
Research On Multi-Dimensional Role-Based Access Control Models

Posted on: 2011-11-05
Degree: Master
Type: Thesis
Country: China
Candidate: Y Zhang
GTID: 2178360302988565
Subject: Computer software and theory

Abstract/Summary:
Role-Based Access Control (RBAC) is an access control model that is now widely researched in both theory and application. However, when RBAC is applied to large-scale management information systems, managing users, roles and permissions remains complex, and operation and maintenance costs remain high. Because roles carry multi-layer semantics in real RBAC application systems, this thesis puts forward a family of multi-dimensional role-based access control (MDRBAC) models. The main work is as follows:

In an RBAC application system, the users that roles represent always sit within a management framework made up of several multi-dimensional models. If roles are defined according to the principle of minimum operation privileges, the system ends up with too many roles, and the meaning of each role becomes mixed with multi-layer semantics, which increases the management complexity of the system. To address these problems, this thesis presents a multi-dimensional role-based access control model. In the model, roles are expressed as multi-dimensional role segments according to the user's multiple attributes, and role hierarchy, role constraints and role permission assignment are defined on the role segments. As a result, the expression of a role complies better with the job functions within an organization, role semantics become clear, and role management and role permission assignment in the model are simplified.

In the MDRBAC model, the mapping between roles and permissions is built on role segment sets. This thesis proposes using predicate clauses composed of resource properties to express resource access authority, with each clause set corresponding to a role segment, and gives methods for integrating role segment permission sets into multi-dimensional role permission sets.

Furthermore, this thesis proves that the partial order defined on the role segment set hierarchy induces a partial order on the role set hierarchy, and that after role segments are synthesized into roles, the constraints defined on role segment sets still satisfy the corresponding constraints on the role set, which ensures the integrity of the model. An application example is given to further verify the proposed multi-dimensional role-based access control model. We also give the grammar rules and formal description method (defined in the form of XML documents) for resources and their access authority constraints, user role assignment, role segment authorization and so on, for use when the model is applied to a real system. Finally, we design and implement a management platform for the MDRBAC model. Through this platform, the administrator of an application system can define access control elements based on the MDRBAC model. The platform also provides a function for checking the consistency of permission assignment and standard functions for checking dynamic role constraints for the application system.
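
As an added illustration (not code from the thesis), the sketch below models roles as tuples of role segments and attaches predicate clauses over resource properties to each segment. The dimension names, segments, clauses and sample resources are constructed, and the component-wise role order and the rule that every dimension must permit a resource are assumptions, since the abstract does not spell them out.

```python
import operator
from itertools import product

# Constructed example data: two dimensions, each with its own segment hierarchy
# (senior segment -> direct junior segments).
DIMS = ("dept", "post")
JUNIORS = {
    "dept": {"company": {"sales", "finance"}, "sales": set(), "finance": set()},
    "post": {"manager": {"clerk"}, "clerk": set()},
}
# Predicate clauses over resource properties, attached to role segments.
CLAUSES = {
    ("dept", "sales"): [("owner_dept", operator.eq, "sales")],
    ("dept", "finance"): [("owner_dept", operator.eq, "finance")],
    ("post", "clerk"): [("amount", operator.le, 1000)],
    ("post", "manager"): [("amount", operator.le, 50000)],
}
# Constructed sample resources used for the checks.
SAMPLE = [
    {"owner_dept": "sales", "amount": 500},
    {"owner_dept": "finance", "amount": 5000},
    {"owner_dept": "sales", "amount": 90000},
]

def seg_geq(dim, senior, junior):
    """Partial order on one dimension's segments (reflexive, transitive)."""
    return senior == junior or any(
        seg_geq(dim, j, junior) for j in JUNIORS[dim][senior])

def role_geq(r1, r2):
    """Assumed induced order on roles: r1 >= r2 iff it holds in every dimension."""
    return all(seg_geq(d, a, b) for d, a, b in zip(DIMS, r1, r2))

def segment_permits(dim, seg, res):
    """A segment permits a resource if an own or inherited clause holds."""
    own = any(op(res[prop], val) for prop, op, val in CLAUSES.get((dim, seg), []))
    return own or any(segment_permits(dim, j, res) for j in JUNIORS[dim][seg])

def role_permits(role, res):
    """Assumed integration rule: every dimension's segment must permit."""
    return all(segment_permits(d, s, res) for d, s in zip(DIMS, role))

# 3 + 2 segment definitions yield 6 roles without defining each role by hand.
ROLES = list(product(*(JUNIORS[d] for d in DIMS)))

def monotone(resources):
    """True if each senior role permits everything its junior roles permit."""
    return all(role_permits(hi, r) or not role_permits(lo, r)
               for hi in ROLES for lo in ROLES if role_geq(hi, lo)
               for r in resources)
```

Roles such as `("sales", "manager")` and `("company", "clerk")` are incomparable under this order, which is why the result is a partial order rather than a total one.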
Keywords/Search Tags:role-based access control, multi-dimensional roles, role segments, models, authorization rules