Layer Model and Algorithm of Organization Authorization Based on Position Network

After the RBAC model was formalized in 1992 by David Ferraiolo and Rick Kuhn, models of organization authorization developed quickly. Among these models, the one based on a position network is expected to be widely used and has a promising future. This article presents algorithms for a single-layer model and a multi-layer model based on a position network, and an example of the algorithm is given at the end.

In modern complex government systems, too many roles have to be set up and assigned to users. If the duties or privileges of users change, or the objects in the system change, it takes a lot of time to adjust the User-Role and Role-Object relationships. The integration of different government application systems has been held back by this bottleneck. To improve efficiency and security and to reduce the workload of system maintenance, a "Position" was added between the "User" and the "Role". This brings the model closer to the reality of Chinese government.
After putting this into practice, we found that a direct and effective algorithm was needed to evaluate the rationality of the authorization process, ensure its rigour, and find problems. So the single-layer model algorithm and the multi-layer model algorithm for organization authorization were put forward.

Algorithm for Organization Authorization System
We can easily connect the users, positions, roles and objects in different systems with a network model, as shown in figure 1.
How do we look at the connections clearly and check whether they are right? We need to set up a model system to evaluate the feasibility of the connections.
According to the relationships of the "user" ontology, the "users" in e-government systems have the character of a social network. The "position" ontology also has the same character. To describe and express this character clearly, we describe the algorithm as follows.

Single-layer Model Algorithm for organization authorization system
Because of the complexity of government, the mapping between user ontology and position ontology is not one-to-one; it is a multi-mapping, as shown in figure 2.
Define a set of user ontology: , recorded as vector ; define a set of position ontology: , recorded as vector . We record the relationship between and as , and describe it in the form : . Shortening as , we get: . In particular, under this structure, if the only aim is to show whether and are connected, 0 and 1 are sufficient to express it.

If has no right to access , , record it as ; if has the right to access , , record it as .
In this way we get a matrix like , which is formed only of 0 and 1.
For consistency with the traditional model, the roles in the organization authorization system keep the same definitions and attributes as in the model. The roles can also form a layered structure. The mapping between positions and roles is a multi-mapping, as shown in figure 3.
Define a set of role ontology: , recorded as vector . We record the mapping between and as , and describe the mapping in the form of for , then: . We still use the descriptions of roles and operations from the model, and set up a multi-mapping between them. Allowing this greatly reduces the workload of distributing system functions, as shown in figure 4.
We define a set of operations: , recorded as vector . We record the mapping between and as , in the form of : . Shortening for , we get: .
From the matrices of the "User-Position", "Position-Role" and "Role-Operation" mappings, we can get the matrix for single-layer organization authorization. With , the relationships between the different parts of the system can be found easily.
We record as the elements of , where is the mapping between users and operations. So we get the Single-layer Model Algorithm for Organization Authorization System:

If , it shows that the user has the right to perform the operation ; if , it shows that the user has no right to perform the operation . From this matrix , all the operations each user can perform are shown clearly. This helps the system administrator check the rationality of each user's rights and enhances the reliability of the whole system.
From the above process, shows the relationship between users and positions, recorded as: ;

Multi-layer Model Algorithm for organization authorization system
In government practice, a pyramid-like structure has formed between the different layers and departments, and the same structure has been carried over into the systems built earlier. There are also many "pyramid" structures among positions.
Likewise, for easy configuration of organization authorization systems, "pyramid" structures have formed between roles in many systems based on .
Because of these multi-layer structures, we need to extend the single-layer model so that the authorization process can be verified more thoroughly.
For the multi-layer model, we add a column vector between each pair of layers. Each column vector consists of the mapping between the elements of the two layers.
For the multi-layer structure of positions, if the number of positions is and they have been divided into layers, we describe each position as and show the abstract description in figure 5.
We describe the whole position set as and describe the layer as ; if there are layers, we get vectors.
We get the relationship between layer and layer from the product of column vector and the transpose of column vector , and record it as : when has some relationship with , the value of is recorded as 1; if there is no relationship, it is recorded as 0. So we get a matrix that consists only of 0 and 1. Suppose there are layers in the position structure; then we get matrices in total, recorded as .
Multiplying these matrices one by one, we get the whole position structure matrix : . For roles with an abstract layer structure, figure 6 gives an example.
We use to describe the mapping matrix between two adjacent role layers, and then we can get the whole role structure matrix. The organization authorization system structure with multi-layer positions and roles is shown in figure 7.
Once the position structure matrix and the role structure matrix are obtained, we get the Multi-layer Model Algorithm for Organization Authorization System:
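The following is an added example, not code from the paper: it builds the single-layer User-Operation matrix as the boolean product of the User-Position, Position-Role and Role-Operation 0/1 matrices, and builds the multi-layer position structure matrix as the product of the adjacent-layer matrices. All mapping matrices are constructed sample data.

```python
"""Added example (constructed data, not from the paper): 0/1 mapping
matrices of an organization authorization system and their products."""


def bool_matmul(a, b):
    """Boolean matrix product: c[i][k] = 1 if some j has a[i][j] and b[j][k]."""
    return [[int(any(a[i][j] and b[j][k] for j in range(len(b))))
             for k in range(len(b[0]))] for i in range(len(a))]


def chain(*mats):
    """Multiply a sequence of mapping matrices in order (boolean product)."""
    result = mats[0]
    for m in mats[1:]:
        result = bool_matmul(result, m)
    return result


# Constructed sample: 3 users, 2 positions, 3 roles, 4 operations.
# Row = source element, column = target element, 1 = mapped.
USER_POSITION = [[1, 0], [0, 1], [1, 1]]
POSITION_ROLE = [[1, 1, 0], [0, 0, 1]]
ROLE_OPERATION = [[1, 0, 0, 0], [0, 1, 1, 0], [0, 0, 0, 1]]


def single_layer_user_operation():
    """Single-layer model: User-Position x Position-Role x Role-Operation."""
    return chain(USER_POSITION, POSITION_ROLE, ROLE_OPERATION)


def operations_of(user_op, user_index):
    """Operations a user can reach; what an administrator reviews per user."""
    return [k for k, v in enumerate(user_op[user_index]) if v]


# Constructed sample: positions in a 3-layer pyramid. Each adjacent-layer
# matrix records which upper-layer position is related to which lower one.
LAYER_1_2 = [[1, 1]]              # 1 top position over 2 middle positions
LAYER_2_3 = [[1, 1, 0], [0, 0, 1]]  # 2 middle positions over 3 bottom ones


def position_structure():
    """Whole position structure matrix: product of adjacent-layer matrices,
    i.e. which top-layer positions reach which bottom-layer positions."""
    return chain(LAYER_1_2, LAYER_2_3)


if __name__ == "__main__":
    uo = single_layer_user_operation()
    for u in range(len(uo)):
        print("user", u, "operations", operations_of(uo, u))
    print("position structure", position_structure())
```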

Example for Single-layer Model Algorithm
For a given existing organization authorization system, we analyze the internal relationships between users, positions, roles and operations.
Figure 8 shows the mapping between users and positions.
We get: ; Figure 9 shows the mapping between positions and roles, and we get: ; Figure 10 shows the mapping between roles and operations, and we get: ; The whole system mapping is shown in figure 11.
in the application of checking the middle layer mapping in organization authorization system.
