
Research And Implementation Of Zone-based RBAC Model

Posted on: 2019-01-03
Degree: Master
Type: Thesis
Country: China
Candidate: B Zhang
Full Text: PDF
GTID: 2428330590994440
Subject: Engineering
Abstract/Summary:
At present, role-based access control (RBAC) is being adopted in more and more fields. As the number of users and roles in application scenarios grows, manually applying for roles places an increasing burden on users. Managing such a large number of users and roles in a flat (planar) way, and manually matching roles to users, also create a great deal of work for administrators. With the arrival of the cloud era, these problems are becoming even more prominent. How to effectively manage a large number of users and roles, how to reduce the work users spend applying for roles, and how to reduce the work administrators spend matching the right role are therefore the research motivations of this thesis.

In this thesis, the Zone-based RBAC model is designed to manage users and roles hierarchically by introducing the concept of a Zone, which remedies the deficiencies of the flat management mode. The concept of a Zone is based on object-oriented thinking: a Zone can be seen as a class. Users and roles belong to a specific Zone, and users and roles in different Zones do not interfere with each other. A child Zone can inherit users and roles from its parent Zone, avoiding the redefinition of users and roles. The child Zone cannot modify or delete anything defined in the parent Zone, so that the parent Zone remains safe, but a user defined in a child Zone can overwrite the same user defined in the parent Zone. Zone management also extends the traditional RBAC model in two ways: first, in addition to the role inheritance of the traditional model, users can be inherited as well; second, the permissions contained in a role are extended. Zones make the management of users and roles more convenient; because the system only needs to consider the users and roles in the current Zone, the reduced amount of information makes the system execute more efficiently, and limiting the scope of users and roles to the current Zone makes the system more secure.

Based on the context information of the Zone user, a matching algorithm for the minimum Zone role is designed and implemented. By replacing the Zone user's login shell, the Zone user's context information is obtained from the login session, and from this context the system automatically determines whether the user has the authority to run the current command. If so, the command is executed normally; otherwise the system tries to use the context information to match the minimum Zone role for the user. If no role can be matched, the command is not allowed to execute; otherwise the role application is sent automatically to the administrator, together with the context information, which provides useful auxiliary information to the administrator during Zone role approval and so ensures the security of role assignment. The correctness of the model is verified by implementing it with the Lightweight Directory Access Protocol (LDAP). The automation of Zone role matching and application greatly reduces the workload of users and administrators, ensures that the matched role is accurate and minimal, and increases the security of the system.
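The Zone rules and the minimum-role decision described above, as an added illustration that is not the thesis's own code: the `Zone` class, the `authorize` function and the sample zones, users and commands are assumptions made for this example, and roles are modelled simply as sets of permitted commands.

```python
# Added example (not the thesis's own code): a minimal model of the Zone rules in
# the abstract. Class and function names are assumptions made for illustration.

class Zone:
    """Users and roles belong to a Zone; a child Zone inherits from its parent."""
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.roles = {}   # role name -> frozenset of permitted commands
        self.users = {}   # user name -> set of role names

    def chain(self):
        """This Zone followed by its ancestors, nearest first."""
        z = self
        while z:
            yield z
            z = z.parent

    def define_role(self, role, commands):
        # A child Zone may not modify anything defined in a parent Zone.
        if any(role in z.roles for z in self.chain() if z is not self):
            raise PermissionError(f"role {role!r} is defined in a parent Zone")
        self.roles[role] = frozenset(commands)

    def define_user(self, user, roles):
        # A user defined in a child Zone overwrites the same user of the parent.
        self.users[user] = set(roles)

    def visible(self, attr):
        """Merged view of roles or users: the nearest definition wins."""
        merged = {}
        for z in reversed(list(self.chain())):
            merged.update(getattr(z, attr))
        return merged

def authorize(zone, user, command):
    """Decision for a command typed in the Zone user's login shell.
    Returns ('allowed', None), ('apply', role) when a minimum Zone role was
    matched and an application is sent to the administrator, or ('denied', None)."""
    roles, users = zone.visible("roles"), zone.visible("users")
    if user not in users:
        return ("denied", None)
    if any(command in roles.get(r, ()) for r in users[user]):
        return ("allowed", None)
    # Minimum Zone role: fewest permissions among visible roles that cover the command.
    candidates = [(len(p), r) for r, p in roles.items() if command in p]
    if not candidates:
        return ("denied", None)
    return ("apply", min(candidates)[1])
```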
Keywords/Search Tags: rbac, zone, hierarchical, context, ldap