基于X-RBAC模型的访问控制方法研究与实践

传统的RBAC模型基于一套角色不能同时为用户选择功能主体，规范数据操作行为和数据操作对象。为解决此问题，本文提出了X-RBAC模型。该模型通过引入角色组的概念并在其中定义了功能角色组、行为角色组和数据角色组，通过功能角色实现功能主体的过滤，行为角色实现数据操作行为的过滤，数据角色实现数据客体的过滤。在对用户进行授权的同时授予用户功能角色、行为角色和数据角色，以保证授权用户对授权数据执行授权操作。实践表明，X-RBAC模型具有良好的扩展性、适应性和灵活性，适用于数据保密性要求高的复杂信息系统的访问控制。

Research and Implementation of Access Control Based on the Extended Role-Based Access Control (X-RBAC) Model

Traditional role-based access control can not filter the functional entities, data operations and business data at one time, because it has only one set of roles. To resolve this problem, we extend it by importing the concept of role group and defining three role groups, i.e. functional role group, behavioral role group and data role group. Functional roles are used to filter the functional entities; behavioral roles are used to restrict the data operation activities; and data roles are used to filter the business data. We assign at least a functional role, a behavioral role and a data role to every user, so as to ensure only the authorized user can do the authorized data operation activities on the authorized data. Applications indicate that, the extended role based access control model possesses favorable expansibility, adaptability and flexibility, and it can be used as the access control model for complex information systems with a high demand of data security.