8-ARBAC-1392-2-14.pdf

طرح یک مشکل و ارائه یک راه‌حل
مدل مدیریتی کنترل دسترسی نقش‌مبنا
اگر سیستمی با هزاران کاربر و صدها نقش و مجوز در نظر بگیریم، مدیریت
نقش‌ها و انتساب کاربران به نقش‌ها و مجوزها به نقش‌ها و همچنین ساخت
سلسله‌مراتب از نقش‌ها بسیار پیچیده و مشکل می‌گردد و نمی‌توان آن را
توسط یک مدیر در سیستم انجام داد.
راهکار: مدیریت غیرمتمرکز.
‫–‬
‫–‬
‫–‬
‫–‬
‫ﺍﻣﻨﻴﺖ ﭘﺎﻳﮕﺎﻩ ﺩﺍﺩﻩ ‪ ،‬ﺍﺭﺩﻳﺒﻬﺸﺖ ‪1392‬‬
‫ﺭﺳﻮﻝ ﺟﻠﻴﻠﯽ‬
در نظر گرفتن نقش‌های مدیریتی و حوزه‌های مدیریتی برای هر نقش
همچنین ایجاد سلسله‌مراتبی از آنها
واگذاری مدیریت به افراد مختلف در حوزه‌های گوناگون سیستم
هر مدیر مسؤولیت مدیریت در حوزه خود را بر عهده داشته باشد
‫‪2‬‬
‫ﺩﺍﻧﺸﮕﺎﻩ ﺻﻨﻌﺘﯽ ﺷﺮﻳﻒ ‪ ,‬ﺩﺍﻧﺸﮑﺪﻩ ﻣﻬﻨﺪﺳﯽ ﮐﺎﻣﭙﻴﻮﺗﺮ‬
مدل مدیریتی RBAC
مدیریت در کنترل دسترسی نقش‌مبنا
انواع مدل‌های بحث شده، برای مدیر نیز مطرح است. البته معمولاً مدل مدیر
ساده‌تر از خود مدل RBAC است. بنابراین می‌توان از RBAC0 به جای
RBAC3 استفاده نمود.
چگونه مدل سلسله‌مراتبی مدل مدیر مدیریت می‌شود؟
‫–‬
‫–‬
‫‪4‬‬
‫‪1‬‬
در سیستم بزرگ که تعداد نقش‌ها به صدها و هزاران افزایش می‌یابد، مدیریت
این نقش‌ها و روابط میان آنها یک کار سخت است که به صورت مرکزی انجام
می‌شود و به گروه کوچکی از مدیران امنیتی محول می‌گردد.
نکته اصلی RBAC این است که مدیریت را ساده می‌کند؛ در نتیجه می‌توان از خود آن
در مدیریت خودش استفاده نمود.
نقش‌های مدیر یا AR و اختیارات مدیر یا AP را از نقش‌های معمولی یا R
و اختیارات معمولی یا P جدا می‌کنیم.
اختیارات تنها به نقش‌ها نسبت داده می‌شوند و اختیارات مدیریتی تنها به
نقش‌های مدیریتی نسبت داده می‌شوند.
به طور تئوریک، سطح دوم از سلسله‌مراتب می‌تواند برای مدیریت سطح اول مورد
استفاده قرار گیرد، ولی برای مدل ضروری نمی‌باشد.
مدیریت سلسله‌مراتب مدیر می‌تواند توسط یک نفر رئیس سیستم مدیریت انجام شود.
مجوزهای مدیر در RBAC توانایی تغییر نسبت نقش به کاربران و نیز تغییر دادن
نسبت اختیارات به نقش‌ها و روابط موجود در سلسله‌مراتب نقش‌ها را به وجود می‌آورد.
‫‪3‬‬
‫ﺍﺟﺰﺍﺀ ﻣﺪﻝ ﻣﺪﻳﺮﻳﺘﻲ‪RBAC‬‬
‫ﺍﺟﺰﺍﺀ ﻣﺪﻝ ﻣﺪﻳﺮﻳﺘﻲ ‪RBAC‬‬
‫‪RH‬‬
‫ﺳﻠﺴﻠﻪ ﻣﺮﺍﺗﺐ‬
‫ﻧﻘﺸﻬﺎ‬
این مدل در سال 1997 توسط Sandhu ارائه گردید. ایده
اصلی آن استفاده از خود مدل RBAC برای مدیریت آن بود. این
مدل شامل سه مدل اصلی به شرح زیر می‌باشد:
‫‪PA‬‬
‫ﺍﻧﺘﺴﺎﺏ ﻣﺠﻮﺯ ﺑﻪ ﻧﻘﺶ‬
‫‪UA‬‬
‫‪P‬‬
‫‪R‬‬
‫ﻣﺠﻮﺯﻫﺎ‬
‫ﻧﻘﺸﻬﺎ‬
‫ﺍﻧﺘﺴﺎﺏ ﮐﺎﺭﺑﺮ ﺑﻪ ﻧﻘﺶ‬
‫‪S‬‬
‫ﺟﻠﺴﺎﺕ‬
‫–‬
‫–‬
‫–‬
‫‪U‬‬
مدل URA یا مدل انتساب کاربران به نقش
مدل PRA یا مدل انتساب مجوزها به نقش
