Research on authorization model of the hottest pdm

  • Detail

Research on authorization model of pdm/plm system

1. preface

pdm/plm system security is ensured by the cooperation of authentication, access control, audit, encryption and other technologies. Access control technology is the central link of system security, which ensures the confidentiality, integrity and availability of data. Today, with the increasing degree of enterprise informatization, the access control technology in pdm/plm system plays a more and more important role. Access control technology and authorization model affect the usability, ease of use and security of pdm/plm system to a great extent

at present, there are many kinds of access control models for information systems, such as matrix model, autonomous access control model, mandatory access control model, role-based access control model, workflow access control model, etc. the authorization models of most pdm/plm systems are often the synthesis of the above authorization models

2. comparison of mainstream pdm/plm system authorization models

Table 1 gives the comparison of several mainstream pdm/plm system authorization models. The following mainly introduces the features of these systems in terms of authorization model

2.1 windchill

windchill adopts the concept of domain. A domain is a collection of objects of different types. Different access control policies and access control permissions can be defined on each different domain

the access control policy on each domain is composed of a series of access control rules. Access rules specify the access rights of the subject to the object in various life cycle states. The general form of a rule is "If then". These rules can spread from parent class to child class along the class tree. Windchill uses ACL (access control list) to reflect the access control rules on an object

2.2 Teamcenter enterprise

the permission control in Teamcenter enterprise uses the "rule-based" method, which can control the user's operation permission through rules, control the operation permission of users, roles, workgroups and departments on an object, a class of objects or data warehouses, and can be combined with electronic processes

teamcenter enterprise supports three types of rules:

access control rules

notification rules

location selection rules

teamcenter enterprise puts forward the concept of dynamic user. A user can have certain permissions only when certain attribute conditions are met

2.3 Teamcenter engineering

teamcenter engineering controls users' access to data documents in two ways:

object-oriented access control method

implement classified access control on data objects based on rules

among them, rule method is a kind of thick line management method. In rule_based access control, users can The three attributes of the user or group uniformly determine the range of personnel who can access the data

teamcenter engineering also uses role-based access control. A user must log in as a role to obtain the corresponding permissions

teamcenter engineering initializes the permission model by accessing the rule definition table, which is easy to read

3. Diversification of pdm/plm authorization requirements

although great progress has been made in the research and application of pdm/plm system authorization models, these models can not fully support the various authorization requirements put forward by customers in actual use. These requirements are mainly reflected in the following aspects:

diversification of subjects: permissions need to be defined not only on users and roles, but also on other types of subjects. For example, a user can form a static organization by grouping, or a project group by dynamic grouping. Sometimes it is necessary to define permissions on these static and statistical organizations and project groups

diversity of permissions: permissions can be divided into object type permissions, object permissions, attribute permissions, component permissions, management permissions, secondary allocation permissions, agent permissions, etc. according to different object applications. Ordinary class based authorization can no longer meet the actual application requirements. It is necessary to establish permission control over instantiated objects and object attributes of classes. In addition, compared with users and classes, the number of instantiated objects is very large. How to ensure the efficiency of access verification is the biggest problem in the implementation of the performance characteristics of the authorized model microcomputer controlled electronic control testing machine

permission change of an object in its life cycle: the same user has different permissions for the same object in different life cycles of the object. If the designer has the permission to modify the drawing object in the design stage, after the drawing is published, the designer has only the permission to browse and read. This requires that permissions be defined on the life cycle of the object

unified authorization model framework: with the development of pdm/plm system, more and more subsystems are included in pdm/plm system. For example, in addition to the traditional data management subsystem, many pdm/plm systems also integrate workflow subsystem, ERP subsystem, CAD subsystem, etc. This requires that there must be a unified authorization framework to support the permission to control the data in these subsystems in pdm/plm, and the permission cannot be controlled only by the authorization model of each subsystem

hierarchical permission management: at present, the permission management of most pdm/plm systems is performed by the global system administrator, who is responsible for allocating the permissions of the entire system. Because the system administrator can do everything, in fact, the system administrator has become the biggest vulnerability of enterprise security. In practical applications, there are often various conflicts of interest between departments. Therefore, in the implementation of data management, not only the global data, but also each department will have its own data. This requires that the administrator's authority must be limited and cannot access the private data of each department at will. In addition, in terms of actual operation management, the system administrator can not understand in detail the requirements of personnel in various departments for permission use, and can not better set the permissions of the enterprise. Therefore, it is necessary to establish a hierarchical authority administrator

