Analysing the shortcomings of the role-based access control model and the task-based access control model, this article presents a hybrid role- and task-based access control model (R-TBAC). For the R-TBAC, the article describes in detail the assignment relationships between users, roles, permissions and the other elements, and the model's dynamic and static constraint rules, to ensure that this hybrid access control method is effective. Finally, taking information access in the device management system of an ERP as an example, the R-TBAC model can be used to ensure the feasibility of access to information in the process.
In an ERP system, the large amount of chaotic, scattered data and information is classified, managed and stored, which helps to improve the level of enterprise management and to increase the competitiveness of enterprises. However, because network resources are open and shared, information security issues become very important. User access control is one of the main measures to ensure system security. In recent years, access control technology research has focused on the role-based access control (RBAC) model and task-based authentication control (TBAC) [1][2].
However, both types of model have flaws [3][4]. This paper presents a new access control model (Task-Role Based Access Control), applies it to an ERP system, and analyses it.
The T-RBAC access control model
From the user access control aspect, some experts have proposed a number of new access control models in order to enhance the safety and convenience of ERP systems [5][6]. The idea of the model designed in this paper is to use roles to determine the user's static access and to use activity instance permissions to determine the current user's permissions; the access permission the user actually has is the combination of static and dynamic capability, so as to achieve safe and convenient user access control.
T-RBAC model design
The T-RBAC model mainly includes users, roles, access permissions, data objects, operations, tasks, task-flow, static constraints and dynamic constraints, etc.
The model structure chart
Users: Participants in the operation of the system's activity instances, including individuals and programs.
Roles: Drawn from the user's department, duties and powers.
Access permission: Refers to the ability to operate on application data.
Role hierarchy [7]: Refers to a partial order through which roles can be passed on, i.e. inheritance.
Tasks: Refers to a logical unit of workflow that can be distinguished from other activities, including several sub-tasks. A task may be associated with multiple users.
Task-flow: According to a certain degree of dependency and constraint, several tasks form the workflow, and state-dependent relationships exist between the tasks.
Data objects: The activity-specific data in this model.
Operation: The user's actions on an object.
RI: In an instance of an event, the user has dynamic access derived from the activity instance and the role.
RP: The set of operation permissions associated with a role.
IS: The activity instance identified by the task-flow and tasks.
TP: The set of operation permissions associated with a task.
Illustration of the T-RBAC model
In this model, a role can have multiple users and a user can also belong to different roles, as in Figure 1. The role hierarchy defines the inheritance relationship between roles, and role inheritance within this model reflects a relationship between rights and duties. An access permission corresponds to a binary pair composed of an operation and a data object. At run time, a user belonging to the role associated with a task does not mean that the user has permission to complete all activity instances; it only indicates that the user has the ability to complete the task, and the user is then granted dynamic permission.
With respect to safety, the T-RBAC model supports two well-known security principles: the principle of separation of duties [9] and the principle of least privilege [10]. Users, roles, permissions and activities in this model are subject to certain constraints in order to reduce the risks of dynamic authorization. No matter which role the user logs in with, the task permissions exist only during the execution of the activity instance, and a task outside its execution period has no permission. This realizes dynamic separation and revocation of privileges and increases the system's dynamic adaptability.
The T-RBAC model in an ERP system
In this paper, the T-RBAC model is applied to device resource management in an ERP system. Full life-cycle management of equipment is divided into procurement management and post-maintenance. Procurement management can be divided into purchase requisitions, procurement audits, equipment use and processing of fixed assets, and the latter maintenance part includes static equipment information management (basic information) and dynamic information management (regular maintenance and failure repair of equipment). A more detailed equipment management process is shown in Figure 2.
T-RBAC model design
According to the relationships among roles, task-flow and task states depicted in Figure 2: S means sequential dependency, the next task may start only after the current task is completed; F means separation-of-duty dependency, the two tasks must be assigned to different roles; C means removal dependency, applied when the task cannot be completed; D means agent dependency (task state): when the current task cannot be completed, it is handed to another task.
The relationship between two tasks: (1)
The relationship between one task and several tasks: (2)
A task-flow composed of multiple tasks: (3)
As depicted in Figure 2, in the device management module the system determines user access rights through the roles and the tasks carried out during the execution process. This model achieves static and dynamic access control based on the combination of role and task.
A user can have several roles: (4)
Each role has its own set of permissions: (5)
The access the user actually has: (6)
As in Figure 2, we set the roles and the corresponding static access rights.
Buyers: Responsible for the equipment procurement plan.
Operators: Static information management and usage information management.
Maintainers: Responsible for equipment maintenance as well as registering the related information.
Leaders: Responsible for reviewing procurement, maintenance and other applications.
In the pre-maintenance part, when User1 starts an equipment procurement plan, task instance ① is created. At this time, instance ① carries only User1's procurement plan permissions. Because of the task-state constraints S and F, at this time only User2 has the procurement audit authority for instance ①, and dynamic authorization depends on instance ① and the tasks' state-dependency constraints. In the latter maintenance part, User3 applies for equipment maintenance, so a new task instance ② is created; at this point only User4 has the inspection and repair authority for instance ②, and dynamic authorization depends on instance ② and the tasks' state-dependency constraints.
The access control of the equipment management process covers both the pre-maintenance and the latter maintenance part, so the T-RBAC model can achieve a combination of static and dynamic access control permissions.
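The following is an added example, not code from the paper, that implements the behaviour described in the two passages above: the procurement-plan task (①) followed by the procurement audit under the S and F constraints, with task permissions that exist only while the instance is running and a user's effective permissions being the intersection of static role permissions (RP) and task permissions (TP). The users, roles, data objects and the Task/TaskFlow classes are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data modelled on the paper's procurement flow (User1/User2
# and the Buyer/Leader permission sets are assumptions, not values from the paper).
ROLE_PERMS = {  # static role permissions RP: (operation, data object) pairs
    "Buyer": {("create", "plan"), ("read", "plan")},
    "Leader": {("read", "plan"), ("approve", "plan")},
}
USER_ROLES = {"User1": {"Buyer"}, "User2": {"Leader"}, "User5": {"Buyer", "Leader"}}

@dataclass
class Task:
    name: str
    role: str                            # role whose members may execute the task
    perms: set                           # task permissions TP, live only while running
    after: Optional[str] = None          # S constraint: predecessor must be completed
    separate_from: Optional[str] = None  # F constraint: different role and user

TASKS = {
    "plan": Task("plan", "Buyer", {("create", "plan")}),
    "audit": Task("audit", "Leader", {("approve", "plan")}, after="plan", separate_from="plan"),
}

class TaskFlow:
    """One workflow instance: tracks each task's state and who is executing it."""
    def __init__(self):
        self.state = {}     # task name -> "running" | "done"
        self.executor = {}  # task name -> user

    def start(self, task_name, user) -> Optional[str]:
        """Start a task instance; return None on success or the violated rule."""
        t = TASKS[task_name]
        if t.role not in USER_ROLES[user]:
            return f"{user} lacks role {t.role}"
        if t.after and self.state.get(t.after) != "done":
            return f"S constraint: {t.after} not completed"
        if t.separate_from and (TASKS[t.separate_from].role == t.role
                                or self.executor.get(t.separate_from) == user):
            return f"F constraint: {task_name} and {t.separate_from} need different hands"
        self.state[task_name], self.executor[task_name] = "running", user
        return None

    def complete(self, task_name):
        self.state[task_name] = "done"  # task permissions vanish with the instance

    def effective_perms(self, user, task_name):
        """Static role permissions restricted by the running task's permissions;
        empty outside execution, so dynamic revocation is automatic."""
        if self.state.get(task_name) != "running" or self.executor.get(task_name) != user:
            return set()
        static = set().union(*(ROLE_PERMS[r] for r in USER_ROLES[user]))
        return static & TASKS[task_name].perms
```

Holding the Buyer role gives User1 nothing until instance ① is started, and the approve permission never reaches User1 even though the audit is part of the same flow.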
Analysing the defects of the RBAC and TBAC access control models, this article establishes the T-RBAC model and analyses it. The argument shows that the T-RBAC model is able to achieve access control that combines the user's static and dynamic permissions.