مدل RRA یا مدل انتساب نقش به نقش
‫ﮐﺎﺭﺑﺮﺍﻥ‬
‫‪User‬‬
‫ﻣﺤﺪﻭﺩﻳﺘﻬﺎ‬
‫‪Roles‬‬
‫‪AP‬‬
‫‪AR‬‬
‫ﻣﺠﻮﺯﻫﺎﻱ‬
‫ﻣﺪﻳﺮﻳﺘﻲ‬
‫‪APA‬‬
‫ﺍﻧﺘﺴﺎﺏ ﻣﺠﻮﺯﻫﺎﻱ ﻣﺪﻳﺮﻳﺘﻲ ﺑﻪ ﻧﻘﺶ‬
‫ﻧﻘﺸﻬﺎﻱ‬
‫ﻣﺪﻳﺮﻳﺘﻲ‬
‫‪AUA‬‬
‫ﺍﻧﺘﺴﺎﺏ ﮐﺎﺭﺑﺮ ﺑﻪ ﻧﻘﺶ‬
‫‪ARH‬‬
‫ﺳﻠﺴﻠﻪ ﻣﺮﺍﺗﺐ‬
‫ﻧﻘﺸﻬﺎﻱ ﻣﺪﻳﺮﻳﺘﻲ‬
‫‪5‬‬
‫‪6‬‬
مدل URA یا مدل انتساب کاربران به نقش
مدل URA97
این مدل دارای 2 مؤلفه اصلی است:
تابع Can_assign دارای سه پارامتر ورودی است: X که نقش
مدیریتی فردی که می‌خواهد عمل انتساب را انجام دهد را مشخص
می‌کند. Y نقش پیش‌شرط فردی است که می‌خواهیم به او نقش را
انتساب دهیم و Z که دامنه نقش‌های قابل انتساب را معین می‌کند.
‫‪8‬‬
‫‪2‬‬
یعنی فرد دارای نقش مدیریتی X به یک کاربر که فعلاً دارای
نقش Y است می‌تواند هر نقشی در دامنه Z عطا کند.
‫–‬
‫–‬
Can-assign
انتساب کاربران به نقش‌ها یا Grant
Can-revoke
بازپس‌گیری عضویت آنها در نقش‌ها یا Revoke
رابطه Can-assign بیان می‌کند که چه افرادی با چه پیش‌شرط‌هایی
می‌توانند در چه حوزه‌ای کار اعطاء را انجام دهند. افراد را با نقش‌های مدیریتی
که دارا هستند معین می‌کند.
–
نقشی را بیان می‌کند که افراد برای اعمال کارهای مدیریتی در یک حوزه خاص باید دارا
باشند.
رابطه Can-revoke بیان می‌کند که چه افرادی در چه حوزه‌هایی می‌توانند
عمل بازپس‌گیری را انجام دهند.
این توابع برای عمل انتساب و بازپس‌گیری نقش‌ها به کاربران به کار می‌روند و
بایستی در هر عمل، امکان انجام آن را توسط آنها چک کرد.
‫‪7‬‬
مدل URA97 - رابطه Can_Assign
مدل URA97
اولین سطر این جدول بیان می‌کند که کاربری با
نقش "کارشناس امنیتی سیستم صورتحساب‌گیری"
(BCS) و در نتیجه "کارشناس امنیتی امور رایانه"
(CS) و "مدیرکل امنیتی" (SSO) می‌تواند به
کاربری که هم‌اکنون دارای نقش عادی "واحد رایانه"
(CD) است، نقش "کارشناس سیستم صورتحساب‌گیری"
(BC) را عطا کند.
تابع Can_Revoke دارای دو پارامتر ورودی است: X که نقش
مدیریتی فردی که می‌خواهد عمل بازپس‌گیری نقش را انجام دهد را
مشخص می‌کند و Z دامنه نقش‌هایی را که می‌تواند بازپس گیرد
تعیین می‌کند.
‫ﻣﺪﻳﺮ ﻋﺎﻣﻞ ﺍﺩﺍﺭﻩ ﺭﺍﻳﺎﻧﻪ )‪(CDM‬‬
‫ﺩﺍﻣﻨﻪ ﻧﻘﺶﻫﺎ‬
‫ﭘﻴﺶﺷﺮﻁ‬
‫ﻧﻘﺶ ﻣﺪﻳﺮﻳﺘﻲ‬
‫]‪[BC,BC‬‬
‫]‪[PO,‬‬
‫]‪[BO,BO‬‬
‫]‪[CC,CC‬‬
‫]‪[RO,RO‬‬
‫]‪[CO,CO‬‬
‫]‪[BCM,BCM‬‬
‫]‪[CCM,CCM‬‬
‫)‪(CD,CDM‬‬
‫]‪[CD,CD‬‬
‫]‪(CD,CDM‬‬
‫‪CD‬‬
‫‪BC ^ ¬BO‬‬
‫‪BC ^ ¬PO‬‬
‫‪CD‬‬
‫‪CC ^ ¬CO‬‬
‫‪CC ^ ¬RO‬‬
‫‪CD ^ ¬CCM‬‬
‫‪CD ^ ¬BCM‬‬
‫‪CD‬‬
‫‪E‬‬
‫‪CD‬‬
‫‪BCS‬‬
‫‪BCS‬‬
‫‪BCS‬‬
‫‪CCS‬‬
‫‪CCS‬‬
‫‪CCS‬‬
‫‪CS‬‬
‫‪CS‬‬
‫‪CS‬‬
‫‪SSO‬‬
‫‪SSO‬‬
‫ﻣﺪﻳﺮ ﮐﻞ ﺍﻣﻨﻴﺘﻲ )‪(SSO‬‬
هیچ پیش‌شرطی برای این تابع تعریف نمی‌گردد.
