Li Dequan, Ruan Yuzhi, Yang Runzhi, et al. Privilege management model based on RBAC for meteorological data resource service. J Appl Meteor Sci, 2012, 23(5): 614-623.
Citation: Li Dequan, Ruan Yuzhi, Yang Runzhi, et al. Privilege management model based on RBAC for meteorological data resource service. J Appl Meteor Sci, 2012, 23(5): 614-623.

Privilege Management Model Based on RBAC for Meteorological Data Resource Service

  • Received Date: 2011-11-10
  • Rev Recd Date: 2012-05-30
  • Publish Date: 2012-10-31
  • In recent years, Role-Based Access Control (RBAC) is apopular privilege management model at home and abroad, which has a distinct advantage than the other traditional access control technologies such as MAC and DAC.The basic principle of RBAC introduces the concept of role endued with authority between user and privilege, and user is also endued with role.However, RBAC still has its limitations when it comes to applications in meteorological department of CMA with fine-grained data access control, and distinct definition.To meet the growing demand for data sharing, a novel access control management model must be built.According to the requirements and characteristics of meteorological data sharing, a model is proposed for a general solution of data-sharing privilege management and multi-dimensional data-sharing privilege management, which is improved from RBAC model.As a shared data resource, meteorological data have a large number of classifications, with a complex hierarchical structure, and very fine particle size of retrieving. In consideration of these comprehensive characteristics, this model introduces the concept of targeted object dimensions in RBAC on the basis of more flexible rights management mechanisms and calculation formula, which improves the security and flexibility of the data sharing services to meet the needs.This model decomposes the fine-grained access privilege of sources by object dimension, and realizes access control of different levels from coarse-grained to fine-grained. The model can authorize directly not only the role but also the user, which greatly improves the flexibility and scalability.The model has been developed as re-pilot study in China Integrated Meteorological Information Sharing System (CIMISS), which is the key project and the practical application of operational systems involved in the meteorological department. A prototype system is built to verify this model. Its deployment is helpful to manage the data retrieving and information access, and simplifies data authorization, maintenance management process, and improves data security. The model supports general security framework of the meteorological database information services, which prevents unauthorized user to access data. As a result, high stability and good security of the simple privilege management model are achieved, and security management information systems based on this model will play an important role in the meteorological data service in the future operations.
  • Fig. 1  Multi-dimensional role access control model for data resource

