This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
Analysis of role-based access control model and role-based access control model shortcomingsï¼Œthis article presents a mix of roles and tasks based access control model(R-TBAC).In the R-TBAC, this article describes in detail about the assignment relationship between the user, roles, permissions, permits and other elements and the model dynamic and static constraint rules, to ensure that such a hybrid access control method is effective. At last, take the device management system in ERP in the information access as example,R-TBAC model can be used to ensure the feasibility of access to information in the process.
In the ERP system, large number of chaos dispersed data and information is classified, management, storage, that will help to improve enterprise management level, to increase the competitiveness of enterprises. However, due to network resources and opening up and sharing features, information security issues become very important. The user access control is to ensure that system security is one of the main measures. In recent years, access control technology research focused hot on the model of role-based access control(RBAC) and task-based authentication control(TBAC).
However, these two types of model have flaws.This paper will present a new access control model(Task-Role Based Access Control) ,and apply it to ERP system and has made research and analysis.
Based on T-RBAC access control model
From the user access control aspect, some experts raised a number of new access control model, in order to enhance the safety and convenience of ERP system.The idea of a model designed in this paper is to use the role to determine the user's static access and to use the activity instance permissions to determine the current user's permissions, the user actually has access permission is static and dynamic combination of competence in order to achieve safe and convenient user access control.
T-RBAC model design
T-RBAC model mainly includes users, roles, Access permission, data objects, operations, tasks, task-flow, static constraints and dynamic constraints, etc.
The model structure chart
Users: Involved in the operation of the system activity instance, including individual and program.
the user drawn from the department, responsibilities and powers.
Access permission: Refers to with the operate ability to the application data.
Role Hierarchy: Refers to partial order that role can be passed, inheritance.
Tasks: Refers to workflow in a logical unit can distinguish between movements, including several sub-tasks. The workflow may associated with multiple users.
Taskflow:According to a certain degree of dependence and constraint, several tasks form the workflow, and several tasks exist state-dependent relationship.
Data Objects: An activity-specific data in this model.
Operation: The actions of the user's object.
RI:In an instance of an event, the user has a dynamic access from the mapping of activity instance and role.
RP:Roles associated with a set of operations permission.
IP:Activity instance identified by the task-flow and tasks.
TP: Tasks associated with a set of operations permission.
Illustrate the T-RBAC model
In this model, a role can have multiple users and a user can also belong to different roles, as in figure1.Role hierarchy defines the inheritance relationship between the roles, and the role of inheritance within this model reflects a relationship between rights and responsibilities. Access permission corresponding to the binary group which are composed by an operation and data objects. In the run-time, a user belongs to a task associated with the role does not mean that a user has permission to complete all the activity instance, only indicates that the user has the ability to complete the task, and the user is granted dynamics permission.
With regard to safety, the T-RBAC model supports two well-known security principles: The principle of separation of duties and the Principle of Least Privilege.Users, roles, licensing and activities in this model are taken to certain constraints, in order to reduce the risks of dynamic authorization. No matter what the role of the user to login, the task permissions exist only during the implementation of activity instance, and the task in the non-implementation period has no permission. Thus realizing the dynamic separation of privileges and revocation, and to increase the system dynamic adaptability.
T-RBAC model in ERP System
In the paper, the T-RBAC model is applied to the device resource management of ERP system. Full life-cycle management of the equipment is divided into procurement management and post-maintenance. Procurement management can be divided into purchase requisitions, procurement audits, equipment use and processing of fixed assets, and the latter part of the maintenance including equipment static information management (basic information) and dynamic information management (equipment of regular maintenance and equipment failure repair).More detailed equipment management process shown in Figure 2.
T-RBAC model design
According to role and task-flow and task description of the relationship between the state depicted by the figure2,S means the order of dependence, only after the current task is completed;F mean is dependent on the separation of powers and two tasks must be to the different roles;C mean is to remove the dependency, when the task can not be completed; D mean is agents dependency(task state),when current task can not be completed, then to another task.
The relationship between the two tasks : (1)
The relationship between a task with several tasks: (2)
A task flow composed of multiple tasks: (3)
As depicted by the figure2, in the device management module, system determines user access rights, through the roles and tasks which carried out the implementation process. This model is to achieve static and dynamic access control model based on a combination of role and task.
A user can have several roles : (4)
Each role has its own set of permissions: (5)
Users have real access: (6)
As in Figure 2,we set the role and the corresponding static access rights.
Buyers: Be responsible for equipment procurement plan.
Operators: Static information management, the use of information management.
Maintainers: Be responsible for equipment maintenance as well as related information on the registration.
Leaders: Be responsible for procurement, maintenance and other applications for review.
In the pre-maintenance, when the User1 starts an equipment procurement plan, then create a task instance â… . At this time, instance â… has only User1 procurement plan permissions. As the mission states S, F constraints, this time only User2 has the instance â… procurement audit authority,and Dynamic authorization depends on the instance â… and tasks of the state's dependence constraint. In the latter part of maintenance,user3 applied for equipment maintenance, then create a new task â…¡, At this point only User4 has the overhaul authority for instance â…¡,and Dynamic authorization depends on the instanceâ…¡ and tasks of the state's dependence constraint.
The access control of equipment management process includes the pre-maintenance and the latter part of maintenance,so the T-RBAC model can achieve static and dynamic combination of access control permissions.
Analysis of access control model RBAC and TBAC defects, this article establishes the T-RBAC model and makes some analysis. Argument shows that the T-RBAC model is able to achieve the access control of user's static and dynamic combination.