In a role-based access control (RBAC) system, effectively reducing unnecessary roles is important for lowering system complexity. As organizations grow and workflows become more complex, the number of roles and permissions increases, making design and maintenance more difficult. In a hierarchical RBAC system, senior roles inherit the permissions of junior roles. In practice, however, because of differing workflows and other security constraints, a senior role cannot always hold all the permissions of its junior roles, so inheritance may need to be scoped. We incorporate object-oriented concepts into the design and classify system permissions by their scope of use. Our role-inheritance scheme restricts the scope within which a particular permission may be used, expressed as a security level, so that such a permission is not inherited upward unconditionally and no new roles have to be created to handle permissions that cannot be inherited. The method is simple and reduces the number of roles.
It is important to reduce unnecessary roles in order to reduce the complexity of an RBAC system. In a large enterprise with complex workflows, there are a large number of roles and permissions that are difficult to design and manage. In a hierarchical RBAC system, senior roles inherit junior roles' permissions. In the real world, however, a senior role may not be allowed to hold all the permissions of its junior roles, because of the different tasks performed or other security constraints. It is therefore desirable to define the scope of permission inheritance. We propose using object-oriented concepts to classify permissions by their scopes. The scope of a permission is specified both by inheritance and by a security level, so a permission cannot be inherited unconditionally, and no additional roles need to be created to handle permissions that cannot be inherited. This method is simple and reduces the number of roles.
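The following is an added illustration of scoped inheritance, not code from the paper: it assumes that each role carries a numeric security level, that each permission carries a "ceiling" level above which it stops propagating up the hierarchy (None meaning classic unconditional inheritance), and uses a constructed Engineer / ReleaseManager / CTO hierarchy as sample data.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Permission:
    """A permission together with its inheritance scope.

    ceiling is the highest role security level allowed to inherit it
    (assumed model); None means unconditional inheritance as in
    classic hierarchical RBAC.
    """
    name: str
    ceiling: Optional[int] = None


@dataclass
class Role:
    name: str
    level: int                                    # security level; seniors are higher
    direct: set = field(default_factory=set)      # permissions assigned directly
    juniors: list = field(default_factory=list)   # roles this role is senior to


def held_permissions(role: Role, scoped: bool = True) -> set:
    """Permissions a role holds directly or through its junior roles.

    With scoped=True a permission stops propagating at the first senior
    role whose level exceeds the permission's ceiling, so no extra role
    is needed to hold the non-inheritable permission. With scoped=False
    everything is inherited unconditionally (the classic behaviour).
    """
    held = set(role.direct)
    for junior in role.juniors:
        for perm in held_permissions(junior, scoped):
            if not scoped or perm.ceiling is None or role.level <= perm.ceiling:
                held.add(perm)
    return held


def effective_names(role: Role, scoped: bool = True) -> set:
    return {p.name for p in held_permissions(role, scoped)}


def build_example() -> dict:
    """Constructed sample hierarchy: Engineer < ReleaseManager < CTO."""
    engineer = Role("Engineer", 1, {Permission("commit_code")})
    release_mgr = Role("ReleaseManager", 2,
                       {Permission("sign_release", ceiling=2)}, [engineer])
    cto = Role("CTO", 3, {Permission("approve_budget")}, [release_mgr])
    return {"Engineer": engineer, "ReleaseManager": release_mgr, "CTO": cto}
```

Under scoped inheritance the CTO receives commit_code from the Engineer but not sign_release, whose ceiling of 2 stops it at the ReleaseManager; with scoped=False the CTO would receive both.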