Abstract
Data permission control is an important aspect of software system security and quality, and an important part of permission management and authorized access in SaaS multi-tenant software systems. The core requirement of data permission control is that users in different roles can access different ranges of data. Designing a general data permission control method that reduces the complexity of authorization management and improves software system security therefore has practical significance. Common SaaS systems basically use RBAC-based permission control components to meet the needs of user data permission control. However, RBAC is still relatively complicated in configuring permissions, and controlling data permissions in the ODAC form can simplify that configuration. Building on the RBAC authorization model, an organization-based data authority control model (Organization-Based Data Authority Control, ODAC) is proposed. In the ODAC model, the various services provided by the SaaS multi-tenant software system are collectively called resources, which are divided into data-controlled resources and data-uncontrolled resources. When a data-controlled resource is assigned to a role, the tenant organizational structure that the resource may access is specified. When a user under the tenant organization accesses data, the system uses the tenant organizational structure attached to the resource for the user's role to enforce data access control. On this basis, the ODAC model is implemented with the Spring MVC, Spring Security and MyBatis frameworks. Implemented with these mature frameworks, the data authority management system based on the ODAC model shows good performance, provides a guarantee for the realization of the data permission system, and reduces the difficulty of logic implementation. The model has been used in a variety of actual production systems, which verifies that it has good versatility and feasibility.
Authors
CHENG Xue-lin (程学林); YANG Xiao-hu (杨小虎); ZHUO Chong-kui (卓崇魁)
School of Software Technology, Zhejiang University, Ningbo, Zhejiang 315103, China
Source
Computer Science (《计算机科学》)
CSCD
Peking University Core Journal
2021, Issue S01, pp. 558-562, 5 pages
Keywords
SaaS
Role
Organization structure
Data permission
Access control
Controlled resources