‫ﺭﺋﻴﺲ ﺳﻴﺴﺘﻢ ﺻﻮﺭﺗﺤﺴﺎﺏ ﮔﻴﺮﻱ )‪(BCM‬‬
‫ﺭﺋﻴﺲ ﺳﻴﺴﺘﻢ ﻣﺘﻘﺎﺿﻴﺎﻥ –ﻣﺸﺘﺮﮐﻴﻦ)‪(CCM‬‬
‫ﮐﺎﺭﺷﻨﺎﺱ ﺍﻣﻮﺭ ﻣﺸﺘﺮﮐﻴﻦ )‪(CO‬‬
‫ﮐﺎﺭﺷﻨﺎﺱ ﺻﻮﺭﺗﺤﺴﺎﺑﻬﺎ )‪(BO‬‬
‫ﮐﺎﺭﺷﻨﺎﺱ ﺍﻣﻮﺭﻣﺘﻘﺎﺿﻴﺎﻥ)‪(RO‬‬
‫ﮐﺎﺭﺷﻨﺎﺱ ﺍﻣﻨﻴﺘﻲ ﺍﻣﻮﺭ ﺭﺍﻳﺎﻧﻪ‬
‫ﮐﺎﺭﺷﻨﺎﺱ ﻭﺻﻮﻟﻴﻬﺎ)‪(PO‬‬
‫)‪(CS‬‬
‫ﮐﺎﺭﺷﻨﺎﺱ ﺳﻴﺴﺘﻢ ﺻﻮﺭﺗﺤﺴﺎﺏ ﮔﻴﺮﻱ)‪(BC‬‬
‫ﮐﺎﺭﺷﻨﺎﺱ ﺳﻴﺴﺘﻢ ﻣﺘﻘﺎﺿﻴﺎﻥ ‪ -‬ﻣﺸﺘﺮﮐﻴﻦ)‪(CC‬‬
‫ﮐﺎﺭﺷﻨﺎﺱ ﺍﻣﻨﻴﺘﻲ ﺳﻴﺴﺘﻢ ﻣﺘﻘﺎﺿﻴﺎﻥ ‪-‬‬
‫ﻣﺸﺘﺮﮐﻴﻦ‬
‫ﻭﺍﺣﺪ ﺭﺍﻳﺎﻧﻪ)‪(CD‬‬
‫‪9‬‬
‫‪10‬‬
‫–‬
‫ﻣﺪﻝ ‪ Grant‬ﺑﺮﺍﻱ ﺍﻋﻄﺎﺀ ﻣﺠﻮﺯﻫﺎ ﺑﻪ ﻧﻘﺶ ﻫﺎ‬
‫–‬
‫ﻣﺪﻝ ‪ Revoke‬ﺑﺮﺍﻱ ﺑﺎﺯﭘﺲ ﮔﻴﺮﻱ ﻣﺠﻮﺯ ﺍﺯ ﻧﻘﺶ ﻫﺎ‬
‫)‪(CCS‬‬
‫ﮐﺎﺭﻣﻨﺪ)‪(E‬‬
سطر دوم این جدول بیان می‌کند که "کارشناس
امنیتی بخش متقاضیان و مشترکین" می‌تواند از
تمام کاربران سیستم، نقش "کارشناس سیستم
متقاضیان و مشترکین" (CC)، "کارشناس امور
متقاضیان" (RO) و "کارشناس امور مشترکین"
(CO) را بازپس‌گیرد.
این مدل نیز مشابه مدل قبلی دارای 2 مؤلفه اصلی است:
‫‪Can-revokep‬‬
‫)‪(BCS‬‬
مدل URA97 - رابطه Can_Revoke
مدل PRA97 یا مدل انتساب مجوزها به نقش
Can-assignp
کارشناس امنیتی سیستم صورتحساب‌گیری
رابطه اول وظیفه تعیین افراد و شرط‌ها برای انجام عمل انتساب در
یک حوزه خاص و رابطه دوم وظیفه تعیین افراد برای انجام عمل
بازپس‌گیری در یک حوزه خاص را بر عهده دارد.
