| As an important part of information system, the data access control mechanism provides the key functions for the system such as privilege management and access authorization. The core requirement of information system is similar for data access control. If we can provide a universal method which realizes data access control in the both levels of functional and data, then it had certain practical significance to reduce the complexity of authorization management and to reduce system security burden. The main work of this paper includes:Firstly, designing a model of the filter-field-based data access control(FDAC) based on the RBAC authorization model. The basic principle of FDAC is predicate addition rule. The model modifies the SQL statement dynamically according to users' permissions at the runtime to meet the goal of access control. FDAC has strong ability to express permissions, allows to define users' permissions by hash-value, range, comparison, dynamic attribute and the combination of these ways.Secondly, designing and implementing the data access control subsystem based on the FDAC model. This paper introduces the design idea of the system from several aspects such as requirement analysis, function module design and data model design, and then expounds the implement process of some important modules.Last, taking an order management system as an example, this paper introduces how to apply the data access control subsystem to manage the data access rights of business system. According to the operation results of order management system, the data access control method of FDAC model is feasible. |
PDF Full Text Request