Role-Based Access Controls

Figure 11-1(a). Taxonomy of RBAC Models Figure 11-1(b). Taxomony of ARBAC Models (11) NetWare 4 as an Example ofRole-Based Access ControlJeremy Epstein, Cordant, Inc., and Ravi Sandhu, George Mason Universityjepstein@, 11400 Commerce Park Drive, Reston VA 22091sandhu@, Department of Information and Software Systems Engineering,Fairfax, VA 220301.0IntroductionIn [SAND96a], the second author describes a taxonomy of role-basedaccess control (RBAC) models, divided into four classes shown inFigure 11-1(a), Taxonomy of RBAC Models . A complementary set ofmodels is used for administrative role-based access control (ARBAC), asshown in Figure 11-1(b), Taxonomy of ARBAC Models . In this positionpaper, we describe how the RBAC and ARBAC models can be partiallyimplemented using unmodified NetWare 4 servers.2.0NetWare Access Control PoliciesNetWare includes two major types of objects with separate but interrelatedsecurity policies. NetWare Directory Services (NDS) objects representabstractions such as users, roles, groups, and computers, while file systemobjects provide a traditional hierarchical file system. Both file and NDSobjects are supported by sophisticated access control mechanisms thatallow assignment of rights to users, groups, and other entities. In addition,they allow rights assignments to be inherited in a hierarchical fashion.Most importantly, they allow assignment of access rights in a granularfashion: rights to a file or directory can be controlled independently fromThe tree structure does not include anything akin to a “hard” link in a UNIX file system. However, objects of 1class Asias can be used to provide a symbolic link-like capability.Figure 11-2. Sample NDS Structurethe ability to change file or directory access rights. That is, a user can,through a role, be granted the ability to read, write, create, or delete fileswithout having any ability to share those files with others.2.1NDS Object Access Control PolicyNDS is an X.500-like system for managing data that represents anorganization's assets. Every object in NDS has a class, which is defined inthe schema . The schema contains approximately 20 built-in classes (e.g.,User, Organization), and can be extended by authorized users. Dependingon the class of an object, it will have one or more attributes , also known asproperties . Attributes are used to store information about some aspect ofan object. For example, an object of class User has attributes to representthe person's name, home directory, login script, etc. Some attributes aresecurity relevant (e.g., those relating to passwords) while others are not(e.g., the user's telephone number).NDS objects are organized in a tree, much as many file systems organizefiles and directories into a tree . NDS objects are either container objects,1which correspond to directories in a file system, or leaf objects, whichcorrespond to files in a file system. Whether an object is a container orleaf object is determined by its class, as defined in the NDS schema.Figure 11-2, Sample NDS Structure , shows an NDS structure that mightrepresent an organization. Objects are named by their complete path to theroot, starting at the leaf. For example, Sally.Finance.Acme is the completename of the left-most node in the tree.Users log in to NetWare servers by providing the name of their NDS Userobject. When presented with the proper password (and meeting otherrestrictions, such as an unexpired account), the user is logged in, and his or2her security equivalence list, which is used in calculating access rights, iscomputed as follows:All users are security equivalent to the pseudo-object named [Public].Users are security equivalent to all container objects in the path fromtheir User object to the root of the tree, designated [Root], includingboth themselves and [Root].Users are security equivalent to those objects to which they areexplicitly made security equivalent by the administrator.All rights in NDS are passed through security equivalence. Groupmembership is just one example of security equivalence, but does not playany special role (contrary to what is stated in [SCHA94]).Note that users cannot choose a subset of security equivalences to be usedfor a session: they gain all security equivalences. Thus, a given user maybe represented by several NDS User objects to reflect different uses of thesystem (e.g., as an administrator or as an ordinary user). The user wouldselect which NDS User object to use, depending on the task to beaccomplished.While NDS can be configured in many different ways, typicalconfigurations allow administrative users (but not ordinary users) to createand delete NDS objects in one or more containers. Administrative userscan usually modify the attributes of NDS objects that they are responsiblefor. Non-administrative users may be able to modify some of the attributesof their User objects, such as the Login Script or Telephone Numberattributes.2.1.1NDS Object Access Control AlgorithmEvery NDS object has an Access Control List (ACL), which is stored as anattribute of the NDS object. An ACL is a list of triples, where theelements of the triple are as follows:The subject name, which is either the name of an NDS object (e.g., aspecific User, Group, or Organization), or a pseudo-ID such as [Root],[Public], or [Inherited Rights Filter] (abbreviated IRF).Protected attribute, which for NDS object rights calculation is thereserved symbol [Entry Rights].Access rights, which is zero or more of Supervisor, Create, Delete,Rename, and Browse. The Supervisor right implies all other rights.An object O1's rights to object O2 is computed as follows:For each object O' to which O1 is security equivalent, compute therights for O' to O2 by searching from the root of the tree toward O2.2“Security equivalence” is a misnomer. Security equivalences are neither transitive nor reflexive.R, which is initially empty, represents the object rights O' has to O2.For each node N along the path, perform the following steps:-If N's ACL includes an entry with the subject name [InheritedRights Filter] and a protected attribute of [Entry Rights], thenremove all access rights from R except those listed in the IRF.-If N's ACL contains an entry with the subject name of O' and aprotected attribute of [Entry Rights], then set R to the accessrights for the entry.Union the value of R calculated in the first step for each O' together,yielding the rights of O1 to O2.This algorithm allows setting an ACL at one location in the NDS tree andallowing the rights to flow down using inheritance. For example, inFigure 11-1, if Edward.Acme has the Supervisor right to the Acme object,then he will have the Supervisor right (and therefore all rights) to allobjects in the NDS tree (unless they are blocked with an IRF). IfSally.Finance.Acme is made security equivalent to Edward.Acme, then shewill also have the Supervisor right to all objects. An alternate method is toassign Admin.Acme the Supervisor right to Acme, and makeEdward.Acme security equivalent to Admin.Acme. In this case,Sally.Finance.Acme would not gain the Superviso r right to Acme unlessshe is security equivalent to Admin.Acme (i.e., she does not obtain therights transitively through Edward.Acme).Note that groups are simply a particular case of security equivalence in thisscheme: assigning rights to an NDS Group object and making NDS Userobjects security equivalent to the Group object is no different thanassigning rights to any other class of NDS object and establishing securityequivalence of NDS user object to object of that other class.2.1.2NDS Attribute Access Control AlgorithmThe ACL for an NDS object is also used for NDS attributes, with thefollowing changes:The protected attribute can be either the name of a specific attribute(e.g., Home Directory) or the pseudo-attribute [All Properties Rights].The access rights are zero or more of Supervisor, Compare, Add or3Delete Self, Read, and Write. Note that the Supervisor attribute rightis different from the Supervisor object right.An object O1's rights to attribute A of object O2 is computed as follows:1.For each object O' to which O1 is security equivalent, compute therights for O' to all attributes of O2 by searching from the root of thetree toward O2. R, which is initially empty, represents the attributerights O' has to O2. For each node N along the path, perform thefollowing steps:3Add or Delete Self is one right, not two (i.e., the word “or” does not indicate there are two rights).a.If N's ACL includes an entry with the subject name [InheritedRights Filter] and a protected attribute of [All Properties Rights],then remove all access rights from R except those listed in theIRF.b.If N's ACL contains an entry with the subject name of O' and aprotected attribute of [All Properties Rights], then set R to theaccess rights for the entry.2.For node O2 only, perform the following steps:a.If O2's ACL includes an entry with the subject name [InheritedRights Filter] and a protected attribute of A, then remove allaccess rights from R except those listed in the IRF.b.If O2's ACL contains an entry with the subject name of O' and aprotected attribute of A, then set R to the access rights for theentry.3.Union the value of R calculated in steps 1 and 2 for each O' together,yielding the rights of O1 to attribute A of O2.4.For