Computer networks are the foundation of the information society and exist to share resources, yet resource sharing and information security pull in opposite directions: the more widely resources are shared, the more serious the security problem becomes. Identity authentication, privilege management and access control are central parts of network security and are therefore a research focus in the information-security field. Correctly identifying a user and then managing that user's privileges effectively is the basis for securing information. PKI (Public Key Infrastructure) provides authentication of information users and holders, but it does not answer what a user is allowed to do after being authenticated. PMI (Privilege Management Infrastructure) was introduced to fill this gap. PMI provides authorization management services to users and applications and maps an authenticated identity to application-level authorizations. It also supplies an authorization and control mechanism that matches the processing mode of real applications while remaining independent of the development and management of any specific application system. Authorization and access control are closely related and cannot be separated; in the access-control field, RBAC (Role-Based Access Control) currently attracts the most international attention.

This paper concentrates on authorization and access control and designs and implements an RBAC-based PMI architecture. First, building on the basic PMI model and the characteristics of roles, the author designs a role-based authorization model (RBAM) and presents a user-role-authorization module. Then, combining PKI, PMI and RBAM, the author builds a role-based authorization and access system, RAPMI, and describes its implementation procedure. Based on the system's features, the author defines its authorization and access policy.

Finally, RAPMI is applied to an online banking system: the application model is designed and its practical value is described.
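As an added illustration of the user-role-authorization idea the abstract describes (this is example code written for this page, not the paper's own RBAM or RAPMI implementation), the following model takes an identity that is assumed to have already been authenticated by PKI, binds it to roles through time-limited assignments that play the part of PMI attribute certificates, lets senior roles inherit the permissions of junior ones, and answers access-control decisions from the resulting permission set. The online-bank roles, the issuer name `CN=BankAA` and the fact that certificate verification is skipped are all assumptions made for the example.

```python
"""Minimal role-based authorization model in the spirit of an RBAC-based PMI.

Added illustration, not code from the paper.  Assumptions (not on the page):
- the holder name is taken from a certificate that PKI has already verified;
  verification itself is out of scope and the name is just a string here;
- a RoleAssignment stands in for a PMI attribute certificate: it binds a
  holder to a role, names the issuing attribute authority and has a validity
  window;
- roles form a hierarchy in which a senior role inherits its juniors' rights.
The online-bank roles, issuer and users below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Permission:
    operation: str   # e.g. "read", "deposit"
    target: str      # e.g. "own_account", "audit_log"


@dataclass
class RoleAssignment:
    """Binds an authenticated holder to a role, like a PMI attribute certificate."""
    holder: str
    role: str
    issuer: str
    not_before: datetime
    not_after: datetime

    def valid_at(self, when: datetime) -> bool:
        return self.not_before <= when <= self.not_after


class RBAM:
    """Role-based authorization model: roles, hierarchy, assignments, decisions."""

    def __init__(self, trusted_issuers: set[str]) -> None:
        self.trusted_issuers = trusted_issuers
        self.role_permissions: dict[str, set[Permission]] = {}
        self.juniors: dict[str, set[str]] = {}   # role -> roles it inherits from
        self.assignments: list[RoleAssignment] = []

    def add_role(self, role: str, permissions, inherits=()) -> None:
        unknown = set(inherits) - self.role_permissions.keys()
        if unknown:
            raise ValueError(f"role {role} inherits unknown roles {unknown}")
        self.role_permissions[role] = set(permissions)
        self.juniors[role] = set(inherits)

    def assign(self, assignment: RoleAssignment) -> None:
        # Only assignments from a trusted attribute authority are accepted.
        if assignment.issuer not in self.trusted_issuers:
            raise ValueError(f"untrusted issuer {assignment.issuer}")
        if assignment.role not in self.role_permissions:
            raise ValueError(f"unknown role {assignment.role}")
        self.assignments.append(assignment)

    def effective_roles(self, holder: str, when: datetime) -> set[str]:
        """Roles directly assigned and valid at `when`, plus everything they inherit."""
        stack = [a.role for a in self.assignments if a.holder == holder and a.valid_at(when)]
        closure: set[str] = set()
        while stack:
            role = stack.pop()
            if role not in closure:
                closure.add(role)
                stack.extend(self.juniors[role])
        return closure

    def permissions_of(self, holder: str, when: datetime) -> set[Permission]:
        return set().union(*(self.role_permissions[r] for r in self.effective_roles(holder, when)))

    def check(self, holder: str, operation: str, target: str, when: datetime | None = None) -> bool:
        when = when or datetime.now(timezone.utc)
        return Permission(operation, target) in self.permissions_of(holder, when)


def build_bank_policy() -> RBAM:
    """Constructed sample policy for an online bank (assumed data, not from the paper)."""
    m = RBAM(trusted_issuers={"CN=BankAA"})   # assumed attribute authority name
    m.add_role("customer", [Permission("read", "own_account"), Permission("transfer", "own_account")])
    m.add_role("teller", [Permission("read", "any_account"), Permission("deposit", "any_account")])
    m.add_role("manager", [Permission("approve", "large_transfer")], inherits=["teller"])
    m.add_role("auditor", [Permission("read", "audit_log")])
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    t1 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    m.assign(RoleAssignment("CN=alice", "customer", "CN=BankAA", t0, t1))
    m.assign(RoleAssignment("CN=dave", "manager", "CN=BankAA", t0, t1))
    # carol's auditor assignment expires before DECISION_TIME, so it must not grant anything then
    m.assign(RoleAssignment("CN=carol", "auditor", "CN=BankAA", t0, datetime(2024, 6, 1, tzinfo=timezone.utc)))
    return m


DECISION_TIME = datetime(2024, 9, 1, tzinfo=timezone.utc)


def decisions() -> dict[str, bool]:
    m = build_bank_policy()
    return {
        "alice reads own account": m.check("CN=alice", "read", "own_account", DECISION_TIME),
        "alice deposits to any account": m.check("CN=alice", "deposit", "any_account", DECISION_TIME),
        "dave deposits via inherited teller role": m.check("CN=dave", "deposit", "any_account", DECISION_TIME),
        "dave approves large transfer": m.check("CN=dave", "approve", "large_transfer", DECISION_TIME),
        "carol reads audit log after expiry": m.check("CN=carol", "read", "audit_log", DECISION_TIME),
    }


if __name__ == "__main__":
    for label, allowed in decisions().items():
        print(f"{'ALLOW' if allowed else 'DENY '} {label}")
```

The split mirrors the PKI/PMI division in the abstract: authentication establishes the holder name, the assignments (attribute certificates in a real PMI) carry the holder-to-role binding with issuer and validity, and the application only ever asks `check()`, so the authorization mechanism stays independent of the application's own code. An expired assignment or one from an untrusted issuer yields no rights, which is the check a practitioner would want before trusting any role claim.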