Upload
anquan
View
212
Download
0
Embed Size (px)
Citation preview
The Realization of RBAC Model in Office Automation System
JIE Anquan College of Computer Information & Engineering
Jiangxi Normal University, Nanchang, Jiangxi, 330022, China [email protected], [email protected]
Abstract
Efficiency and security is very important in office automation systems, this paper analyses how the role-based access control model (RBAC) works, and presents an effective authority control method based on RBAC model in web applications. Practice shows that the web application based on RABC model has excellent safety and stability. We have successfully developed a universal office automation management system based on RBAC model. The system has been successfully applied to several colleges in Jiangxi province. It has played an important role in improving administrative efficiency. 1. Introduction
Web applications can be out of geographical restrictions. It makes remote office and remote management becomes reality. The scale of colleges and universities had made tremendous development in recent years in China. These new building school campuses makes the task of administration office increasing onerous in recent years, in order to better meet the needs of computer-aided education and management for colleges. This paper analyses how the role-based access control (RBAC) works, then presents an effective authority control method based on RBAC model in web applications. We had developed a general office automation system based on RBAC model using the software automation technology in .NET platform successfully , according to the actual demand of the education department in Jiangxi province. It not only meets the needs of the school office through system configuration, but also can meet the demand of college for office. These systems have been successfully used in computer-aided education and management in some universities, and had made a very good effect.
Web applications are different in technically and psychologically, so an adapted version of conventional software engineering practice is well-worth considering. In order to protect sensitive content and provide secure modes of data transmission, strong security measures must be implemented throughout.
This paper describes the basic idea of RBAC, and shows the applications of RBAC model in the office automation software for colleges and universities. 2. The Implementation of RBAC Model in the Web Platform 2.1. RBAC Principle
In 1996, Ravi S. Sandhu described the basic framework of RBAC; this is a significant milestone in RBAC96 model. RBAC96 model has three entities: User, role and access. Its core idea is: protected access to resources associated with the role, users with the resources requested by the visit has no direct relationship each other, if the user want to access a resource, he must have access to this resource. Figure 1 shows how RBAC model works.
Figure 1 RBAC model
NIST's Ferraiolo and Kuhn made the same model of
the proposed RBAC, that is, NIST RBAC[1, 2]. In RBAC, the "role" is an important concept, that is a
user or a group within the system run the operation of the collection. For example, site visitors can have the role of the general membership, senior members of the webmaster, administrator and other columns etc. These roles are owned by “delete”, “search” operation access to the web site. Different users have different access in the system based on RBAC model because they are assigned different roles. In other words, the users linked to the resources directly in traditional access control model. Users and resources establish ties through the role of communication in RBAC model. A user can be authorized and has multiple roles; a role also has multiple users. Each
2008 International Seminar on Future Information Technology and Management Engineering
978-0-7695-3480-0/08 $25.00 © 2008 IEEE
DOI 10.1109/FITME.2008.85
360
role has a variety of operating authority; each operation can be executed by different roles too. The model has been successfully applied to many large-scale application systems now[3].
With the development of Web applications, how to effectively use RBAC control principle in the web application, which becomes many researchers study goal now[4]. 2.2. Web-Based Access Control Methods
College office automation system is a typical web application system based on B/S model, which has the following salient feature:
The user's privileges of protected resources will more frequent change when system's organizational structure or function constantly changing. If privileges are allocated to user instead of role directly, the maintenance for access will be large and complex.
The interactive between users and application always implemented by browser-page request and services application response. All of the user's operation through the Web page to complete. Therefore, the role-based access control in the
realization of Web applications can be summed up as "when and where, what role can access what pages".
If the system and its users will be linked with the role, this relationship relatively will be more durable, and the maintenance will be more systematic. The operation and management is stronger when authority is empowered to role than to individual. So through the intermediary role can greatly simplify the user and access management.
We design the following components based on the above principle.
(1)Permission: the unit of resources in web application is URL; the key of access management is control role access to their URL. The specific function for each URL can be broken down through the pages feature size to achieve.
(2)Role: it can be divided into a number of roles according to identity and responsibilities of users in the application system, a role represent system-related functions. Users have a role; on behalf of the user can use the relevant functions, which means that users can access the relevant pages. The role can be inherited; the relationship between the user and the corresponding role is many-to-many.
(3)Assigning role to user: that is distributing the role collections to users. It can be divided into specific roles and expansion of basic role when implementation.
(4)Assigning authority to roles: that is distributing the authority collections to roles that is set the role can visit the corresponding URL, role can inherit other roles.
To sum up, access control model in Office Automation system based RBAC model shown in Figure 2.
Authen-tication
System
Auth
ori
tyins
pec
tion
Pages loading system
Authorized
managem
entsubsystem
Figure 2 Access control model in Office Automation
system based RBAC model
3. The Implementation of University Office Automation System Based on RBAC model
3.1. The Demand of University Office Automation System
The demand for office automation system is different
between different schools, n order to increase the software reusability. We should try to identify the common characteristics of office systems in needs analysis stage. So, it can satisfy the majority of colleges and universities office automation needs.
University Office software is divided into client modules and server modules. The client modules include the notice issued, query, edit, and publish notice of teaching, work forum, educational administration, document management, messaging center and other functions. Server modules include user management, configuration management, role management, system management etc.
3.2. The Design Idea
(1) General requirements. In order to let the system to
meet the different schools demand, modular design methods was used in system development. It is easy to equip office system by the use of units according to their actual needs. These data for the database of information related to the realization of the respective module code (URL). The personalized settings are accomplished through the allocation of office systems owned by the module.