each object O' to which O1 is security equivalent, determinewhether O' has the Supervisor object right to O2 by searching from the root of the tree toward O2. S, which is initially false, representswhether O' has the Supervisor object right to O2. For each node Nalong the path, perform the following steps:a.If N's ACL includes an entry with the subject name [InheritedRights Filter], a protected attribute of [Entry Rights], and the IRFdoes not include the Supervisor right, then clear S.b.If N's ACL contains an entry with the subject name of O', aprotected attribute of [Entry Rights], and the access rights includethe Supervisor right, then set S.5.If the value of S for any of the values of O' computed in step 4 is set,then O1 has all rights to attribute A of O2, regardless of the results of step 3.There are certain attributes, which are flagged in special ways, that are not modified by the ACL. For example, attributes may be marked as Read-Only, which precludes modification to the attribute, even if the user has adequate rights. Other attributes are marked as Public-Read, which is equivalent to the ACL entry <[Public], A, Read> (where A is the name of the attribute). Attributes are marked as Read-Only or Public-Read as part of the attribute definition, and not as part of the ACL for the object.An important aspect of the above policy is that rights to individual attributes are not inherited, but rights to all attributes (as represented by the symbol [All Properties Rights]) are inherited. Thus, a user could be given the Read and Write rights to [All Properties] at the root of the NDS tree, which would provide access to all lower objects (unless modified by IRFs or subsequent trustee assignments), but giving the Read and Write rights to the Telephone Number attribute at the root would only affect access to the attribute of that particular object.There is no “protected attribute” field in a trustee list entry, whereas there is in an NDS ACL entry.4The Access Control right allows changing the trustee list, except to add an entry with the Supervisor right. Note 5that there is no Executive right, because users execute programs on workstations over which the server has no control. Similarly, there is no “setuid” concept as in UNIX for protected subsystems. The IRF for a file cannot block inheritance of the Supervisor right.6 2.2File System Object Access Control PolicyFiles in a NetWare file system are organized in a hierarchical tree, much asany traditional file system. Files are organized into volumes , whichtypically represent disk drives. File system rights rely on many of thesame concepts as NDS rights: security equivalence, inheritance, andinherited rights filters. The file system access control policy is similar, butnot identical, to the NDS object and NDS attribute policy. Every filesystem object (file or directory) may have a trustee list, which is equivalentto an ACL. Elements of a trustee list are pairs , where the first element is4the subject name and the second element is the access rights (zero or moreof Supervisor, Read, Write, Create, Erase, Modify, File Scan, or AccessControl ). Any NDS object with at least one right to a file system object is5called a trustee of the object, indicating that it has (partial) responsibilityfor the data contained in the file or directory. An object O1's rights to afile or directory F is computed as follows:For each object O' to which O1 is security equivalent, compute the rights for O' to F by searching from the root of the volume toward F.R, which is initially empty, represents the object rights O' has to F.For each node N along the path, perform the following steps:-If N's trustee list includes an entry with the subject name[Inherited Rights Filter], then remove all access rights from Rexcept those listed in the IRF .6-If N's ACL contains an entry with the subject name of O', thenset R to the access rights for the entry, unless R already containsthe Supervisor right, in which case R is unchanged. Union the value of R calculated in the first step for each O' together,yielding the rights of O1 to F.Just as inheritance is used to assign rights in a relatively small number oflocations in NDS, so too can it be used in the file system. For example,assigning the single trustee entry <[Public], {Read, File Scan}> to the\PUBLIC directory will allow all users access to all files in that directory(and all subdirectories) without assigning any rights to individual files inthe directory.Note that because of inheritance, rights are typically not assigned at theroot of a volume, because that would provide rights to the whole volume(unless blocked by an IRF).3.0Using NetWare for RBACNetWare 4 can be used to enforce portions of the RBAC0, RBAC1, ARBAC0, and ARBAC1 policies described in [SAND96a]. The objects to be protected for RBAC0 and RBAC1 are files and directories, while the objects to be protected for ARBAC0 and ARBAC1 are NDS objects. We do not believe that NetWare can be used for implementation of role constraints (RBAC2 and ARBAC2) and, therefore, it cannot be used for the consolidated model (RBAC3 and ARBAC3), which presumes the presence of role constraints.3.1RBAC0: Base ModelRBAC0 provides basic RBAC features. The objects we wish to protect using RBAC0 are files and directories in the file system. The users of RBAC0 are equivalent to users in NetWare, and the permissions are the NetWare file rights (Supervisor, Read, Write, Create, Erase, Modify, File Scan, and Access Control). Roles can be implemented using any NDS object, although the Organizational Role object is most suitable for the purpose because of its name.3.1.1What Can be DoneRBAC0 calls for a many-to-many relationship between roles and users and between roles and permissions. In NetWare, users may be security equivalent to an arbitrary number of other objects, and objects may have an arbitrary number of users that are security equivalent to them. This allows us to establish a many-to-many relationship between users and roles. Similarly, the same permission (right) can be assigned to any number of roles and vice versa.The essence of RBAC0 in NetWare is the ability to assign access rights independently from access control rights. That is, a role could have the ability to create, delete, read, and write files in a directory without the ability to grant others access to that directory. This would be done by not assigning the Access Control right to the role. In turn, user’s rights are limited by the roles to which they are security equivalent.3.1.2What Cannot be DoneAs noted above, NetWare has no concept of sessions operating in different roles as called for in RBAC0. Users obtain those rights associated with all objects to which they are security equivalent. Thus, there is no capability for dynamic activation and deactivation of roles during a session; a user must log out from one NetWare User account and log in as a different one to change their role. This is a weakness of NetWare, as it forces users to either have their maximum rights available at all times or to maintain multiple accounts, each of which is used for a different purpose (e.g., user or administrator).A client operating system could maintain a mapping of user identities to roles and transparently log the user in and out as necessary. For example, the user might present a name and a role, and the client would map that to an NDS User object. Similarly, given sufficient client operating system support, users could have multiple windows each of which is logged in to aNetWare server as a different user ID, thus presenting the facade of havingmultiple concurrent sessions. We are unaware of any implementation ofthis mechanism. In addition, maintaining multiple synchronized identitieswould be administratively cumbersome.3.1.3Possible ExtensionsNetWare has no concept of a granularity below files. For example, itmight be desirable to have RBAC to records in a database. This can beaccomplished by extending the NetWare server using NetWare Loadable7Modules (NLMs), which extend the server operating system. Additionalmessages could be defined between clients and servers to provide access todatabase records. Such messages could rely on the authentication servicesprovided by NetWare and could "piggy-back" by using the existing accesscontrols to enforce RBAC on a row or column basis.3.2RBAC1: Role HierarchiesThe purpose of role hierarchies is to allow structuring of rights as they aretypically done in an organization to reflect authority and responsibility.NetWare's rights inheritance coupled with NDS hierarchy works well forsuch a concept. Container objects, which are used for grouping NDSobjects, can be trustees of a file just as any other NDS object. Becauseusers are security equivalent to all containers they are transitivelycontained in, assigning rights to a container assigns those rights to all users(and other NDS objects) in that container.However, NDS containers are inverted with respect to the usualorganizational model that individuals near the top (i.e., root) have moreauthority and responsibility and authority than individuals closer to thebottom (i.e., the leaves).A second difficulty with mapping NetWare access controls to RBAC1 isthe notion of transitivity. [SAND96a] suggests that access controls shouldbe transitive, so a Vice President