‫ﺩﺍﻣﻨﻪ ﻧﻘﺶﻫﺎ‬
‫ﻧﻘﺶ ﻣﺪﻳﺮﻳﺘﻲ‬
‫)‪[BC,BCM‬‬
‫)‪[CC,CCM‬‬
‫)‪(CD,CDM‬‬
‫]‪[CD,CDM‬‬
‫‪BCS‬‬
‫‪CCS‬‬
‫‪CS‬‬
‫‪SSO‬‬
‫ﻣﺪﻳﺮ ﻋﺎﻣﻞ ﺍﺩﺍﺭﻩ ﺭﺍﻳﺎﻧﻪ )‪(CDM‬‬
‫ﺭﺋﻴﺲ ﺳﻴﺴﺘﻢ ﺻﻮﺭﺗﺤﺴﺎﺏ ﮔﻴﺮﻱ )‪(BCM‬‬
‫ﺭﺋﻴﺲ ﺳﻴﺴﺘﻢ ﻣﺘﻘﺎﺿﻴﺎﻥ –ﻣﺸﺘﺮﮐﻴﻦ)‪(CCM‬‬
‫ﻣﺪﻳﺮ ﮐﻞ ﺍﻣﻨﻴﺘﻲ )‪(SSO‬‬
‫ﮐﺎﺭﺷﻨﺎﺱ ﺍﻣﻮﺭ ﻣﺸﺘﺮﮐﻴﻦ )‪(CO‬‬
‫ﮐﺎﺭﺷﻨﺎﺱ ﺻﻮﺭﺗﺤﺴﺎﺑﻬﺎ )‪(BO‬‬
‫ﮐﺎﺭﺷﻨﺎﺱ ﺍﻣﻮﺭﻣﺘﻘﺎﺿﻴﺎﻥ)‪(RO‬‬
‫ﮐﺎﺭﺷﻨﺎﺱ ﻭﺻﻮﻟﻴﻬﺎ)‪(PO‬‬
‫ﮐﺎﺭﺷﻨﺎﺱ ﺍﻣﻨﻴﺘﻲ ﺍﻣﻮﺭ ﺭﺍﻳﺎﻧﻪ‬
‫)‪(CS‬‬
‫ﮐﺎﺭﺷﻨﺎﺱ ﺳﻴﺴﺘﻢ ﺻﻮﺭﺗﺤﺴﺎﺏ ﮔﻴﺮﻱ)‪(BC‬‬
‫ﮐﺎﺭﺷﻨﺎﺱ ﺳﻴﺴﺘﻢ ﻣﺘﻘﺎﺿﻴﺎﻥ ‪ -‬ﻣﺸﺘﺮﮐﻴﻦ)‪(CC‬‬
‫ﻭﺍﺣﺪ ﺭﺍﻳﺎﻧﻪ)‪(CD‬‬
‫‪12‬‬
‫‪3‬‬
‫‪11‬‬
‫ﮐﺎﺭﻣﻨﺪ)‪(E‬‬
‫ﮐﺎﺭﺷﻨﺎﺱ ﺍﻣﻨﻴﺘﻲ ﺳﻴﺴﺘﻢ ﻣﺘﻘﺎﺿﻴﺎﻥ ‪-‬‬
‫ﻣﺸﺘﺮﮐﻴﻦ‬
‫ﮐﺎﺭﺷﻨﺎﺱ ﺍﻣﻨﻴﺘﻲ ﺳﻴﺴﺘﻢ ﺻﻮﺭﺗﺤﺴﺎﺏ‬
‫ﮔﻴﺮﻱ‬
‫)‪(CCS‬‬
‫)‪(BCS‬‬
مدل PRA97 - رابطه Can_AssignP
سطر اول این جدول بیان می‌دارد که کاربری با نقش
"کارشناس امنیتی امور رایانه" (CS) یا "مدیرکل
امنیتی" (SSO) می‌تواند تمام مجوزهای صریح و
ضمنی نقش "مدیرعامل اداره رایانه" (CDM) یعنی
در واقع تمام مجوزهای موجود در سیستم را به نقش
"ریاست سیستم صورتحساب‌گیری" (BCM) عطا
کند.
مدل PRA97
‫ﺩﺍﻣﻨﻪ ﻧﻘﺶﻫﺎ‬
‫ﭘﻴﺶﺷﺮﻁ‬
‫ﻧﻘﺶ ﻣﺪﻳﺮﻳﺘﻲ‬
‫]‪[BCM,BCM‬‬
‫]‪[CCM,CCM‬‬
‫]‪[PO,‬‬
‫]‪[BO,BO‬‬
‫]‪[RO,RO‬‬
‫]‪[CO,CO‬‬
‫‪CDM‬‬
‫‪CDM‬‬
‫‪BCM ^ ¬BO‬‬
‫‪BCM ^ ¬PO‬‬
‫‪CCM ^ ¬CO‬‬
‫‪CCM ^ ¬RO‬‬
‫‪CS‬‬
‫‪CS‬‬
‫‪BCS‬‬
‫‪BCS‬‬
‫‪CCS‬‬
‫‪CCS‬‬
تابع Can_Assignp دارای سه پارامتر ورودی است. X که نقش
مدیریتی مجری عمل انتساب را مشخص می‌کند. Y نقشی است
که می‌توان مجوزهای آن را برای عمل انتساب انتخاب کرد. Z
حوزه نقش‌هایی است که می‌توان مجوز انتخاب‌شده را به آن نسبت داد.
