Title: Research on the System Design and Implementation of a Role-Based Access Control Model, Using the Bank Lending Workflow as an Example
On the Design and the Implementation of Role-Based Access Control Model —A View from Bank Lending Workflow
Authors: 張淑惠 (Shue-Hai Chang); 黃景彰 (Dr. Jing-Jang Hwang)
Institute of Information Management
Keywords: Role-Based Access Control Model; Bank Lending Workflow; Authorization policy; Authorization policy template; XML (Extensible Markup Language)
Date of publication: 2000
Abstract: The Role-Based Access Control Model (RBAC Model) is an access control model that lets an enterprise tie its internal control policies to its information systems. Its central concept is the role: permissions are associated with roles, and users exercise permissions through the roles assigned to them. This design greatly reduces administrative complexity and offers a flexible, systematic way to define security policies. The existing literature on RBAC concentrates on theory and says little about implementation; the main aim of this thesis is to show how RBAC can be introduced into an enterprise's actual workflows. The thesis first explains the RBAC model and then proposes three steps for introducing it into a workflow: (1) define the roles, the permissions, and the permission-to-role assignments; (2) define the role hierarchy; (3) formulate the authorization policies (constraints) and the points at which they are enforced. The author uses the common database language SQL as the language for writing authorization policies and designs RBAC-oriented XML (Extensible Markup Language) tags for producing documents that carry RBAC authorization information. Finally, the proposed method is implemented for the bank lending workflow as a case study to verify its feasibility. The results indicate that SQL is the better choice for describing enterprise authorization policies, since the RBAC constraint languages proposed so far come without interpreters or related work and are therefore of limited practical use; in addition, the platform independence of XML documents makes it convenient to use RBAC authorization information across heterogeneous platforms. The methods proposed here follow the design principles of "pragmatism" and "simplicity", which lowers the barrier for enterprises to introduce the RBAC model into their information systems, so that this access control model can be widely adopted and enterprises can control the use of information more effectively.
Role-Based Access Control (RBAC) is a model for defining security policies in enterprises. The central concept of RBAC is the "role". Permissions are associated with roles. Users are made members of appropriate roles, thereby acquiring the roles' permissions. This idea greatly simplifies the management of authorization and also yields a flexible and systematic way of defining security policies. Much of the discussion on RBAC has focused on theoretical issues rather than practical implementation. Our main objective here is to offer a method for implementing RBAC features in the context of certain workflows in enterprises. The task is divided into several steps: (1) define roles, permissions, and permission-to-role assignments; (2) define the hierarchical structure of the roles; (3) formulate security policies and specify the timing of enforcing these policies. The author utilizes the well-known database language SQL as the language for describing an RBAC implementation. Furthermore, the author designs an XML standardization to define documents, which are used to present authorization statements based on RBAC. A case study on the lending workflow in banks is conducted to demonstrate the feasibility of the implementation using SQL and XML. As a first research result, SQL is a good choice, given that no domain-specific language has been developed for this purpose. As a second result, the XML standardization makes the transfer of authorization statements between heterogeneous platforms much easier.
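As an added illustration, not code from the thesis itself, the three steps above are carried out in SQL over a constructed lending schema run through Python's sqlite3: roles, permissions and assignments (step 1), a role hierarchy resolved with a recursive query (step 2), and a separation-of-duty policy enforced at approval time (step 3). All role, user and permission names are constructed sample data.

```python
import sqlite3

# Constructed sample data: minimal RBAC tables for a bank lending workflow.
# role_hier(senior, junior): the senior role inherits the junior role's permissions.
SCHEMA = """
CREATE TABLE role_perm(rname TEXT, perm TEXT);
CREATE TABLE user_role(username TEXT, rname TEXT);
CREATE TABLE role_hier(senior TEXT, junior TEXT);
CREATE TABLE loan(id INTEGER PRIMARY KEY, created_by TEXT, approved_by TEXT);
INSERT INTO role_perm VALUES ('loan_officer','create_loan'),('branch_manager','approve_loan');
INSERT INTO role_hier VALUES ('branch_manager','loan_officer'),('loan_officer','teller');
INSERT INTO user_role VALUES ('alice','loan_officer'),('bob','branch_manager'),('carol','teller');
"""

# Step 2 policy (role hierarchy): a user holds a permission if any assigned role,
# or any role reachable below it in the hierarchy, is assigned that permission.
HAS_PERM = """
WITH RECURSIVE reach(rname) AS (
  SELECT rname FROM user_role WHERE username = ?
  UNION
  SELECT h.junior FROM role_hier h JOIN reach r ON h.senior = r.rname)
SELECT 1 FROM role_perm rp JOIN reach r ON rp.rname = r.rname WHERE rp.perm = ?;
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def has_perm(db, username, perm):
    return db.execute(HAS_PERM, (username, perm)).fetchone() is not None

def create_loan(db, username):
    """Returns the new loan id, or None if the user lacks 'create_loan'."""
    if not has_perm(db, username, "create_loan"):
        return None
    return db.execute("INSERT INTO loan(created_by) VALUES (?)", (username,)).lastrowid

def approve_loan(db, loan_id, username):
    """Step 3 policy (separation of duty, enforced at approval time): the approver
    needs 'approve_loan' and must not be the loan's creator; the loan must be unapproved.
    Returns True if the approval was recorded, False if the policy denied it."""
    if not has_perm(db, username, "approve_loan"):
        return False
    cur = db.execute(
        "UPDATE loan SET approved_by = ? WHERE id = ? AND approved_by IS NULL AND created_by <> ?",
        (username, loan_id, username))
    return cur.rowcount == 1
```

Because the constraint lives in the WHERE clause of the UPDATE, the check and the state change happen in one statement, so there is no window between the policy test and the write.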
URI: http://140.113.39.130/cdrfb3/record/nctu/#NT890396004
http://hdl.handle.net/11536/67022
Appears in collection: Theses