
Research And Design Of RB-RBACex-Based PMI System

Posted on: 2011-11-18
Degree: Master
Type: Thesis
Country: China
Candidate: X J Zhou
GTID: 2178360308952584
Subject: Communication and Information System

Abstract/Summary:
Access control is a key component of an information security system. It addresses data confidentiality, integrity and availability. Role-based access control (RBAC) is currently the most deeply researched model. In RBAC, administrators manually assign users to roles based on criteria specified by the enterprise. As the system grows, the number of users grows with it, and user-to-role assignment becomes a formidable task. Rule-based RBAC (RB-RBAC) modifies RBAC by introducing user attributes and rules that assign users to roles automatically. RB-RBAC still has shortcomings. First, role-permission assignment is as important as user-role assignment; a large number of resources makes role-permission assignment difficult as well, and RB-RBAC does not solve this problem. Second, in RB-RBAC the access control decision is determined only by the user's authority, which cannot meet some special requirements.

Building on this study of RB-RBAC, this paper proposes an access control model called RB-RBACex. The model uses a permission expression (based on an object attribute expression) to associate permissions with roles dynamically. This reduces the difficulty of role-permission assignment, and the association adjusts automatically when new resources are added or existing resources change. The model uses a role activate condition to implement multi-factor decisions: authorization is not the only factor that influences the result of an access control decision; other factors such as user attributes, environment attributes and system status are also taken into account.

PMI (Privilege Management Infrastructure) is a universal platform for privilege management and service. It uses attribute certificates to represent and hold users' privilege information. This paper describes the design of a PMI system based on RB-RBACex. The composition of the system and the method of representing the authorization rules and role activate conditions are given. The process of attribute certificate management and the process of access control decision are described in detail. The RB-RBACex-based PMI is general, extensible, live and safe. It can meet the strict requirements of access control systems with a high security level.
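The three mechanisms named in the abstract (rule-based user-role assignment, permission expressions over object attributes, and role activate conditions) can be sketched as follows. This is an added illustration, not code or syntax from the thesis: the role names, attribute names and the lambda-based rule encoding are all hypothetical, and attribute certificates are not modelled.

```python
from dataclasses import dataclass
from typing import Callable, Dict

Attrs = Dict[str, object]

@dataclass
class Role:
    name: str
    assign_rule: Callable[[Attrs], bool]           # RB-RBAC: user attributes -> role
    permission_expr: Callable[[str, Attrs], bool]  # RB-RBACex: action + object attributes
    activate_cond: Callable[[Attrs, Attrs], bool]  # RB-RBACex: user + environment attributes

# Constructed sample policy; every attribute name and value here is hypothetical.
ROLES = [
    Role("clinician",
         assign_rule=lambda u: u.get("dept") == "cardiology" and u.get("grade", 0) >= 3,
         permission_expr=lambda act, o: act in {"read", "write"}
             and o.get("type") == "record" and o.get("dept") == "cardiology",
         activate_cond=lambda u, env: env.get("network") == "internal"
             and 8 <= env.get("hour", -1) < 20),
    Role("auditor",
         assign_rule=lambda u: u.get("dept") == "audit",
         permission_expr=lambda act, o: act == "read" and o.get("type") in {"record", "log"},
         activate_cond=lambda u, env: env.get("system_state") != "lockdown"),
]

def assigned_roles(user: Attrs):
    """Roles follow from user attributes; no administrator assigns them by hand."""
    return [r for r in ROLES if r.assign_rule(user)]

def decide(user: Attrs, action: str, obj: Attrs, env: Attrs):
    """Permit only if an assigned role can be activated now AND its expression covers obj."""
    for role in assigned_roles(user):
        if not role.activate_cond(user, env):
            continue  # role is held, but the multi-factor condition is not met
        if role.permission_expr(action, obj):
            return True, role.name
    return False, None  # default deny

if __name__ == "__main__":
    alice = {"dept": "cardiology", "grade": 4}
    record = {"type": "record", "dept": "cardiology"}  # a new record needs no policy edit
    print(decide(alice, "write", record, {"network": "internal", "hour": 10}))
    print(decide(alice, "write", record, {"network": "vpn", "hour": 10}))
```

The second call is denied although the user holds the role, which is the multi-factor behaviour the abstract attributes to the role activate condition.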
Keywords/Search Tags: Access Control, PMI, permission expression, role activate condition