would obtain not only those rightsassigned to the Department Head role, but also transitively the rightsassociated to the Engineer role. However, security equivalence is nottransitive, so this concept must be implemented administratively (e.g.,either by assigning the Vice President role all of the rights of DepartmentHead and Engineer roles, or by making each instance of a user who is aVice President security equivalent to all three roles). [SAND96a] alsodescribes the notion of inheriting rights from multiple roles. This is doneeasily in NetWare by making a User object security equivalent to anarbitrary number of other NDS objects.NetWare does not meet the proposed requirement of role hierarchies beingpartial orders. Partial orders are reflexive, transitive, and anti-symmetric.NetWare's security equivalence mechanism provides reflexivity and anti-symmetry, but not transitivity.7Commercial database systems (e.g., ORACLE) that run on NetWare use this technology.As with RBAC0, RBAC1 includes the concept of sessions that can be usedfor a role. RBAC1 extends the concept further by requiring that users beable to assume any subset of the roles to which they are authorized, giventhe hierarchical nature of roles. This is impossible in NetWare, short ofcreating a separate user account for each unique combination of roles thata user might wish to exercise.3.3ARBAC0: Administrative Base ModelThe notion of ARBAC0 is identical to that of RBAC0, except that it isconcerned with administrative controls rather than access to files anddirectories. Just as NetWare's file access control policy can be used toprovide roles with access to files and directories, so can the NDS accesscontrol policy be used to provide roles with access to NDS objects andtheir attributes. For example, by providing a role with the Supervisorobject right to a container, individuals security equivalent to that role canadminister objects within the container, subject to access blocked by IRFs.The role-based administrative access can be divided at an arbitrarily fine-grained level. For example, a Telephone-Manager role could be definedthat has the Read and Write rights to the Telephone Number attribute of allNDS objects. However, to do this, the role would have to be listed on theACL for every object in the NDS tree, because attribute-specific rights arenot inherited.3.4ARBAC1: Administrative Role HierarchiesThe relationship of ARBAC1 to RBAC1 is the same as ARBAC0 toRBAC0. Just as hierarchies of users can be established to provide accessto file system objects, so too can hierarchies be used for access to NDSobjects. As with RBAC1, though, the lack of transitivity in the securityequivalence mechanism limits the ability to meet the criteria established in[SAND96a].4.0ExamplesIn this section we provide several examples of how the NetWaremechanisms can be used to implement an RBAC policy.4.1File System ExamplesConsider the NDS structure as shown previously in Figure 11-2 and thefile system structure as shown in Figure 11-3, Sample File SystemStructure.Figure 11-3. Sample File System StructureTable 11-1, Sample File System Trustee Assignments, shows sampletrustee assignments for this configuration. Recall that all users areautomatically security equivalent to each container in which their userobject is located and that users obtain the union of rights available to eachobject to which they are security equivalent. Thus, with no additionalassignments, users Alice and Bob will have File Scan, Create, Read, andWrite rights to all files and directories in \MKTG\EUROPE (by virtue ofbeing security equivalent to Europe.Marketing.Acme, which is a trustee ofthe directory). Similarly, users Cheryl and David will have the File Scan,Create, Read, and Write rights to all files and directories in \MKTG\ASIA(by virtue of being security equivalent to Asia.Marketing.Acme, which is atrustee of the directory). Alice, Bob, Cheryl, and David will all have theFile Scan, Create, Read, and Write rights to all files in\MKTG\COMMON (by virtue of being security equivalent toMarketing.Acme). Note that none of these assignments allow the users topropagate permissions, because no one has the Access Control orSupervisor right. Without any explicit security equivalences, no one hasrights to \MKTG\FORECAST.Table 11-1. Sample File System Trustee AssignmentsNow assume that Bob.Europe.Marketing.Acme is made security equivalent to Mgr.Europe.Marketing.Acme, and similarly .Marketing is made security equivalent to .Marketing.Acme. By this assignment, each will obtain the Access Control right to the respective\MKTG\EUROPE or \MKTG\ASIA directory, and the File Scan, Read, and Write rights to the \MKTG\FORECAST directory. If Bob goes on vacation, Cheryl can be made security equivalent toMgr.Europe.Marketing.Acme and will instantly obtain the rights usually exercised by Bob. Note that it is not sufficient for Cheryl to be made security equivalent to Bob, because Bob is not directly a trustee, and security equivalence is not transitive.By making Edward.Acme security equivalent to Mktg-Mgr.Marketing.Acme, he will obtain the Supervisor right to the marketing portion of the file system. Note that no one has access to the root of the file system tree: because of inheritance, access to the root is rarely granted.In an analogous fashion, we could assign rights to the \FINANCE portion of the file system. There is, of course, no reason why objects in Finance.Acme could not have rights to files in \MKTG, or vice versa.Thus, by using security equivalence and inheritance, a small number of access control assignments are sufficient for controlling a large file system tree. Using Organizational Role and Organizational Unit objects as trustees simplifies the management of the file system, which is a key goal of RBAC.4.2NDS ExamplesAgain consider the NDS structure as shown previously in Figure 11-2. Table 11-2, Sample NDS Trustee Assignments, shows sample ACL assignments for this configuration. With these trustee assignments, all users in Finance.Acme will have the Browse right to the Finance container, while all users in Marketing.Acme will have the Browse right to the Marketing container. The Finance organization has an administrator who has the Supervisor right to that portion of the NDS tree, while the Marketing organization has a less powerful administrator with Create and Delete rights, but not the Supervisor right. In addition, the organization as a whole has an administrator who has the Supervisor right to the entire tree.Table 11-2. Sample NDS Trustee AssignmentsBy making Edward.Acme security equivalent to Admin.Acme, he will obtain the Supervisor right to the whole tree. If Sally.Finance.Acme is made security equivalent to Manager.Finance.Acme, then she will have theSupervisor right to the Finance part of the NDS tree. Using an InheritedRights Filter, Admin.Acme could be blocked from having any rights inFinance.Acme, thus allowing only Sally to administer those portions of thetree.Because of security equivalence, any user can take over administration ofthe tree simply by being made security equivalent to Admin.Acme (orManager.Finance.Acme, for that portion of the tree). As in the file systemexamples, because security equivalence is not transitive, it is not sufficientto make a user security equivalent to Sally, because her rights are notassigned directly, but rather come from security equivalence.Thus, using assignment of rights to Organizational Unit and OrganizationalRole objects, we can configure access rights in the NDS tree with a bareminimum of configuration settings.5.0ConclusionsRBAC can be partially implemented using existing commercial products.The inability to provide some of the features suggested by the [SAND96a]family of models suggests that perhaps a finer-grained distinction offeatures would be desirable, rather than an all-inclusive definition ofmeeting a given set of RBAC criteria. By analogy, this is similar todefining a security target using the ITSEC [ITSEC91] or the proposedCommon Criteria [COMM96] and comparing a product to the target,rather than using a one-size-fits-all approach to security as in the OrangeBook [DOD85].NetWare provides many useful features for implementing RBAC. It wouldbe significantly more useful if it provided the ability for users to selectsessions by selecting at login time what objects they want to be securityequivalent to (as a subset of their authorized set), and transitivity insecurity equivalence.6.0References[COMM96] Common Criteria Editorial Board, Common[SCHA94] M. Schaefer, G. Grossman, and J. Epstein, Criteria for Information Technology Security Evaluation,“Using a Semiformal Model 2C a C2 Better,”Version 1.0, January 1996. Available from: Proceedings of the 17th National Computer Security /nistpubs/cc/read_l.Conference, Baltimore, MD, 11-14 October 1994,153-164.[DOD85] U.S. Department of Defense, Trusted ComputerSystems Evaluation Criteria, DOD 5200.28-STD,Washington, DC, December 1985.[ITSEC91] Information Technology Security EvaluationCriteria (ITSEC), Provisional Harmonised Criteria,Version 1.2, Luxembourg: Office for OfficialPublications of the European Communities, June 1991.[SAND96a] Ravi S. Sandhu, Edward J. Coyne, Hal L.Feinstein, and Charles E. Youman, “Role-Based AccessControl,” IEEE Computer, 29:2, February 1996, 38-47.。

