Probe into the RBAC model

xiaoxiao2021-03-06  26

Access control background

Access control technology evolved from research and development funded by the US Department of Defense (DoD). This research produced two basic types of access control: Discretionary Access Control (DAC) and Mandatory Access Control (MAC). Early research and applications focused mainly on preventing confidential information from being accessed by unauthorized people; more recent applications apply these policies to commercial settings.

Discretionary access control leaves the granting and revocation of access permissions to the discretion of individual users. Permissions are granted and revoked by the users themselves rather than by a central access control authority. A discretionary access control mechanism lets users grant or revoke access to any object under their control; in other words, users are the owners of the objects they control. However, in most organizations, end users do not own the information they are allowed to access. For these organizations, the company or agency is the actual owner of the system objects and of the programs that process them. Access priorities are set by the organization, and are often based on employee functions rather than data ownership.

Mandatory access control is defined in the US Department of Defense Trusted Computer Security Evaluation Criteria (TCSEC) as follows: "A means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity."

The access control policies above are not particularly well suited to government and industry organizations that handle information that is not classified but is still sensitive. In such environments, security objectives support higher-level organizational policies derived from existing laws, ethics, regulations, or generally accepted practices. These environments typically need to control the actions of individuals, not just an individual's ability to access information according to how that information is labeled for sensitivity.

What is role-based access control (RBAC)? NIST gives the following definition. Access is the ability to do something with a computer resource; access control is the means by which that ability is explicitly allowed or restricted in some way (usually through physical and system-based controls). Computer-based access controls can specify not only who or which process may use a specific system resource, but also the type of access that is permitted. These controls can be implemented in the computer system or in external devices.

With role-based access control, access decisions are based on the roles that individual users hold as part of an organization. Users take on assigned roles (such as doctor, nurse, teller, manager). The process of defining roles should be based on a thorough analysis of how the organization operates, and should include input from a wide range of users in the organization. Access rights are grouped by role, and the use of resources is restricted to individuals authorized to assume the associated role. For example, in a hospital system, the doctor role may include performing diagnoses, prescribing medication, and ordering laboratory tests; the researcher role is limited to gathering anonymous clinical information for research. Using roles to control access can be an effective means of developing and enforcing enterprise-specific security policies, and of streamlining the security management process.

User and Role

A user is a subject that accesses resources in the system. It is generally a person, but can also be an intelligent program such as an agent. A role is a semantic combination of authority and responsibility in the application domain; it can be an abstract concept, or it can correspond to a concrete entity in the actual system, such as a position within the organization. Some models further subdivide roles into ordinary roles and administrator roles (which can be understood as a full role).

Permissions

A permission describes the rights a role has to access and operate on a computer resource; it reflects the result of authorization. For example, granting a role read access to a computer resource creates a permission: the role has acquired read permission for that resource. With respect to operations, a permission describes an association between the permission and an operation, and this association expresses the rights a role holds over a given operation.

Role and Assignment

Assignment has two aspects: user assignment and permission assignment. User assignment means that a user is assigned to a specific role. Permission assignment means that access and operation permissions on computer resources are assigned to a role.

Session

A session represents the relationship between a user and roles. Each time, the user must activate a role in order to obtain the corresponding access rights.

Role and Role Hierarchies

A role by itself is just a noun; it does not express how much authority it carries. For example, we can define a "Director" (DIR) role or a "Project Leader" (PL) role. In reality, DIR's permissions are clearly higher than PL's. But to the computer, these two roles are just two "words", and they are equivalent. Role hierarchies can be used to solve this problem. It is also possible to use composite roles (which express the concept of a role group), grouping and combining roles to make assignment easier. Hierarchical roles often appear in OA products.

Constraints

Separation of Duty (SD) relations in the model are used to control conflicts. Static Separation of Duty (Static SD) specifies mutually exclusive roles at the user assignment stage, so that the same user cannot hold mutually exclusive roles. It is simple to implement, the mutual exclusion between roles is clear, and it is easy to manage, but it is not flexible enough and cannot handle some real-world situations. Dynamic Separation of Duty (Dynamic SD) specifies mutually exclusive roles at the role activation stage. It allows the same user to hold mutually exclusive roles, but does not allow that user to activate them at the same time. It is more flexible, is tied directly to the session, and fits practical management needs, but it is complex and not easy to manage.
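The model described in the sections above (user and permission assignment, sessions, role hierarchies, static and dynamic separation of duty) can be put together as follows. This is an added example, not code from the original article; all class, role and resource names are hypothetical, and separation of duty is checked only against directly assigned or activated roles.

```python
# Added example: a minimal RBAC model. Every name here is hypothetical.
class RBACError(Exception):
    """Raised when an assignment or activation violates the model."""

class RBAC:
    def __init__(self):
        self.user_roles = {}  # user assignment: user -> roles
        self.role_perms = {}  # permission assignment: role -> {(operation, resource)}
        self.juniors = {}     # role hierarchy: senior role -> junior roles
        self.ssd = []         # static SD: role sets one user may not hold together
        self.dsd = []         # dynamic SD: role sets one session may not activate together

    def grant(self, role, operation, resource):
        self.role_perms.setdefault(role, set()).add((operation, resource))

    def assign(self, user, role):
        held = self.user_roles.setdefault(user, set())
        for excl in self.ssd:  # static SD is checked at user-assignment time
            if role in excl and held & (excl - {role}):
                raise RBACError(f"static SD: {user} may not also hold {role}")
        held.add(role)

    def closure(self, role):
        """The role plus every junior role whose permissions it inherits."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors.get(r, ()))
        return seen

class Session:
    def __init__(self, rbac, user):
        self.rbac, self.user, self.active = rbac, user, set()

    def activate(self, role):
        if role not in self.rbac.user_roles.get(self.user, set()):
            raise RBACError(f"{self.user} is not assigned {role}")
        for excl in self.rbac.dsd:  # dynamic SD is checked at activation time
            if role in excl and self.active & (excl - {role}):
                raise RBACError(f"dynamic SD: {role} conflicts with an active role")
        self.active.add(role)

    def check(self, operation, resource):
        # Only roles activated in this session count, plus the roles below them.
        return any((operation, resource) in self.rbac.role_perms.get(r, ())
                   for a in self.active for r in self.rbac.closure(a))
```

With `juniors["DIR"] = {"PL"}`, a session that activates DIR passes every check that PL would pass, while a user who is assigned a role but has not activated it in the session passes none.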

References

"An Introduction To Role-Based Access Control" NIST

"Workflow authorization control model" Hu Changcheng

"Role-based authority management review" Yu Shipeng

Finally, I would like to thank the seniors of Hongyun for guiding the translation of this paper.

(When reposting this article, please credit the original author, Rosen Jiang, and the source: http://blog.9cbs.net/rosen)
