Research On Administration Model And Delegation Model For Role-Based Access Control

The development of access control, which is an important information security technology, can be divided into many phases. In recent years, many researches are focused on role-based access control (RBAC). The concept of role is brought in to achieve the logical separation of the user from permission. RBAC has been generally recognized because it can more effectively implement the security policies. It became the ANSI standard in 2004.One basic aim of the RBAC model is to provide an effective and precise way of managing access control data. The normal RBAC model is not dependent on policies. But in the specific access control administration by adopting RBAC model, it is necessary to extend its various factors and re-describe some aspects of the model in order to meet the administrative demands in its specific application. Plenty of research has been conducted. However, some remarkable virtues of the normal RBAC model becomes greatly unnoticeable in the new models. As a result, the new extended models have lost the universality. Therefore, it is essential to provide more scrupulous description of the RBAC model’s factors without changing its flexibility and independence of policies. Undoubtedly this is also helpful to its application to the actual access control.Large numbers of users, roles, permissions, and constraints are invovled in access control by adopting RBAC policy. With the refinement of access control administration, the descriptive granularity of access control administrative information has a tendency to become smaller. Consequently, the access control information rapidly explodes. How to better solve the RBAC administrative problems has become a new research hot spot in the area of access control.Delegation is an important security policy that RBAC should support. Delegation means that an active entity in a system can delegate its privileges to other active entities, who are enabled to perform these privileges on behalf of the delegating entity. The role-based user-to-user delegation has gained the widest research. Delegation enhances the flexibility of permission in access control and poses some new challenges to the maintenance of access control policies. Without changing the present virtues of RBAC model, this dissertation provides an overall solution that embodies its original design ideas. The main contributions of this dissertation are as follows.(1) Based on the viewpoint that the delegation is a personal behavior, the dissertation proposes an improved D-RBAC (Delegation-supported RBAC) model. It adds a delegation-supported module to the RBAC model and accordingly provides a user-to-user delegation-supported extension. It is a policy-independent, simply designed and extensively applicable delegation model. It supports all personal delegation behaviors under the recent research. Furthermore, it supports administrator intervention, reducing his work as much as possible and enabling the administrator to regulate the delegators’behavior without violating the access control policies of an enterprise or an organization.(2) The dissertation proposes the concept of administrative domain which applies not only to centralized administration but also distributed administration. Administrative domain retains the stratified attribute of RBAC and effectively constrains the administrator’s authority. It also resolves the problem that the administrator role and regular role are different but related.(3) Based on the concept of the administrative domain, the dissertation proposes a D-ARBAC (Domain supported administration of RBAC) model. These problems are avoided: Multi-step user/permission assignments, the information of access control are redundant, and the permission of the administrator is unstable. D-ARBAC model can better fulfill the task of RBAC, regulate the relationship between the administrator and regular users, control and distribute administrator’s permission. D-ARBAC model strengthens security control in the administration of the system, which has nothing to do with RBAC’s realization manners and can administrate RBAC model and its extended models on any levels.(4) The dissertation proposes an attribute supported RBAC model. The user, role and permission are described by using uniform enterprise or organizational attributes. It helps implement RBAC in a simple and universal way, and thus facilitates the administration and applications of RBAC on different platforms.(5) The dissertation elaborates the definitions of attribute and constraint expression under the BNF criterion. The attribute value supports various data types, including number, date, time, string, set and range. And it defines comparability and comparison methods among attributes. (6) The dissertation proposes a method for implementing a RBAC system, including RBAC model, RBAC delegation and RBAC administration. XML is used in the method because it has some virtues, such as openness, universality, standardization and portability, etc. The dissertation provides an access control realization by using XML as data description language in the delegation model and administration model.(7) The dissertation presents an example of the strengthened RBAC system. It supports user-to-user delegation and is managed with the D-ARBAC model. It is verified that these models are feasible, convenient and essential.The above research work is a helpful exploration of a complete RBAC solution. A simple, powerful, and secure solution is worked out.