combination of rule authorization and matrix authorization: rule authorization based on conditional expression has high flexibility, but when the number of rules increases, the efficiency of the system will be greatly reduced, because rules need to be judged one by one. Another object may appear in multiple rules, so a complex mechanism is needed to deal with authorization conflicts between rules. Matrix based authorization has high efficiency because it can directly use the query mechanism of the database. 4 Build a service-oriented enterprise. However, the authorization based on matrix has poor flexibility and scalability. How to combine these two methods to realize flexible and efficient authorization mechanism to meet the increasingly complex needs of enterprises for authorization is a greater challenge to the pdm/plm system permission model

4. Tiplm's authorization model

qingruo Yingtai's product lifecycle management system - tiplm is based on Net using multi tier architecture. There are special security service modules in the underlying services of tiplm to provide unified security services for each module and application of tiplm. Permission verification is an important part of these security services. In order to meet the actual needs of enterprises, the permission model of tiplm has been extended in many aspects on the basis of role-based and process based authorization models. Its main features are reflected in the following aspects

4.1 unified authorization framework

tiplm's authorization model system framework is shown in Figure 1. It includes five modules and four interfaces. The authorization logical model defines the logical rules for permission verification. Ordinary users use the tidesk module to complete their work, and tidesk verifies the access rights of users through interface 1. The permission administrator uses the timodeler module to set permissions through interface 2. The system customizer uses tipolicy to customize the meta model and plug-in extension authorized by the enterprise through interface 3. Through interface 4, permission verification rules that conform to the logical model for different databases (such as Oracle, SQL server, etc.) can be implemented

4.2 multi level spreading mechanism

there are many types of subjects and objects in the pdm/plm system, such as users, roles, organizations, and classes, instantiated objects, and object attributes. These different types have various dependencies and constraints. Therefore, the relationship between these types must be comprehensively considered in the actual permission verification. Tiplm system adopts multi-level spreading mechanism to ensure the correctness and ease of use of authority verification

according to these different propagation rules, the tiplm system authorization model internally defines different permission verification interfaces, realizing a flexible and extensible mode. The authorization model only provides a unified verification interface for external users. Through this interface, applications can obtain the permission verification results after the spread of various hosts and objects, without caring about the spread relationship between various hosts and objects

4.3 unified authorization mechanism

with the wide application of workflow system, more and more application data appear in workflow system, and the demand for permission control of these data is becoming more and more complex. At present, most pdm/plm systems adopt workflow systems that are independent of pdm/plm. Therefore, for users and data in pdm/plm, a complete authorization mechanism must be re established in the workflow system. On the one hand, it increases the difficulty of system development. On the other hand, it increases the workload of administrators in the process of implementation and operation, because administrators must set the permissions of pdm/plm system and workflow system at the same time. Moreover, most of the current workflow systems' permission control can not reach the strength of pdm/plm system's permission control

tiplm adopts a unified authorization framework and uses the same set of mechanisms for non process and process data authorization. When verifying permissions, users can completely ignore whether they need to obtain permissions through process tasks. The underlying logical model can automatically determine whether process authorization verification is required through the meta model defined by tipolicy. Through timoldeler, administrators can directly manage the authorization of processes. Moreover, only specific permissions in the process need to be set, and the default permissions are handed over to the tiplm system for unified processing, which greatly simplifies the work of the administrator and increases the strength of permission verification

4.4 multi level permission management

tiplm adopts a multi-level authorization management model based on the management role tree to manage and allocate permissions. As shown in the following figure. After the multi-level management role is adopted, the authority administrator of the design department of branch 1 can only manage the personnel, roles, organizations, workflows, controlled objects and other authorities of the design department, but cannot manage the sales department and manufacturing department of branch 1, and the personnel, roles, organizations and testing machines of branch 2 and branch 3 Workflow, controlled object and other permissions. This multi-level authorization management model better supports the actual permission management needs of large enterprises or group enterprises, and has great flexibility

5. conclusion

various specific requirements of enterprises for pdm/plm system authorization are implemented by the enterprise pdm/plm system

Copyright © 2011 JIN SHI