Title: An Implementation of Authorization Management in Task-Based Access Control Models
Author: 李旭登
Hsu-Teng Lee
劉敦仁
Duen-Ren Liu
Institute of Information Management
Keywords: Task-Based Access Control, TBAC
Issue date: 1999
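Abstract: The task-based access control (TBAC) model considers the assignment and authorization of users, roles, tasks and operation objects according to the different duty-conflict relationships among tasks. The TBAC model fits the task-oriented way in which business organizations operate better than other access control methods do. Following the TBAC separation-of-duty criteria, this study uses object-oriented technology and a three-tier system architecture to implement an authorization management system that is extensible and conforms to the authorization rules. Through a graphical interface, the system lets security managers quickly and conveniently manage permission settings for tasks, job roles and users, and manage the authorization rules that govern the assignment of tasks, job roles and users. Setting authorization rules restricts the scope of system resources that users can access, and security policy managers can also define the authorization rules they need according to business operating requirements. Finally, the study introduces a real goods-purchasing case into the system for analysis and verification.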
In task-based access control (TBAC) models, duty-conflict tasks are the basis of authorization management to determine the assignment of tasks to roles and users. Some studies have shown that TBAC models are more suitable for task-oriented operational business environments than other access control schemes are. Based upon object-oriented technology and a three-tier system architecture, this study designs and implements an extensible system capable of conducting authorization management of TBAC models. The system incorporates various authorization rules to achieve separation of duty in the assignment of tasks to roles and users. A graphical interface is also provided for security managers to specify tasks, roles and users, as well as to enact appropriate authorization rules according to security requirements. Secured task-based access control to system resources can thus be enforced via effective authorization management. Finally, a real purchasing case is analyzed and applied to the system to demonstrate how authorization management can be effectively conducted using the developed system.
URI: http://140.113.39.130/cdrfb3/record/nctu/#NT880396026
http://hdl.handle.net/11536/65607
Appears in Collections: Thesis