Abstract: Considering the security and functionality deficiencies of delegation in access control, this paper proposes an RBAC delegation model with security audit function and gives its formal definition and description based on the contrastive analysis of RBAC delegation model’s features and the concept of security audit. This model defines the restrictions and transmission constraints for delegation, which reflects the traits of delegation, implements the process of delegation, revocation and session authorization by applying audit record sets, and improves the security audit function by audit monitoring and rule event response to make the delegation authorization have its autonomy and variability. The application and practice in management information system implies that this model is a secure and easily manageable delegation authorization mechanism, which can suit multiple delegation strategy.

Key words: security audit, access control, delegation, authorization

摘要： 针对访问控制中委托在安全性和功能性上的不足，通过对比分析RBAC委托模型的特点，结合安全审计概念提出了具有安全审计功能的RBAC委托模型，并给出了形式化的定义和描述。该模型定义了委托的限制条件和传递约束来体现委托的特性，利用审计记录集合实现了委托、撤销和会话授权的过程，通过审计监控和规则事件响应完善了安全审计功能，使委托授权具有自主性和可变性的特点。在管理信息系统的应用和实践表明，该模型是一种安全易管理的委托授权机制，能适应多种委托策略。

关键词: 安全审计, 访问控制, 委托, 授权