A Know l e d ge-Base d Approach t o I nt e rne t Aut h oriz at ion Using PKI Al ong L inT rust ed E-Se rv ic e s L aborat oryH P L aborat orie s Brist olH P L-2000-133Oc t ob e r 13t h , 2000*E-m ail: al in@h pl b.h pl.h pol ic y-driv e nm anage m e n t, se c urit ym anage m e n t,aut h oriz at ion I n t h is pape r, a k n ow l e d ge-base d approac h t o In t e rn e taut h oriz at ions is proposed by using Publ ic-Key I nf rast ruc t ure(PKI)based digit al c e rt if ic at e s, t rustm ode l s, Rol e-Base d Ac c e ss Cont rol(RBAC), andint e l l ige n t bac k t rac k ing. Se c urit y pol ic ie s are e xpre sse d as t h erul e s in a k now l e d ge b ase. An inf e re n c e e n gine is ut il ise d t oe v al uat e pol ic ie s, dynam ic al l y assign rol e s t o In t e rn e t use rs, and re d o rol e s assignm e n t aut om at ic al l y.*I nt e rnal Accession Dat e O n l y Approv ed f or Ext e rnal Publ icat ion © Copyrigh t H e w l e t t-Pack ard Com pany 2000A Knowledge-Based Approach to Internet Authorizations Using PKIAlong LinTrusted E-Services LaboratoryHewlett-Packard LaboratoriesFilton Road, Stoke GiffordBristol BS34 8QZ, U.K.Email: alin@AbstractIn this paper, a knowledge-based approach to Internet authorizations is proposedby using Public-Key Infrastructure (PKI) based digital certificates, trust models,Role-Based Access Control (RBAC), and intelligent backtracking. Securitypolicies are expressed as the rules in a knowledge base. An inference engine isutilised to evaluate policies, dynamically assign roles to Internet users, and redoroles assignment automatically.Keywords: Policy-Driven Management, Security Management, Authorization1 IntroductionWith more electronic services being deployed for access over the Internet, security is becoming an increasingly critical issue. Existing access control mechanisms do not provide a flexible management solution to Internet authorizations. Discretionary Access Control (DAC) prevents unauthorized users from performing operations on resources by administering the relevant Access Control List (ACL), which is not scalable for Internet environments. Mandatory Access Control (MAC) eases the security management by attaching security labels to subjects and objects, and enforces a specific security policy that allows only one-directional information flow between those subjects and objects. However, it does not provide any support for general Internet authorizations. Although several RBAC systems have been developed, they still have the following drawbacks: manual user-role assignment, business logic coupled privileges, and the assumption that users are known to resource providers in advance. Attribute and authorization certificates contain accessing rights within them and seem to be a promising solution [5].Attribute Certificates (ACs) bind attributes to users Distinguished Names (DNs). They can be used with identity certificates to achieve the mapping: attributes ?DN ?public key. The motivation for introducing ACs in PKI technology was that X.509 public key certificates were used for identity purpose by establishing a secure certified relationship between issued public keys and their owners. Although attribute information can beincluded in X.509 v3 certificates as extensions to satisfy application-specific needs, this is not worthy from the perspectives of interoperability, jurisdiction, and revocation. First, private attributes extensions make it hard for disparate systems to interoperate with each other. Second, it is difficult for an organization to issue a certificate containing both the identity information and attributes that may be accessing rights. Finally, attributes are more volatile than identity information, and therefore need revoking more frequently. However, having authorizations in an AC has drawbacks too. First, an attribute certificate authority must issue ACs to potential Internet users before they can access the controlled resources, which is inconvenient to users and sometimes can be disastrous to security managers from certificates management perspective. Second, for those ACs that have a long period of validity, revoking them can be much of a burden to the issuing CA when the accessing rights in them have to be updated due to the business policy changes.In this paper, it is assumed that ACs contain only users comparatively stable attributes without any accessing rights. A user may have several ACs issued by different trusted CAs that have intimate knowledge of the user. E.g., an accredited university or institute issues its graduates normal ACs containing such attributes as degrees, qualifications, majors, graduation dates, and the like. A bank issues each of its account owners an AC that contains account number, account type, branch name, opening date, and so on. A trusted driving license agency may issue a qualified driver an AC that includes driving license number, car categories, validity dates, address, and the like. A user’s ACs will then be used by various resource providers to make authorization decisions based on their business-specific security policies.In the following, a knowledge-based RBAC is discussed first. Second, an automated user-role assignment based on their digital certificates and intelligent backtracking is described. Third, a knowledge-based approach to Internet authorizations is proposed by using PKI, trust models, RBAC, automated user-role assignment, and intelligent backtracking.2 Knowledge-Based RBACIn RBAC [1, 2, 3], permissions are only associated with roles and users get permissions by being members of appropriate business roles. This greatly simplifies a system’s security management. Security officers create business roles and assign those roles to users based on their qualifications and responsibilities in organizations. Users can be easily reassigned from one role to another. Roles may be granted new permissions as new services are deployed, and permissions can be revoked from roles as needed. However, traditional RBAC systems assume that a user’s role is known when it requests particular resources, which requires the user to register with the resource providers in advance. This is neither convenient to Internet users nor cost-effective from systemmanagement perspective. In Internet situations, it may be helpful to allow authorized users to access resources without asking them to register with resource providers in advance. An automated user-role assignment solution has been suggested [4], but it did not discuss how digital certificates are exchanged between users and resource providers. In Knowledge-Based RBAC (KBRBAC), application-specific user-role assignment policy, trust models, and business logic on roles privileges are provided as a knowledge base. Any changes to it will dynamically drive the changes in an organization’s security policies on its business processes, thus significantly alleviating the security management in a system. An independent knowledge base also gives security managers a lot of flexibility. When the knowledge base for configuring an RBAC system is empty, roles must be assigned to users manually and there is no extra business logic on roles privileges; otherwise, if the user-role assignment policies are enforceable and described in the knowledge base, those roles may be assigned to users automatically at run-time. For other roles that must be manually assigned to users, their role-assignment policy attributes are ‘null’. To be more flexible, each role privilege is associated with a predicate used as the business logic on it. A predicate is defined by a set of rules. A privilege consists of a set of operations and objects to be performed on by role members. The role definition and an example are given in appendixes A, B, respectively.Even though the knowledge base can be built by the security manager of an RBAC system with the help of an authoring tool on the resource controller’s side, it still requires some information about the potential Internet users. What kind of information about a resource requestor should or can be sent to resource providers? How can the trust relationship be established between the unknown Internet users and service providers? These issues will be discussed in the following sections.3 Automated Role-Assignment Using PKI and Intelligent Backtracking An approach has been proposed to dynamically map a user to predefined business roles based on the user’s digital certificates issued by trusted Certificate Authorities (CAs) and role-assigning policies pre-set by resource providers [4]. Because the user does not know anything about a resource provider’s authorization policy, various digital certificates may be required to present to the resource provider for accessing a particular resource [5]. An intelligent backtracking mechanism is therefore necessary for supporting the non-deterministic automated user-role assignment, which means there will be a lot of traffic between a resource requestor and a resource provider at run-time. Furthermore, in order to validate Internet users digital certificates, the trust relationships between resource providers and CAs have to be defined in the trust models of a knowledge base.Although a user may be assigned several business roles based on its digital certificates and pre-set role-assigning policies, only some of them will authorize it to access the requested resource. For those roles that have privileges matching the user’s current accessrequest, the policy evaluator will be called to evaluate the policies enforced on those privileges. If the policy evaluates true, the user’s current request is authorized and the relevant actions can then be performed on the resource; otherwise, alternative roles will be tried. For each assigned role, if either it does not have a matching privilege for the user’s current request or the matching privilege’s associated authorization policy evaluates false, the inference engine will redo the previous role assignment automatically. If all roles have been tried, the user’s request will be denied. Because the inference engine can support backtracking and policy evaluation, it can be combined into one on the resource provider side.To avoid assigning a user to the roles that do not have the required privilege, an efficient indexing mechanism is needed to support the retrieval of the candidate assignable roles. Only those roles having the required privilege will be tried assigning to the user for current request. However, whether a role will be assigned to a user still depends on the user’s presented digital certificates, the service provider’s role-assignment policy and trust models, which are expressed as rules in a knowledge base. The service provider may not trust some Certificate Authority (CA), and asks the user to present other digital certificates issued by particular CAs. When a user accesses a resource, the resource provider will first get a set of candidate roles whose privileges match the user’s current request to improve the role-assignment efficiency. Then, it will try to assign those roles to the user based on the presented digital certificates and the knowledge base.separation of duties when role-assigning policies are set, an automated mechanism for guaranteeing this is very helpful so that two conflicting roles will not be assigned to auser at run-time. This can be achieved by not satisfying the policies on two conflicting roles assignment simultaneously or storing users assigned roles information in a database persistently. A user’s candidate assignable roles must not be in conflict with the roles that have already been assigned to the user (see Fig. 1). If such conflicts occur, the security manager will be informed of them and take necessary measures as required.Our automated role-assignment solution based on PKI and intelligent backtracking has a unique advantage over the traditional RBAC and others [4] in that it enables users to specify various domain-specific security policies in a knowledge base. It allows Internet users to access resources more conveniently and security policies can be managed flexibly. Furthermore, because much of the user-role assignment management has been automated, the security manager’s work will be reduced to a minimum by using a configurable knowledge base.4 A Knowledge-Based Approach to Internet Authorizations Using PKI Now that we have discussed how to authorize a user’s request based on its digital certificates, a knowledge base, and intelligent backtracking, we need to consider what information needs to be exchanged between the user and the resource provider without disclosing the server side security policies to the user. It is not reasonable to ask the user to submit all its digital certificates, most of which may be irrelevant to its current request, and the user may not be willing to do that. Therefore, during the authorization decision-making, users digital certificates may be requested. For simplicity, we assume that the user has already been authenticated and we will only focus on the authorizations below. There are three steps in requesting a user’s digital certificates. First, the Server Security Agent (SSA) needs to decide what digital certificates are required for the current user’s request. Based on the request and the security policies in the knowledge base, the SSA can automatically find the potential set of digital certificates using a logical reasoning. Second, the SSA checks if some of those digital certificates have already been cached in a directory and are still valid, and then sends a request for unavailable digital certificates to the user. Finally, the user sends the requested digital certificates back to the SSA, which will then cache them in its directory for future use using Lightweight Directory Access Protocol (LDAP).However, sending digital certificates is only part of the Internet authorization (illustrated in Fig. 2). If any of the following conditions holds, the SSA will have to redo its previous role assignment and find another set of digital certificates to try other alternative roles for the user’s current request, and re-evaluate the associated authorization policy.