The characteristics of delegation are analyzed and defined in this paper, including time, totality, level, multi-delegation, agreement and revocation. Based on RBAC, an extended role and permission-based delegation model is redefined by separating delegate roles from original roles. Security administrators (SAs) and ordinary users have different functions and duties in the authorization and delegation. SAs only participate in the original authorization work, but ordinary users can engage in role assignment more actively. They can reassign permissions to roles. As a result the extended role and permission-based delegation model hold more flexibility in the complex application environment. The temporal constraints of delegation also imply the complexity of delegation revocation.
展开▼
