Abstract: To improve the flexibility of controlling the depth of permission inheritance, the concept of threshold of privatization was introduced and a method based on it was proposed. Because the depth was defined as the difference between inheritance value and threshold of privatization, it could be changed by adjusting the threshold of privatization, with the precondition that the adjustment would not violate the static separation of duty. An algorithm was given to detect whether the adjustment would violate the static separation of duty. Through analyzing the relationship between permissions of static separation of duty and user's permissions, the algorithm minimized the number of users that need to be considered. Consequently, the time complexity of this algorithm is much lower than the one considering all users.

Key words: Role-Based Access Control (RBAC), private permission, privatization threshold, static duty separation, constraint detection

摘要： 针对现有方法对权限传播深度控制不灵活的问题，引入私有化阈值的概念，提出了基于私有化阈值的权限继承方法，并给出了一个静态职责分离约束检测算法。将权限的传播深度定义为权限传播值与私有化阈值之差，在确保不违背静态职责分离约束的前提下，通过调整私有化阈值控制权限的传播深度，避免了调整传播值所需的大量计算，实现了对权限传播深度的灵活控制。检测算法通过分析静态职责分离约束权限集与用户权限集的关系，将需要考虑的用户数降至最少，其时间复杂度比逐一验证法低多个数量级。

关键词: 基于角色的访问控制, 私有权限, 私有化阈值, 静态职责分离, 约束检测