
Research On Access Control Mechanism In Information Systems And Its Implementation

Posted on: 2013-12-22
Degree: Master
Type: Thesis
Country: China
Candidate: J Feng
GTID: 2248330362970871
Subject: Computer software and theory

Abstract/Summary:
With the spread of information technology, a growing number of organizations establish information systems to manage their own business. Information resources are becoming increasingly important, but they also face a variety of security threats. Access control technology can protect them by restricting users' behavior, but existing access control mechanisms have shortcomings. For example, the granularity of access control is not fine enough, and the management of admission is not rigorous enough. These may bring severe damage to information resources. Thus, this paper improves T-RBAC and also proposes a delegation method. The achievements of this paper are as follows:

First, an improved model of T-RBAC that focuses on admission control and separation of duties, called I-TRBAC, is proposed. The new model simplifies the task classification of T-RBAC, adds context and state properties to tasks, and builds a close relationship between permission granting, task context and task state, which strengthens the dynamic management of permissions. Using private roles, it also solves the problem that mutually exclusive rights are possessed by one role when inherited in the role hierarchy, and it ensures dynamic separation of duties by checking the records of task performance. The new model provides better permission management and better meets the separation of duties and least privilege principles.

Second, this paper proposes a task-delegation method that depends on I-TRBAC, and designs an algorithm to determine the delegatee. This algorithm determines the delegatee by making a chain of strict checks, which examine the role of the delegatee, the constraints of delegation and separation of duties. In addition, the delegation method controls the permissions of tasks strictly and dynamically, which ensures the security of the information system after the delegation of permissions.

Finally, this paper applies the I-TRBAC model and delegation method to a document processing system, and designs and implements the access control engine and the task delegation modules based on the model, thereby verifying and analyzing the effectiveness and practicability of the model.
Keywords/Search Tags: T-RBAC, task classification, task context, task state, mutually exclusive permission, delegation of permission