‫ﻣﺪﻳﺮ ﻋﺎﻣﻞ ﺍﺩﺍﺭﻩ ﺭﺍﻳﺎﻧﻪ )‪(CDM‬‬
‫ﺭﺋﻴﺲ ﺳﻴﺴﺘﻢ ﺻﻮﺭﺗﺤﺴﺎﺏ ﮔﻴﺮﻱ )‪(BCM‬‬
‫ﺭﺋﻴﺲ ﺳﻴﺴﺘﻢ ﻣﺘﻘﺎﺿﻴﺎﻥ –ﻣﺸﺘﺮﮐﻴﻦ)‪(CCM‬‬
‫ﻣﺪﻳﺮ ﮐﻞ ﺍﻣﻨﻴﺘﻲ )‪(SSO‬‬
‫ﮐﺎﺭﺷﻨﺎﺱ ﺍﻣﻮﺭ ﻣﺸﺘﺮﮐﻴﻦ )‪(CO‬‬
‫ﮐﺎﺭﺷﻨﺎﺱ ﺻﻮﺭﺗﺤﺴﺎﺑﻬﺎ )‪(BO‬‬
‫ﮐﺎﺭﺷﻨﺎﺱ ﺍﻣﻮﺭﻣﺘﻘﺎﺿﻴﺎﻥ)‪(RO‬‬
‫ﮐﺎﺭﺷﻨﺎﺱ ﻭﺻﻮﻟﻴﻬﺎ)‪(PO‬‬
‫ﮐﺎﺭﺷﻨﺎﺱ ﺍﻣﻨﻴﺘﻲ ﺍﻣﻮﺭ ﺭﺍﻳﺎﻧﻪ‬
‫)‪(CS‬‬
‫ﮐﺎﺭﺷﻨﺎﺱ ﺳﻴﺴﺘﻢ ﺻﻮﺭﺗﺤﺴﺎﺏ ﮔﻴﺮﻱ)‪(BC‬‬
‫ﮐﺎﺭﺷﻨﺎﺱ ﺳﻴﺴﺘﻢ ﻣﺘﻘﺎﺿﻴﺎﻥ ‪ -‬ﻣﺸﺘﺮﮐﻴﻦ)‪(CC‬‬
‫ﻭﺍﺣﺪ ﺭﺍﻳﺎﻧﻪ)‪(CD‬‬
‫‪14‬‬
‫ﮐﺎﺭﺷﻨﺎﺱ ﺍﻣﻨﻴﺘﻲ ﺳﻴﺴﺘﻢ ﻣﺘﻘﺎﺿﻴﺎﻥ ‪-‬‬
‫ﻣﺸﺘﺮﮐﻴﻦ‬
‫ﮐﺎﺭﺷﻨﺎﺱ ﺍﻣﻨﻴﺘﻲ ﺳﻴﺴﺘﻢ ﺻﻮﺭﺗﺤﺴﺎﺏ‬
‫ﮔﻴﺮﻱ‬
‫)‪(CCS‬‬
‫)‪(BCS‬‬
‫‪13‬‬
‫ﮐﺎﺭﻣﻨﺪ)‪(E‬‬
مدل PRA97
مدل PRA97 - رابطه Can_RevokeP
سطر اول این جدول بیان می‌کند که "کارشناس
امنیتی سیستم صورتحساب‌گیری" (BCS) و
طبیعتاً "کارشناس امنیتی امور رایانه" (CS) و
"مدیرکل امنیتی" (SSO) می‌توانند هر
مجوزی را از "کارشناس صورتحساب‌ها" (BO)
و "کارشناس وصولی‌ها" (PO) بازپس‌گیرند.
‫ﺩﺍﻣﻨﻪ ﻧﻘﺶﻫﺎ‬
‫ﻧﻘﺶ ﻣﺪﻳﺮﻳﺘﻲ‬
‫)‪(BC,BCM‬‬
‫)‪(CC,CCM‬‬
‫)‪(CD,CDM‬‬
‫]‪[CD,CDM‬‬
‫‪BCS‬‬
‫‪CCS‬‬
‫‪CS‬‬
‫‪SSO‬‬
تابع Can_Revokep دارای دو پارامتر ورودی است که x نقش مدیریتی
مجری عمل بازپس‌گیری و z حوزه نقش‌هایی است که می‌توان در آن حوزه
عمل بازپس‌گیری مجوزها را انجام داد.
y در PRA حوزه انتخاب مجوزها را در تابع Can_Assignp مشخص
می‌کند، در حالی که در URA پیش‌شرط برای اخذ نقش بود. بنابراین در
PRA می‌توان y را به عنوان Permission pool یا حوزه‌ای برای
انتخاب مجوزها جهت انتساب دانست.
‫ﻣﺪﻳﺮ ﻋﺎﻣﻞ ﺍﺩﺍﺭﻩ ﺭﺍﻳﺎﻧﻪ )‪(CDM‬‬
‫ﺭﺋﻴﺲ ﺳﻴﺴﺘﻢ ﺻﻮﺭﺗﺤﺴﺎﺏ ﮔﻴﺮﻱ )‪(BCM‬‬
‫ﺭﺋﻴﺲ ﺳﻴﺴﺘﻢ ﻣﺘﻘﺎﺿﻴﺎﻥ –ﻣﺸﺘﺮﮐﻴﻦ)‪(CCM‬‬
‫ﮐﺎﺭﺷﻨﺎﺱ ﺍﻣﻮﺭ ﻣﺸﺘﺮﮐﻴﻦ )‪(CO‬‬
‫ﻣﺪﻳﺮ ﮐﻞ ﺍﻣﻨﻴﺘﻲ )‪(SSO‬‬
‫ﮐﺎﺭﺷﻨﺎﺱ ﺻﻮﺭﺗﺤﺴﺎﺑﻬﺎ )‪(BO‬‬
‫ﮐﺎﺭﺷﻨﺎﺱ ﺍﻣﻮﺭﻣﺘﻘﺎﺿﻴﺎﻥ)‪(RO‬‬
‫ﮐﺎﺭﺷﻨﺎﺱ ﻭﺻﻮﻟﻴﻬﺎ)‪(PO‬‬
‫ﮐﺎﺭﺷﻨﺎﺱ ﺳﻴﺴﺘﻢ ﺻﻮﺭﺗﺤﺴﺎﺏ ﮔﻴﺮﻱ)‪(BC‬‬
‫ﮐﺎﺭﺷﻨﺎﺱ ﺳﻴﺴﺘﻢ ﻣﺘﻘﺎﺿﻴﺎﻥ ‪ -‬ﻣﺸﺘﺮﮐﻴﻦ)‪(CC‬‬
‫ﮐﺎﺭﺷﻨﺎﺱ ﺍﻣﻨﻴﺘﻲ ﺍﻣﻮﺭ ﺭﺍﻳﺎﻧﻪ‬
‫)‪(CS‬‬
‫ﮐﺎﺭﺷﻨﺎﺱ ﺍﻣﻨﻴﺘﻲ ﺳﻴﺴﺘﻢ ﻣﺘﻘﺎﺿﻴﺎﻥ ‪-‬‬
‫ﻣﺸﺘﺮﮐﻴﻦ‬
‫ﮐﺎﺭﺷﻨﺎﺱ ﺍﻣﻨﻴﺘﻲ ﺳﻴﺴﺘﻢ ﺻﻮﺭﺗﺤﺴﺎﺏ‬
‫ﮔﻴﺮﻱ‬
‫)‪(CCS‬‬
‫)‪(BCS‬‬
‫ﻭﺍﺣﺪ ﺭﺍﻳﺎﻧﻪ)‪(CD‬‬
‫‪16‬‬
‫‪4‬‬
‫ﮐﺎﺭﻣﻨﺪ)‪(E‬‬
‫‪15‬‬
مدل RRA یا مدل انتساب نقش به نقش
مدل Role Graph
از دید دیگر مدل کنترل دسترسی نقش‌مبنا را مبتنی بر سه گراف
در سه حوزه مختلف بررسی می‌کنند:
–
ایجاد یک سلسله‌مراتب از نقش‌ها
فراهم آوردن بستری برای ساخت مدل RBAC1
گراف اختیارات یا مجوزها:
این گراف بیانگر سلسله‌مراتب حاکم بر انواع مجوزهای مختلف است. ممکن است