•Some digital certificates presented have already been revoked by their CAs using Certificate Revocation Lists (CRLs) or the Online Certificate Status Protocol (OCSP).• Some digital certificates are neither valid nor trusted by the SSA according to the trust models described in the knowledge base.• The presented digital certificates cannot assign the user a role that authorizes the current request based on the resource provider’s role-assigning policy expressed in the knowledge base.• The authorization policy on the assigned role’s matching privilege evaluates false using the system models in the current context.The client’s digital certificates can be sent to the SSA by using a trusted applet digitally signed by the resource provider or a plug-in for the client’s Web browser. The communication between the user and the resource provider is based on Secure Socket Layer (SSL). The client can optionally configure the certificate-sending policy on what digital certificates can be sent automatically without being informed in advance. If there is no policy configured for sending a particular certificate, a user will be informed of thecertificate request by default, and will decide whether to send it to the SSA for the user’s current request. If there is a certificate-sending policy and it evaluates false, the requested digital certificate will not be sent to the SSA; otherwise, it will be sent to the SSA automatically without the user’s intervention. In Business-to-Business situations, client side authorization for sending digital certificates to the server side also needs a knowledge base that describes the client’s certificate-sending policy and trust models (as shown in Fig. 3).Regarding the client’s trust in an applet, there are two primary types of models. One is hierarchical and the other is based on the web of trust. The former assumes that the user’s chain of digital certificates is rooted by a CA trusted by its receivers. The latter allows any of the digital certificates in a chain can be cross-certified by more than one CAs. Because trust policies are always business related and application-specific, they must be configurable by means of an independent knowledge base so that the SSA, a Web browser or a trusted applet can use it to make trust decisions.As pointed out in [6,7,8], a logic-based knowledge representation is expressive enough and has several advantages over other approaches. PROLOG (PROgramming in LOGic) is based on Horn-clauses, which is a subset of first order logic, and has a solid theoretical foundation. What is more, both policy evaluation and policy conflict detection can be easily done within the logic framework as well. Therefore, it is adopted as the policy representation language in this paper.5 ConclusionsIn this paper, a knowledge-based approach to Internet authorizations is proposed by using PKI-based digital certificates, trust models, policy-based roles privileges, automated user-role assignment, and intelligent backtracking. Security policies are expressed as the rules in an independent knowledge base. An inference engine is utilized to evaluate various policies, dynamically assign roles to Internet users, and redo roles assignment automatically. The innovative approach makes the administration of Internet users accesses to resources less of a burden to security managers. The proposed architecture for Internet authorizations is capable of dealing with both unknown Internet users and automatic user-role administration. It overcomes some of the drawbacks of existing RBAC systems, which are neither flexible for access control management nor convenient to Internet users.A policy-authoring tool is strongly recommended to be used to alleviate the administration task of security managers. The tool should be capable of mapping a user’s access request to a role’s privilege and even refining a high-level security policy into executable rules, so that security managers can focus on the specification of authorization policies, trust models, and role-assigning policies in the knowledge base.References[1] Ferraiolo D F, Barkley J F, Kuhn D R, A Role-Based Access Control Model and Reference Implementation Within a Corporate Intranet, ACM Transactions on Information and System Security, Vol. 2, No. 1, (1999) 34-64.[2] Ferraiolo D F, Cugini J A, Kuhn D R, Role-Based Access Control (RBAC): Features and Motivations, In Proc. of 11th Annual Computer Security Applications Conf., (1995) 241-248, /rbac/newpaper/rbac.html.[3] Giuri L and Iglio P, A formal model for role based access control with constraints, In Proc. of the Computer Security Foundations Workshop, (1996) 136-145.[4] Herzberg A, Mass Y, Mihaeli J, Naor D, and Ravid Y, Access Control Meets Public Key Infrastructure, Or: Assigning Roles to Strangers, /TrustEstablishment/paper.htm.[5] Johnston W, Mudumbai S, and Thompson M, Authorization and Attribute Certificates for Widely Distributed Access Control, In Proc. of the IEEE 7th International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE-98), (1998) 340-345.[6] Li N, Feigenbaum J and Grosof B, A Logic-based Knowledge Representation for Authorization with Delegation, In Proc. of the 12th IEEE Computer Security Foundations Workshop, (1999) 162-174.[7] Massacci F, Reasoning about Security: a Logic and a Decision Method for Role-Based Access Control, In Proc. of the International Joint Conference on Qualitative and Quantitative Practical Reasoning (ECSQARU/FAPR-97), Lecture Notes in Artificial Intelligence, Vol. 1244 (1997) 421-435.[8] Seamons K E, Winsborough W and Winslett M, Internet Credential Acceptance Policies, In Proc. of the Workshop on Logic Programming for Internet Applications, July 1997, /~winsboro/papers/CAP.html.Appendix A – the role syntax<Role> ::= ‘Name:’<Role Name>‘.’‘Role-Assigning Policy:’{<Predicate> | ‘null’}‘.’‘Authorizations:’<Privileges>‘.’<Role Name> ::= <Symbolic Atom><Privileges> ::= <Privilege>*<Privilege> ::= <Policy> ‘,’{<Method>}+‘.’Where, <Policy> is a predicate and is described by a set of PROLOG clauses defined as below, and <Method> is defined as an external function in models. A special predicate is symbolic atom ‘true’.<Clause> :: = <Fact> | <Rule><Fact> ::= <Predicate>‘.’<Rule> ::= <Predicate> ‘:-’<Conditions>‘.’<Conditions> ::= ‘(’<Conditions> ‘)’| <Expression> | ‘!’<Expression>| <Expression> ‘,’ <Conditions><Expression> ::= <Argument><RelOp><Argument> | <Predicate><RelOp> ::= ‘==’| ‘<’| ‘>’| ‘<=’| ‘>=’| ‘!=’<Symbolic Atom> ::= [‘a’-‘z’]{[‘a’-‘z’] | [‘A’-‘Z’] | [‘0’-‘9’] | ‘_’}*<Argument> ::= <Symbolic Atom> | <String> | <Number> | <Logical Variable>| <Functor><Parameters><Functor> ::= <Symbolic Atom> | ‘.’| <Arithmetic Operators><Parameters> ::= ‘(‘<Argument>{‘,’<Argument>}*‘)’<Logical Variable> ::= ‘_’| [‘A’-‘Z’]{[‘a’-‘z’] | [‘A’-‘Z’] | [‘0’-‘9’] | ‘_’}*<Predicate> ::= <Symbolic Atom>[<Parameters>]<Policy> ::= <Predicate>Appendix B – A Bank ExampleWe use a simple example to demonstrate the ideas contained in the paper. It is assumed that a full-time student has already been issued an identity certificate by an accredited university, and has got a digital driving license issued by the Driving License Agency (DLA) after having passed both the theory and practical tests. The student wants to getthe service of car rental or hotel reservation on the Internet, which requires the student to open an account in a recognized bank first to get digital credit certificates.The bank provides a set of E-services, including new account creation, normal bank account transactions, and interest enquiries. In the following, various kinds of policies are modeled by PROLOG rules and the methods of privileges are left undefined. Some predicates are simply defined and even omitted here.Name: bank_account_owners.Role-Assigning Policy: bank_account_attribute_certs( Account_ids, Certificates ). Authorizations:transfer_accounts_policy( Request, Account_ids, [From, To, Amount] ),transfer_money( From, To, Amount ).account_access_policy( Request, Account_id, Account_ids ),get_balance( Account_id, Balance ). // get the balance of the bank account.account_access_policy( Request, Account_id, Account_ids ),deposit_money( Account_id, Amount ).withdraw_policy( Account_id, Amount),withdraw_money( Account_id, Amount )..Name: bank_account_creators.Role-Assigning Policy: certificates_for_bank_account_creation( Request, Identity ). Authorizations:true, issue_account_attribute_certificate( Identity, Request )..Name: default.Role-Assigning Policy: true.Authorizations:get_interest_rate_policy( Request, Type ),report_interest_rate( Type ). // return the interest rate to the user..// If the request is to create a new bank account and the user has valid and acceptable // identity certificates, collect them into Accepted_certificates; Otherwise, return false.certificates_for_bank_account_creation( Request, Identity_cert ) :-creating_bank_account( Request ),request_certificates( Certificates ), // Its definition is omittedvalid_and_accepted_certificates( Certificates, Accepted_Certificates ),has_acceptable_identity_certificate( Accepted_certificates, Identity_cert ).// Test if there is a valid and acceptable identity certificate in the given set of certificates withdraw_policy( Account_id, Amount ) :-get_balance(Account_id, Balance),get_credit_limit( Account_id, Credit_limit),Amount <= Balance + Credit_limit.transfer_accounts_policy( Request, Account_ids, [From, To, Amount] ) :-get_transfer_parameters( Request, From, To, Amount ),member( From, Accounts_ids ),member( To, Accounts_ids ),withdraw_policy( From, Amount ).// Request attribute certificates issued by the bank to the user, and collect bank account // numbers into Account_numbers. If the user doesn’t have valid and acceptable attribute // certificate issued by the bank, it returns false.bank_account_attribute_certs( Account_numbers, Certificates ) :-request_certificates( Certificates ), // Its definition is omittedvalid_and_accepted_certificates( Certificates, Accepted_Certificates ),get_account_numbers( Accepted_Certificates, Accounts_numbers ),Accounts_numbers \= [].// Get the bank account numbers of valid and accepted bank account attribute certificates get_account_numbers( [Certificate|Rest], [No|Account_Nos] ) :-get_account_identifier( Certificate, No ),get_account_numbers( Rest, Account_Nos ).get_account_numbers( [_|Rest], Account_Nos ) :-get_account_numbers( Rest, Account_Nos ).get_account_numbers( [], [] ).// Get the bank account number of a valid and accepted bank account attribute certificate get_account_identifier( Certificate, Id ) :-valid_certificate( Certificate ),this_bank_service_accepted_certificate( Certificate ),bank_account_no( Certificate, Id ).account_access_policy( Request, Account_id, Account_ids ) :-get_account_id_from_request( Request, Account_id ),// get the account number from the user’s requestmember( Account_id, Account_ids ).valid_and_accepted_certificates( [Valid|Rest], [Valid|Certificates] ) :- valid_and_accepted_certifiacte(Valid ),// test if the certificate is valid and accepted by the bank service provider valid_and_accepted_certificates ( Rest, Certificates ).valid_and_accepted_certificates ( [_|Rest], Certificates ) :-valid_and_accepted_certificates ( Rest, Certificates ).valid_and_accepted_certificates( [], [] ).。

