
The Design And Implementation Of RBAC Based On Tree-Like Organization Structure

Posted on: 2008-09-26
Degree: Master
Type: Thesis
Country: China
Candidate: W P Zhou
GTID: 2178360212476273
Subject: Electronics and Communications Engineering

Abstract/Summary:
Information technology is developing rapidly and is being applied ever more deeply across society, for example in the economy and in government. Information systems are growing larger as the areas they cover expand and the number of system users increases. An IT system is no longer confined to several offices or a few buildings, so access control models for IT systems face more challenges.

In this paper, three traditional access control models, DAC, MAC and RBAC, are first introduced and their advantages and shortcomings are explained. We then analyze the complex organization structure and the access control requirements of a real project. Based on modeling a treelike organization structure, we extend traditional RBAC and propose a new RBAC based on treelike organization structure: TO-RBAC.

Traditional RBAC does not manage the scopes of subjects and objects; TO-RBAC manages these scopes explicitly through group management and function management. Applying the new RBAC concept to the treelike organization structure yields a nested RBAC, which consists of Sys-RBAC at the system level and Grp-RBAC at the group level. The subjects of Sys-RBAC are independent groups, and its objects are all of the functions registered in the system. The subjects of Grp-RBAC are the system users of an independent group, and its objects are the functions authorized to that independent group.

The first chapter introduces previous studies of RBAC and the business and technology background of the project. The second chapter is the core of this paper; the TO-RBAC model is developed step by step in this chapter. Based on the theoretical model, the design and implementation of TO-RBAC are described in chapter 3, so that the model can be validated and carried from theory into practice. In chapter 4, through an explanation of the DMS project that adopted the TO-RBAC model, we analyze the administration of TO-RBAC, including its advantages and the weaknesses that remain to be improved. In the last chapter, we summarize the whole paper and forecast directions for future study.

UML is used to describe the system model in this paper. J2EE is selected to implement a TO-RBAC instance in the real project. The TO-RBAC model has proved convenient and flexible in practical use by end users. It can be expected to become an authorization subsystem based on J2EE for enterprise applications.
Keywords/Search Tags:Access Control, RBAC, Treelike Organization Structure, J2EE
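
The nesting described in the abstract, as an added Python sketch; it is not the thesis's J2EE code. The class names, the sample group, roles and functions, and the choice to re-evaluate a group's scope on every decision are assumptions, and the organization tree itself is not modeled because the abstract does not say how it is traversed.

```python
from dataclasses import dataclass, field

@dataclass
class SysRBAC:
    """System level: subjects are independent groups, objects are registered functions."""
    functions: set                                   # every function registered in the system
    roles: dict = field(default_factory=dict)        # system role -> functions
    group_roles: dict = field(default_factory=dict)  # group -> system roles

    def scope(self, group):
        """Functions authorized to a group, i.e. the object set of its Grp-RBAC."""
        roles = self.group_roles.get(group, ())
        granted = set().union(*(self.roles.get(r, set()) for r in roles))
        return granted & self.functions              # unregistered names never grant access

@dataclass
class GrpRBAC:
    """Group level: subjects are the group's users, objects are limited to the group's scope."""
    group: str
    sys: SysRBAC
    roles: dict = field(default_factory=dict)        # group role -> functions
    user_roles: dict = field(default_factory=dict)   # user -> group roles

    def add_role(self, role, funcs):
        # A group administrator cannot hand out a function the group was never given.
        outside = set(funcs) - self.sys.scope(self.group)
        if outside:
            raise PermissionError(f"outside scope of {self.group}: {sorted(outside)}")
        self.roles[role] = set(funcs)

    def check(self, user, func):
        # Scope is checked at decision time, so a system-level revocation wins
        # even when a group role still lists the function.
        if func not in self.sys.scope(self.group):
            return False
        return any(func in self.roles.get(r, ()) for r in self.user_roles.get(user, ()))

def demo():
    """Constructed sample data: decisions before and after the system narrows a group's scope."""
    sys_ = SysRBAC(functions={"order.view", "order.approve", "stock.edit"})
    sys_.roles["sales-pack"] = {"order.view", "order.approve"}
    sys_.group_roles["dealer-east"] = {"sales-pack"}
    grp = GrpRBAC("dealer-east", sys_)
    grp.add_role("manager", {"order.view", "order.approve"})
    grp.user_roles["alice"] = {"manager"}
    before = grp.check("alice", "order.approve")
    sys_.roles["sales-pack"].discard("order.approve")  # system-level revocation
    return before, grp.check("alice", "order.approve"), grp.check("alice", "order.view")
```
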