داشتن یک مجوز، داشتن یک مجوز دیگر را ایجاب کند.
–
وقتی نقشی بالاتر از یک نقش دیگر قرار می‌گیرد، تمام مجوزهای نقش قبلی
را به ارث می‌برد.
این مدل سلسله‌مراتبی با توجه به ساختار سلسله‌مراتبی نقش‌های سازمانی
می‌تواند شکل بگیرد و به هر چه بهتر مدل کردن نقش‌ها و نقش‌های
مدیریتی موجود سازمان در سیستم کمک کند.
گراف گروه‌ها یا کاربران:
در این گراف کاربران یا گروه‌های کاربری و سلسله‌مراتب آنها نمایش داده می‌شود.
–
گراف نقش‌ها یا Role Graph:
در این گراف نقش‌های موجود سیستم، گره‌های گراف را تشکیل می‌دهند و خط
بین آنها ارتباط شامل شدن را معین می‌کند.
‫‪17‬‬
‫‪18‬‬
اجزاء مدل Role Graph
مدیریت غیرمتمرکز در مدل Role Graph
مطابق همین دید به مدل کنترل دسترسی، گراف نقش‌های مدیریتی نیز
قابل ترسیم است. این گراف شامل نقش‌های عادی و نقش‌های مدیریتی است
و دو رابطه در آن تعریف می‌گردد:
–
–
رابطه اول، Is-Junior است که رابطه‌ای بین نقش‌های عادی و یا بین نقش‌های
مدیریتی است. این رابطه نشان‌دهنده شامل بودن یک نقش بر نقش دیگر است.
رابطه دوم، رابطه Administrates است که با خط‌های خط‌چین در شکل نشان داده
شده است.
این گراف با دو گره به نام‌های MinRole و MaxRole و همچنین
SSO که وظیفه مدیریت کل سیستم را بر عهده دارد، در نظر گرفته می‌شود.
‫‪20‬‬
‫‪5‬‬
‫‪19‬‬
ساخت گراف نقش‌های مدیریتی
حوزه‌های مدیریتی در Role Graph
مطابق شکل a در ابتدا سه نقش و یک حوزه مدیریتی کلی با
مدیریت SSO وجود دارد.
مطابق شکل b بخش‌ها به تدریج اضافه می‌شوند و گراف بزرگتر
می‌شود.
‫‪21‬‬
‫‪22‬‬
مدل مدیریتی RBAC توسعه‌یافته
سعی شده است مشکلات مطرح شده، در مدل توسعه‌یافته یعنی
ARBAC02 حل گردند. در این مدل مفاهیم User Pool و
Permission Pool مطرح می‌شود و سعی می‌گردد تا با حل تداخل‌های
غیرلازم موجود، مشکلات مطرح شده کنار گذاشته شود.
برای غلبه بر مشکلات مطرح شده در مدل قبل، دو استراتژی در این مدل
اتخاذ شده است:
‫–‬
‫–‬
‫‪24‬‬
‫‪6‬‬
‫ن‬
اول، از ساختار سازمانی به عنوان User pool و Permission pool استفاده
می‌شود به جای اینکه از پیش‌شرط‌هایی در سلسله‌مراتب نقش‌ها استفاده کرد.
دوم، توسط این ساختار سازمانی یک روند پایین به بالا برای انتساب مجوزها به نقش‌ها
مطرح می‌شود.
‫‪23‬‬
ساختار سازمانی
ساخت User & Permission Pool
برای توسعه سیستم‌های اطلاعاتی، "سازمان" یک مفهوم خوب برای تحلیل
فعالیت‌های موجود در هر دامنه است.
