
RBAC Access Control System Analysis, Design and Implementation

Posted on: 2005-12-13
Degree: Master
Type: Thesis
Country: China
Candidate: J Y Xiong
Full Text: PDF
GTID: 2208360125963543
Subject: Computer software and theory

Abstract/Summary:
Access control is generally concerned with determining which users and groups of users can perform which operations on which resources. With an access control service, we can restrict access to critical resources, avoiding the damage caused by intrusions from illegitimate users or inappropriate operations by legitimate users.

Traditional access control techniques can be classified into two primary types: Discretionary Access Control (DAC) and Mandatory Access Control (MAC). Each has its own typical shortcomings. DAC leaves part of the privilege to grant or revoke access with the user, which makes it difficult for the administrator to determine which users can access which resources; this is a disadvantage when implementing universal access control.

In the 1990s, the Role-Based Access Control (RBAC) technique emerged. It effectively overcomes the shortcomings of the traditional access control techniques mentioned above. It reduces the complexity of grant management and decreases the cost of management, and it makes the process of specifying and enforcing a specific protection policy more flexible, which gives the administrator a better environment in which to implement security policy.

RBAC introduces an important concept, the 'role'. Its fundamental idea is that the access permissions granted to a user are generally determined by the roles the user plays in an organization. Hence, RBAC enforces access control based on a user's role in an organization. In other words, traditional access control directly binds the access subject (the active entity that requests access or an operation) to objects (the data to be invoked or accessed), whereas RBAC inserts the role between them. Because subject and object are associated through the role, the real decision-maker is the user's corresponding role.

Our project aims to provide role-based access control capability to Web servers on various platforms. The project is developed with object-oriented analysis and design, with project management and quality assurance carried out under the unified software process. With the visual role editing tool, the administrator can construct roles and their relationships quickly and straightforwardly; the system also provides an extensible identification and authentication mechanism, which can adapt to the requirements of various applications; in addition, the URI-based way of describing and locating resources dramatically expands the applicable scope of the system. Theoretically, all resources that can be described by a URI can be access controlled by the system.
Keywords/Search Tags: Role-Based Access Control (RBAC), Access Control Decision Function (ACDF), Universal Resource Identifier (URI), Unified Modeling Language (UML)