Role-Based Access Control for the Web

John F. Barkley, D. Richard Kuhn, Lynne S. Rosenthal, Mark W. Skall, and Anthony V. Cincotta
National Institute of Standards and Technology, Gaithersburg, Maryland 20899

ABSTRACT

Establishing and maintaining a presence on the World Wide Web (Web), once a sideline for U.S. industry, has become a key strategic aspect of marketing and sales. Many companies have demonstrated that a well-designed Web site can have a positive effect on their profitability. Enabling customers to answer their own questions by clicking their way through Web pages, instead of dealing with operators and voice response systems, increases the efficiency of the customer interface.

One of the most challenging problems in managing large networked systems is the complexity of security administration. This is particularly true for organizations that are attempting to manage security in distributed multimedia environments such as those using World Wide Web services. Today, security administration is costly and prone to error because administrators usually specify access control lists for each user on the system individually. Role-based access control (RBAC) is a technology that is attracting increasing attention, particularly for commercial applications, because of its potential for reducing the complexity and cost of security administration in large networked applications. The concept and design of RBAC is well suited for use on both intranets and the Internet. It provides a secure and effective way to manage access to an organization's Web information.

This paper describes a research effort to develop RBAC on the Web. The security and software components that provide RBAC for networked servers using Web protocols have been implemented and are described in this paper. The RBAC components can be linked with commercially available Web servers and require no modification of the server software.

Introduction

Establishing and maintaining a presence on the World Wide Web (Web), once a sideline for U.S. industry, has become a key strategic aspect of marketing and sales. Many companies have demonstrated that a well-designed Web site can have a positive effect on their profitability. Enabling customers to answer their own questions by clicking their way through Web pages, instead of dealing with operators and voice response systems, increases the efficiency of the customer interface. Companies are seizing the Web as a swift way to streamline, even transform, their organizations.

More recently, companies have begun using Web technology to serve the public as well as private and internal clients. Web sites are set up to segregate some information from the general public, providing it only to selected or "private" clients. Typically, such private areas of a public Internet site are cordoned off from the general public by requiring user accounts and passwords. Additionally, Web sites are now running inside the company, often created for and by employees. These internal private nets, or "intranets", use the infrastructure and standards of the Internet and the World Wide Web but are cordoned off from the public Internet by firewalls.

The Web can be used as an inexpensive yet powerful alternative to other forms of communication. A plethora of corporate information (e.g., procedures, training materials, directories, forms) can be converted to electronic form and made available via the Web. With a single source for these materials, the cost of maintenance is significantly reduced, while the task of ensuring currency is greatly simplified. Thus an objective of enterprise computing, the creation of a company-wide system irrespective of the underlying information technology infrastructure, can be fulfilled.

Although the Internet and intranets can offer great benefits to a company or government agency, security threats remain. To date, net enthusiasts tend to focus on how to link people and businesses, not on using the network as a way to run and manage businesses securely. Although existing Web servers can effectively provide all-or-nothing access to a particular Web site, and a number of popular Web servers can even provide fairly fine-grained access control, they provide very primitive tools to administer these controls from the perspective of a single enterprise.

This paper describes the benefits of RBAC and an implementation of RBAC on the Web (RBAC/Web), in particular as RBAC applies to an intranet computing environment. This will provide Web administrators, for the first time, with a capability to centrally administer and regulate user access to information in a manner that is consistent with the current set of laws, regulations, and practices that face their business today. Although this paper focuses on intranets, the benefits, concepts, and implementation of RBAC/Web are also applicable to a company's Internet environment where restricted access to information is desired.

RBAC Description

Role-based access control (RBAC) [1, 2, 3, 4, 5] is an alternative to traditional discretionary (DAC) and mandatory access control (MAC) policies that is attracting increasing attention [6], particularly for commercial applications. The principal motivation behind RBAC is the desire to specify and enforce enterprise-specific security policies in a way that maps naturally to an organization's structure. Traditionally, managing security has required mapping an organization's security policy to a relatively low-level set of controls, typically access control lists. With RBAC, security is managed at a level that corresponds closely to the organization's structure. Each user is assigned one or more roles, where roles are based on the user's job responsibilities and competencies in the organization. Each role is assigned one or more privileges (e.g., information access, deletion, creation); see Figure 1. It is a user's membership in roles that determines the privileges the user is permitted to exercise. Security administration with RBAC consists of determining the operations that must be executed by persons in particular jobs, and assigning employees to the proper roles. The RBAC framework provides for mutually exclusive roles as well as roles having overlapping responsibilities and privileges. For example, some general operations may be allowed by all employees, while other
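The user-to-role and role-to-privilege mappings described above, together with the mutually exclusive and overlapping roles the paper mentions, are small enough to show in working code. The following is an added example written for this edit; it is not code from the paper and not part of the RBAC/Web implementation. The role names, the intranet resource paths, and the rule that an auditor may not also be a ledger clerk are constructed assumptions chosen for illustration. It goes slightly beyond the text in one respect: the mutual-exclusion rule is enforced at role-assignment time, so a conflicting assignment is rejected rather than merely documented.

```python
"""Minimal RBAC engine: users -> roles -> privileges, with mutually
exclusive roles. Added illustration; not the paper's RBAC/Web code."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Privilege:
    """One permitted operation on one resource, e.g. ("read", "/intranet/hr/")."""
    operation: str
    resource: str


class RBAC:
    def __init__(self) -> None:
        self._role_privs: dict[str, set[Privilege]] = {}      # role -> privileges
        self._user_roles: dict[str, set[str]] = {}            # user -> roles
        self._exclusive: set[frozenset[str]] = set()          # pairs that may not be co-held

    def add_role(self, role: str, privileges=()) -> None:
        self._role_privs.setdefault(role, set()).update(privileges)

    def declare_mutually_exclusive(self, role_a: str, role_b: str) -> None:
        for r in (role_a, role_b):
            if r not in self._role_privs:
                raise KeyError(f"unknown role {r!r}")
        self._exclusive.add(frozenset((role_a, role_b)))

    def assign_role(self, user: str, role: str) -> None:
        """Add a user to a role, refusing if it conflicts with a role already held."""
        if role not in self._role_privs:
            raise KeyError(f"unknown role {role!r}")
        held = self._user_roles.setdefault(user, set())
        for existing in held:
            if frozenset((existing, role)) in self._exclusive:
                raise ValueError(f"{user!r} holds {existing!r}, which excludes {role!r}")
        held.add(role)

    def revoke_role(self, user: str, role: str) -> None:
        self._user_roles.get(user, set()).discard(role)

    def privileges_of(self, user: str) -> set[Privilege]:
        """Union of the privileges of every role the user is a member of."""
        return set().union(*(self._role_privs[r] for r in self._user_roles.get(user, ())))

    def check(self, user: str, operation: str, resource: str) -> bool:
        """The access decision: allowed only if some held role grants the privilege."""
        return Privilege(operation, resource) in self.privileges_of(user)


def build_sample_policy() -> RBAC:
    """Constructed policy for an intranet (assumed paths and role names)."""
    rbac = RBAC()
    directory = Privilege("read", "/intranet/directory/")
    hr_read = Privilege("read", "/intranet/hr/records/")
    ledger_read = Privilege("read", "/intranet/finance/ledger/")
    # "employee" and "hr_clerk" overlap: both may read the directory.
    rbac.add_role("employee", {directory, Privilege("read", "/intranet/procedures/")})
    rbac.add_role("hr_clerk", {directory, hr_read, Privilege("create", "/intranet/hr/records/")})
    rbac.add_role("auditor", {ledger_read})
    rbac.add_role("ledger_clerk", {ledger_read, Privilege("create", "/intranet/finance/ledger/")})
    # Assumed policy: whoever audits the ledger must not be able to post to it.
    rbac.declare_mutually_exclusive("auditor", "ledger_clerk")
    rbac.assign_role("alice", "employee")
    rbac.assign_role("alice", "hr_clerk")
    rbac.assign_role("bob", "employee")
    rbac.assign_role("bob", "auditor")
    return rbac


def run_scenario() -> dict[str, bool]:
    """Exercise the policy; returns named outcomes so they can be checked."""
    rbac = build_sample_policy()
    out = {
        "alice_reads_hr": rbac.check("alice", "read", "/intranet/hr/records/"),
        "bob_reads_hr": rbac.check("bob", "read", "/intranet/hr/records/"),
        "bob_reads_ledger": rbac.check("bob", "read", "/intranet/finance/ledger/"),
    }
    try:
        rbac.assign_role("bob", "ledger_clerk")   # conflicts with "auditor"
        out["bob_got_ledger_clerk"] = True
    except ValueError:
        out["bob_got_ledger_clerk"] = False
    # Revoking a role changes the user's privileges without editing any per-resource ACL.
    rbac.revoke_role("alice", "hr_clerk")
    out["alice_reads_hr_after_revoke"] = rbac.check("alice", "read", "/intranet/hr/records/")
    return out


if __name__ == "__main__":
    for name, allowed in run_scenario().items():
        print(f"{name}: {allowed}")
```

The administrative point the paper makes is visible in `revoke_role`: removing Alice from `hr_clerk` withdraws her HR access in one operation, and no access control list on any individual resource has to be touched. In a real deployment the privilege set would be keyed by the Web server's resource identifiers (URL paths) and the `check` call would sit in front of the request handler.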