
Rule-based User - Role Assignment Model And Web Implementation

Posted on: 2006-01-20
Degree: Master
Type: Thesis
Country: China
Candidate: Y S Cheng
Full Text: PDF
GTID: 2208360155466845
Subject: Computer application technology
Abstract/Summary:
In a traditional Role-Based Access Control (RBAC) system, the main task of the security manager is to assign roles to users and to revoke them. As the number of system users keeps growing, the workload of maintaining and managing user-role assignments grows with it, and completing the authorization task requires more security managers. This increases the complexity of authorization management and the unreliability of the system.

Moreover, traditional RBAC suits a closed enterprise environment and provides no flexible authorization mechanism for users outside the enterprise (for example, clients and partners). More and more service enterprises make their services available to users over the Internet. Many enterprise systems, in addition to their internal staff, have several hundred thousand or even several million external users. Facing such a mass of external users, it is impossible to assign a role to each of them individually, and it is equally impossible to let users choose their own roles in the system; that would be inconvenient for the user and insecure for the system.

To solve these two problems, a good method is to automate user-role assignment: users are assigned to roles dynamically on the basis of the user's individual information and the enterprise security policy, so that the security manager no longer needs to maintain and manage the user-role assignment. This thesis describes a model called RB-RBAC (Rule-Based RBAC), which assigns users to roles dynamically according to rules. RB-RBAC mainly extends the user-role assignment of the traditional RBAC model: in traditional RBAC the assignment is designated explicitly, whereas in RB-RBAC it is implicit and realized through the enterprise's authorization rules. These authorization rules take into account the user's attributes and the enterprise security policy.

The model also allows dynamic revocation of assigned roles based on conditions specified in the security policy. In the RB-RBAC model the authorization rules have a level (seniority) relation, which causes the roles they infer to have a level relation as well; this relation differs from the role hierarchy of traditional RBAC, and the thesis discusses it in detail. A user has two states in a role, distinguished by a session, so constraints in the RB-RBAC model can be discussed further on that basis, and a more flexible constraint mechanism is proposed.

The architecture of the traditional RBAC model on the Web cannot fully suit RB-RBAC. This thesis proposes an RB-RBAC/Web architecture that is based on the server-pull architecture of RBAC/Web and uses the characteristics of the user-pull architecture. According to the changes in the user's attributes since the last session, the RB-RBAC/Web architecture determines the user's roles after the user has been correctly authenticated. The RB-RBAC/Web architecture improves Web server efficiency and the reuse of roles, and guarantees that roles are renewed promptly.

On the basis of the RB-RBAC model and the RB-RBAC/Web architecture, we design an RB-RBAC access control scheme suitable for modern enterprise systems with massive numbers of external users. The scheme provides the enterprise with a configurable, automated role assignment mechanism that is flexible and highly efficient for access control. Separating the security logic from the business service realizes the separation of security and application. In the access control decision and enforcement process of the scheme, we use caching to improve the efficiency of access control decisions and their enforcement in the RB-RBAC system. To realize the role hierarchy, we use a binary tree data structure to represent it, and we use the traversal of two binary trees to realize queries of a role's permissions.
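The rule-based assignment the abstract describes, as an added illustration that is not code from the thesis: each authorization rule is an attribute expression that implies a role; roles are derived from the user's current attributes at every authentication, so a role whose rule has stopped holding is revoked without any action by the security manager; and a session separates the roles a user is assigned from those actually activated, which is where a constraint such as a mutually exclusive role pair can be enforced. The rule names, attribute names, reference date, sample user records and the exclusive pair are all constructed for this example; the thesis's binary-tree role hierarchy and its cache are not modelled.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, FrozenSet, List, Set

Attrs = Dict[str, object]  # a user's attribute record, e.g. from a CRM or HR directory


@dataclass(frozen=True)
class Rule:
    """An authorization rule: an attribute expression that implies one role."""
    name: str
    condition: Callable[[Attrs], bool]
    role: str


@dataclass
class Session:
    """Two states of a user in a role: 'assigned' (its rule holds for the user's
    current attributes) and 'active' (the user has activated it in this session)."""
    user: str
    assigned: Set[str]
    active: Set[str]


class RuleBasedAssigner:
    def __init__(self, rules: List[Rule], exclusive_pairs: Set[FrozenSet[str]]):
        self.rules = rules
        self.exclusive_pairs = exclusive_pairs  # role pairs that may not be active together

    def derive_roles(self, attrs: Attrs) -> Set[str]:
        roles: Set[str] = set()
        for rule in self.rules:
            try:
                if rule.condition(attrs):
                    roles.add(rule.role)
            except (KeyError, TypeError):
                # Missing or malformed attribute: the rule cannot be proven, so fail
                # closed and grant nothing for it.
                continue
        return roles

    def open_session(self, user: str, attrs: Attrs) -> Session:
        # Roles are recomputed from the current attributes at every authentication
        # rather than stored per user, so a lapsed rule revokes its role implicitly.
        return Session(user=user, assigned=self.derive_roles(attrs), active=set())

    def activate(self, session: Session, role: str) -> bool:
        """Move a role from the assigned state to the active state, enforcing the
        mutual-exclusion constraint against roles already active in the session."""
        if role not in session.assigned:
            return False
        for other in session.active:
            if frozenset((role, other)) in self.exclusive_pairs:
                return False
        session.active.add(role)
        return True


# Constructed policy. Note that r_gold implies r_customer: every user satisfying
# the gold rule satisfies the customer rule, which is the kind of level relation
# between rules (and hence between derived roles) the abstract refers to.
TODAY = date(2006, 1, 20)  # constructed reference date for contract checks
RULES = [
    Rule("r_customer", lambda a: a["account_status"] == "active", "customer"),
    Rule("r_gold", lambda a: a["account_status"] == "active" and a["annual_spend"] >= 10000,
         "gold_customer"),
    Rule("r_partner", lambda a: a["org_type"] == "partner" and a["contract_expires"] >= TODAY,
         "partner"),
    Rule("r_staff", lambda a: a["org_type"] == "internal", "staff"),
]
EXCLUSIVE = {frozenset({"customer", "partner"})}  # constructed separation-of-duty constraint

# Constructed sample users.
ALICE = {"account_status": "active", "annual_spend": 12500, "org_type": "external"}
BOB_EXPIRED = {"account_status": "active", "annual_spend": 0, "org_type": "partner",
               "contract_expires": date(2005, 12, 31)}
BOB_RENEWED = dict(BOB_EXPIRED, contract_expires=date(2006, 6, 30))
SPARSE = {"account_status": "active"}  # record missing most attributes


def roles_for(attrs: Attrs) -> Set[str]:
    """Roles the policy assigns to a user with these attributes."""
    return RuleBasedAssigner(RULES, EXCLUSIVE).derive_roles(attrs)


def session_check(attrs: Attrs, requested: List[str]) -> List[bool]:
    """Open a session and report which of the requested activations succeed, in order."""
    assigner = RuleBasedAssigner(RULES, EXCLUSIVE)
    session = assigner.open_session("user", attrs)
    return [assigner.activate(session, role) for role in requested]


if __name__ == "__main__":
    print("alice:", sorted(roles_for(ALICE)))
    print("bob, contract expired:", sorted(roles_for(BOB_EXPIRED)))
    print("bob, contract renewed:", sorted(roles_for(BOB_RENEWED)))
    print("activations:", session_check(BOB_RENEWED, ["partner", "customer", "staff"]))
```

Bob's partner role disappears between the first and second record purely because his contract attribute changed; nothing in the policy or in any per-user table had to be edited, which is the maintenance saving the abstract argues for. The `except` branch is deliberate: a rule evaluated against an incomplete attribute record must not grant a role by accident.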
Keywords/Search Tags: Access Control, Role, Rule, Attribute_Expression