Introduction
With the explosive growth of global information systems, an increasing share of information sharing is turning into an information security catastrophe. Qiu et al. (2020) survey recent work in the field of information security and conclude that information security is an urgent problem to be solved in the Internet of Things. The increasingly serious problems of information disclosure and security attacks have a dramatic impact on personal and national security (Michel & King, 2019).
To prevent the destruction or disclosure of information caused by the intrusion of illegal users or the careless operation of legitimate users, many scholars have proposed a variety of solutions to ensure the security of information systems. Access control (Sandhu & Samarati, 1994) has gradually become a fundamental tenet of information systems. Access control restricts the permissions with which users may access system resources; resources beyond a user's permissions may not be accessed. Existing access control methods fall into two main groups: autonomous (i.e. discretionary) access control (Downs et al., 1985) and mandatory access control (Jiang et al., 2004). In autonomous access control, users can pass permissions directly or indirectly to other users. Despite its great versatility and unlimited delegation, this makes information disclosure possible. Mandatory access control, on the other hand, strictly limits user permissions in the system but lacks flexibility. To retain flexibility while preserving system security, role-based access control (RBAC) (Samarati & Vimercati, 2011; Sandhu et al., 1996) emerged and now holds the mainstream position in the field of access control. The RBAC model introduces the role between users and permissions and treats roles as a bridge between them: user access permissions are granted and revoked by assigning roles to users and removing them, which yields a logical separation (HC, 2019) between users and access permissions.
However, the complexity of the RBAC model grows ever higher (Bertino, 2003) as information systems become more complex. In the design and application of traditional RBAC, system analysts and administrators constrain the relationships between users and roles and between roles and permissions according to their intuitive experience and the system requirements. As information systems develop, they become more complex and diverse, and the number of access control users and permission resources in the system also increases, which exposes information systems to several drawbacks (Alessandro & Alberto, 2012). It is often difficult to meet users' functional and security needs by relying on manpower alone to design and manage an RBAC system. Moreover, the high time complexity of conventional RBAC systems and the inability to obtain the hierarchical relationship (Vaidya et al., 2007) between roles have turned out to be the fatal flaws of conventional RBAC.
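As an added illustration (not code from the paper or any system it cites), the following minimal model shows the RBAC separation described above: users hold roles, roles hold permissions, and a role hierarchy lets a senior role inherit its juniors' permissions, so a single role revocation removes an entire chain of access. Role names, permission strings and users are constructed for the example.

```python
from collections import defaultdict

class RBAC:
    """Minimal RBAC with a role hierarchy: permissions attach to roles, roles
    are assigned to users, and a senior role inherits its juniors' permissions."""

    def __init__(self):
        self.user_roles = defaultdict(set)  # user -> directly assigned roles
        self.role_perms = defaultdict(set)  # role -> permissions
        self.juniors = defaultdict(set)     # senior role -> junior roles

    def add_permission(self, role, perm):
        self.role_perms[role].add(perm)
    def add_inheritance(self, senior, junior):
        self.juniors[senior].add(junior)
    def assign_role(self, user, role):
        self.user_roles[user].add(role)
    def revoke_role(self, user, role):
        self.user_roles[user].discard(role)

    def effective_roles(self, user):
        # Transitive closure over the hierarchy; 'seen' also guards against cycles.
        seen, stack = set(), list(self.user_roles[user])
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.juniors[role])
        return seen

    def permissions(self, user):
        return {p for r in self.effective_roles(user) for p in self.role_perms[r]}

    def check(self, user, perm):
        return perm in self.permissions(user)

def demo():
    # Constructed roles and permissions: admin > engineer > employee.
    ac = RBAC()
    ac.add_permission("employee", "read:handbook")
    ac.add_permission("engineer", "write:code")
    ac.add_permission("admin", "delete:repo")
    ac.add_inheritance("engineer", "employee")
    ac.add_inheritance("admin", "engineer")
    ac.assign_role("alice", "admin")
    ac.assign_role("bob", "engineer")
    before = (ac.check("alice", "read:handbook"), ac.check("bob", "delete:repo"))
    ac.revoke_role("alice", "admin")  # one revocation drops the whole chain
    return before, ac.check("alice", "read:handbook")
```

`demo()` returns `((True, False), False)`: the admin inherits the employee permission through the hierarchy, the engineer cannot reach an admin-only permission, and revoking the single role leaves alice with no access at all.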