Abstract: Treating attribute as authorization constraints, an extended model of RBAC with attributes is proposed. An OWL-based policy representation method of attributive-based RBAC model is presented, in which complex attribute expressions, partial ordering relations between attribute values, role hierarchies, and constraints can be explicitly defined. Access control decisions, dominance relations between attribute expressions, and consistency of policy information can be drawn via an OWL reasoner. A study case is presented to show the feasibility of the method.

Key words: Role Based Access Control（RBAC）, attribute expression, Web Ontology Language（OWL）, reasoning

摘要： 将属性作为授权约束，给出了属性扩展的RBAC模型。提出了一种基于OWL的属性RBAC策略定义和表示方法。该方法支持复杂属性表达式、属性值偏序关系、角色层次关系和约束的定义；在推理机的支持下，可以执行访问控制决策推理，属性表达式支配关系判定和策略知识一致性检测。具体应用案例说明了该方法的可行性。

关键词: 基于角色的访问控制（RBAC）, 属性表达式, Web本体语言（OWL）, 推理