
Appendix A: English Original

Role-Based Access Control for the Web

John F. Barkley, D. Richard Kuhn, Lynne S. Rosenthal, Mark W. Skall, and Anthony V. Cincotta

National Institute of Standards and Technology, Gaithersburg, Maryland 20899

ABSTRACT

Establishing and maintaining a presence on the World Wide Web (Web), once a sideline for U.S. industry, has become a key strategic aspect of marketing and sales. Many companies have demonstrated that a well-designed Web site can have a positive effect on their profitability. Enabling customers to answer their own questions by clicking their way through Web pages, instead of dealing with operators and voice response systems, increases the efficiency of the customer interface.

One of the most challenging problems in managing large networked systems is the complexity of security administration. This is particularly true for organizations that are attempting to manage security in distributed multimedia environments such as those using World Wide Web services. Today, security administration is costly and prone to error because administrators usually specify access control lists for each user on the system individually.

Role-based access control (RBAC) is a technology that is attracting increasing attention, particularly for commercial applications, because of its potential for reducing the complexity and cost of security administration in large networked applications. The concept and design of RBAC is perfectly suited for use on both intranets and internets. It provides a secure and effective way to manage access to an organization's Web information. This paper describes a research effort to develop RBAC on th…

Introduction

Establishing and maintaining a presence on the World Wide Web (Web), once a sideline for U.S. industry, has become a key strategic aspect of marketing and sales. Many companies have demonstrated that a well-designed Web site can have a positive effect on their profitability. Enabling customers to answer their own questions by clicking their way through Web pages, instead of dealing with operators and voice response systems, increases the efficiency of the customer interface. Companies are seizin…

More recently companies have begun using web technology to service the public as well as private and internal clients. Web sites are set up to segregate some information from the general public, providing it to only selected or "private" clients. Typically, public internet is cordoned off from the general public by having user accounts and passwords. Additionally, Web sites are now running inside the company often created for and by employees. These internal private nets or "intranets" use the i…

The Web can be used as an inexpensive yet powerful alternative to other forms of communications. A plethora of corporate information (e.g., procedures, training materials, directories, forms) can be converted to electronic form and made available via the Web. With a single source for these materials the cost of maintenance is significantly reduced, while greatly simplifying the task of ensuring currency. Thus an objective of enterprise computing, creation of a company-wide system irrespective of…

Although the internet and intranets can offer great benefits to a company or government agency, security threats remain. To date net enthusiasts tend to focus on how to link people and businesses, not on using the network as a way to run and manage businesses securely. Although existing Web servers can effectively provide all or nothing access to a particular Web site and a number of popular Web servers can even provide fairly fine-grained access control, they provide very primitive tools to adm…

This paper describes the benefits of RBAC and an implementation of RBAC on the Web (RBAC/Web), and in particular as RBAC applies to an intranet computing environment. This will provide Web administrators with a capability for the first time to centrally administer and regulate user access to information in a manner that is consistent with the current set of laws, regulations, and practices that face their business today. Although this paper focuses on intranets, the benefits, concepts and implem…

RBAC Description

Role-based access control (RBAC) [1], [2], [3], [4], [5] is an alternative to traditional discretionary (DAC) and mandatory access control (MAC) policies that is attracting increasing attention [6], particularly for commercial applications. The principal motivation behind RBAC is the desire to specify and enforce enterprise-specific security policies in a way that maps naturally to an organization's structure. Traditionally, managing security has required mapping an organization's security polic…

With RBAC, security is managed at a level that corresponds closely to the organization's structure. Each user is assigned one or more roles, where roles are based on the user's job responsibilities and competencies in the organization. Each role is assigned one or more privileges (e.g., information access, deletion, creation), see Figure 1. It is a user's membership in roles that determines the privileges the user is permitted to perform. Security administration with RBAC consists of determinin…

The RBAC framework provides for mutually exclusive roles as well as roles having overlapping responsibilities and privileges. For example, some general operations may be allowed by all employees, while other operations may be specific to a role. Role hierarchies are a natural way of organizing roles within an organization and defining the relationship and attributes of the roles. Complexities introduced by mutually exclusive roles or role hierarchies as well as regulating who can perform what ac…

Separation of Duty

RBAC mechanisms can be used by a system administrator in enforcing a policy of separation of duties. Separation of duties is considered valuable in deterring fraud since fraud can occur if an opportunity exists for collaboration between various job related capabilities. Separation of duty requires that for particular sets of transactions, no single individual be allowed to execute all transactions within the set. The most commonly used examples are the separate transactions needed to initiate a …

We define static separation of duty to mean that roles which have been specified as mutually exclusive cannot both be included in a user's set of authorized roles. With dynamic separation of duty, users may be authorized for two roles that are mutually exclusive, but cannot have both roles active at the same time. In other words, static separation of duty enforces the mutual exclusion rule at the time an administrator sets up role authorizations, while dynamic separation of duty enforces the rul…

Role Administration and Visualization

The roles are established, manipulated and viewed using the RBAC/Web Admin tool. The Admin tool allows system administrators to create and define roles, role hierarchies, relationships and constraints. Once the RBAC framework is established for the organization, the principal administrative actions are the granting and revoking of users into and out of roles as job assignments dictate. These maintenance tasks are easily performed using the Admin tool.

Additionally, the Admin tool is being enhanced to utilize the Virtual Reality Modeling Language (VRML, pronounced 'vermal'). VRML is an interactive, inter-networked, 3D graphics language for the Web. It is used to represent graphics, text, sound, and links to other content as either a static or dynamic picture on the Web. The inclusion of VRML into RBAC lets system administrators use an interactive computer model to check and validate the role structure, relationship, and privileges. Being able …

The VRML component will enable authorized users to navigate the RBAC database, finding and linking roles, and displaying attributes and graphics associated with those roles. By presenting a 3D model of established roles, the user can easily see which roles are mutually exclusive as well as the hierarchical structure of related roles and conflicts between roles (see Figure 2). VRML's navigational controls allow the user to interactively 'walk-through' and manipulate the view perspective of the 3…

RBAC Example

Consider the branch office of a bank. In this environment, there are roles such as branch manager, teller, and account representative, as illustrated in Figure 2.

The graph structure shows role hierarchy. The role financial_advisor inherits the role account_rep. An individual authorized for the role financial_advisor is permitted to perform all of the operations permitted to an individual authorized for the role account_rep. Thus, an individual in the role of financial_advisor is able to create and remove accounts. Because account representatives, branch managers, internal auditors, and tellers are all employees of the bank, their corresponding roles inhe…

In Figure 2, the role account_rep is highlighted, appearing as a dark sphere, in order to show the other role relationships for account_rep. The roles teller and account_holder are shown as yellow rectangular solids to indicate that these roles have a "Dynamic Separation of Duties" (DSD) relationship with the role account_rep. This relationship is a conflict of interest relationship indicating that an individual acting in the role of account_rep cannot also be acting in either of the roles of ac…

The role internal_auditor is shown in a red hexahedron to indicate that this role has a "Static Separation of Duties" (SSD) relationship with the role account_rep. The SSD relationship is also a conflict of interest relationship like the DSD relationship but much stronger. If two roles have a DSD relationship, then they may both be authorized for an individual but that individual may not act in both roles simultaneously. If two roles have an SSD relationship, then they may not even be authorized …

The new version of the Admin tool using VRML will allow us to represent conflicts of interest and other relationships in a more natural way and view the scene from an infinite number of viewpoints. VRML allows complex 3D objects to be created for this purpose. The user can 'enter' a selected role and explore several levels of detail (i.e., information) associated with that role. In addition, the sound capabilities of VRML can be utilized to give audio warnings when roles are used which cause con…
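The bank example above, with its role hierarchy and its SSD and DSD relationships, can be written down as a small reference monitor. This is an added example, not code from RBAC/Web or the paper's authors: the class, method and operation names are hypothetical, and it assumes that separation-of-duty constraints also apply to roles a user holds through inheritance.

```python
class SeparationOfDutyError(Exception):
    """Raised when an SSD or DSD constraint would be violated."""

class RBAC:
    def __init__(self, parents, permissions, ssd, dsd):
        self.parents = parents          # role -> roles it inherits
        self.permissions = permissions  # role -> operations granted directly
        self.ssd = [frozenset(p) for p in ssd]  # never authorized together
        self.dsd = [frozenset(p) for p in dsd]  # never active together
        self.authorized = {}            # user -> roles granted by the administrator
        self.active = {}                # user -> roles active in the session

    def closure(self, roles):
        """Return the given roles plus every role they inherit, transitively."""
        seen, stack = set(), list(roles)
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.parents.get(role, ()))
        return seen

    def _conflict(self, roles, pairs):
        # Assumption: a constraint on a role also binds roles that inherit it.
        effective = self.closure(roles)
        return next((p for p in pairs if p <= effective), None)

    def authorize(self, user, role):
        """Static SoD: checked when the administrator sets up authorizations."""
        wanted = self.authorized.get(user, set()) | {role}
        pair = self._conflict(wanted, self.ssd)
        if pair:
            raise SeparationOfDutyError(f"SSD: {sorted(pair)} for {user}")
        self.authorized[user] = wanted

    def activate(self, user, role):
        """Dynamic SoD: checked when the user selects a role for a session."""
        if role not in self.closure(self.authorized.get(user, set())):
            raise PermissionError(f"{user} is not authorized for {role}")
        wanted = self.active.get(user, set()) | {role}
        pair = self._conflict(wanted, self.dsd)
        if pair:
            raise SeparationOfDutyError(f"DSD: {sorted(pair)} for {user}")
        self.active[user] = wanted

    def deactivate(self, user, role):
        self.active.get(user, set()).discard(role)

    def permitted(self, user, operation):
        roles = self.closure(self.active.get(user, set()))
        return any(operation in self.permissions.get(r, ()) for r in roles)

def bank_policy():
    """Branch-office policy from the text; operation names are constructed."""
    parents = {
        "financial_advisor": ["account_rep"],
        "account_rep": ["employee"], "branch_manager": ["employee"],
        "internal_auditor": ["employee"], "teller": ["employee"],
    }
    permissions = {"account_rep": {"create_account", "remove_account"}}
    ssd = [("internal_auditor", "account_rep")]
    dsd = [("account_rep", "teller"), ("account_rep", "account_holder")]
    return RBAC(parents, permissions, ssd, dsd)
```

A user authorized for both financial_advisor and teller can use either role, but must deactivate one before activating the other; a request to add internal_auditor to that user is refused at authorization time.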

RBAC for World Wide Web Applications

Role Based Access Control (RBAC) for the World Wide Web (RBAC/Web) is an implementation of RBAC for use by World Wide Web (Web) servers. Because RBAC/Web places no requirements on a browser, any browser that can be used with a particular Web server can be used with that server enhanced with RBAC/Web. RBAC/Web is implemented for both UNIX (e.g., for Netscape, NCSA, CERN, or Apache servers) and Windows NT (e.g., for Internet Information Server, WebSite, or Purveyor) environments.

Components of RBAC/Web are shown in Table 1. RBAC/Web for UNIX uses all of the components in Table 1. Because built-in NT security mechanisms are closely compatible with RBAC, the NT version uses only the Database, Session Manager, and Admin Tool components. RBAC/Web for NT requires no modification of Web server internals or access to source code. With RBAC/Web for UNIX, there are two ways to use RBAC/Web with a UNIX Web server.

The simplest way is by means of the RBAC/Web CGI. The RBAC/Web CGI can be used with any existing UNIX server without modifying its source code. RBAC URLs are passed through the Web server and processed by the RBAC/Web CGI. RBAC/Web configuration files map URLs to file names, while providing access control based on the user's roles. Installation of the RBAC/Web CGI is similar to the installation of the Web server.

Appendix B: Chinese Translation

Role-Based Access Control in the Web Environment

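John F. Barkley, D. Richard Kuhn, Lynne S. Rosenthal, Mark W. Skall, and Anthony V. Cincotta

National Institute of Standards and Technology, Gaithersburg, Maryland 20899

Abstract

Establishing and maintaining a presence on the World Wide Web (Web), once a sideline for U.S. industry, has become a key part of marketing and sales strategy. Many companies have demonstrated that a well-designed Web site can have a positive effect on their profitability. Letting customers find the information they want by working through Web pages, instead of dealing with operators or voice response systems, increases the efficiency of the customer interface.

One of the most challenging problems in managing large networked systems is the complexity of security administration, particularly for organizations that are trying to manage security in multimedia environments using World Wide Web servers. Today, security administration is costly and error-prone because administrators usually specify access control lists individually for each user on the system.

Role-based access control (RBAC) is a technology that is attracting increasing attention, particularly for commercial applications, because of its potential to reduce the complexity and cost of large networked applications. The concept and design of RBAC are well suited to both intranets and the Internet. It provides a secure and effective way to manage access to an organization's Web information. This paper describes an effort to apply RBAC on the World Wide Web. The security and software components that provide RBAC for networked servers using World Wide Web protocols have been implemented and are described in this paper. The RBAC components can be used with commercial Web servers and require no modification of the server software.

Introduction

Establishing and maintaining a presence on the World Wide Web (Web), once a sideline for U.S. industry, has become a key part of marketing and sales strategy. Many companies have demonstrated that a well-designed Web site can have a positive effect on their profitability. Letting customers find the information they want by working through Web pages, instead of dealing with operators or voice response systems, increases the efficiency of the customer interface. Companies are seizing on the Web as a quick way to streamline, and even transform, their organizations.

More and more companies have begun using Web technology to serve the public as well as private and internal clients. Web sites are set up to separate some information from the general public and provide it only to selected or "private" clients. Typically, the public network is cordoned off by means of user accounts and passwords. In addition, Web sites running inside a company are often set up for its employees. These internal private sites, or "intranets", which use the infrastructure and standards of the Internet and the Web, are cordoned off from the public network by firewalls. The Web can be used as an inexpensive yet powerful alternative form of communication. A plethora of corporate information (e.g., procedures, training materials, directories, forms) can be converted to electronic form and made available via the Web. With this single source, the cost of maintaining these materials is significantly reduced, and the task of keeping them current is simplified. In this way, one objective of enterprise computing, the creation of a company-wide system across its distributed information technology systems, can be realized.

Although the Internet and intranets can offer great benefits to a company or government agency, security threats remain. Enthusiasts tend to focus on linking people and businesses, and neglect using the network as a way to run and manage businesses securely. Existing Web servers can effectively provide all-or-nothing access to a particular Web site, and a number of popular Web servers can even provide fairly fine-grained access control, but they provide very primitive tools for administering this control within an individual enterprise.

This paper describes the benefits of RBAC and of an implementation of RBAC on the Web (RBAC/Web), in particular as RBAC applies to an intranet computing environment. For the first time, this gives Web administrators a capability to centrally administer and regulate user access to information in a manner consistent with the laws and regulations they face and with their business requirements. Although this paper focuses on intranets, the benefits, concepts and implementation of RBAC/Web can be applied in a company's Internet environment wherever access to data needs to be restricted.

RBAC Description

Role-based access control (RBAC) is an alternative to traditional discretionary access control (DAC) and mandatory access control (MAC), and it is attracting increasing attention, particularly for commercial applications. The principal motivation behind RBAC is the desire to specify and enforce enterprise-specific security policies in a way that maps naturally to an organization's structure. Traditionally, managing security has required mapping an organization's security policy onto a relatively low-level set of controls, typically access control lists.

With RBAC, security is managed at a level that corresponds closely to the organization's structure. Each user is assigned one or more roles, where roles are based on the user's job responsibilities and competencies in the organization. Each role is assigned one or more privileges (e.g., data access, deletion, creation). It is the user's membership in roles that determines the operations the user is permitted to perform. Security administration with RBAC consists of determining the operations that must be performed by persons in particular jobs and then assigning employees to the proper roles.

The RBAC framework provides for mutually exclusive roles as well as roles with overlapping responsibilities and privileges. For example, some general operations may be allowed to all employees, while other operations may be specific to a role. Role hierarchies are a natural way of organizing roles within an organization and defining the relationships and attributes of the roles. The complexities introduced by mutually exclusive roles or role hierarchies, as well as regulating who can perform what actions, when, from where, in what order, and in some cases under what relational circumstances, are all handled by the RBAC software.

Separation of Duty

RBAC mechanisms can be used by a system administrator to enforce a policy of separation of duties. Separation of duties is considered valuable in deterring fraud, since fraud can occur where related job capabilities offer an opportunity for it. Separation of duty requires that, for particular sets of transactions, no single individual be allowed to execute all of the transactions in the set. The most commonly used example is the separate transactions needed to initiate a payment and to authorize a payment. No single individual should be able to perform both transactions. System administrators can control access at a level of abstraction that is natural to the way the enterprise traditionally conducts business. This is achieved by statically and dynamically regulating users' actions through the establishment and definition of roles, role hierarchies, relationships and constraints.

We define static separation of duty to mean that roles specified as mutually exclusive cannot both be included in a user's set of authorized roles. With dynamic separation of duty, a user may be authorized for two mutually exclusive roles but cannot have both roles active at the same time. In other words, static separation of duty enforces the mutual exclusion rule at the time an administrator sets up role authorizations, while dynamic separation of duty enforces the rule at the time a user selects roles.

Role Administration and Visualization

Roles are established and manipulated using the RBAC/Web Admin tool. The Admin tool allows system administrators to create and define roles, role hierarchies, relationships and constraints. Once the RBAC framework is established for the organization, the principal administrative actions are granting and revoking users' membership in roles as job assignments dictate. These maintenance tasks are easily performed using the Admin tool.

In addition, the Admin tool is being enhanced to use the Virtual Reality Modeling Language (VRML, pronounced 'vermal'). VRML is an interactive, inter-networked 3D graphics language for the Web. It is used to represent graphics, text, sound, and links to other content as either a static or dynamic picture on the Web. Including VRML in RBAC lets system administrators use an interactive computer model to check and validate the role structure, relationships, and privileges. Being able to view and interact with a complex model allows administrators to identify conflicts, eliminate defects, and make improvements early in an RBAC installation.

The VRML component will enable authorized users to navigate the RBAC database, finding and linking roles and displaying the attributes and graphics associated with those roles. By presenting a 3D model of the established roles, the user can easily see which roles are mutually exclusive, as well as the hierarchical structure of related roles and the conflicts between roles. VRML's navigational controls allow the user to interactively "walk through" and manipulate the view perspective of the 3D model, i.e., a scene graph. For example, the scene graph can be rotated to show the "back" of the graph, revealing role relationships that may have been hidden when viewing a "flat" or 2D graph. To improve readability, clarity and flexibility, the role hierarchy is organized into layers, with each layer containing a further level of detail. A role can be opened to reveal related role layers or role information, for example the privileges associated with the role or a list of the users who belong to it.

RBAC Example

Consider the branch office of a bank. In this environment there are roles such as branch manager, teller, and account representative.

The graph structure shows the role hierarchy. The role financial_advisor inherits the role account_rep. An individual authorized for the role financial_advisor is permitted to perform all of the operations permitted to the role account_rep. Thus, an individual authorized for the role financial_advisor is able to create and modify accounts. Because account representatives, branch managers, internal auditors, and tellers are all employees of the bank, their corresponding roles also inherit the employee role.

In Figure 2, the role account_rep is highlighted, appearing as a dark sphere, in order to show its relationships with other roles. The roles teller and account_holder are shown as yellow rectangles to indicate that these roles have a "Dynamic Separation of Duties" (DSD) relationship with the role account_rep. This relationship indicates a conflict of interest: an individual acting in the role account_rep cannot at the same time be acting in either of the roles account_holder or teller. The bank's policy is that account representatives or bank employees may hold accounts at the bank, but such individuals may not work on their own personal accounts while working on other accounts. Similarly, a teller has an open cash drawer that must be balanced when it is closed. An individual acting in the role account_rep, sitting at a desk away from the teller window, is not permitted to act as a teller at the same time, even if authorized for the teller role.

The role internal_auditor is shown as a red hexahedron to indicate that this role has a "Static Separation of Duties" (SSD) relationship with the role account_rep. The SSD relationship is also a conflict of interest relationship like the DSD relationship, but much stronger. If two roles have a DSD relationship, then they may both be authorized for an individual, but that individual may not act in both roles simultaneously. If two roles have an SSD relationship, then they may not both be authorized for the same individual. In this example, the bank's policy is that there is a fundamental conflict of interest between the roles internal_auditor and account_rep, so these two roles may not be authorized for the same individual.

The new version of the Admin tool using VRML will allow us to represent conflicts of interest and other relationships in a more natural way and to view the scene from an unlimited number of viewpoints. VRML allows complex 3D objects to be created for this purpose. The user can "enter" a selected role and explore several levels of detail (i.e., information) associated with that role. In addition, the sound capabilities of VRML can be used to give audio warnings when roles are used in ways that cause conflicts of interest, when improper procedures are used, or when other problems arise.

RBAC for World Wide Web Applications

Role-based access control (RBAC) for the World Wide Web (RBAC/Web) is an implementation of RBAC for use by World Wide Web (Web) servers. Because RBAC/Web places no requirements on a browser, any browser that can be used with a particular Web server can be used with that server enhanced with RBAC/Web. RBAC/Web is implemented for both UNIX (e.g., for Netscape, NCSA, CERN, or Apache servers) and Windows NT (e.g., for Internet Information Server, WebSite, or Purveyor) environments.

Components of RBAC/Web are shown in Table 1. RBAC/Web for UNIX uses all of the components in Table 1. Because the built-in NT security mechanisms are closely compatible with RBAC, the NT version uses only the Database, Session Manager, and Admin Tool components. RBAC/Web for NT requires no modification of Web server internals or access to source code. With RBAC/Web for UNIX, there are two ways to use RBAC/Web with a UNIX Web server.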
