The Design And Implementation Of RBAC In Distributed System

As an important mechanism in security services, access control can protect system resources from invalid usage. Traditional access control policies, such as discretionary access control or mandatory access control, do not play so satisfyingly in robustness and flexibility for distribute systems' requirements. Role-based access control (RBAC) model can meet these requirements coincidently. Its structure and administration characteristics are naturally fit for enterprise distributed applications.This thesis discusses RBAC and its administration model, according to RBAC96 and ARBAC97 criterion, and summarizes some principles in RBAC design. Here I introduce a formalization method named "ABLP calculus" to analyze RBAC, and describe Massacci's research upon this calculus.During my studies and research in ISCAS, I participated "the Integrated Business Management System" (IBMS) project, and adopted RBAC policy in the authentication and authorization module as the production of my research. The thesis presents a "Converse Tree" model for constructing role hierarchies which simplified our role management and a mechanism for authorization management by using function as privilege, emphasizes the classifying and of roles and functions, and describes the design and implementation of the subsystem. And I also introduce the authentication and audit briefly. At the end of this part, I make some comments on the performance and improvements.Finally, the thesis discusses how to use RBAC in enterprise distributed systems as a prospect on the development of RBAC. I present several facts for "Enterprise Access Control Framework" in general, and analyze the process of RBAC in J2EE platform.