ساختار سازمانی یک ساختار درختی با ویژگی سلسله‌مراتبی است. این ساختار
از عناصر سازمانی تشکیل می‌شود که افراد متعلق به هر یک دارای یک هدف
مشترک در سازمان هستند و یک سری فعالیت‌های خاص برای رسیدن به آنها
انجام می‌دهند.
کارهای انجام‌یافته با داده‌های مورد دسترسی ارتباط مستقیم دارد. پس
فعالیت‌ها و کارهای یک بخش با مجوزهای آن ارتباط دارد.
پس می‌توان واحد سازمانی را به عنوان یک گروه از کاربران و مجوزها
برای رسیدن به هدف خاص تعریف کرد.
‫ﺳﺎﺧﺘﺎﺭ‬
‫ﺳﺎﺯﻣﺎﻧﻲ‬
‫‪By IT Management Group‬‬
‫‪By Human Resource Group‬‬
‫‪Permission‬‬
‫‪pool‬‬
‫‪User pool‬‬
حال مدیرهای امنیتی، کاربران و مجوزهای موجود در هر واحد سازمانی را به نقش‌ها
نسبت می‌دهند.
‫‪25‬‬
‫‪26‬‬
ساختار مدل مدیریتی RBAC توسعه‌یافته
اصلاح مدل با اعمال مفهوم ساختار سازمانی
توابع Can_Assign و Can_Assignp همان توصیف
موجود در ARBAC97 را دارا هستند و فقط پیش‌شرط‌ها در
آن مجدداً تعریف شده است:
‫–‬
‫–‬
‫‪28‬‬
‫‪7‬‬
پیش‌شرط‌ها در URA یک عبارت با ترکیب عملگرهای And و Or
روی نقش‌های عادی و یا واحدهای سازمانی در ساختار سازمانی تهیه‌شده
توسط گروه HR، یعنی User Pool، است.
پیش‌شرط‌ها در PRA یک عبارت منطقی از عملگرهای And و Or
روی عبارات x و ~x است که x یک نقش عادی یا یک واحد سازمانی در
ساختار سازمانی تهیه‌شده توسط گروه فناوری اطلاعات (IT)، یعنی Permission Pool،
است.
‫‪27‬‬
اجزاء مدل ARBAC02
استفاده از RBAC برای اعمال DAC و MAC
ساخت Permission Pool با یک ساختار سازمانی به نام OS-P
ساخت User Pool با یک ساختار سازمانی به نام OS-U
مکانیزم RBAC به اندازه‌ای کلی است که بتواند MAC و DAC را شبیه‌سازی کند.
یک خصوصیت مهم این است که خط‌مشی در طول چرخه عمر سیستم می‌تواند
تغییر کند.
RH
‫ﺳﻠﺴﻠﻪ ﻣﺮﺍﺗﺐ‬
‫ﻧﻘﺸﻬﺎ‬
PA
‫ﺍﻧﺘﺴﺎﺏ ﻣﺠﻮﺯ ﺑﻪ ﻧﻘﺶ‬
UA
‫ﺍﻧﺘﺴﺎﺏ ﮐﺎﺭﺑﺮ ﺑﻪ ﻧﻘﺶ‬
R
P
‫ﻧﻘﺸﻬﺎ‬
‫ﻣﺠﻮﺯﻫﺎ‬
S
‫ﺟﻠﺴﺎﺕ‬
U
‫ﮐﺎﺭﺑﺮﺍﻥ‬
User
Permission
Pool
‫ﻣﺤﺪﻭﺩﻳﺘﻬﺎ‬
OS-P
‫ﻧﻘﺸﻬﺎﻱ‬
‫ﻣﺪﻳﺮﻳﺘﻲ‬
–
AP
AR
AUA
‫ﺍﻧﺘﺴﺎﺏ ﮐﺎﺭﺑﺮ ﺑﻪ ﻧﻘﺶ‬
–
تعریف یک سری قوانین و محدودیت‌ها برای شبیه‌سازی MAC
تعریف یک سری عملیات به ازای هر رخداد برای شبیه‌سازی DAC
Roles
User Pool
MAC: جریان یک‌طرفه اطلاعات
DAC: Owner Based Administration
APA
‫ﻣﺠﻮﺯﻫﺎﻱ‬
‫ﻣﺪﻳﺮﻳﺘﻲ‬
‫ﺍﻧﺘﺴﺎﺏ ﻣﺠﻮﺯﻫﺎﻱ ﻣﺪﻳﺮﻳﺘﻲ‬
‫ﺑﻪ ﻧﻘﺶ‬
ARH
OS-U
‫ﺳﻠﺴﻠﻪ ﻣﺮﺍﺗﺐ‬
‫ﻧﻘﺸﻬﺎﻱ ﻣﺪﻳﺮﻳﺘﻲ‬
29
‫ﻣﺮﺍﺟﻊ‬
30
‫ ﻫﺎﻱ ﺗﺠﺎﺭﻱ‬DBMS‫ ﺩﺭ‬RBAC ‫ﻣﺸﺨﺼﺎﺕ‬
Oracle Enterprise Server version 8.0
Informix Online Dynamic Server Version 7.2
Sybase Adaptive Server release 11.5
از سه جنبه مورد بررسی قرار خواهند گرفت:
[1] S. Oh and R. Sandhu, “A model for role administration using organization structure”, ACM
SACMAT, 155-162, 2002.
