| With the rapid development of Internet and related technology, Web has become a rich information base and interaction platform. Web system have changed from information shower earliest to the current all-inclusive, such as enterprise management systems, online trading platforms and instant messaging platforms, at the same time, people are increasingly accustomed to dealing with work and daily affairs in Web systems. With the rapid increase of resources and users in Web system, the existing performance has become increasingly weak, and it has become a pressing problem how to allocate resources and manage users effectively.In order to achieve the goal, there must me a new strategy, which can be used to deal with the increasing resources and users, so new way of permission management is necessary. The main content of permission management is access control, and it's divided into function-level and data-level in practical applications. In side of function-level access control, role-based access control RBAC brings in roles which provide a method which separates the users and permission, and it will meet most needs of Web systems now, however, facing the explosive growth of amount of information and users, RBAC need to be extended and improved more effectively to meet the new demands. In addition, in side of data-level access control, the traditional way which using third-party control to do the filtering work after access database operations is only in visualized level, so a new model has to be built, what really be able to achieve data-level access control in operational level.In functional-level access control of this thesis, a model named OS-RBAC is proposed by making some improvement on RBAC, such as joinning UR-constraints and RP-constraints, which convert a large of manual management operations automatically executed in the system. This method can reduce a lot of work of system administrator, and cut down the possibility of problem caused by human factor and risk of security. At the same time, by means of bring concept of standard matching in permission management, the method provides a effective way to solve the problem of multi-department and multi-service authorization in enterprise information systems. In data-level access control of this thesis, there are some analysis of traditional access control strategy. By replacing of the third-part control in traditional way with rule engine, data filtration of rule engine is brought in, which can achieve the filtering operation before data access by rule, reducing the work of data safety filtering in entire data access process greatly, spend fewer resourses, raise the system efficiency effectively and achieve the data-level access control ultimately. |
PDF Full Text Request