Method and system of access control based on a constraint controlling role assumption

摘要

In an RBAC system, a capability is defined as including an operation and an object on which the operation is to be performed. The capability is assigned to a role, which is in turn assigned to a user. Whether a user's request to perform an operation on an object should be authorized is determined based on whether a capability to perform the operation on the object is assigned to a role which is in turn assigned to the user. Further, the authorization is determined based on the evaluation of the constraint(s) attached to the role. If the evaluation result of the constraint(s) disallows the user to assume the role, the user is prohibited from performing the operation on the object even the user has such capability.