
Research On Role-Based Access Control In Multi-domain Authorization Management

Posted on: 2011-01-25
Degree: Master
Type: Thesis
Country: China
Candidate: G Chen
GTID: 2178360305988625
Subject: Computer application technology

Abstract/Summary:
With the continuous development of computer network technology, and in particular the growing popularity of the Internet, major changes have taken place in the way we study, work and live. As Internet applications grow and distributed technology becomes widely used, large companies, and the departments within an enterprise, are divided into multiple administrative domains, each with its own security policy. In such a distributed, heterogeneous multi-domain environment, the concern is to develop a security policy mechanism that meets the need for inter-domain interoperability while ensuring that no domain's security policy is broken.

First, this thesis studies basic access control technology and access control models, and then analyzes the IRBAC2000 model. IRBAC2000 presents a method for inter-domain interoperability: it aims to achieve inter-domain authorization by constructing role associations between domains. However, IRBAC2000 has shortcomings, such as role-association conflicts and violations of static separation of duties. We analyze the causes of the role-association conflicts and the static separation-of-duty violations in IRBAC2000, and give conflict detection algorithms and a detection algorithm for the static separation-of-duty constraint, respectively.

Second, based on the analysis of the security problems of IRBAC2000, we propose a multi-domain access control model, MD_RBAC. This model also achieves inter-domain authorization by establishing associations between roles. MD_RBAC retains the basic requirements of the RBAC model, the role hierarchy, and the separation-of-duties constraints, and makes up for the shortcomings of the IRBAC2000 model.

Finally, we present an initial design of a multi-domain authorization management system based on the MD_RBAC model, and describe the components of the system and their functions. This system provides a reference for practical application.
Keywords/Search Tags: multi-domain, Role-Based Access Control, role-association conflict, separation of duties
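
The abstract names static separation-of-duty (SSD) violations caused by inter-domain role associations but does not reproduce the thesis's detection algorithm. The following is an added example, not the thesis's own code, of one way such a check can work. The domains, roles, associations and SSD pair are constructed, and it assumes that a senior foreign role inherits the associations of its juniors and that SSD is evaluated over inherited local roles.

```python
# Constructed two-domain setup; every name below is illustrative.
FOREIGN_JUNIORS = {"A.director": ["A.buyer", "A.accountant"]}  # senior -> juniors in domain A
LOCAL_JUNIORS = {}                                             # domain B hierarchy is flat here
ASSOCIATIONS = {"A.buyer": ["B.purchaser"],                    # foreign role -> local roles
                "A.accountant": ["B.approver"]}
LOCAL_SSD = [("B.purchaser", "B.approver")]                    # mutually exclusive in domain B


def closure(role, juniors):
    """Return the role plus every role it inherits within one domain's hierarchy."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(juniors.get(r, ()))
    return seen


def mapped_local_roles(foreign_roles, foreign_juniors, associations, local_juniors):
    """Local roles a foreign user becomes authorized for through role associations."""
    held = set()
    for r in foreign_roles:
        held |= closure(r, foreign_juniors)      # assumption: seniors inherit juniors' associations
    local = set()
    for f in held:
        for l in associations.get(f, ()):
            local |= closure(l, local_juniors)   # local role plus what it inherits
    return local


def ssd_violations(local_roles, ssd_pairs):
    """SSD pairs for which the user would be authorized for both roles at once."""
    return sorted(tuple(sorted(p)) for p in ssd_pairs if set(p) <= local_roles)


def check(foreign_roles):
    """Run the check against the constructed sample policy above."""
    local = mapped_local_roles(foreign_roles, FOREIGN_JUNIORS, ASSOCIATIONS, LOCAL_JUNIORS)
    return ssd_violations(local, LOCAL_SSD)


if __name__ == "__main__":
    for roles in (["A.buyer"], ["A.director"]):
        print(roles, "->", check(roles) or "no SSD violation")
```

Each association is acceptable on its own; the violation appears only once the foreign hierarchy is taken into account, which is why the check has to run over the combined policy of both domains and not per association.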