Research And Realization Of Access Control

With the high-speed development of computer and network technology, the network security has become more and more important, as a five-level type of security services, access control has become a research hotspot. The access control is one method which controls and limits the access-rights and access-scope via some way explicitly. Under the electronic commerce environment, it serves as one of the key approaches to solve the enterprise information system security. At present, there are many kinds of access control model proposed, but almost all the present models are confined to certain limitations, such as cannot satisfying enough frequent position changes in the modern enterprise, more and more complex business process, as well as distributing management and so on.On the basis of the present access control models to be researched, this thesis analyzes the superiorities and its limitations of each kind of model, and combines Role-Based Access Control (RBAC) and Task-Based Access Control (TBAC) according to the characteristics and the demands of access control under the enterprise environment, proposes a Task-Based Access Control (T-RBAC) model on distributed enterprise environment. This kind of model can satisfy the request of the enterprise access control well, it has the flexibility and the versatility.This thesis gives primary conception of the model, the formalized description of T-RBAC and a detailed analysis of several key components of the model realization, puts forward the corresponding solution. In this model, it makes the concept of role for non-workflow, the permission and the user separate in logical meaning by use of the concept of the role to improve the management of access control; It integrates the concept of role and the standpoint of task to carry out the access control for workflow in order to force the validness of role permission change along the alteration of task's state, enhancing the security.This thesis introduces the main framework of the model and the design of its main function components. This thesis uses both LADP and relation database; it uses LDAP to store the data which is not often modified; it uses relation database to store the data that is often modified. At last, this thesis introduces the implementation of the main function components in detail.