
Research And Design Of Access Control Model For A Government Information System

Posted on: 2018-04-01
Degree: Master
Type: Thesis
Country: China
Candidate: K D Wang
GTID: 2348330518994692
Subject: Information security

Abstract/Summary:
Now that the Internet is well developed, people are used to accessing and handling many kinds of data over the network. Information systems have become essential infrastructure in business, and governments depend on them more and more. Because government data is special, access control in a government information system needs to be specific and flexible. In the traditional access control model and the role-based access control model, whether an access request is allowed is decided according to the requester's identity. In reality, however, the environment the requester is in and the circumstances of the operation the requester needs to perform must also be considered when deciding whether to allow access. As a result, the traditional access control model and the role-based access control model are both insufficient to ensure the precision of access control. The new generation of access control model, UCONABC, takes into account the attributes of both object and subject, as well as authorization, obligation, condition and so on. Its flexibility enables it to satisfy the various access control requirements of a government information system.

Unfortunately, the UCONABC model does not define a delegation model, and in government work it is inevitable that one's privileges are delegated to others. This thesis discusses three problems in turn: the means of delegation, the validation of delegation, and the revocation of delegation. Taking advantage of the UCONABC model and combining it with the role-based access control model, we propose a delegation model for UCONABC and employ it in a government information system. The main work is as follows:

1. The government information system, which is the research background, is analyzed in detail. According to the characteristics of government systems, their requirements for an access control model are summarized. After researching and analyzing several main access control models, including the UCONABC model, and taking into consideration the characteristics of the government information system, this thesis selects UCONABC as the core model in the application.

2. Research is done on the role-based access control model and on delegation for it. The essence of delegation for the role-based access control model is adopted in delegation for UCONABC as the means of delegation.

3. The use of UCONABC as the means of validating delegation is researched. Two constraints, a delegation depth constraint and a delegation width constraint, are set. A formalized description is given through an example scenario.

4. Based on the model proposed in this thesis, which uses delegation roles as the means of delegation and UCONABC as the validation method, a flexible revocation system is presented, and an example is given to show its process.

5. The model in the thesis is employed in a government information system, which proves that it is useful for delegation and capable of making decisions according to delegation constraints.
Keywords/Search Tags: delegation, UCONABC, government information system, access control