A Study of Usage Control Model in Role-Based Access Control System

Bibliographic Details
Main Authors: Tseng-Wei Chan, 曾瑋展
Other Authors: Chung-Shyan Liu
Format: Others
Language: zh-TW
Published: 2005
Online Access: http://ndltd.ncl.edu.tw/handle/sc2rd9
Description
Summary: Master's === Chung Yuan Christian University (中原大學) === Graduate Institute of Information Engineering (資訊工程研究所) === 93 === In traditional RBAC systems, a user’s access rights are checked and authorized before system resources can be used. But this is not enough in some situations, so the concept of usage control was introduced. Usage control allows three kinds of authorization decisions: authorization, obligation and condition. Obligation means that a user needs to do some things to get access rights, and conditions may be used to restrict a user’s access rights. There are also a mutable property and a continuity property in usage control. Thus, the roles that a user can use can be decided at runtime. For example, in an online service system, a user must have more cash in order to obtain the read service, such as reading a book, and the system will ask the user to pay more in order to continue reading when the access rights expire. In this thesis, we studied how to integrate the usage control model into a role-based access control system, and implemented a system for checking users’ rights at runtime. The implementation includes (1) an administrator's interface to help the administrator manage users and their attributes, (2) attribute update that allows pre-update, ongoing-update and post-update of a user’s attributes, and (3) dynamic separation of duty, which checks the values of a user’s attributes to prevent the user from holding exclusive roles at the same time.