Computer Engineering and Applications ›› 2012, Vol. 48 ›› Issue (19): 54-60.


Extended role based access control

LI Shuang   

  1. School of Science, Beijing Technology and Business University, Beijing 100048, China
  • Online: 2012-07-01 Published: 2012-06-27

An extended role-based access control model

李  双   

  1. School of Science, Beijing Technology and Business University, Beijing 100048

Abstract: In 2001, NIST defined RBAC2001, which provided a standard for Role-Based Access Control (RBAC). Many details still need to be studied. To widen the scope of application, this paper introduces Extended Role-Based Access Control (ERBAC), which provides a clear partition of permissions and condition constraints. It partitions the permission set directly instead of classifying roles, which reduces the difficulty of assigning permissions to roles and supports dynamic permission assignment. The new model inherits all the merits of traditional RBAC and can be used in workflow systems without any modification. It also provides access control dynamically.

Key words: access control, role, permission, session, condition

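Abstract: The RBAC2001 reference model established by the US National Institute of Standards and Technology (NIST) specifies only the most basic conceptual requirements, and many aspects remain worth studying. To make RBAC applicable to a wider range of settings, this paper proposes an extended role-based access control model (ERBAC) with condition constraints and clearly defined permissions. Unlike earlier approaches that partition the role set, it partitions the permission set directly, which reduces the difficulty of role-permission authorization and supports automatic role-permission configuration. The ERBAC model not only inherits all the advantages of traditional RBAC but can also be embedded in workflow systems without any modification, implementing dynamic access control within them.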

Key words: access control, role, permission, session, condition