[2] S. Osborn, “Information flow analysis of an RBAC system”, ACM SACMAT, 163-168, 2002.
[3] Chandramouli Ramaswamy and Ravi Sandhu “Role-Based Access Control Features in
Commercial Database Management Systems” , 21st National Information Systems Security , Jun
2005
[4] Bertino, E.; Sandhu, R. “Database security - concepts, approaches, and challenges” ,
Dependable and Secure Computing, IEEE Transactions, March 2005
[5] Ravi Sandhu and Venkata Bhamidipati, “An Oracle Implementation of the PRA97 Model for
Permission-Role Assignment”, ACM Workshop on Role-Based Access Control, Fairfax, VA, 1998
[6] He Wang and Sylvia L. Osborn "An Administrative Model for Role Graph Model" , Natural
Sciences and Engineering Research Council of Canada.
[7] Ravi S. Sandhu, Edward J. Coyne and Charles E. Youman, “Role-Based Access Control Models”,
IEEE Computer, 38-47, February 1996
[8] Ravi Sandhu, Venkata Bhamidipati, Edward Coyne, Srinivas Ganta, and Charles Youman,
"The ARBAC97 model for role-based administration of roles: Preliminary description and outline",
In Proceedings of the 2nd ACM Workshop on Role-Based Access Control, Fairfax, VA, November 6-7,
1997. ACM.
[9] He Wang and Sylvia L. Osborn "An Administrative Model for Role Graphs", In Data and
Applications Security XVII, pages 39–44, Kluwer, 2003.
اعطای نقش به کاربر
پشتیبانی ارتباطات و قیود در نقش
امتیازات قابل اعطا
31
–
–
–
32
8
Oracle و پشتیبانی ارتباط و قیود در نقش
Oracle و اعطای نقش به کاربر
اوراکل امکان دادن نقش به یک نقش و در نتیجه ایجاد ساختار
سلسله‌مراتبی نقش را دارد، گر چه نمی‌توان قیود اضافی یا
ارتباطات را بین نقش‌ها در declaration تعریف کرد:
–
اوراکل ارتباط چند به چند بین کاربر و نقش را پشتیبانی می‌کند.
PUBLIC در جمله GRANT
ADMIN OPTION
SET ROLE
اگر نقش دارای رمز عبور باشد، رمز عبور با عبارت IDENTIFIED BY مشخص و فعال
می‌شود.
در اوراکل می‌توان بیش از یک نقش را در SET ROLE مشخص کرد.
اوراکل دو گونه دیگر از جمله SET ROLE را دارد که به آن انعطاف‌پذیری بیشتری در
فعالیت‌ها می‌دهد:
بنابراین اوراکل جداسازی وظایف یا SoD را پشتیبانی نمی‌کند.
تعیین محدودیت در تعداد نقش‌ها برای اعضا ممکن نیست.
امکان تعریف قیود فقط تا حدی وجود دارد.
‫–‬
‫–‬
‫‪34‬‬
‫‪33‬‬
Oracle و امتیازات قابل اعطا
مقایسه خصیصه‌ها در DBMSها
مورد
‫‪36‬‬
‫‪9‬‬
‫‪All & Except‬‬
‫‪None‬‬
‫ﺧﺼﻴﺼﻪ‬
‫‪Informix‬‬
‫‪Sybase‬‬
‫‪Oracle‬‬
‫‪١‬‬
امکان دادن نقش به دیگر کاربران توسط grantee
‫√‬
‫‪-‬‬
‫√‬
‫‪٢‬‬
داشتن چند نقش فعال برای یک کاربر در یک نشست
‫‪-‬‬
‫√‬
‫√‬
‫‪٣‬‬
مشخص کردن نقش فعال به‌طور پیش‌فرض برای کاربر
‫‪-‬‬
‫√‬
‫√‬
ایجاد ساختار سلسله‌مراتبی نقش
‫√‬
‫√‬
‫√‬
جداسازی استاتیک وظایف و قیود روی نقش‌ها
‫‪-‬‬
‫√‬
‫‪-‬‬
جداسازی دینامیک وظایف و قیود روی نقش‌ها
‫√‬
‫√‬
‫‪-‬‬
‫‪٧‬‬
مشخص کردن حداکثر و حداقل کاردینالیتی اعضای نقش
‫‪-‬‬
‫‪-‬‬
‫‪-‬‬
‫‪٨‬‬
دادن امتیاز سیستمی DBMS به یک Role
‫‪-‬‬
‫√‬
‫√‬
‫‪٩‬‬
دادن امتیاز شی‌ای DBMS به یک Role
√
√
امتیازات سیستمی حقوقی هستند که با فرمان‌هایی نظیر CREATE
SESSION و CREATE TABLE و غیره اجرا می‌شوند.
امتیازات شی‌ای به کاربران اجازه می‌دهد که یک عمل خاص را روی یک
جدول خاص، view یا دنباله اجرا کنند.
هر دو شاخه امتیازات می‌توانند به نقش‌ها داده شوند. امتیازات سیستمی تنها
می‌توانند توسط DBA یا کاربری که این امتیاز را با ADMIN
OPTION دارد منتقل شوند. امتیازات شی‌ای تنها می‌توانند توسط صاحب
شی یا کاربری که این امتیاز را با GRANT OPTION دارد منتقل شوند.
‫√‬
‫‪35‬‬