
Extended role-based access control model
Cite this article: Xue Wei, Huai Jinpeng. Extended role-based access control model[J]. Journal of Beijing University of Aeronautics and Astronautics, 2005, 31(3): 298-302.
Authors: Xue Wei  Huai Jinpeng
Institution: School of Computer Science and Technology, Beijing University of Aeronautics and Astronautics, Beijing 100083, China
Funding: National High Technology Research and Development Program of China (863 Program); National Natural Science Foundation of China
Abstract: An extended RBAC (role based access control) model, the RTBAC (role & task based access control) model, was presented. The model introduced the notions of task and task instance into the RBAC96 model, formally defined the hierarchies of tasks and task instances, and specified the relationships between traditional sessions and task instances as well as the relationships between task instances and permissions. Several assistant functions were defined. The model could be used to depict daily business procedures and related access control policies more naturally, so it was more suitable for distributed collaborative applications, especially for workflows and service compositions. Based on this model, a new dynamic separation of duty constraint, namely the task-based dynamic separation of duty constraint, was formally defined and compared with traditional dynamic separation of duty constraints using a typical example. The new constraint can specify the access control related system runtime context more accurately. It can increase the efficiency of access control at runtime.

Keywords: access control model  role-based access control  runtime context  dynamic separation of duty
Article ID: 1001-5965(2005)03-0298-05
Received: 2003-09-28
Revised: 2003-09-28
This article is indexed in CNKI, Wanfang Data and other databases.