| The concern over workflow system security has been gradually increased with the extensive application of workflow system, and as is well known, the permission control module plays very critical role in the security issue. Therefore this paper focuses on the permission control of workflow system.Per XPDL, Discretionary Access Control and Mandatory Access Control combine user permissions with related operations. These two models work well under most circumstances but still need to be improved respectively. For this reason, an advanced model Role-Based Access Control is proposed to serve in workflow system.Following description of the models RBAC and ARBAC, this paper introduces an improved ARBAC02 that involves the original ARBAC02 plus the concept activity of workflow. In the new ARBAC02, activities can be assigned to and associated with operations so that the flexible control over workflow system permissions will be easily achieved. And the new feature constraint makes the permission control more suitable for workflow system.This paper also describes the designs of permission system database and function module, including role authorization administration, user authorization administration and permission architecture. Permission inheritance can be implemented without any effort as the organization structure is a natural role hierarchy. As a result, the role authorization is divided into global access, node access and self access. Moreover, the special roles consist of system administrators and security administrators, which is in agreement with the minimum principle of RBAC and avoids abuse of permissions.This paper ends with an example-The Meteorological Emergency Services System, where MVC pattern and Spring+Hibernate+Struts frameworks are adopted. More importantly, Acegi is used to implement role and permission verification, so that the permission control module is decoupled from the whole system and can be easily extended without much effect on other modules. |
PDF Full Text Request