(2) Definition dynamic role. System's role is a logical concept; different systems in the same role may have different means. System initialization by the administrator based on the use of units in a dynamic definition, the number and names are unrestricted. For example, we can set many roles, such as "teacher", "president", "graduate",
361
"counselor", "undergraduates", "Teaching” and "Research Director" when used in college.
(3) Definition dynamic department. All specific office entities include some specific administrative departments, so in office automation system should also reflect it. Dynamic systems can be set up in the executive departments. User’s administrative privileges will be assigned to designated users in the department. It is easy to achieve the dual management authority in the system based on the roles or based on department. 3.3. The Implementation Method of RBAC Model
(1) System design patterns In order to control the access of the application
procedures in the Web application, all various entities (user, role, access) and the inter-relationship between the entities should be expressed out first.
The user’s role information and user’s information are easy expressed by abstract, that including user ID, password, the role of ID, the role name, etc. The most important thing is the subject to the protection resources about this problem.
Web access in the resource can be carried out through the URL, in the realization of the system, using the name and URL resources ways.
It is easy to control the role of the authority through “RolePermission” table, which was assigned different roles for different privileges through “UserRole” table to control the user's role. The user in the system can have multiple roles, so indirect control of user’s access to resources is achieved successfully.
(2) System Application C#.Net development platform, SQL or Oracle database
system can be used when office automation system are developed. Web-based RBAC model of control can be achieve by the following steps:
1) The user requests for resources to be sent to the web server.
2) The user ID, password and the role of these documents are verified by the identity verification process. It is divided into two working methods according to the way users offered. If the user is first visiting, users will be re-targeted to a login page, so that users enter the certificate information, if the certificate is valid information, the user information is stored in session on the server or the client cookie is determined by the user's choice, if users are visiting again, these users will automatically submit information to the server for validation.
3) Testing authority will be carry out according to the server's role and request the resources. If the role allows access to the requested resources, system will be responding to requests, otherwise the visit will be denied.
The program “amxAddCookie” gives a solution of preserving the user’s login information.
private bool amxAddCookie(string uid,string pwd,int rid,long timeSpan){ if(this.Request.Browser.Cookies==false) return false; // cookie HttpCookie cookie = new HttpCookie("UserInfo"); if(timeSpan<1)
{ if(this.Request.Cookies["UserInfo"]!=null) { cookie.Expires=System.DateTime.Now.AddHours(-1); this.Response.Cookies.Set(cookie); } return false;}
cookie.Expires=System.DateTime.Now.AddHours(timeSpan); string tmpStr=this.Session["IP"].ToString(); Amx.AmxEncrypt et=new Amx.AmxEncrypt(tmpStr); tmpStr=et.amxEncrypt(uid); cookie.Values.Add("UserName",tmpStr); tmpStr=et.amxEncrypt(pwd); cookie.Values.Add("PassWord",tmpStr); tmpStr=et.amxEncrypt(rid.ToString()); // User name cookie.Values.Add("UserRole",tmpStr); // Role name if (this.Request.Cookies["UserInfo"]!=null) this.Response.Cookies.Set(cookie); else this.Response.Cookies.Add(cookie);//Add cookie return true;}
In order to improve the reliability of software, we had
used some software automation technology in the database design. Such as PAR platform[5,6], in which the operation of the database described by abstract programming language (Apla)[6] can directly convert into the optimization SQL query language. It improved the efficiency of the system's development. These measures effectively ensure the efficiency of the system.
4. The Configuration and Application of Office System
The office automation system has fully considered the
variability of applications, system configuration can be completed using the initialization unit, including setting user’s role, distributing role’s operation, configuring role interface, and so on.
The roles are created by system administrator according to units circumstances. Object-oriented design has been used in system design, if a departments is created, the system will automatically create the functions of the department operations. For example, system will generate “Issued notice of the Department of Artificial Intelligence", "Read the Notice of the Department of Artificial Intelligence" and "Edit notice of Artificial Intelligence Department " operation automatically, when
362
"Artificial Intelligence Department" is created by administrator. So the administrator can be assigned these operations to the appropriate members of the department of artificial intelligence based on user role. This measures improved work efficiency greatly within the department.
5. Conclusions
We have succeeded applied RBAC theory to the
development of office automation system. Under the guidance of RBAC theory, we have successfully developed a universal office automation management system, which has high efficiency and security. The system has been successfully applied to several colleges in Jiangxi province. It has played an important role in improving administrative efficiency. Acknowledgement
This work is supported by the project of the Education Department of Jiangxi province Grant #GJJ08155 of
China. The author is grateful for the anonymous reviewers who made constructive comments. References [1] Ravi Sandhu,Edward Coyne, Hal Feinstein, et a1. Role-
based access control models [J].IEEE Computer, 1996,29 (2):38-47.
[2] Ferraiolo D,Sandhu R,Gavrila S,et a1 . A proposed standard for role-based access control[J].ACM Transactions on Information and System Security,2001,4(3):224-274
[3] Song Xin, Xia Hui, Wang Xuetong. Access Control of Web Application Based on RBAC model in .NET Environment [J], Computer technology and development, 2006.4:218-222
[4] Yang Wenbo, ZhangHui, LiuRui.A New Role-based Access Control Model [J], Computer Engineering,2006.11: 167-169
[5] Li YingLong. The Description and Realization of RelationalDatabase Mechanism in PAR Method [D], NangChang, Jiangxi Normal University, 2007
[6] Jie AnQuan. A Parallel and Concurrent Programming Method Based on Apla-Java Reusable Components [J], Microelectronics and Computer, 2006.9:165-168
363