defines several key elements reasonably in the solution. Finally, it implements this theoretical solution by coding.
At present, the public privilege management system has been applied to several MIS (Management Information System) in the firm successfully. In addition, these MIS have re-developed the SOD on the basis of the original privilege management system. In fact, this system is able to solve the problem about repeated developments in the practical application. Above all, it has improved the development efficiency.
引文
[1]Oh S,Park S.Task-Role-Based Access Control Model[J].Information Systems.2003.28(6).533-562
[2]Crampton J.Specifying and Enforcing Constraints in Role-Based Access Control[A].In:Proceedings of ACMSymposiumon Access ControlModels and Technologies[C].New York.ACM Press.2003.43-50
[3]Steinmuller B,Safarik K.Extending Role-Based Access Control Model with States[A].In:International Conference on Trends in Communications[C].Brastislava.2001.New York.IEEE Press.2001.398-399
[4]Ferraiolo D F,Sandhu R,Gavrila S.Proposed NIST Standard for Role-Based Access Control[J].ACM Transactions on Information and System Security.2001.4(3).224-274
[5]Ahn G J,Sandhu R.Role-Based Authorization Constraints Specification[J].ACM Transactions on Information and System Security.2000.3(4).207-226
[6]Thomas R K,Sandhu R.Task-Based Authorization Controls(TBAC).Models for Active and Enterprise Oriented Authorization Management[A].In:Proceedings of the IFIP TC11 WG11.3Eleventh International Conference on Database Security Ⅺ.Statusand Prospects[C].London.Chapman&Hall.1998.262-275
[7]Gligor V D,Gavrila S I,Ferraiolo D F.On the Formal Definition of Separation of Duty Policies and Their Composition[A].In:Proceedings of 1998 Symposium on Research in Security and Privacy[C].Washington.IEEE.Computer Society.1998.172-185
[8]Thomas R K.Team-Based Access Control(TMAC).A Primitive for Applying Role-Based Access Controls in Collaborative Environments[A].In:Proceedings of the Second ACM Workshop on Role Based Access Control[C].New York.ACM Press.1997.13-19
[9]Simon R T,Zurko M E.Separation of Duty in Role-Based Environments[A].In:Proceedings of Computer Security Foundations Workshop X[C].Washington.IEEE Computer Society.1997.183-194
[10]Sandhu R S,Coyne E J,Feinstein H L.Role-Based Access Control Models[J].IEEE Computer.1996.29(2).38-48
[11]David F,Ferraiolo,D.Richard et al.Role-Based Access Control.Artech House.2005
[12]雷钧。RBAC安全策略实现的研究。湖北汽车工业学院学报。2006.20(3)
[13]周伟平,陆松年。RBAC访问控制研究
[14]丁振国,吴环宇。RBAC在管理信息系统中的应用。中文核心期刊《微计算机信息》(管控一体化)。2007.23(63)
[15]王兴伟,王宇。Web信息系统中基于RBAC模型的访问控制模块设计与实现。大连理工大学学报。2005.45(增刊)
[16]陈军冰,王志坚,艾萍等。关于RBAC模型中约束的研究综述。计算机工程。2006.32(9)
[17]薛伟,怀进鹏。扩展的基于角色的访问控制模型。北京航空航天大学学报。2005.31(3)
[18]姜卫,李卉,汪厚祥等。RBAC中的用户与组管理。信息工程大学学报。2005.6(4)
[19]孔广黔,李坚石,郭晓明。基于RBAC的职责分离约束关系研究。中国科技论文在 线