    Fig. 2  Multiple properties of data resource

    Fig. 3  Concept of target object dimension

    Fig. 4  Hierarchy of station property for data sourc

    Fig. 5  Framework of multi-objective dimension access controls

    Fig. 6  E-R model of multi-objective dimension access controls

    Table  1  Description of the rights management database

    数据表名称 说明 重要字段
    Users 记录系统用户基本信息 userID:用户ID
    groupID:所属的群组ID
    Roles 记录角色信息 rolesID:角色ID
    rolesName:角色名称
    rolesDesc:角色描述
    UserRoles 存储用户和角色的关系数据 UserRolesID:用户-角色关联ID
    Groups 记录用户所属群组信息 groupID:群组ID
    groupName:群组名称
    groupParentID:上级节点群组ID
    UserGroup 存储用户与群组的关系数据 UserGroupID:用户-群组关联ID
    GroupRoles 存储部门与角色的关系数据 GroupRolesID:群组-角色关联ID
    SubRoles 各个客体维角色分量与角色对应表 subRoleID:角色-维角色分量关联ID
    DimensionRoles 存储每个维度的角色与权限的关系数据 dimenRolesID:维角色分量ID
    dimenRolesName:维角色分量名称
    dimensionID:所属维的ID
    Privilege 记录对数据资源的具体权限 privilegeDataID:权限值ID
    privilegeDesc:权限描述
    DataResource 记录数据资源具体信息,名称、类别、地址等 dataResourceID:资源ID
    dataResName:资源名称
    dataResCategory:资源类型
    dataFileType:资源文件类型
    Operations 记录具体的操作信息,例如增加、修改等 operationID:具体操作ID
    operationName:操作名称
    Dimensions 记录客体维的定义信息 dimensionID:所属维的ID
    semanticDesc:维应用场景描述
    hierarchyXMLFile:客体维层次结构XML文件
    DownLoad: Download CSV
  • [1]
    Sandhu R S, Coyne E J, Feinsteinh L, et al. Role-based access models. IEEE Computer, 1996, 29(2):38-47. doi:  10.1109/2.485845
    [2]
    Crook R, Ince D, Nuseibeh B. Modeling access policies using roles in requirements engineering. Information and Software Technology, 2003, 45(14):979-991. doi:  10.1016/S0950-5849(03)00097-1
    [3]
    杨柳, 危韧勇, 陈传波.一种扩展型基于角色权限管理模型 (E-RBAC) 的研究.计算机工程与科学, 2006, 28(9):126-128. http://www.cnki.com.cn/Article/CJFDTOTAL-JSJK200609041.htm
    [4]
    胡林平. PDM系统中权限管理方法的研究与应用.航空计算技术, 2007, 37(1):84-87. http://cdmd.cnki.com.cn/Article/CDMD-10183-1011100613.htm
    [5]
    刘建圻, 曾碧, 郑秀璋.基于RBAC权限管理模型的改进与应用.计算机应用, 2008, 28(9):2449-2451. http://www.cnki.com.cn/Article/CJFDTOTAL-JSJY200809079.htm
    [6]
    朱磊, 周明辉, 刘天成, 等.一种面向服务的权限管理模型.计算机学报, 2005, 28(4):677-684. http://www.cnki.com.cn/Article/CJFDTOTAL-JSJX20050400Q.htm
    [7]
    陈琛, 陈学广, 王煜, 等.一种基于改进RBAC模型的EIS权限管理框架的研究与实现.计算机应用研究, 2010, 27(10):3855-3858. http://www.cnki.com.cn/Article/CJFDTOTAL-JSYJ201010069.htm
    [8]
    何云强, 李建凤.RBAC中基于概念格的权限管理研究.河南大学学报:自然科学版, 2011, 41(3):308-311. http://www.cnki.com.cn/Article/CJFDTOTAL-HDZR201103019.htm
    [9]
    仪清菊, 高梅, 接连淑, 等.网络与气象信息共享研究.应用气象学报, 2001, 12(1):127-128. http://qikan.camscma.cn/jams/ch/reader/view_abstract.aspx?file_no=20010118&flag=1
    [10]
    王国复, 徐枫, 吴增祥.气象元数据标准与信息发布技术研究.应用气象学报, 2005, 16(1):114-121. http://qikan.camscma.cn/jams/ch/reader/view_abstract.aspx?file_no=20050115&flag=1
    [11]
    吴焕萍, 罗兵, 王维国, 等.GIS技术在决策气象服务系统建设中的应用.应用气象学报, 2008, 19(3):380-384. http://qikan.camscma.cn/jams/ch/reader/view_abstract.aspx?file_no=20080362&flag=1
    [12]
    祝婷, 李湘.WMO信息系统中气象元数据的设计与实现.应用气象学报, 2012, 23(2):238-244. http://qikan.camscma.cn/jams/ch/reader/view_abstract.aspx?file_no=20120213&flag=1
    [13]
    马渝勇, 徐晓莉, 宋智, 等.省级气象信息共享系统的设计与实现.应用气象学报, 2011, 22(4):505-512. http://qikan.camscma.cn/jams/ch/reader/view_abstract.aspx?file_no=20110414&flag=1
    [14]
    王国复, 李集明, 邓莉, 等.中国气象科学数据共享服务网总体设计与建设.应用气象学报, 2004, 15(增刊):10-16. http://www.cnki.com.cn/Article/CJFDTotal-YYQX2004S1002.htm
    [15]
    周峥嵘, 王琤, 何文春.分布式气象元数据同步系统的探索研究.应用气象学报, 2010, 21(1):121-128. http://qikan.camscma.cn/jams/ch/reader/view_abstract.aspx?file_no=20100117&flag=1
    [16]
    高峰, 王国复, 喻雯, 等.气象数据文件快速下载服务系统的设计与实现.应用气象学报, 2010, 21(2):243-249. http://qikan.camscma.cn/jams/ch/reader/view_abstract.aspx?file_no=20100215&flag=1
    [17]
    高峰, 王国复, 孙超, 等.后台管理模式在数据共享平台中的应用.应用气象学报, 2011, 22(3):367-374. http://qikan.camscma.cn/jams/ch/reader/view_abstract.aspx?file_no=20110314&flag=1
    [18]
    苗传海, 卢娟, 张凯, 等.省级公众气象信息服务业务系统.气象与环境学报, 2008, 24(5):48-51. http://www.cnki.com.cn/Article/CJFDTOTAL-LNQX200805011.htm
    [19]
    QX/T 102-2009. 气象资料分类与编码. 气象行业标准 (QX), 2009.
  • 加载中
  • -->

Catalog

    Figures(6)  / Tables(1)

    Article views (2712) PDF downloads(1606) Cited by()
    • Received : 2011-11-10
    • Accepted : 2012-05-30
    • Published : 2012-10-31

    /

    DownLoad:  Full-Size Img  PowerPoint