| 摘要: | 傳統電腦系統的權限認定,一直是針對個別使用者來考量,也就是存取權限的授予是針對個別使用者,但這種方式在人員有異動時,將會造成權限設定的大量更動。而「以角色為基礎的存取控制(RBAC, Role-Based Access Control)」,是以角色為對象來配置權限,並指定使用者擔任某一或多種角色,透過使用者─角色─程式三個層次對應,來形成整個權控架構,其優點是人員變動時,只需要更改使用者與角色的對映即可。 RBAC雖然提供了管理上的便利性,但卻缺乏企業管理中十分重要的工作流程管理。此外,「以工作為基礎的存取控制(TBAC, Task-based Authorization Control)」,是以工作為控制對象,針對工作與工作間可能發生的衝突來考量,建立一種授權步驟來控管每個工作流程。 本研究以RBAC為基礎,結合了強調工作流程的TBAC,提出一套在執行時期的動態存取控制模型,並從工作與工作間相對的關係來驗證此模型的可行性。我們所提的方法可輕易解決權責衝突、工作順序與工作相依等限制問題。此模型不僅解決了角色缺乏工作流程的缺點,也應付了執行時期可能的流程變動所引發的問題。由於此模型涵蓋了靜態與動態存取控制時的需求,因此也相當具有彈性與實用性。
Traditionally, the individual users are the main consideration in computer authorization-identification system. However, it needs to set a large amount of installation when the employees changed. Role-Based Access Control (RBAC), distributes the user's authorization by the subject of roles, single or multiple, which builds the formation of whole access control structure. What the merit of this structure is to renew the user and the roles only when the members changed. Though the RBAC is a convenient managerial tool, it is lack of workflow-management, which is very important to an enterprise. On the other hand, Task-Based Authorization Control (TBAC), focus on the object of tasks, not only considers the conflicting between tasks, but also builds an authorization-step to manage every workflow. The study is based on RBAC and combined the TBAC which stressed workflow. It proposes a model of dynamic state access control to examine the probability of the model from the correlativity between tasks, and to break through the limitation of duty-conflict, task order, and task dependency during the executive period. The model not only resolves the problem of the roles lacked of workflow, but also deals with the flaw caused by the change of workflow during the executive period possibly. Because of concluding the need of static state and dynamic state access control, it is full of elasticity and practicability. |