[20]李键,陈杰。RBAC模型权限管理中三种新的角色继承机制和授权策略
[21]张海藩。软件工程导论。第四版。北京。清华大学出版社。2003.12-14
[22]Shari Lawrence Pfleeger,Joanne M.Atlee.杨卫东。软件工程。第三版。北京。人民邮电出版社。2007.5
[23]Ivar Jacobson,Grady Booch,James Rumbaugh.周伯生,冯学民,樊东平。统一软件开发过程。机械工业出版社。2002.1
[2]Crampton J.Specifying and Enforcing Constraints in Role-Based Access Control[A].In:Proceedings of ACMSymposiumon Access ControlModels and Technologies[C].New York.ACM Press.2003.43-50
[3]Steinmuller B,Safarik K.Extending Role-Based Access Control Model with States[A].In:International Conference on Trends in Communications[C].Brastislava.2001.New York.IEEE Press.2001.398-399
[4]Ferraiolo D F,Sandhu R,Gavrila S.Proposed NIST Standard for Role-Based Access Control[J].ACM Transactions on Information and System Security.2001.4(3).224-274
[5]Ahn G J,Sandhu R.Role-Based Authorization Constraints Specification[J].ACM Transactions on Information and System Security.2000.3(4).207-226
[6]Thomas R K,Sandhu R.Task-Based Authorization Controls(TBAC).Models for Active and Enterprise Oriented Authorization Management[A].In:Proceedings of the IFIP TC11 WG11.3Eleventh International Conference on Database Security Ⅺ.Statusand Prospects[C].London.Chapman&Hall.1998.262-275
[7]Gligor V D,Gavrila S I,Ferraiolo D F.On the Formal Definition of Separation of Duty Policies and Their Composition[A].In:Proceedings of 1998 Symposium on Research in Security and Privacy[C].Washington.IEEE.Computer Society.1998.172-185
[8]Thomas R K.Team-Based Access Control(TMAC).A Primitive for Applying Role-Based Access Controls in Collaborative Environments[A].In:Proceedings of the Second ACM Workshop on Role Based Access Control[C].New York.ACM Press.1997.13-19
[9]Simon R T,Zurko M E.Separation of Duty in Role-Based Environments[A].In:Proceedings of Computer Security Foundations Workshop X[C].Washington.IEEE Computer Society.1997.183-194
[10]Sandhu R S,Coyne E J,Feinstein H L.Role-Based Access Control Models[J].IEEE Computer.1996.29(2).38-48
[11]David F,Ferraiolo,D.Richard et al.Role-Based Access Control.Artech House.2005
[12]雷钧。RBAC安全策略实现的研究。湖北汽车工业学院学报。2006.20(3)
[13]周伟平,陆松年。RBAC访问控制研究
[14]丁振国,吴环宇。RBAC在管理信息系统中的应用。中文核心期刊《微计算机信息》(管控一体化)。2007.23(63)
[15]王兴伟,王宇。Web信息系统中基于RBAC模型的访问控制模块设计与实现。大连理工大学学报。2005.45(增刊)
[16]陈军冰,王志坚,艾萍等。关于RBAC模型中约束的研究综述。计算机工程。2006.32(9)
[17]薛伟,怀进鹏。扩展的基于角色的访问控制模型。北京航空航天大学学报。2005.31(3)
[18]姜卫,李卉,汪厚祥等。RBAC中的用户与组管理。信息工程大学学报。2005.6(4)
[19]孔广黔,李坚石,郭晓明。基于RBAC的职责分离约束关系研究。中国科技论文在 线
[20]李键,陈杰。RBAC模型权限管理中三种新的角色继承机制和授权策略
[21]张海藩。软件工程导论。第四版。北京。清华大学出版社。2003.12-14
[22]Shari Lawrence Pfleeger,Joanne M.Atlee.杨卫东。软件工程。第三版。北京。人民邮电出版社。2007.5
[23]Ivar Jacobson,Grady Booch,James Rumbaugh.周伯生,冯学民,樊东平。统一软件开发过程。机械工业出版社。2002.1
© 2004-2018 中国地质图书馆版权所有 京ICP备05064691号 京公网安备11010802017129号 地址:北京市海淀区学院路29号 邮编:100083 电话:办公室:(+86 10)66554848;文献借阅、咨询服务、科技查新:66554700 |