概念：⽤户⾓⾊权限的管理（Role-BasedAccessControl）RBAC ⽤户管理规范概念：每个user有多个accounts，每个account 有⼀个account binding，有多个roles和多个tasks举个例⼦：某个⽤户现在manager，这是admin添加了另⼀个⾓⾊supervisor的⾓⾊给他，数据结构是这样的（HdLogin）user{accounts : [{type : "administrator" //可以抽象或具体： administrator, managerpassword : "1234",roles ：[{type: "manager",roleTaskss : ",manager,supervisor,"},{type: "supervisor",roleTaskss : ",supervisor,"}],accountBindings : [{type : "email",primaryKey : "xxx@xxx"}]}]}*primaryKey是email format，电话号码，webchat。

*灰⾊是之前的需求，保留⽽已⾃动登⼊，在employer page 登⼊后，会有cookies，去到candidate page时，会⾃动登⼊。

过程是发现有cookies同时type 是customer。

如果在candidate 登出时，employer 也会⾃动登出。

因为在登出后，在refresh⼜会⾃动登⼊，死循环很奇怪！半⾃动登⼊，在employer page 登⼊后，会有cookies，去到candidate page时，点击登⼊，在这⾥看当下页⾯的业务逻辑，如果是只有⼀个⾓⾊可以登⼊的话，就直接帮他登⼊如果是2个⾓⾊，就会有⼀个选项让他选择哪个⾓⾊，如果是选择的⾓⾊在HdLogin有记⼊的话，会⾃动登⼊（cookies是属于当下界⾯）如果是选者的⾓⾊是不在HdLogin的话，会需要⾃⼰登⼊⼿动登⼊，意思是每⼀个页⾯的业务逻辑都是只有⽀持⾃⼰页⾯的cookies。

