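Establishing an RBAC-Based Multi-Dimensional Data Privilege Management Model for Meteorological Data
Cite this article: Li Dequan, Ruan Yuzhi, Yang Runzhi, Ma Tinghuai. Establishing an RBAC-Based Multi-Dimensional Data Privilege Management Model for Meteorological Data[J]. Quarterly Journal of Applied Meteorology, 2012, 23(5): 614-623.
Authors: Li Dequan  Ruan Yuzhi  Yang Runzhi  Ma Tinghuai
Institution: 1. National Meteorological Information Center, Beijing 100081
Funding: National Meteorological Information Center 2010 Youth Science and Technology Fund project "Design and Development of a Multi-Dimensional Privilege Control Model"
Abstract: Building on the traditional role-based access control (RBAC) model, and taking into account the characteristics of meteorological data and the privilege control requirements of data sharing services, this paper proposes a multi-dimensional privilege management model suited to meteorological data management. The model takes full account of the features meteorological data exhibit in resource sharing: numerous data categories, a complex hierarchical structure, and varying retrieval granularity. It introduces the concept of object dimensions together with a more flexible privilege management mechanism, and meets the needs of building data sharing service systems in meteorological departments well. As a preliminary experimental study for the data service privilege control model of the China Integrated Meteorological Information Sharing System (CIMISS), a prototype multi-dimensional data privilege management system was built for data access control. As a general-purpose model, it can be extended to meteorological data service applications, and it is of significance for ensuring database information security, preventing users from accessing data beyond their privileges, and keeping management information systems running normally.

Keywords: RBAC    privilege management model    multi-dimensional objects    data sharing
Received: 2011-11-10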

Privilege Management Model Based on RBAC for Meteorological Data Resource Service
Li Dequan, Ruan Yuzhi, Yang Runzhi and Ma Tinghuai. Privilege Management Model Based on RBAC for Meteorological Data Resource Service[J]. Quarterly Journal of Applied Meteorology, 2012, 23(5): 614-623.
Authors:Li Dequan  Ruan Yuzhi  Yang Runzhi and Ma Tinghuai
Institution: 1. National Meteorological Information Center, Beijing 100081; 2. Nanjing University of Information Science & Technology, Nanjing 210044
Abstract: In recent years, Role-Based Access Control (RBAC) has been a popular privilege management model at home and abroad, with distinct advantages over other traditional access control technologies such as MAC and DAC. The basic principle of RBAC is to introduce the concept of a role between user and privilege: the role is endowed with authority, and the user is endowed with the role. However, RBAC still has limitations when applied in the meteorological departments of CMA, with fine-grained data access control and distinct definition. To meet the growing demand for data sharing, a novel access control management model must be built. According to the requirements and characteristics of meteorological data sharing, a model improved from the RBAC model is proposed as a general solution for data-sharing privilege management and multi-dimensional data-sharing privilege management. As a shared data resource, meteorological data have a large number of classifications, a complex hierarchical structure, and very fine retrieval granularity. In consideration of these characteristics, the model introduces the concept of targeted object dimensions into RBAC, on the basis of more flexible rights management mechanisms and a calculation formula, which improves the security and flexibility of the data sharing services to meet these needs. The model decomposes the fine-grained access privilege of sources by object dimension, and realizes access control at different levels from coarse-grained to fine-grained. The model can directly authorize not only the role but also the user, which greatly improves flexibility and scalability. The model has been developed as a pre-pilot study in the China Integrated Meteorological Information Sharing System (CIMISS), a key project and a practical application of operational systems in the meteorological department. A prototype system is built to verify the model.
Its deployment helps to manage data retrieval and information access, simplifies data authorization and the maintenance management process, and improves data security. The model supports a general security framework for meteorological database information services, which prevents unauthorized users from accessing data. As a result, high stability and good security of the simple privilege management model are achieved, and security management information systems based on this model will play an important role in future meteorological data service operations.
Keywords:RBAC  privilege management model  multi objective dimension  data sharing