[Main text]
tor is shown in a red hexahedron to indicate that this role has a Static Separation of Duties (SSD) relationship with the role account_rep. The SSD relationship is also a conflict-of-interest relationship like the DSD relationship, but much stronger. If two roles have a DSD relationship, then they may both be authorized for an individual, but that individual may not act in both roles simultaneously. If two roles have an SSD relationship, then they may not even be authorized for the same individual. In this example, the policy of the bank is that there is a fundamental conflict of interest between the roles of internal_auditor and account_rep. Thus, these two roles may never be authorized for the same individual. The new version of the Admin tool using VRML will allow us to represent conflicts of interest and other relationships in a more natural way and to view the scene from an infinite number of viewpoints. VRML allows complex 3D objects to be created for this purpose. The user can

Role-based access control (RBAC) is a technology that is attracting increasing attention, particularly for commercial applications, because of its potential for reducing the complexity and cost of large networked applications. Enabling customers to obtain the information they want by clicking their way through Web pages, instead of dealing with operators or voice response systems, increases the efficiency of the customer interface. Large amounts of corporate information (training materials, catalogs, forms) can be converted to electronic form by publishing it on the Web. Although this paper focuses on corporate intranets and on the benefits, concepts and implementation of role-based access control in a Web environment, the need to restrict access to data also applies to a company's Internet environment. With RBAC security administration, it is first determined which actions a given role may perform, and staff are then assigned to the appropriate roles. The most common example is the initiation of payments and the authorization of payments in a transaction. The Admin tool allows system administrators to create and define roles, role hierarchies, relationships and constraints. The VRML version of the RBAC Admin tool lets system administrators examine and validate role structures, relationships and privileges using an interactive computer model, for example the roles associated with a privilege, or the list of a user's memberships. The teller role and account_holder are shown as yellow rectangles to indicate that these roles have a Dynamic Separation of Duties (DSD) relationship with account_rep. If two roles have a static separation of duties relationship, they cannot both be authorized for the same individual. RBAC/Web is implemented for both UNIX (e.g., for Netscape, NCSA, CERN or Apache servers) and Windows NT (e.g., for Internet Information Server, WebSite or Purveyor) environments. The components of RBAC/Web are shown in Table 1. When providing access control based on a user's roles, RBAC/Web uses a configuration file that maps URLs to file names; installing the RBAC/Web CGI is similar to installing the Web server. For UNIX, there are two ways to use RBAC/Web with a UNIX Web server. The user can "enter" a selected role and explore, in more detail, what is associated with that role (that is, its data). An individual acting in the account_rep role, sitting away from the teller's desk, cannot at the same time be permitted to act as a teller, even if authorized for the teller role. The financial_advisor role, when authorized on its own, is permitted to perform all the activities that the account_rep role can perform. VRML's navigation controls allow the user to interactively navigate and manipulate the perspective view of a 3D model, i.e., a scene graph. "vermal"). We define static separation of duty to mean that roles specified as mutually exclusive cannot both be included in a user's set of authorized roles. Once all of this is handled by the RBAC software, the constraints introduced by mutually exclusive or organizational roles also regulate who can perform what action, when, from where, in what order, and in some cases the relational context. With RBAC, security is managed at a level that corresponds more closely to the organization's structure. Enthusiasts tend to focus on the people or the business and neglect security when using the Web as a way of operating and managing the business. Specifically, the public network keeps users' accounts and passwords from being disclosed. Security and software components providing role-based access control for Web servers that use the Web protocols have been implemented and are described in this paper. Many companies have demonstrated that a well-designed Web site can have a positive effect on their profitability.

a user's set of authorized roles. With dynamic separation of duty, users may be authorized for two roles that are mutually exclusive, but cannot have both roles active at the same time. In other words, static separation of duty enforces the mutual exclusion rule at the time an administrator sets up role authorizations, while dynamic separation of duty enforces the rule at the time a user selects roles for a session.

Role Administration and Visualization

The roles are established, manipulated and viewed using the RBAC/Web Admin tool. The Admin tool allows system administrators to create and define roles, role hierarchies, relationships and constraints.
Once the RBAC framework is established for the organization, the principal administrative actions are the granting and revoking of users into and out of roles as job assignments dictate. These maintenance tasks are easily performed using the Admin tool. Additionally, the Admin tool is being enhanced to utilize the Virtual Reality Modeling Language (VRML, pronounced

Appendix A: English original

Role-Based Access Control for the Web

John F. Barkley, D. Richard Kuhn, Lynne S. Rosenthal, Mark W. Skall, and Anthony V. Cincotta, National Institute of Standards and Technology, Gaithersburg, Maryland 20899

ABSTRACT

Establishing and maintaining a presence on the World Wide Web (Web), once a sideline for U.S. industry, has become a key strategic aspect of marketing and sales. Many companies have demonstrated that a well designed Web site can have a positive effect on their profitability. Enabling customers to answer their own questions by clicking their way through Web pages, instead of dealing with operators and voice response systems,