附录A：英文原文Role-Based Access Control for the WebJohn F. Barkley, D. Richard Kuhn, Lynne S. Rosenthal, Mark W. Skall, and AnthonyV. Cincotta,National Institute of Standards and Technology Gaithersburg, Maryland 20899ABSTRACTEstablishing and maintaining a presence on the World Wide Web (Web), once a sideline for U.S. industry, has become a key strategic aspect of marketing and sales. Many companies have demonstrated that a well designed Web site can have a positive effect on their profitability. Enabling customers to answer their own questions by clicking their way through Web pages, instead of dealing with operators and voice response systems, increases the efficiency of the customer interface.One of the most challenging problems in managing large networked systems is the complexity of security administration. This is particularly true for organizations that are attempting to manage security in distributed multimedia environments such as those using World Wide Web services. Today, security administration is costly and prone to error because administrators usually specify access control lists for each user on the system individually.Role-based access control (RBAC) is a technology that is attracting increasing attention, particularly for commercial applications, because of its potential for reducing the complexity and cost of security administration in large networked applications. The concept and design of RBAC is perfectly suited for use on both intranets and internets. It provides a secure and effective way to manage access to an organization’s Web information. This paper describes a research effort to develop RBAC on the Web. The security and software components that provide RBAC fornetworked servers using Web protocols have been implemented and are described in this paper. The RBAC components can be linked with commercially available web servers, and require no modification of the server software.IntroductionEstablishing and maintaining a presence on the World Wide Web (Web), once a sideline for U.S. industry, has become a key strategic aspect of marketing and sales. Many companies have demonstrated that a well-designed Web site can have a positive effect on their profitability. Enabling customers to answer their own questions by clicking their way through Web pages, instead of dealing with operators and voice response systems, increases the efficiency of the customer interface. Companies are seizing the Web as a swift way to streamline - even transform their organizations.More recently companies have begun using web technology to service the public as well as private and internal clients. Web sites are set up to segregate some information from the general public, providing it to only selected or "private" clients. Typically, public internet is cordoned off from the general public by having user accounts and passwords. Additionally, Web sites are now running inside the company often created for and by employees. These internal private nets or "intranets" use the infrastructure and standards of the Internet and the World Wide Web but are cordoned off from the public Internet through firewalls.The Web can be used as an inexpensive yet powerful alternative to other forms of communications. A plethora of corporate information (e.g., procedures, training materials, directories, forms) can be converted to electronic form and made available via the Web. With a single source for these materials the cost of maintenance is significantly reduced, while greatly simplifying the task of ensuring currency. Thus an objective of enterprise computing, creation of a company wide system irrespective of the underlying information technology infrastructure can be fulfilled.Although the internet and intranets can offer great benefits to a company or government agency, security threats remain. To date net enthusiasts tend to focus on how to link people and businesses, not on using the network as a way to run and manage businesses securely. Althoughexisting Web servers can effectively provide all or nothing access to a particular Web site and a number of popular Web servers can even provide fairly fine grained access control, they provide very primitive tools to administer these controls from the perspective of a single enterprise.This paper describes the benefits of RBAC and an implementation of RBAC on the Web (RBAC/Web), and in particular as RBAC applies to an intranet computing environment. This will provide Web administrators with a capability for the first time to centrally administer and regulate user access to information in a manner that is consistent with the current set of laws, regulations, and practices that face their business today. Although this paper focuses on intranets, the benefits, concepts and implementation of RBAC/Web are also applicable to a company’s internet environment where restrictive access to information is desired. RBAC DescriptionRole-based access control (RBAC) [1], [2], [3], [4], [5] is an alternative to traditional discretionary (DAC) and mandatory access control (MAC) policies that is attracting increasing attention [6], particularly for commercial applications. The principal motivation behind RBAC is the desire to specify and enforce enterprise-specific security policies in a way that maps naturally to an organization's structure. Traditionally, managing security has required mapping an organization's security policy to a relatively low-level set of controls, typically access control lists.With RBAC, security is managed at a level that corresponds closely to the organization's structure. Each user is assigned one or more roles, where roles are based on the user's job responsibilities and competencies in the organization. Each role is assigned one or more privileges (e.g., information access, deletion, creation), see Figure 1. It is a user's membership into roles that determine the privileges the user is permitted to perform. Security administration with RBAC consists of determining the operations that must be executed by persons in particular jobs, and assigning employees to the proper roles.The RBAC framework provides for mutually exclusive roles as well as roles having overlapping responsibilities and privileges. For example, some general operations may be allowed by all employees, while otheroperations may be specific to a role. Role hierarchies are a natural way of organizing roles within an organization and defining the relationship and attributes of the roles. Complexities introduced by mutually exclusive roles or role hierarchies as well as regulating who can perform what actions, when, from where, in what order, and in some cases under what relational circumstances, is all handled by the RBAC software. Separation of DutyRBAC mechanisms can be used by a system administrator in enforcing a policy of separation of duties. Separation of duties is considered valuable in deterring fraud since fraud can occur if an opportunity exists for collaboration between various job related capabilities. Separation of duty requires that for particular sets of transactions, no single individual be allowed to execute all transactions within the set. The most commonly used examples are the separate transactions needed to initiate a payment and to authorize a payment. No single individual should be capable of executing both transactions. The system administrator can control access at a level of abstraction that is natural to the way that enterprises typically conduct business. This is achieved by statically and dynamically regulating users' actions through the establishment and definition of roles, role hierarchies, relationships, and constraints.We define static separation of duty to mean that roles which have been specified as mutually exclusive cannot both be included in a user's set of authorized roles. With dynamic separation of duty, users may be authorized for two roles that are mutually exclusive, but cannot have both roles active at the same time. In other words, static separation of duty enforces the mutual exclusion rule at the time an administrator sets up role authorizations, while dynamic separation of duty enforces the rule at the time a user selects roles for a session.Role Administration and VisualizationThe roles are established, manipulated and viewed using the RBAC/Web Admin tool. The Admin tool allows system administrators to create and define roles, role hierarchies, relationships and constraints. Once theRBAC framework is established for the organization, the principal administrative actions are the granting and revoking of users into and out of roles as job assignments dictate. These maintenance tasks are easily performed using the Admin tool.Additionally, the Admin tool is being enhanced to utilize the Virtual Reality Modeling Language (VRML, pronounced 'vermal'). VRML is an interactive, inter-networked, 3D graphics language for the Web. It is used to represent graphics, test, sound, and links to other content as either a static or dynamic picture on the Web. The inclusion of VRML into RBAC lets system administrators use an interactive computer model to check and validate the role structure, relationship, and privileges. Being able to view and interact with complex models, allows the administrator to identify conflicts, eradicate flaws and improve the implementation early in the RBAC setup.The VRML component will enable authorized users to navigate the RBAC database, finding and linking roles, and displaying attributes and graphics associated with those roles. By presenting a 3D model of established roles, the user can easily see which roles are mutually exclusive as well as the hierarchical structure of related roles and conflicts between roles (see Figure 2). VRML's navigational controls allows the user to interactively 'walk-through' and manipulate the view perspective of the 3D model, known as a scene graph. For example, the scene graph can be rotated to show the 'backside' of the graph where role relationships may have been obscured when viewed as a 'flat', 2D graph. To improve readability, clarity and flexibility, the role hierarchy is organized into layers, where each layer contains another level of detail. By 'clicking' on a role, the role opens to reveal the next layer of related roles or information about the role, e.g., the privileges associated with that role or a user membership list.RBAC ExampleConsider the branch office of a bank. In this environment, there are roles such as branch manager, teller, and account representative, as illustrated in Figure 2.The graph structure shows role hierarchy. The role financial_advisor inherits the role account_rep. An individual authorized for the rolefinancial_advisor is permitted to perform all of the operations permitted to an individual authorized for the role account_rep. Thus, an individual in the role of financial_advisor is able to create and remove accounts. Because account representatives, branch managers, internal auditors, and tellers are all employees of the bank, their corresponding roles inherit the employee role.In Figure 2, the role account_rep is highlighted, appearing as a dark sphere, in order to show the other role relationships for account_rep. The roles teller and account_holder are shown as yellow rectangular solids to indicate that these roles have a "Dynamic Separation of Duties" (DSD) relationship with the role account_rep. This relationship is a conflict in interest relationship indicating that an individual acting in the role of account_rep cannot also be acting in either of the roles of account_holder or teller. The policy of the bank is that an account representative, an employee of the bank, can have an account in the bank but such an individual may not simultaneously process their personal account while processing accounts of others. Likewise, because a teller has an open cash drawer that must balance when closed, an individual acting in the role of account_rep and sitting at a desk away from a teller's window is not permitted to simultaneously act in the role of teller even if authorized for that role.The role internal_auditor is shown in a red hexahedron to indicate that this role has a "Static Separation of Duties" (SSD) relationship with the role account_rep. The SSD relationship is also a conflict of interest relationship like the DSD relationship but much stronger. If two roles have a DSD relationship, then they may both be authorized for an individual but that individual may not act in both roles simultaneously. If two roles have a SSD relationship, then they may not even be authorized for the same individual. In this example, the policy of the bank is that there is a fundamental conflict of interest between the roles of internal_auditor and account_rep. Thus, these two roles may never be authorized for the same individual.The new version of the Admin tool using VRML will allow us to represent conflicts of interest and other relationships in a more natural way and view the scene from an infinite number of viewpoints. VRML allows complex3D objects to be created for this purpose. The user can 'enter' a selected role and explore several levels of detail (i.e., information) associated with that role. In addition, the sound capabilities of VRML can be utilized to give audio warnings when roles are used which cause conflicts of interest or other problems, or when improper procedures are used. RBAC for World Wide Web ApplicationsRole Based Access Control (RBAC) for the World Wide Web (RBAC/Web) is an implementation of RBAC for use by World Wide Web (Web) servers. Because RBAC/Web places no requirements on a browser, any browser that can be used with a particular Web server can be used with that server enhanced with RBAC/Web. RBAC/Web is implemented for both UNIX (e.g., for Netscape, NCSA, CERN, or Apache servers) and Windows NT (e.g., for Internet Information Server, WebSite, or Purveyor) environments.Components of RBAC/Web are shown in Table 1. RBAC/Web for UNIX uses all of the components in Table 1. Because built-in NT security mechanisms are closely compatible with RBAC, the NT version uses only the Database, Session Manager, and Admin Tool components. RBAC/Web for NT requires no modification of Web server internals or access to source code. With RBAC/Web for UNIX, there are two ways to use RBAC/Web with a UNIX Web server.The simplest way is by means of the RBAC/Web CGI. The RBAC/Web CGI can be used with any existing UNIX server without modifying its source code. RBAC URLs are passed through the Web server and processed by the RBAC/Web CGI. RBAC/Web configuration files map URLs to file names, while providing access control based on the user's roles. Installation of the RBAC/Web CGI is similar to the installation of the Web server.附录B：中文翻译Web环境下基于角色的访问控制John F. Barkley, D. Richard Kuhn, Lynne S. Rosenthal, Mark W. Skall, 和Anthony V. Cincotta,国家研究院所定规则及盖瑟斯堡技术，马里兰20899摘要建立和维持一个万维网（Web），它作为美国工业的一种附属形式，已经成为了买卖和销售战略中的重点。

