
Application Research On Role-Based Access Control In Distributed Environment

Posted on: 2005-07-26
Degree: Master
Type: Thesis
Country: China
Candidate: J Chen
Full Text: PDF
GTID: 2168360122492300
Subject: Computer applications

Abstract/Summary:
Access control is a very important aspect of information system security. Role-Based Access Control (RBAC) can effectively enhance access control capability and reduce the complexity of authorization management. It has become a hot topic in access control, especially for large-scale distributed systems.

Generalized Role-Based Access Control (GRBAC) extends traditional RBAC by incorporating subject roles, environment roles and object roles, and thus offers more expressive power. However, RBAC and GRBAC have difficulty meeting dynamic access control requirements because they are essentially built on a static subject-object view.

In this paper, RBAC and GRBAC are analyzed, and the dimension of tasks is associated with the generalized role-based access control mechanism, so that permissions are managed according to context, such as the state of the environment and the requirements of the current task. A critical transaction set and a task authorization indicator are introduced to allow finer-grained permission control, so that some problems involving complex constraints, such as history-based separation of duty, can be solved effectively; this provides a good basis for active access control. A design architecture for the defined access control policy is presented, detailing the components and their interactions. Authentication, one of the fundamental concerns in applying the design to distributed computing environments, is discussed in depth. A prototype system based on middleware is implemented and applied to a hospital information system.

This work improves the dynamic access control capability of RBAC and can serve as a reference for practical applications, especially in distributed environments.
Keywords/Search Tags: Distributed Environment, Role-Based Access Control, Critical Transaction Set, Authentication, Middleware