存取控制是資訊安全重要的一環,控制著如何讓使用者可以在適當的情境下,合法地 獲得權限來存取資源。在企業裏由於使用的資訊系統越來越多,權限的設定也越來越複 雜,例如在團隊的權限設定上可能需要新的方法,因為團隊是有特定目標的組織,且由多 人所組成,因此不容易使用現有的存取控制方法。 因為團隊的組成有成員及其目標屬性,故本論文基於團隊的這些特性上提出一個新的 權限模型。也就是在原本的 Attribute RBAC 上,提出一個新的團隊模型 Team RBAC。使 用者可以先定義團隊的目標,以及團隊成員組成時的一些限制屬性,設定好團隊模型後, 然後系統判斷團隊的組成是否成立,若系統判斷團隊成立,才給予團隊的權限。使用了 Team RBAC 後,因可随時修改團隊的屬性,減少了人為的判斷,使用者因此獲得更加方 便的管理。 我們並使用兩個實例來介紹 Team RBAC 的應用,一個是線上遊戲的打寶團隊組成、 一個是在公司的 ISO 稽核團隊應用。我們並依此實作出一個 Demo 程式,示範如何在線 上遊戲系統中使用這個團隊模型。
Access control is an important part of information security. It decides how a user can legally obtain permission to access resources in appropriate situations. Because more information systems are deployed in a models enterprise, it become more complicated to set permissions. For example we may need new methods to set the permissions of a team. Since a team has specific targets and is composed of people, it may be difficult to use currently available access control methods. Since a team is composed of the team members and has target attributes, we proposed a new permissions model based on these team characteristics. The model, called Team RBAC, is based on Attribute RBAC. A user can define the team's targets, the team member’s attributes and limitations, then the system can decide whether a team can be composed. The team will be given permissions if it is composed. Team RBAC has the advantages that it allows a more convenient management and can be more flexibly applied, because in Team RBAC, the attributes of a team can be dynamically modified. Two examples were presented to demonstrate possible applications of Team RBAC, one is an online game play treasure team composition, and the other is ISO audit team composition for a company. We also implemented a prototype system to show how an online gaming system can use Team RBAC model.