利⽤RBAC模型实现⼀个通⽤的权限管理系统本⽂主要描述⼀个通⽤的权限系统实现思路与过程。

也是对此次制作权限管理模块的总结。

制作此系统的初衷是为了让这个权限系统得以“通⽤”。

就是⽣产⼀个web系统通过调⽤这个权限系统（⽣成的dll⽂件），就可以实现权限管理。

这个权限系统会管理已⽣产系统的所有⽤户，菜单，操作项，⾓⾊分配，权限分配，⽇志等内容。

实现此功能从正常访问和⾮法访问两个⽅⾯⼊⼿。

正常访问即⽤户登录系统后只能看到或操作⾃⼰拥有的菜单；⾮法访问即通过拼写url等途径访问系统的某个功能；所以程序除了实现⽤户登录后获取⽤户拥有的菜单权限，更要挡住⽤户的⾮法请求。

两者缺⼀不可。

⼀.概念　实现这个功能主要利⽤RBAC权限设计模型，英⽂（Role-Based Access Control）译为基于⾓⾊的权限管理⼜叫基于⾓⾊的访问控制。

⼆.数据库设计1.系统表：因为要达到"通⽤"，所以这个表会记录各个系统。

其他⽤户、菜单、操作、权限表每条记录都会对应系统代码。

字段说明：Code —> 系统标识代码SysName —> 系统名称2.菜单表：记录菜单。

每个功能当成⼀个菜单，菜单有url属性，⽤户通过点击菜单来访问对应功能；字段说明：ID —> 主键，⾃增标识MenuName —> 菜单名称 PageUrl —> 菜单对应url PId —> 菜单⽗级Id Lv —> 菜单等级，分⼀级菜单和⼆级菜单ControllerAction —> 菜单唯⼀标识，⽤来做权限控制SystemCode —> 系统标识代码3.操作表：此表主要是为了判断⽤户是否有来操作某个具体功能，如常⽤的【删除】功能等操作都放在这个表⾥；字段说明：ID —> 主键，⾃增标识OprateName —> 操作名称 OperateCode —> 操作标识代码SystemCode —> 系统标识代码4.⽤户表：记录所有系统的使⽤⽤户。

2008年9月September 2008—183—计 算 机 工 程Computer Engineering 第34 第17期Vol 卷.34 No.17 ·安全技术·文章编号：1000—3428(2008)17—0183—03文献标识码：A中图分类号：TP309针对基于多父角色RBAC 模型的研究与应用史永昌，鲁书喜(平顶山学院计算机科学与技术学院，平顶山 467000)摘 要：针对基于角色的访问控制(RBAC)模型中由于继承关系产生的子角色不能拥有私有权限问题进行了研究。

当前的解决方案在表示同一机构或相同业务性质的角色共有特定权限方面存在不足，也不能满足多父角色权限继承的要求。

对RBAC 模型进行了扩展，给出一种基于域和域权限的解决方案，并结合实际项目具体分析系统实现权限管理的方法，提出多父角色权限继承的算法，解决了多父角色权限继承问题，在系统的安全管理中实现了基于角色和域的访问控制。

关键词：RBAC 模型；角色；权限；访问控制；域Research and Application on Multi Father Role Based RBAC ModelSHI Yong-chang, LU Shu-xi(Institute of Computer Science and Technology, Pingdingshan University, Pingdingshan 467000)【Abstract 】A problem that child role cannot obtain private permissions because of inherited relation in the Role-Based Access Control(RBAC)model is researched. The specific permission of the roles in same department or similar business, is not discussed in the past solutions, and the permission cannot be inherited by multi father role. Thus a new solution with domain and domain’s permission is presented. The method of permission management is analyzed, an algorithm to inherit permissions from one child for multi father roles is provided, and the question of inheritance is solved. The access control theory based on role and domain in the application system is realized. 【Key words 】Role-Based Access Control(RBAC) model; role; permission; access control; domain访问控制是安全技术的重要部分，而基于角色的访问控制(Role-Based Access Control, RBAC)作为目前主流的访问控制模型，成为研究的热点。