Research and Application on Auditable Role-Based Access Control Model

[Author] Duan Pengsong (段鹏松)

[Advisor] Fu Li (傅鹂)

[Author information] Chongqing University, Computer Software and Theory, 2007, Master's

[Abstract] The rapid development of Internet technology and the wide adoption of its applications mark the arrival of the information age. In the information age, information resources are the most valuable asset: whoever holds the most timely and useful information can move a step ahead in fierce competition. Against this background, informatization is imperative across all industries. On the road to informatization, the access control policy and mechanism of an information system is a key issue, especially for information systems with very large numbers of users and information resources. Access control policy is one of the important means of preventing information inside an information system from being illegally obtained, modified or destroyed, and of preventing unauthorized use of the system. A robust, effective user access control policy not only greatly reduces workload, improves efficiency and reduces errors, but also effectively ensures the confidentiality, integrity and availability (C.I.A) of the information system's data and services.

The Role-Based Access Control model (RBAC model) is powerful and simple to operate, and is the model mainly adopted for access control policy in current information systems. However, the traditional RBAC model generally considers only functional implementation and does not make users' permission operations auditable. Network security today, especially the internal network security of information systems, harbors great hidden dangers, and the impact of this shortcoming of the RBAC model will become more prominent as people pay more attention to internal network security. Although the access control mechanism and the information audit function of an information system can be implemented separately, both are closely tied to the system's users and permission resources, so integrating them as one independent component not only reduces complexity in system design but also fits the modular thinking of software engineering.

Starting from practical application, this thesis first studies and analyzes the RBAC model in depth, then briefly describes the content of information security auditing. Then, based on the RBAC model's shortcoming that user permission operations are not auditable and on the advantage that information security auditing can strengthen the internal network security of an information system, it proposes an auditable role-based access control model, the RBAC-a model (where "a" stands for auditable), and gives a detailed definition of the model. Finally, relying on the development project of the case information system of the Chongqing Information Security Technology Center (hereafter "the case system"), and taking into account the characteristics of university users and information systems in China today, the thesis gives a detailed feasibility analysis of adopting an RBAC-a access control policy in the case system, then describes in detail how the RBAC-a model component is implemented in the case system, and finally gives the corresponding test results. Analysis of the test results and comparison with traditional access control models show that the RBAC-a model is indeed an improvement over the traditional RBAC model, which is where the value of this thesis lies.

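  • [Online publication contributor] Chongqing University
  • [Online publication year and issue] 2008, Issue 05
  • [Classification number] TP393.08
  • [Times cited] 3
  • [Downloads] 190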