Rbac-based Workflow Access Control Management

Today, the commercial competition becomes more and more fierce, and enterprises come to improve their product and service efficiency by using workflow technology. But the share of resource which is between the different business workflow in the workflow system always arouse a series of safe problems, which is described as the access and control strategy. But the traditional access control model is difficult to satisfy the environment need in complicated enterprise system.Due to the special security requirement for working flow system, this dissertation briefly introduces the access control model against the current prevailing ones. In order to improve the inefficient performance on access control of the current working flow system, an enhanced access control model XPDLRBAC based on roles of working flow system is put forward. Standing upon RBAC, XPDLRBAC divides the privilege authorization into two categories, static authorization and dynamic authorization so as to make sure meeting the requirement of combining the features of dynamic task allocation and static access control together for working flow system as well as meeting the requirement of the lowest access privilege principle which is indispensable for this system.XPDLRBAC module is the sub-module of project which is named of content creation which is supported massive network cooperation, so the important problem which is in front of XPDLRBAC module is how to manage massive people and role efficiently. In the realizations of project, the module of organization management module uses the tree-shape realization method, and also creates the conception of user-group, which is the muster of people who will finish a project or workflow instance together. The XPDLRBAC module also assign role to user-group, and modify the operation of role assignment.In privilege distribution module, XPDLRBAC takes advantage of task to strengthen the dynamics feature of RBAC model by taking the features of static and dynamic privilege control into account while granting privileges to static data and resources. Here task is the element of workflow, and workflow could be considered as a set of several tasks, each of which is a node of this system. From task's point of view, if a client gets the privilege of executing a task, he gets the privilege of accessing all the resources to complete the task as well. In other word, once the task is completed, the privilege on the client is revoked. Since it is necessary to clear the duties, privilege restraints are introduced into system as the aid.This XPDLRBAC module has been implemented successfully in the project of content creation which is supported massive network cooperation, and can assure the access control and data Integrity.