| As the enterprise information management has been constantly deepened; in an open network platform, cross-boundary application systems have been widely used. Enterprises make use of these systems to manage production, sales, operation, and so on, which has brought about tremendous business facilitation and efficiency. All these management activities need to manage and access the sensitive information and resources. In order to ensure the safety of systems, making the right people at the right time to visit the appropriate resources, there must use access control technology.The Trusted Computer System Evaluation Criteria of United States Department of Defense takes the access control as one of the key indicators of evaluating system security. Currently this research area is particularly active. There are a number of relevant theories and technologies arising. For example, in the access control strategy theory area, there are mandatory access control, role-based access control (RBAC), organizations based access control (Or-BAC) and generally RBAC (GRBAC); in the access control strategy implementation technology, there are access control lists, the ability table, relationships authorized table and extensible Access Control Markup Language (XACML).RBAC refers to authorize user's access rights through roles. When the user was given a role, the user has this role with all the access. At present, the RBAC model is gradually being theoretical and industry accepted.XACML is an OASIS standard that describes both a policy language and an access control decision request/response language (both encoded in XML). The policy language is used to describe general access control requirements, and has standard extension points for defining new functions, data types, combining logic, etc. The request or response language lets you IV form a query to ask whether or not a given action should be allowed, and interpret the result. The response always includes an answer about whether the request should be allowed using one of four values: Permit, Deny, Indeterminate (an error occurred or some required value was missing, so a decision cannot be made) or Not Applicable (the request can't be answered by this service).With RBAC being widely used, XACML language has drawn up RBAC Profile to support RBAC strategy. With this specification, it is easier to make use of RBAC strategy to implement an access control security system. Plus, because XACML is the standard, as XACML becomes more widely deployed, it will be easier to interoperate with other applications using the same standard language.Nowadays, Web Services is a popular distributed network application technique. It is based on some liberal standards and it makes good use of Web application techniques that already exists, including various models, standards, and protocols. Besides, it is service-oriented, which accomplishes the goal of inter-exchanging heterogeneous information with the help of proper use of existing Web application techniques. Its modulation, extensibility, ability of custom and the heterogeneous information interaction are all impressive, which will greatly shorten the application distance between organization's business and the services.After I studied RBAC strategy, XACML and XACML RBAC profile, I found that the description of RBAC profile there are many restrictions and flaws. It does not include all the functionalities an RBAC may require. Furthermore, it reduces the capabilities, and does not make use of all the advantages of the XACML language that is considered to be a very powerful and rich language. At the same time, it does not support the current other outstanding RBAC model strategy, such as Or-BAC, GRBAC and TBAC. In order to perfect the XACML RBAC profile, on the one hand, I link it with some existent access control model to be enough to express, in addition to RBAC, other access control models such as GRBAC, TBAC and Or-BAC. Then, it can help security administrators with standard language for a lot of access control strategy and choose to use the most suitable model under different circumstances; On the other hand, I make best use of XACML to extend the RBAC profile of XACML with new functionalities that should overcome its current limitations.Currently, sunxacml development kit, targeted at XACML, don't support the XACML RBAC profile. I have added new classes to not only support current RBAC profile, but also support the extended XACML RBAC profile. Then the developers could use this development kit to develop RBAC strategy model, Or-BAC strategy model and GRBAC strategy model. Based on the extended XACML RBAC profile, I made use of new sunxacml development kits to implement a RBAC web service. As we all known, it is easy to integrate the web services into other applications. In addition, the RBAC web service verifies the feasibility of the new RBAC framework and provides a template for developers to implement RBAC application with the new sunxacml development kits. Finally, I provide a platform for new RBAC profile policy configuration.However, new profile retained one of the primary problems with the RBAC profile: it requires prior knowledge of potential roles, views and activities .Each of them should be tested individually for each request. This appears to be expensive. Performance should be studied in the future and some improvement should be done in the way each request is evaluated. Another problem is that XACML standard RBAC profile doesn't support constrained RBAC. I hope I can resolve this problem in future. |