
A Role & Task-based Access Control Research On Enterprise Environment

Posted on: 2007-04-25
Degree: Master
Type: Thesis
Country: China
Candidate: F Chen
GTID: 2178360182973222
Subject: Computer application technology

Abstract/Summary:
With the development of Internet technology and the growth of enterprise scale, information management on the intranet has become increasingly complicated. Sensitive data in the system needs to be protected at different levels. The wide use of workflow technologies increases the difficulty of security control for data. The emergence of new business connections makes the scope of cooperation larger than before, and the exchange of information among enterprises is becoming increasingly frequent. The complexity and fragility of business information systems cause security problems to arise continuously. Access control is one of the indispensable functions of information security; it protects the resources stored or handled in an enterprise information system against misuse. This thesis takes modern enterprise application requirements as its background. Its aim is to restrict the ability to access key resources and to protect data from intrusion by illegitimate visitors and from misuse by legitimate users through careless operation. It mainly studies how to enhance, from the perspective of access control, the security of information systems, of workflow, and of cooperative exchange between business connections. After analyzing the state and progress of this field of study, and building on several typical access control models, this thesis proposes, in line with the characteristics of this background, a role-task based access control model that is applicable to local general resources, to workflow, and to cooperative exchange between different enterprises. The thesis discusses in depth the core technologies involved in the model, analyzes in detail several key components of the model's realization, and puts forward corresponding solutions.
In this model, the concept of the role logically separates permissions from users to improve the management of access control; a role attribute is constructed to resolve the problem of private permissions in the multiple-inheritance case and to realize partial inheritance; an authorization relation form is adopted to express a user's access ability while keeping efficiency high; the idea of role matching is put forward to realize secure mutual access between different systems; and the concept of the role is integrated with the viewpoint of the task to carry out access control for workflow, so that the validity of role permissions is forced to change with the task's state. Finally, this thesis gives the main framework of this model and the design of its central modules.
Keywords/Search Tags:access control, resource access, workflow, RBAC, TRBAC
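
The following is an added illustration, not code or a design taken from the thesis: a minimal access check showing two ideas the abstract names, partial inheritance (a role's private permissions are not passed to roles that inherit from it) and workflow permissions that are valid only while a task is in a given state. The `Role` fields, the permission strings, the task-state names and the sample users are all assumptions made for this sketch.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    parents: list = field(default_factory=list)      # roles this role inherits from
    private: set = field(default_factory=set)        # held by this role only
    inheritable: set = field(default_factory=set)    # also granted to inheriting roles
    task_perms: dict = field(default_factory=dict)   # permission -> valid task states

def inherited(role, seen=None):
    """Inheritable permissions reachable through all parents (multiple inheritance)."""
    seen = set() if seen is None else seen
    perms = set()
    for parent in role.parents:
        if parent.name in seen:          # shared ancestor already visited
            continue
        seen.add(parent.name)
        perms |= parent.inheritable | inherited(parent, seen)
    return perms

def effective(role):
    """Static permissions: own private + own inheritable + parents' inheritable."""
    return role.private | role.inheritable | inherited(role)

def check(user_roles, user, perm, task_state=None):
    """Allow if a role grants perm statically, or grants it for the current task state."""
    for role in user_roles.get(user, []):
        if perm in effective(role):
            return True
        states = role.task_perms.get(perm)
        if states and task_state in states:
            return True
    return False                         # default deny, including unknown users

# Constructed sample data (assumed names, not from the thesis).
clerk = Role("clerk", inheritable={"order:read"}, private={"clerk_notes:write"})
auditor = Role("auditor", inheritable={"ledger:read"}, private={"audit_log:write"})
manager = Role("manager", parents=[clerk, auditor],
               task_perms={"order:approve": {"executing"}})
USER_ROLES = {"alice": [manager], "bob": [clerk]}

if __name__ == "__main__":
    for perm, state in [("order:read", None), ("clerk_notes:write", None),
                        ("order:approve", "executing"), ("order:approve", "completed")]:
        print("alice", perm, state, check(USER_ROLES, "alice", perm, state))
```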