以 RBAC 為基礎建構網頁存取控管機制

Abstract

以職務為基礎的執行權管制 (Role-Based Access Control，簡稱RBAC)，是以職務概念為核心，建立使用者對資訊資源執行權限的管理，為一套符合企業需求，同時兼顧組織層級架構與權責區分的存取權限控管機制。然而，要將 RBAC 機制導入現有 web-based 的企業資訊系統，卻常常面臨系統難以整合的困境。因此，本論文針對導入 RBAC機制於現有 web-based 系統為主題，分析 web 應用程式的發展模式，開發出具有 RBAC 精神的存取控制模組 (稱為 Role Capabilities Access Module，簡稱為RCAM)，以整合企業應用系統的存取控管，展現 RBAC 卓越的功能與效用。 藉由本論文所開發的 RCAM存取控管模組，可於網站底層建構「單一網頁的職能存取控管機制」(Page-based Role Capabilities Access Control)，提供個別網頁的權限控管，以強化企業資訊系統的安全。採用單一網頁 (Page-based) 作為存取控管單位的好處，除了可以完全控管系統的的每個物件，達成高安全性外，還可透過職務資訊的收集與整理，進行職務屬性的使用者行為分析，輔助資訊系統的稽核。最後，本論文以保險公司與 IC 設計公司作為案例，來探討 RCAM 的可行性，並提出導入 RCAM 的策略與方法，作為實作上的參考。

RBAC (Role-Based Access Control) is an access control model that is most applicable in the organizational context. It is, however, hard to implement the model with popular web-based systems. The main purpose of this thesis is to design a methodology for embedding RBAC implementations into web-based systems. The author has programmed a computer code, called Role Capabilities Access Module (RCAM), as the basic unit to be integrated into web systems. The author uses RCAM in the bottom layer of web sites to achieve page-based access control. In other words, access control in such systems is done on a page-by-page base. As such, two advantages are achieved: (1) Access control is implemented in the most strict sense; (2) Role information about users is retained in log trails, which can be used to support analysis of users’ behavior. Finally, the author has studied two cases—one for an IC design company and the other for an insurance company—to demonstrate the operability of the RCAM code in various application domains.