以工作為基礎的存取控制之權責區分授權準則設計

Designing Authorization Rules for Separation of Duty in Task-based Access Control

10.6382/JIM.200107.0061

劉敦仁(Duen-Ren Liu)；吳美玉(Mei-Yu Wu)；黃景彰(Jing-Jang Hwang)

角色為基礎的存取控制 ； 工作為基礎的存取控制 ； 授權準則 ； 權責區分 ； Role-based Access Control ； Task-based Access Control ； Separation of Duty ； Authorization Rules

資訊管理學報

8卷1期（2001 / 07 / 01）

61 - 80

繁體中文

以「角色為基礎的存取控制」主要是依據權責衝突的角色，來建立授權準則以達到權責區分之目的。然而為因應企業環境之改變，企業之運作需提供有效的工作管理與工作為基礎的存取控制，因此若僅以角色為基礎的機制，並無法有效的管理企業之工作。近來雖已有以角色與工作為基礎的存取控制之研究，但並未探討權責區分授權準則或是僅為原來以角色為基礎的存取控制之簡單延伸，並未從工作之間不同的權責關係考量權責區分之授權準則。本研究提出新的分析觀點，從企業制訂規劃工作的角度，分析與定義不同的工作權責衝突關係，包括制衡、督導查核與非獨攬性等，並依據所定義的工作權責衝突關係來探討使用者、角色與工作之授權及指派，進而設計授權準則以達到在角色與工作為基礎的存取控制模式中之權責區分。本研究不僅定義新的工作權責關係，更推導出符合工作權責關係之新的授權準則，包括督導查核及相依執行等權責區分準則。

Mutual-exclusive roles are the basis for designing authorization rules to achieve separation of duty in role-based access control (RBAC) models. However, current RBAC models are not adequate to provide effective management of tasks within enterprises. Although research has been done in the context of role and task-based access control, there has been little work on the design of authorization rules to achieve separation of duty in this context. The designed authorization rules are merely simple extensions from the authorization rules of RBAC models. In addition, different duty-relationships among tasks are not considered. This work presents a novel view to analyze different duty-relationships among tasks from the aspect of how enterprises design and plan tasks. Several kinds of duty-conflict tasks are defined to represent various duty-relationships such as balancing, supervising and non-arbitrary relationships among tasks. Moreover, authorization rules for assigning tasks to roles and users are designed to achieve separation of duty. The proposed work not only defines new duty-conflict tasks but also deduces new authorization rules to achieve variations of separation of duty including supervision-based and execution-dependent separation of duty, etc.

1. Barkley, John(1995).First ACM Workshop on Role Based Access Control.
2. Bertino, Elisa,Ferrari, Elena,Atluri, Vijayalakshmi(1997).RBAC 97 Workshop.
3. Ferraiolo, David F.,Cugini, Janet A.,Kuhn, Richard D.(1996).Proceedings of 11th Annual Computer Security Application Conference.IEEE Computer Society Press.
4. Ferraiolo, David,Kuhn, Richard(1992).Proceedings of 15th NIST-NCSC National Computer Security Conference.
5. Giuri, Luigi,Lglio, Pietro(1996).Proceedings 12th Annual Computer Security Applications Conference.
6. Gligor, Virgil D.,Gavrila, Serban I.,Ferraiolo, David(1998).Proceedings of IEEE Symposium on Security and Privacy.IEEE Computer Society.
7. Gustafsson, Mats,Deligny, Benoit,Shahmehri, Nahid(1997).Proceedings of IEEE 6th Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises.
8. Nash, Michael J.,Poland, Keith R.(1990).Proceedings of IEEE Computer Society Symposium on Security and Privacy.IEEE Computer Society Press.
9. Sandhu, Ravi S.,Coyne, Edward J.,Feinstein, Hal L.,Youman, Charles E.(1996).Role-Based Access Control Models.IEEE Computer,29(2)
10. Sandhu, Ravi,Munawer, Qamar(1998).ACSAC98 conference.
11. Schier, Kathrin(1998).14th Annual Computer Security Applications Conference.
12. Simon, Richard T.,Zurko, Mary Ellen(1997).10th Computer Security Foundations Workshop.
13. Thomas, R. K.,Sandhu, R. S.(1997).Proceedings of the IFIP WG11.3 Workshop on Database Security.
14. 吳美玉 Wu, Mei-Yu(1999)。設計授權準則以達到在工作為基礎的存取控制模式中之權責區分。國立交通大學資訊管理研究所。