Research On The Hierarchical Authorization Management Of Role-based Access Control

In recent years, with the continuous development of Information Technology,information security has become a very important issue in the design of informationsystem. As a part of the information security system and one of five criteria securityservices defined by the International Standards Organization, Access Control hasbecome research focus of scholars. Access Control means that the subject implementsdifferent authorized access to object by some of strategies or permissions. AccessControl can effectively prevent unauthorized users access to confidential information;restrict legitimate users of illegal operation and the damage caused by the misuse due tonegligence.This thesis describes several mainstream Access Control technologies, includingDiscretionary Access Control Mandatory Access Control and Role-Based AccessControl, analyzes the advantages and disadvantages of these Access Controltechnologies and emphatically introduces RBAC technology.After deep research on RBAC technique,“administration unit” was introduced intothe traditional RBAC model. Essentially, administration unit is an assemble ofadministration object, every administration unit contains the corresponding userassemble, roles assemble, permissions assemble and constraints assemble. In anadministration unit, hierarchy model of RBAC is adopted, which realizes themanagement of role and the assignment of permission. By hierarchy-structureadministration unit, it can realize the hierarchy management to users and permissions.Hierarchy authorization management model can better reflect the demand policy ofsystems and make system authorization more simple and visualized; hierarchyauthorization also makes the operation of system administrator disperse, and balancesthe operation of administrators, at the same time restrains the permission abuse.Finally, this thesis designs and implements the hierarchical RBAC with thecombination of Privilege Management Infrastructure, including the design of systemframework, the description of authorization policy and the management of the attributecertificate.