設計授權準則以達到在工作為基礎的存取控制模式中之權責區分

Abstract

以「角色為基礎的存取控制」主要是依據權責衝突的角色，來建立授權準則以達到權責區分之目的；然而為因應企業環境之改變，企業之運作需提供有效的工作管理與工作為基礎的存取控制，因此若僅以角色為基礎的機制，並無法有效的管理企業之工作。近來雖已有以角色與工作為基礎的存取控制之研究，但並未探討權責區分準則或是僅為原來以角色為基礎的存取控制之簡單延伸，並未從工作之間不同的權責關係考量權責區分之授權準則。 本研究提出新的分析觀點，從企業制訂規劃工作的角度，分析與定義不同的工作權責衝突關係，包括制衡、督導查核與非獨攬性等，並依據所定義的工作權責衝突關係來探討使用者、角色與工作之授權及指派，進而設計授權準則以達到在角色與工作為基礎的存取控制模式中之權責區分。本研究不僅定義新的工作權責關係，更推導出符合工作權責關係之新的授權準則，包括督導查核、相依執行及協調合作等權責區分準則。

Mutual-exclusive roles are the basis for designing authorization rules to achieve separation of duty in role-based access control (RBAC) models. However, in order to adapt to the changing business environments, enterprises need to operate with effective task management as well as task-based access control. Current RBAC models are not adequate to provide effective management of tasks within enterprises. Although some works have been done in the context of role and task-based access control, very few works have designed authorization rules on separation of duty in this context. The designed authorization rules are merely simple extensions from the authorization rules of RBAC models. Moreover, different duty-relationships among tasks are not considered. This work presents a novel view to analyze different duty-relationships among tasks from the aspect of how enterprises design and plan tasks. Several kinds of duty-conflict tasks are defined to represent various duty-relationships such as balancing, supervising and non-arbitrary relationships among tasks. On the basis of the defined duty-conflict tasks, authorization rules for assigning tasks to roles and users are designed to achieve separation of duty. The proposed work not only defines new duty-conflict tasks but also deduces new authorization rules to achieve variations of separation of duty including supervision-based, work-dependent and coordination-based separation of duty, etc.