Li Dequan, Ruan Yuzhi, Yang Runzhi, et al. Privilege management model based on RBAC for meteorological data resource service. J Appl Meteor Sci, 2012, 23(5): 614-623.

Privilege Management Model Based on RBAC for Meteorological Data Resource Service

  • Received Date: 2011-11-10
  • Rev Recd Date: 2012-05-30
  • Publish Date: 2012-10-31
In recent years, Role-Based Access Control (RBAC) has become a popular privilege management model both in China and abroad, with distinct advantages over traditional access control technologies such as MAC and DAC. The basic principle of RBAC is to introduce the concept of a role between user and privilege: privileges are granted to roles, and users are assigned roles. However, RBAC still has limitations when applied in the meteorological departments of CMA, where fine-grained data access control and clearly defined privileges are required. To meet the growing demand for data sharing, a new access control management model must be built. Based on the requirements and characteristics of meteorological data sharing, a model improved from RBAC is proposed as a general solution for data-sharing privilege management and for multi-dimensional data-sharing privilege management. As a shared data resource, meteorological data have a large number of classifications, a complex hierarchical structure, and a very fine retrieval granularity. Taking these characteristics together, the model introduces the concept of target object dimensions into RBAC, on the basis of a more flexible rights management mechanism and a calculation formula, which improves the security and flexibility of data sharing services. The model decomposes the fine-grained access privilege of a resource by object dimension and realizes access control at different levels, from coarse-grained to fine-grained. It can authorize not only roles but also users directly, which greatly improves flexibility and scalability. The model has been developed as a pilot study in the China Integrated Meteorological Information Sharing System (CIMISS), a key project and practical application of operational systems in the meteorological department, and a prototype system is built to verify it.
Its deployment helps manage data retrieval and information access, simplifies data authorization and maintenance management, and improves data security. The model supports a general security framework for meteorological database information services that prevents unauthorized users from accessing data. As a result, the privilege management model is simple, highly stable and secure, and security management information systems based on it will play an important role in future meteorological data service operations.
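To make the abstract's mechanism concrete, the following is an added example (not the paper's or CIMISS's code) of an access decision in a multi-dimensional RBAC model: each target object dimension is a hierarchy, a privilege is scoped to one node per dimension, a grant at a node covers its whole subtree (coarse to fine), and privileges can be attached both to roles and directly to a user. The station and data-type hierarchies, the role and user names, and the operation names are constructed for the example.

```python
from dataclasses import dataclass, field

# Object dimensions as trees (parent -> children). A grant at a node covers the
# whole subtree, which is what lets one policy span coarse to fine granularity.
# These hierarchies are constructed for the example, not taken from the paper.
DIMENSIONS = {
    "station": {
        "china": ["north", "south"],
        "north": ["beijing", "tianjin"],
        "south": ["guangzhou"],
    },
    "datatype": {
        "all": ["surface", "upper-air"],
        "surface": ["temperature", "precipitation"],
    },
}


def covers(dimension, granted, requested):
    """True if `requested` is `granted` itself or a descendant of it."""
    tree = DIMENSIONS[dimension]
    stack = [granted]
    while stack:
        node = stack.pop()
        if node == requested:
            return True
        stack.extend(tree.get(node, ()))
    return False


@dataclass(frozen=True)
class Privilege:
    operation: str   # e.g. "read", "download"
    scope: tuple     # ((dimension, node), ...): one granted node per dimension


def privilege_allows(priv, operation, obj):
    """`obj` maps each dimension to the requested node. The privilege applies only
    if the operation matches and every dimension in its scope covers the request;
    a request that omits a scoped dimension is refused (deny by default)."""
    if priv.operation != operation:
        return False
    return all(dim in obj and covers(dim, node, obj[dim]) for dim, node in priv.scope)


@dataclass
class Policy:
    role_privs: dict = field(default_factory=dict)  # role -> set[Privilege]
    user_roles: dict = field(default_factory=dict)  # user -> set[str]
    user_privs: dict = field(default_factory=dict)  # user -> set[Privilege], direct grants

    def effective(self, user):
        """Union of privileges reached through roles and those granted directly."""
        privs = set(self.user_privs.get(user, ()))
        for role in self.user_roles.get(user, ()):
            privs |= self.role_privs.get(role, set())
        return privs

    def check(self, user, operation, obj):
        return any(privilege_allows(p, operation, obj) for p in self.effective(user))


def build_policy():
    """Constructed sample policy: one regional role plus one direct user grant."""
    north_surface_read = Privilege("read", (("station", "north"), ("datatype", "surface")))
    guangzhou_precip_dl = Privilege("download", (("station", "guangzhou"), ("datatype", "precipitation")))
    return Policy(
        role_privs={"north_analyst": {north_surface_read}},
        user_roles={"li": {"north_analyst"}},
        user_privs={"li": {guangzhou_precip_dl}},
    )


if __name__ == "__main__":
    policy = build_policy()
    # Role grant at "north" covers the finer node "beijing"; "guangzhou" is outside it.
    print(policy.check("li", "read", {"station": "beijing", "datatype": "temperature"}))    # True
    print(policy.check("li", "read", {"station": "guangzhou", "datatype": "temperature"}))  # False
    # Direct user grant applies only to the exact scope it names.
    print(policy.check("li", "download", {"station": "guangzhou", "datatype": "precipitation"}))  # True
    print(policy.check("li", "download", {"station": "beijing", "datatype": "precipitation"}))    # False
```

The decision is a conjunction over dimensions: a privilege must cover the request in every dimension it names, so widening access in one dimension (all stations) never silently widens it in another (all data types). Adding a dimension to the model only adds a tree and a scope entry; the decision logic is unchanged.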
  • Fig. 1  Multi-dimensional role access control model for data resource
  • Fig. 2  Multiple properties of data resource
  • Fig. 3  Concept of target object dimension
  • Fig. 4  Hierarchy of station property for data source
  • Fig. 5  Framework of multi-objective dimension access controls
  • Fig. 6  E-R model of multi-objective dimension access controls

    Table 1  Description of the rights management database

    Table name     | Description                                                        | Key fields
    Users          | Records basic information on system users                          | userID: user ID; groupID: ID of the group the user belongs to
    Roles          | Records role information                                           | rolesID: role ID; rolesName: role name; rolesDesc: role description
    UserRoles      | Stores user-role relationship data                                 | UserRolesID: user-role association ID
    Groups         | Records information on the groups users belong to                  | groupID: group ID; groupName: group name; groupParentID: parent group ID
    UserGroup      | Stores user-group relationship data                                | UserGroupID: user-group association ID
    GroupRoles     | Stores department-role relationship data                           | GroupRolesID: group-role association ID
    SubRoles       | Mapping table between each object-dimension role component and its role | subRoleID: role to dimension-role-component association ID
    DimensionRoles | Stores the role-privilege relationship data for each dimension     | dimenRolesID: dimension role component ID; dimenRolesName: dimension role component name; dimensionID: ID of the dimension it belongs to
    Privilege      | Records the specific privileges on data resources                  | privilegeDataID: privilege value ID; privilegeDesc: privilege description
    DataResource   | Records details of data resources: name, category, address, etc.   | dataResourceID: resource ID; dataResName: resource name; dataResCategory: resource type; dataFileType: resource file type
    Operations     | Records specific operation information, e.g. add, modify           | operationID: operation ID; operationName: operation name
    Dimensions     | Records definition information for object dimensions               | dimensionID: dimension ID; semanticDesc: description of the dimension's application scenario; hierarchyXMLFile: XML file of the object dimension hierarchy
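Table 1 lists the tables and key fields but not how a request is resolved across them. The following added example (not the paper's prototype code) builds an in-memory SQLite copy of the user, group, role and dimension tables from Table 1 and resolves which dimension-role components a user effectively holds, walking the group tree through groupParentID. The column names come from Table 1; the foreign-key columns linking the tables (userID and rolesID in UserRoles, userID and groupID in UserGroup, groupID and rolesID in GroupRoles, rolesID and dimenRolesID in SubRoles), the rule that a group inherits the roles of its ancestor groups, and all sample rows are assumptions of this example. Privilege, DataResource and Operations are omitted because the page does not describe their links.

```python
import sqlite3

# Tables and key fields from Table 1; the linking (foreign-key) columns are assumed.
SCHEMA = """
CREATE TABLE Users          (userID TEXT PRIMARY KEY, groupID TEXT);
CREATE TABLE Roles          (rolesID TEXT PRIMARY KEY, rolesName TEXT, rolesDesc TEXT);
CREATE TABLE UserRoles      (UserRolesID INTEGER PRIMARY KEY, userID TEXT, rolesID TEXT);
CREATE TABLE Groups         (groupID TEXT PRIMARY KEY, groupName TEXT, groupParentID TEXT);
CREATE TABLE UserGroup      (UserGroupID INTEGER PRIMARY KEY, userID TEXT, groupID TEXT);
CREATE TABLE GroupRoles     (GroupRolesID INTEGER PRIMARY KEY, groupID TEXT, rolesID TEXT);
CREATE TABLE SubRoles       (subRoleID INTEGER PRIMARY KEY, rolesID TEXT, dimenRolesID TEXT);
CREATE TABLE Dimensions     (dimensionID TEXT PRIMARY KEY, semanticDesc TEXT, hierarchyXMLFile TEXT);
CREATE TABLE DimensionRoles (dimenRolesID TEXT PRIMARY KEY, dimenRolesName TEXT, dimensionID TEXT);
"""

# Constructed sample data: a two-level group tree, one role granted to the root
# group, one role granted directly to a user.
SAMPLE = """
INSERT INTO Dimensions VALUES ('D_STATION', 'station hierarchy', 'station.xml'),
                              ('D_TYPE', 'data-type hierarchy', 'datatype.xml');
INSERT INTO DimensionRoles VALUES ('DR1', 'north-region stations', 'D_STATION'),
                                  ('DR2', 'surface observations', 'D_TYPE'),
                                  ('DR3', 'all stations', 'D_STATION');
INSERT INTO Roles VALUES ('R_ANALYST', 'regional analyst', 'reads surface data in the north'),
                         ('R_ADMIN', 'data admin', 'all stations');
INSERT INTO SubRoles VALUES (1, 'R_ANALYST', 'DR1'), (2, 'R_ANALYST', 'DR2'), (3, 'R_ADMIN', 'DR3');
INSERT INTO Groups VALUES ('G_CMA', 'CMA', NULL), ('G_NORTH', 'North bureau', 'G_CMA');
INSERT INTO GroupRoles VALUES (1, 'G_CMA', 'R_ANALYST');
INSERT INTO Users VALUES ('u_li', 'G_NORTH'), ('u_wang', 'G_CMA');
INSERT INTO UserGroup VALUES (1, 'u_li', 'G_NORTH'), (2, 'u_wang', 'G_CMA');
INSERT INTO UserRoles VALUES (1, 'u_wang', 'R_ADMIN');
"""

# chain: the user's groups plus every ancestor group (assumed inheritance rule).
# held_roles: roles assigned directly to the user plus roles of any group in chain.
# The final join maps roles to their dimension-role components and dimensions.
QUERY = """
WITH RECURSIVE
chain(groupID) AS (
    SELECT groupID FROM (
        SELECT groupID FROM Users WHERE userID = :uid
        UNION
        SELECT groupID FROM UserGroup WHERE userID = :uid
    )
    UNION
    SELECT g.groupParentID
    FROM Groups g JOIN chain c ON g.groupID = c.groupID
    WHERE g.groupParentID IS NOT NULL
),
held_roles(rolesID) AS (
    SELECT rolesID FROM UserRoles WHERE userID = :uid
    UNION
    SELECT gr.rolesID FROM GroupRoles gr JOIN chain c ON gr.groupID = c.groupID
)
SELECT d.dimensionID, dr.dimenRolesName
FROM held_roles hr
JOIN SubRoles sr       ON sr.rolesID = hr.rolesID
JOIN DimensionRoles dr ON dr.dimenRolesID = sr.dimenRolesID
JOIN Dimensions d      ON d.dimensionID = dr.dimensionID
ORDER BY d.dimensionID, dr.dimenRolesName
"""


def open_db():
    """Create the in-memory database and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn


def effective_dimension_roles(conn, user_id):
    """Return [(dimensionID, dimenRolesName), ...] the user holds, via groups or directly."""
    return [tuple(row) for row in conn.execute(QUERY, {"uid": user_id})]


if __name__ == "__main__":
    db = open_db()
    for uid in ("u_li", "u_wang", "nobody"):
        print(uid, effective_dimension_roles(db, uid))
```

Resolving the whole grant set in one query keeps the authorization path auditable: every component a user ends up with can be traced back to a row in UserRoles, GroupRoles or Groups, and an unknown user or an empty group tree resolves to no components rather than to an error path.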
