
Study On Role-based Multi-step Delegation And Revocation

Posted on: 2011-01-06
Degree: Master
Type: Thesis
Country: China
Candidate: S X Guo
GTID: 2178360308958961
Subject: Computer application technology
Abstract/Summary:
Delegation means that a delegator may delegate his permissions to a delegatee. It can be divided into single-step delegation and multi-step delegation. In the former, the delegator can delegate delegation authority and permissions to the delegatee, but the delegatee cannot reassign the role and the delegated authority to others. In the latter, the delegatee can be given the delegation authority to re-assign what was delegated. Role-based multi-step delegation is a mechanism for multi-step delegation in which the role is the unit of delegation. The user who initiates a role delegation is called the delegating user or delegator. The role delegated by the delegating user is known as the delegated role, and the user who accepts the delegated role is called the delegated user or delegatee.

Revocation is the inverse process of delegation: it is the process of cancelling the delegated role, that is, the delegator can revoke the permissions he delegated to other users. The revocation of role privileges can be divided into revocation of source role permissions and revocation of delegated role permissions; system administrator revocation is an important example of the former.

Current research on permission revocation focuses on revoking the role permissions allocated to source users, while revocation in multi-step delegation has received less attention. Consequently, based on an analysis of existing permission revocation mechanisms, this thesis proposes cascading revocation modeled with directed graphs.
The contributions of the thesis are:

① Research on current access control models and delegation models, including RBAC96, RBDM0, RDM2000 and models that support time limits.

② A study of multi-step delegation authorization, the process by which the delegation digraph is formed, and cascading revocation based on the digraph.

③ In analyzing multi-step delegation authorization, the thesis studies the time limit and gives a definition of it. The goal is to create the conditions for automatic revocation by the system.

④ In constructing the digraph, the thesis defines two mappings so that all elements of the delegation map into the digraph. It defines a multi-step delegation authorization algorithm based on the digraph and uses an example to carry out the algorithm. It also states properties of the digraph and proves them.

⑤ The thesis studies three revocation mechanisms: system administrator revocation, time-triggered automatic revocation by the system, and cascading revocation. The main focus is cascading revocation: the thesis proposes a cascading revocation algorithm based on the digraph and proves the algorithm. Finally, it proves that automatic revocation and cascading revocation do not interfere with each other during revocation and can coexist.

⑥ On the digraph, the thesis designs and implements in code the time-triggered automatic revocation and the cascading revocation.

An experimental system simulates multi-step delegation authorization, time-triggered automatic revocation and cascading revocation. The experimental results show that the digraph can carry out multi-step delegation and revocation.
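The following sketch is an added illustration, not code or an algorithm taken from the thesis: it models the delegation of a single role as a digraph whose edges are delegations with an expiry time, and runs cascading revocation and time-triggered revocation over it. The class and method names, the user names and the rule that a delegation survives only while its delegator can still reach a source user are assumptions made for the example.

```python
# Added example: delegation digraph for ONE role. Nodes are users, an edge
# (delegator, delegatee) is a delegation, its value is the expiry time.
# All names and the sample data below are constructed for illustration.

class DelegationGraph:
    def __init__(self, source_users):
        self.sources = set(source_users)   # users assigned the role directly
        self.edges = {}                    # (delegator, delegatee) -> expiry

    def holders(self):
        """Users who reach the role from a source user along live edges."""
        seen, stack = set(self.sources), list(self.sources)
        while stack:
            user = stack.pop()
            for delegator, delegatee in self.edges:
                if delegator == user and delegatee not in seen:
                    seen.add(delegatee)
                    stack.append(delegatee)
        return seen

    def delegate(self, delegator, delegatee, expiry):
        if delegator not in self.holders():
            raise PermissionError(f"{delegator} does not hold the role")
        self.edges[(delegator, delegatee)] = expiry

    def _prune(self):
        """Cascade step: drop delegations whose delegator lost the role.
        Reachability also clears cycles that no longer lead back to a source."""
        live = self.holders()
        dead = [e for e in self.edges if e[0] not in live]
        for e in dead:
            del self.edges[e]
        return dead

    def revoke(self, delegator, delegatee):
        """Cascading revocation of one delegation and everything under it."""
        del self.edges[(delegator, delegatee)]
        return [(delegator, delegatee)] + self._prune()

    def expire(self, now):
        """Time-triggered automatic revocation, followed by the same cascade."""
        timed_out = [e for e, t in self.edges.items() if t <= now]
        for e in timed_out:
            del self.edges[e]
        return timed_out + self._prune()

def build_example():
    g = DelegationGraph({"alice"})
    g.delegate("alice", "bob", 100)
    g.delegate("bob", "carol", 100)
    g.delegate("alice", "carol", 30)   # carol has a second, shorter-lived path
    g.delegate("carol", "dave", 80)
    return g
```

In this constructed graph, revoking alice's delegation to bob leaves carol and dave in place because carol still has a path from alice; once that path expires at time 30 they are removed as well, and applying the two revocations in the opposite order ends in the same state.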
Keywords/Search Tags:Delegation Model, Delegation Authorization, Delegation Revocation, Digraph