Extended access control model based on roles and user groups

Source: Internet
Author: User

Access control is an important mechanism in information-system security and has many important applications. The access control (permission management) subsystem is currently one of the most frequently used modules in computer application systems. In an enterprise, almost every application system has its own independent permission management subsystem, and these subsystems may differ in how they store permission data, how permissions are looked up, and which access control mechanism they use. In recent years, access control research has developed rapidly and many access control models have been proposed [~3]. A standardized access control model is needed in order to implement strict access control policies, so the study of access control models is of great practical significance.

Role-based access control (RBAC) is currently a hot topic in system security management and has been widely applied in application systems [~6]. However, I found that in most current RBAC applications, users holding the same role have identical access permissions to functional objects, while different users holding the same role need different permissions to data or resource objects. Resource permission control in these systems is usually handled outside RBAC: according to the actual access control requirements, permissions are granted directly to individual users as objects, and a user's access rights to data or resources are expressed through business data in the database. During authorization the relevant data is extracted manually from the business tables and stored statically in a resource permission table; during a permission query the user's resource permissions are determined by looking up that table. Because this permission data contains a large amount of business data, whenever a user's role or function changes the system administrator must manually update a large amount of corresponding permission data. This not only increases the administrator's workload but also easily leads to data inconsistency. To address these problems, this article adds user groups on top of RBAC, so that a user's function permissions and resource permissions are determined jointly by the user's roles and user groups.

1. Role-Based Access Control Model

Traditional access control models, such as discretionary access control and mandatory access control, grant permissions with the individual user as the basic object, which makes authorization management for large and complex systems complicated and error-prone. With the development of multi-user and multi-system research, the concept of a role gradually took shape, and a role-centered access control model was developed: RBAC. RBAC contains three entities: users, roles, and permissions (privileges). A user is the subject that operates on data objects; users include people, machines, and computers. A permission is the right to perform an operation on a data object. The concept of a role is derived from roles in actual work: a specific role represents the right to handle certain transactions on the job. Role management is an idea taken from managing the users of large databases; when this idea is introduced into authorization management, the role serves as an intermediate bridge linking users with permissions. Seen from the permission side, a role can be viewed as the set of permissions it owns; seen from the user side, a role can be viewed as the set of users who hold that identity in the system. The core idea of role-based access control is to convert access permissions into role permissions: by assigning different roles to users, users are granted different permissions. It requires the administrator to create roles according to the situation, grant the relevant permissions to each role, and finally grant roles to the appropriate users, so that each user obtains the permissions of their roles.

[Figure 1: RBAC model (image not reproduced in this copy)]

Figure 1 shows the RBAC model. The association between users and roles represents a set of permissions owned by several users with the same identity. A user can be granted several roles, and a role can be granted to several users, so the relationship between the two is many-to-many. The association between roles and permissions represents the set of permissions owned by a role. A role can hold multiple permissions, and a permission can be granted to multiple roles, so this relationship is also many-to-many. RBAC makes access control more adaptable: managers can adjust the assignment of users to roles, the operations associated with roles, and the hierarchy between roles to flexibly control how users access resources. In addition, it is easy to align the role structure with the internal user structure of a department, which simplifies management and clarifies responsibilities. These features show that introducing the role concept achieves a logical separation between users and permissions, which greatly facilitates permission management; this is also why this article develops its extended access control model on the basis of RBAC.

2. The extended access control model (ERBAC) with user groups introduced

2.1 User Group Definition
The RBAC specification does not say how users are organized. To make the system suitable for decentralized permission management, the concept of a user group, meaning a collection of users, is added. In practice, many industry systems have a huge number of organizational units; without user groups, authorizing the users inside each department is messy and cumbersome. When the departments involved are organized in a tree structure according to administrative or other affiliation, authorization becomes much clearer. In addition, when all users in a group perform the same function, a group role can be created and assigned to the entire group, so that every member of the group receives its permissions; when the permissions of the group role change, the permissions of the entire group change with it, which greatly simplifies authorization management. Since users are the access subjects controlled by permissions in the system, introducing user groups is necessary.

2.2 Relationship between user groups and roles
Since a user group can be authorized directly, can the user group replace the role? From the above analysis, when all users in a user group perform the same function, the group can indeed replace the role; this is also why group-based access control is often mistaken for role-based access control. However, users in the same user group may perform different functions. If authorization is done in group mode, users with different functions in the group end up with permissions that do not match their function, and the system as a whole is clearly insecure. According to the role analysis in RBAC, although roles and user groups have similarities, there is a fundamental difference: a group is a collection of users, not a collection of permissions, whereas a role is an intermediary that associates a set of users with a set of permissions. Therefore, user groups cannot replace roles.

2.3 ERBAC model
In large enterprise systems, defining roles for permission management is complicated because of the large number of users and the complex business objects. Users' business needs are flexible and constantly changing; the system's functions and data resources may be added to or updated continually, so permissions change too; and as job responsibilities within the system change, the corresponding permissions change as well. Role definitions therefore usually change over time and with departmental adjustments. At the same time, the permissions of different roles often overlap, and access permissions to data resources cannot be distinguished by role alone. Changing authorization only by adjusting role definitions is not enough to meet the changing needs of these complex situations. Currently, in most RBAC applications, users holding the same role have the same access permissions to functional objects, while different users holding the same role need different permissions to data or resource objects. For example, in a management information system, users with the same role but in different departments see the same menus, windows, buttons, and other functional objects of each module, but within the same functional interface each user may only access the data of their own department. A user's access permissions to functional objects can be fully managed by RBAC: the administrator creates a role as required, grants the relevant function permissions to that role, and finally grants the role to the appropriate users, so that each user obtains the functional permissions of the role. The key question is then how to flexibly meet users' individual access requirements for data resource objects. On observation, I found that the data in the system is organized by department or user group, so resource permissions can be allocated by user group.
Based on this idea, this article adds user group resource permissions on top of RBAC and uses a hybrid authorization method combining roles and user groups, which makes permission control more flexible and secure. Figure 2 shows the extended role-based access control model (ERBAC) in which user groups and roles authorize jointly.

[Figure 2: ERBAC model (image not reproduced in this copy)]

The ERBAC model is described as follows. If user $u$ holds the permission set $P(u, O)$ on the set of objects $O$, then:

$$P(u, O) = P_R(R(u), O_f) \cup P_G(G(u), O_r)$$

where $P_R(R(u), O_f)$ is the set of permissions on the function objects $O_f$ obtained through the roles $R(u)$ of user $u$; $P_G(G(u), O_r)$ is the set of permissions on the resource objects $O_r$ determined by the authorization of the user's departments (user groups) $G(u)$; and $P(u, O)$ is the union of $P_R$ and $P_G$, that is, the sum of the roles' permissions on function objects and the departments' permissions on resource objects.

In addition to RBAC's role authorization, the ERBAC model adds user groups to authorize data resources. The relationships between users and roles, between roles and function permissions, and between user groups and resource permissions are all many-to-many. Authorization is divided into two steps, function authorization and resource authorization, and a user's permissions are the union of the function permissions of the user's roles and the resource permissions of the user's departments. This hybrid authorization method not only effectively solves the problems caused by dynamic changes in role definitions, user responsibilities, functions, and resources, but also improves the flexibility and maintainability of user authorization. Once authorization is complete, when a user requests access to the functions of a module, the system determines the user's roles and user groups, then the function permissions of those roles and the resource permissions of those user groups, and thereby obtains all of the user's function and resource permissions. Based on this authorization method and permission access control, the ERBAC model has great advantages in enterprise applications:
A) The setting of users, user groups, roles, and permissions maps the enterprise structure and the responsibilities of employees onto the enterprise application system, which makes the design and application of system permissions more intuitive and flexible and easier to manage and maintain;
B) If the responsibilities of a position in the enterprise change, there is no need to change the permissions of every employee in that position one by one; only the permissions of the role that performs the duties of that position need to be changed;
C) If the responsibilities of some users change but their user group or department does not, only the users' roles need to be modified;
D) If some users are transferred to another department but their responsibilities are unchanged, only the user group the user belongs to needs to be changed; the user's resource permissions then change accordingly, without re-authorizing the user one by one;
E) If both the responsibilities and the departments of some users change at the same time, both the user's roles and the user's user group are modified, so that the user's function and resource permissions change accordingly.
These features of the ERBAC model make system permission maintenance simple, fast, secure, and effective, and make it well suited to system development in large enterprise organizations.
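The permission formula and the maintenance cases above can be checked with a small in-memory model. The following Python is an added illustration, not code from the article or its author: it keeps the four relationship tables (user-role, role-function, group-user, group-resource) as dictionaries, computes P(u, O) as the union of the role-derived function permissions and the group-derived resource permissions, and then plays through case B (a position gains a duty) and case D (a user transfers between departments). All role, group, user and object names are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# A permission is (object, operation). Function objects are menus, forms and
# buttons; resource objects are data sets such as a department's records.
Permission = tuple[str, str]


@dataclass
class Erbac:
    """Function permissions flow through roles, resource permissions through
    user groups; the two sides are kept in separate relationship tables."""
    role_functions: dict[str, set[Permission]] = field(default_factory=dict)   # role -> perms on O_f
    group_resources: dict[str, set[Permission]] = field(default_factory=dict)  # group -> perms on O_r
    user_roles: dict[str, set[str]] = field(default_factory=dict)              # user-role table
    user_groups: dict[str, set[str]] = field(default_factory=dict)             # group-user table

    # --- authorization step 1: function authorization (role side) ---
    def grant_function(self, role: str, obj: str, op: str) -> None:
        self.role_functions.setdefault(role, set()).add((obj, op))

    def assign_role(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    # --- authorization step 2: resource authorization (group side) ---
    def grant_resource(self, group: str, obj: str, op: str) -> None:
        self.group_resources.setdefault(group, set()).add((obj, op))

    def assign_group(self, user: str, group: str) -> None:
        self.user_groups.setdefault(user, set()).add(group)

    def move_user(self, user: str, old_group: str, new_group: str) -> None:
        """Case D: a transfer between departments touches only the group-user table."""
        groups = self.user_groups.setdefault(user, set())
        groups.discard(old_group)
        groups.add(new_group)

    # --- evaluation: P(u, O) = P_R(R(u), O_f) ∪ P_G(G(u), O_r) ---
    def function_permissions(self, user: str) -> set[Permission]:
        return set().union(*(self.role_functions.get(r, set()) for r in self.user_roles.get(user, ())))

    def resource_permissions(self, user: str) -> set[Permission]:
        return set().union(*(self.group_resources.get(g, set()) for g in self.user_groups.get(user, ())))

    def permissions(self, user: str) -> set[Permission]:
        return self.function_permissions(user) | self.resource_permissions(user)

    def allowed(self, user: str, obj: str, op: str) -> bool:
        return (obj, op) in self.permissions(user)


def build_sample() -> Erbac:
    """Constructed sample: two clerks with the same role in different departments."""
    m = Erbac()
    m.grant_function("clerk", "order_form", "open")
    m.grant_function("clerk", "order_form.save", "click")
    m.grant_function("auditor", "audit_report", "open")
    m.grant_resource("dept_sales", "orders:sales", "read")
    m.grant_resource("dept_sales", "orders:sales", "write")
    m.grant_resource("dept_finance", "orders:finance", "read")
    for user, role, group in [("alice", "clerk", "dept_sales"), ("bob", "clerk", "dept_finance")]:
        m.assign_role(user, role)
        m.assign_group(user, group)
    return m


def demo() -> dict:
    m = build_sample()
    before = {
        # same role -> same function objects ...
        "same_form": m.allowed("alice", "order_form", "open") and m.allowed("bob", "order_form", "open"),
        # ... but different departments -> different resource objects
        "alice_sales": m.allowed("alice", "orders:sales", "write"),
        "bob_sales": m.allowed("bob", "orders:sales", "read"),
    }
    # Case B: the clerk position gains a duty; one change to the role reaches every clerk.
    m.grant_function("clerk", "order_form.export", "click")
    # Case D: bob transfers to sales; resource permissions follow the group, the role is untouched.
    m.move_user("bob", "dept_finance", "dept_sales")
    after = {
        "both_export": m.allowed("alice", "order_form.export", "click")
        and m.allowed("bob", "order_form.export", "click"),
        "bob_sales": m.allowed("bob", "orders:sales", "read"),
        "bob_finance": m.allowed("bob", "orders:finance", "read"),
        "bob_roles": sorted(m.user_roles["bob"]),
    }
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

Note that `allowed` consults a single union set, which is exactly the point of the formula: a form and a department's records are different kinds of object, so a role grant can never accidentally open department data and a group grant can never enable a button.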

3. Design and Implementation of ERBAC

3.1 Basic design of ERBAC
The basic idea of ERBAC is to introduce roles and user groups and then add a user-role relationship table and a user group-user relationship table, so that users are associated with functions through roles and with resources through user groups, as shown in Figure 3. Resources are allocated to user groups through the user group-resource relationship table; users are added to user groups through the user group-user relationship table; roles are granted to users through the user-role relationship table; and functions are assigned to roles through the role-function relationship table. In this way users correspond to functions and users correspond to resources.

[Figure 3: basic design of ERBAC (image not reproduced in this copy)]

3.2 Database Design
Following this process, the ERBAC system is divided into functional modules, and users are divided by department into users with different permissions. According to the above design, user and permission information is stored in nine tables of the system database: the user table, user group table, role table, function permission table, resource permission table, user group-resource relationship table, user group-user relationship table, user-role relationship table, and role-function relationship table. The detailed design of each table and the relationships between them are shown in Figure 4.

[Figure 4: ERBAC database design (image not reproduced in this copy)]

ERBAC aims to establish mappings between users and functions and between users and resources. Figure 4 shows that a user has no direct relationship with a function or a resource; instead, roles and user groups are introduced, and the user-role relationship table and user group-user relationship table establish the relationships between users and functions and between users and resources. The advantage of this arrangement is that adding and maintaining users and roles are relatively independent and do not interfere with each other, which makes the database design more flexible and allows dynamic mappings between users and roles. Roles and functions are likewise not related directly but through the role-menu (role-function) relationship table, which avoids mutual influence between roles and functions and maps roles to functions dynamically. The design between users, user groups, and resources follows the same pattern, making database maintenance easier.

3.3 Implementation of ERBAC
Using Visual C# 2005 as the development tool and Oracle 10g as the database, the author designed and implemented an access control module in an information management system and verified the model of this article experimentally with simulated data. Compared with a general information management system, this system has a large organizational structure, complex internal administrative affiliations of personnel, frequent changes in user responsibilities, and a large number of users. The ERBAC model designed in this article adapts well to these characteristics: it effectively solves the problems caused by dynamic changes in role definitions, user responsibilities, functions, and resources, and improves the flexibility and maintainability of user authorization. The access control subsystem is to a certain extent independent of the rest of the information management system and has good reusability.

In the access control subsystem, the system administrator dynamically sets different access permissions for users in different user groups. When the system starts, the user logon interface is shown first. After the user enters a user name and password, the system determines which pages or forms the user may open from the user-role relationship table and the role-function relationship table stored in the database. For each button on each form, the system determines from the user's roles whether the button is available; unavailable buttons are disabled and shown in gray. The resources or data the user may use are determined from the user-user group relationship table and the user group-resource relationship table. The basic process is shown in Figure 5.

[Figure 5: access control process (image not reproduced in this copy)]
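The nine-table database design of section 3.2 and the logon-time lookup of section 3.3 can be exercised together in one runnable script. The following Python is an added example, not the article's implementation: it stands in for the article's Visual C# and Oracle 10g code by using the standard-library sqlite3 module, and every table name, column name and row is constructed for illustration. The function-side queries join user-role to role-function (which forms may open, which buttons are enabled), the resource-side query joins group-user to group-resource, and `transfer_user` performs case D of section 2.3 with a single update to the group-user table.

```python
from __future__ import annotations
import sqlite3

# The nine tables of the ERBAC database (names constructed for this example).
SCHEMA = """
CREATE TABLE users          (user_id TEXT PRIMARY KEY, display_name TEXT NOT NULL);
CREATE TABLE user_groups    (group_id TEXT PRIMARY KEY,
                             parent_id TEXT REFERENCES user_groups(group_id));  -- department tree
CREATE TABLE roles          (role_id TEXT PRIMARY KEY);
CREATE TABLE functions      (func_id TEXT PRIMARY KEY,
                             kind TEXT NOT NULL CHECK (kind IN ('form', 'button')),
                             parent_id TEXT REFERENCES functions(func_id));    -- button -> its form
CREATE TABLE resources      (res_id TEXT PRIMARY KEY);
CREATE TABLE group_resource (group_id TEXT REFERENCES user_groups, res_id TEXT REFERENCES resources,
                             op TEXT NOT NULL, PRIMARY KEY (group_id, res_id, op));
CREATE TABLE group_user     (group_id TEXT REFERENCES user_groups, user_id TEXT REFERENCES users,
                             PRIMARY KEY (group_id, user_id));
CREATE TABLE user_role      (user_id TEXT REFERENCES users, role_id TEXT REFERENCES roles,
                             PRIMARY KEY (user_id, role_id));
CREATE TABLE role_function  (role_id TEXT REFERENCES roles, func_id TEXT REFERENCES functions,
                             PRIMARY KEY (role_id, func_id));
"""

# Constructed sample rows: two clerks in different departments, bob also audits.
SAMPLE = """
INSERT INTO users VALUES ('alice', 'Alice'), ('bob', 'Bob');
INSERT INTO user_groups VALUES ('hq', NULL), ('sales', 'hq'), ('finance', 'hq');
INSERT INTO roles VALUES ('clerk'), ('auditor');
INSERT INTO functions VALUES ('order_form', 'form', NULL), ('btn_save', 'button', 'order_form'),
                             ('btn_approve', 'button', 'order_form'), ('audit_form', 'form', NULL);
INSERT INTO resources VALUES ('orders_sales'), ('orders_finance');
INSERT INTO group_resource VALUES ('sales', 'orders_sales', 'read'), ('sales', 'orders_sales', 'write'),
                                  ('finance', 'orders_finance', 'read');
INSERT INTO group_user VALUES ('sales', 'alice'), ('finance', 'bob');
INSERT INTO user_role VALUES ('alice', 'clerk'), ('bob', 'clerk'), ('bob', 'auditor');
INSERT INTO role_function VALUES ('clerk', 'order_form'), ('clerk', 'btn_save'),
                                 ('auditor', 'order_form'), ('auditor', 'btn_approve'),
                                 ('auditor', 'audit_form');
"""


def open_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA + SAMPLE)
    return con


def forms_for(con: sqlite3.Connection, user_id: str) -> list[str]:
    """Step 1 at logon: forms reachable through user-role -> role-function."""
    rows = con.execute(
        """SELECT DISTINCT f.func_id FROM functions f
           JOIN role_function rf ON rf.func_id = f.func_id
           JOIN user_role ur ON ur.role_id = rf.role_id
           WHERE ur.user_id = ? AND f.kind = 'form' ORDER BY f.func_id""", (user_id,)).fetchall()
    return [r[0] for r in rows]


def buttons_for(con: sqlite3.Connection, user_id: str, form_id: str) -> dict[str, bool]:
    """Every button of the form, flagged enabled (True) or grayed out (False)."""
    rows = con.execute(
        """SELECT b.func_id,
                  EXISTS (SELECT 1 FROM role_function rf
                          JOIN user_role ur ON ur.role_id = rf.role_id
                          WHERE rf.func_id = b.func_id AND ur.user_id = ?) AS enabled
           FROM functions b WHERE b.kind = 'button' AND b.parent_id = ?
           ORDER BY b.func_id""", (user_id, form_id)).fetchall()
    return {name: bool(enabled) for name, enabled in rows}


def resources_for(con: sqlite3.Connection, user_id: str) -> set[tuple[str, str]]:
    """Step 2 at logon: (resource, operation) pairs via group-user -> group-resource."""
    rows = con.execute(
        """SELECT gr.res_id, gr.op FROM group_resource gr
           JOIN group_user gu ON gu.group_id = gr.group_id
           WHERE gu.user_id = ?""", (user_id,)).fetchall()
    return set(rows)


def transfer_user(con: sqlite3.Connection, user_id: str, new_group: str) -> None:
    """Case D: department transfer changes only the group-user table."""
    with con:
        con.execute("DELETE FROM group_user WHERE user_id = ?", (user_id,))
        con.execute("INSERT INTO group_user VALUES (?, ?)", (new_group, user_id))


if __name__ == "__main__":
    db = open_db()
    for u in ("alice", "bob"):
        print(u, forms_for(db, u), buttons_for(db, u, "order_form"), resources_for(db, u))
```

Because the button state is computed per role and the data scope per group, two users who share a form see the same buttons but different rows, which is the behaviour the article describes for same-role users in different departments.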
4. Conclusion

Through hybrid authorization by roles and user groups, the ERBAC model effectively makes up for the defects of RBAC's role-only authorization mechanism and fits the management features of the modern enterprise organizational structure. This makes permission management for the entire system convenient, flexible, secure, and effective, and it has achieved good results in user permission management of the actual application system. At the same time, the model is highly general and can be widely applied to permission management in other systems.
