面向安全信息系统的二维角色访问控制模型

在安全信息系统应用中，传统的基于角色的访问控制模型不能为用户过滤业务数据，容易导致数据失密。为解决此问题，本文提出基于二维角色的访问控制模型。该模型为用户定义功能角色和数据角色。功能角色用来规定用户对某类业务数据的操作权限，而数据角色则用来为用户选择和过滤能够操作的业务数据。这样，通过为不同部门的用户赋予不同的数据角色，可以确保该用户只能操作本部门的数据。应用表明，所提出的基于二维角色的访问控制模型既具有“最小权限”特性，又具有“最少数据”特性，适用于安全性要求高的信息系统访问控制。

A Two Dimensional Role-Based Access Control Model for Secure Information Systems

In the application of secure information systems,the traditional role-based access control model can not filter business data for users,which easily results in secret data leakage.To resolve this problem,we present a two dimensional role-based access control model.There are two types of roles defined in this model,i.e.functional role and data role.Functional roles are used to describe operation permission on business data,on the other hand,data roles are used to select and filter the business data that users can operate.So,we can assign different data roles to users from different departments,so as to ensure users can only operate the data from their own departments.Applications indicate that,the proposed two dimensional role based access control model possesses both "minimal permission" and "least data" characteristics,and it can be used as the access control model for secure information systems.