
The Research Of Centralized Authorization System Supporting Various Access Control Methods

Posted on: 2009-06-02 | Degree: Master | Type: Thesis
Country: China | Candidate: S Wu | Full Text: PDF
GTID: 2178330332479334 | Subject: Communication and Information System
Abstract/Summary:
In a distributed computing environment, large numbers of network devices, host systems and application systems belong to different departments and different business systems. If each of these business systems needs its own access control system maintained by the relevant system administrators, maintaining all of them at once becomes complicated and can inconvenience users in their work. The current trend for access control in distributed computing environments is therefore centralized identity and permission management: a dedicated system provides centralized identity and authorization policy management for the enterprise and for all of the organization's computer systems and application servers.

Many companies' authorization systems adopt centralized identity and permission management and implement access control on top of it. In practice, however, centralized identity and authorization management systems face some technical problems. Significant ones include how to support different access control methods, such as ACL (Access Control List), RBAC (Role-based Access Control) and ABAC (Attribute-based Access Control), and how to provide unified and effective authorization and policy management for numerous resources. This thesis focuses on centralized identity and authorization management technology and proposes a new technique for centralized permission and policy management.

To support various access control methods, the technique defines a different type of authorization policy for each access control method, so that the authorization system can flexibly choose the authorization policy that the required access control method calls for. The thesis also proposes a Manager-Provider framework for automatic querying and dispatching, in which multiple providers supply the authorization function for the different access control methods. These providers are controlled by one manager. The framework helps the providers authorize by supplying a query service to them, and automatically directs the choice made from outside. The Manager-Provider framework helps the centralized authorization system embed into various system platforms more effectively, and new modules can be added dynamically to extend the authorization and decision functions.

Furthermore, this research proposes an inheritable policy mechanism. The mechanism can simplify the structure in which information is organized, improve the efficiency of online authorization and reduce administrators' work. Finally, the thesis analyses the execution efficiency of the inheritable policy mechanism, summarizes two authorization models in theory, and, by comparing the operating efficiency of the two models, finds that the model based on inherited policy is more efficient for the system.
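The sketch below is an added illustration of the Manager-Provider arrangement and policy inheritance described in the abstract; it is not code from the thesis. The resource tree, the policy shapes, the default-deny behaviour and every name in it (`Resource`, `Manager`, `effective_policy`, the three provider functions) are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Resource:
    name: str
    method: Optional[str] = None      # "acl" | "rbac" | "abac"; None means inherit
    policy: Optional[dict] = None     # None means inherit from parent
    parent: Optional["Resource"] = None

def effective_policy(res):
    """Return (method, policy) from the nearest ancestor that defines one."""
    while res is not None:
        if res.policy is not None:
            return res.method, res.policy
        res = res.parent
    return None, None

# One provider per access control method (hypothetical policy shapes).
def acl_provider(policy, subject, action, query):
    return action in policy.get(subject["id"], ())

def rbac_provider(policy, subject, action, query):
    return any(action in policy.get(r, ()) for r in query("roles", subject["id"]))

def abac_provider(policy, subject, action, query):
    rule = policy.get(action)
    return rule is not None and all(subject.get(k) == v for k, v in rule.items())

class Manager:
    def __init__(self, directory):
        self.directory, self.providers = directory, {}

    def register(self, method, provider):   # new methods can be added at run time
        self.providers[method] = provider

    def query(self, kind, key):              # lookup service offered to providers
        return self.directory.get(kind, {}).get(key, ())

    def authorize(self, subject, action, res):
        method, policy = effective_policy(res)
        provider = self.providers.get(method)  # no policy or provider: deny
        return bool(provider and provider(policy, subject, action, self.query))

# Constructed sample data (not from the thesis).
mgr = Manager({"roles": {"alice": ["operator"]}})
for name, fn in (("acl", acl_provider), ("rbac", rbac_provider), ("abac", abac_provider)):
    mgr.register(name, fn)
dept = Resource("dept", "rbac", {"operator": ["read", "restart"]})
host = Resource("host-01", parent=dept)                        # inherits dept's RBAC policy
db = Resource("db-01", "acl", {"bob": ["read"]}, parent=dept)  # overrides with its own ACL
alice, bob = {"id": "alice"}, {"id": "bob"}
```

In this sketch only `dept` and `db-01` carry a policy; `host-01` stores nothing and is resolved through its parent, which is the administrative saving an inheritance scheme aims for.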
Keywords/Search Tags: access control, manager-provider architecture, authorization policy inheritance