| In the design of large-scale information system,access control is always a complicate task. RBAC(Role-Based Access Control)has been widely used, and it can provide better flexibility and scalability. But with the expansion of the size of the application system, the number of RBAC roles and permissions also increased, which will result in redundant data storage.One possible solution is to extend the model itself to resolve the access control based on instance level, which will reduce the universality of the model.This paper describes a kind of instantiation of RBAC using dynamic parametrization, which is mainly applicable in information systems based on relational DBS.It can solve the problem of redundant storage by using dynamic authorization and parametrization in implementation of the model. The implementation of dynamic authorization and parametrization depends on metadatas of parameter templates and dynamic authorization rules, which decribe many-to- one relationship between data objects and many to many relationship between user object and data objects.RBAC elements can be created automatically based on those metadatas.A universal access control system based on instantiation above is also introduced. Information systems call its interfaces for access control. This paper describes the features and implementation of the main modules of the access control system.In order to verify the validity of the instantiation, a typical SNS system including basic applications such as users and friends, messages, photo album, vote, forum is also introduced in this paper. It calls interfaces of the access control system. |
PDF Full Text Request