HANOI UNIVERSITY OF SCIENCE AND TECHNOLOGY
SCHOOL OF INTERNATIONAL EDUCATION - SIE

INFORMATION SECURITY

Topic: TECHNIQUES FOR IMPLEMENTING ROLE-BASED SECURITY POLICY - RBAC

Group members: Đỗ Anh Thái, Lưu Thành Đồng, Phạm Thái Hoàng Giang, Đỗ Tiến Chúc

HANOI - 2012



List of terms and concepts

TERM              CONCEPT
MAC               Mandatory access control
DAC               Discretionary access control
RBAC              Role-based access control
ACL               Access control list
Role hierarchy    The hierarchy among roles
OPS               The set of operations on a specific object
Test              The process of running a program to check an algorithm or a specific problem
File              A text file object stored on the computer
Project           A project that has been created, for example in Eclipse
Session           A working session
User              A user of the system
Permission        A permission (right) to perform an operation
Role              A role
Expression        Expressions (here mainly conditional expressions)


CHAPTER 1. INTRODUCTION

1.1. Background

Role-based access control (RBAC) began with the multi-user and multi-application online systems pioneered in the 1970s. The central idea of RBAC is that permissions are associated with roles, and users are assigned to appropriate roles. This greatly simplifies the management of permissions. Roles are created for the various job functions in an organization, and users are assigned to roles based on their responsibilities and qualifications. Users can be reassigned from one function to another. Roles can be granted new permissions as applications and systems are incorporated, and permissions can be revoked from roles as needed. A role is regarded as a semantic construct around which access control mechanisms are formed. A particular collection of users and permissions brought together by a role is only transitory. The role is more stable because an organization's activities or functions usually change less frequently. A role may represent competency to do a specific task, such as a physician or a pharmacist. A role may also embody authority and responsibility, such as a project supervisor. Authority and responsibility are distinct from competency. Jane Doe may be competent to head several departments but is assigned to head only one. Roles may reflect specific duty assignments that are rotated among several users, for example the job of a duty physician or a shift manager. RBAC models and implementations should be able to conveniently accommodate all of these manifestations of the role concept. Many security mechanisms have been researched and deployed to suit different fields. Among the existing models, the most comprehensive is RBAC.

1.2. Objectives

The concept of RBAC and the implementation of Role Based Access Control (RBAC).


CHAPTER 2. CONTENT

2.1. Concept

In computer systems security, role-based access control (RBAC) is an approach to restricting system access to authorized users. It is used by the majority of enterprises with more than 500 employees, and it can implement mandatory access control (MAC) or discretionary access control (DAC). RBAC is sometimes referred to as role-based security. Role-based access control (RBAC) is a security feature for controlling user access to tasks that would normally be restricted to the root role. By applying security attributes to processes and to users, RBAC can divide the capabilities of the superuser among several administrators. Process rights management is implemented through privileges. User rights management is implemented through RBAC.

2.2. Three primary rules are defined for RBAC:

1. Role assignment: A subject can exercise a permission only if the subject has selected or been assigned a role.
2. Role authorization: A subject's active role must be authorized for the subject. With rule 1 above, this rule ensures that users can take on only roles for which they are authorized.
3. Permission authorization: A subject can exercise a permission only if the permission is authorized for the subject's active role. With rules 1 and 2, this rule ensures that users can exercise only permissions for which they are authorized.
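The three rules above, as a small added example that is not part of the original paper: a minimal RBAC core in PowerShell in which sessions activate roles and every permission check passes through rules 1 to 3 (the users, roles, permissions and the mutually exclusive role pair are constructed sample data).

```powershell
# Added example (not from the paper): RBAC core enforcing the three rules of 2.2.
# All users, roles and permissions below are constructed sample data.

# UA: user-role assignment (which roles each user may activate).
$script:UserRoles = @{
    'alice' = @('Operator', 'Auditor')
    'bob'   = @('SecurityOfficer')
}
# PA: role-permission assignment (abstract permissions, not OS read/write).
$script:RolePermissions = @{
    'Operator'        = @('read:resource')
    'SecurityOfficer' = @('change:access-rights')
    'Auditor'         = @('read:audit-trail')
}
# Static separation of duty: a pair of roles that may never be active together.
$script:ExclusiveRoles = @(, @('Operator', 'SecurityOfficer'))
# Sessions: the user and the roles currently active in that session.
$script:Sessions = @{}

function New-RbacSession {
    param([string]$SessionId, [string]$User, [string[]]$ActiveRoles)
    foreach ($r in $ActiveRoles) {
        # Rule 2 (role authorization): each active role must be authorized for the user.
        if (-not ($script:UserRoles[$User] -contains $r)) {
            throw "Role '$r' is not authorized for user '$User'"
        }
    }
    foreach ($pair in $script:ExclusiveRoles) {
        if (($ActiveRoles -contains $pair[0]) -and ($ActiveRoles -contains $pair[1])) {
            throw "Roles '$($pair[0])' and '$($pair[1])' are mutually exclusive"
        }
    }
    $script:Sessions[$SessionId] = @{ User = $User; Roles = $ActiveRoles }
}

function Test-RbacPermission {
    param([string]$SessionId, [string]$Permission)
    $s = $script:Sessions[$SessionId]
    # Rule 1 (role assignment): with no active role, no permission can be exercised.
    if ($null -eq $s -or $s.Roles.Count -eq 0) { return $false }
    # Rule 3 (permission authorization): the permission must belong to an active role.
    foreach ($r in $s.Roles) {
        if ($script:RolePermissions[$r] -contains $Permission) { return $true }
    }
    return $false
}

# Alice is assigned Operator and Auditor but activates only Auditor (least
# privilege): a role that is assigned but not active grants nothing in this session.
New-RbacSession -SessionId 's1' -User 'alice' -ActiveRoles 'Auditor'
Write-Output ("alice read:audit-trail -> " + (Test-RbacPermission 's1' 'read:audit-trail'))
Write-Output ("alice read:resource    -> " + (Test-RbacPermission 's1' 'read:resource'))

# Bob is not assigned Auditor, so rule 2 rejects the session outright.
try { New-RbacSession -SessionId 's2' -User 'bob' -ActiveRoles 'Auditor' }
catch { Write-Output "Rejected: $_" }
```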

According to a recent NIST study, RBAC addresses the needs of both commercial sectors and government. In this study of 28 organizations, access control requirements were driven by a variety of concerns, including consumer, shareholder and insurer confidence, privacy of personal information, prevention of unauthorized distribution of financial assets, prevention of unauthorized use of long-distance telephone lines, and upholding professional standards. Many organizations base access control decisions on the roles that individual users take on as part of the organization. Many organizations prefer to centrally control and maintain access rights, not so much at the discretion of the system administrator but in accordance with the organization's protection guidelines. The study found that organizations often view their access control needs as unique and feel that the available products lack sufficient flexibility. Roles are part of the emerging SQL3 standard for database management systems, based on their implementation in Oracle 7. Roles are closely tied to the commercial security landscape. RBAC is also consistent with prevailing technology and business trends. A number of products directly support some form of RBAC; others support closely related features, such as user groups, that can be used to implement roles.

2.3. Purpose

The principal motivation behind RBAC is to make security administration and review more convenient. Many commercially successful access control systems for mainframes implement roles for security administration. For example, an operator role can access all resources but cannot change access permissions, a security officer role can change permissions but has no access to the resources, and an auditor role can access the audit trails. The use of such administrative roles is also found in modern network operating systems such as Novell's NetWare and Microsoft Windows NT. The renewed interest in RBAC focuses mainly on the ability to use RBAC at the application level. In the past, and still today, particular applications have been built with RBAC encoded within the application itself. Existing operating systems and environments provide very little support for application-level RBAC. This capability is now beginning to appear in products. The challenge is to identify application-independent facilities that are sufficiently flexible, yet simple to implement and use, to support many applications with minimal customization. Sophisticated variations of RBAC include the ability to establish relations between roles, as well as between permissions and roles and between users and roles. For example, two roles can be established as mutually exclusive, so that the same user is not allowed to take on both roles. Roles can also have inheritance relations, whereby one role inherits the permissions assigned to another role. These role-role relations can be used to enforce security policies that include separation of duties and delegation of authority. Previously these relations were encoded in application software; with RBAC they are specified once for a security domain. With RBAC one can define role-permission relations, which makes assigning users to defined roles easy. The NIST study [1] indicates that the permissions assigned to roles tend to change relatively slowly compared with changes in user membership of roles. The study also found it desirable to allow administrators to grant or revoke user membership in existing roles without giving these administrators the authority to create new roles or change role-permission assignments.


Assigning users to roles will typically require less technical skill than assigning permissions to roles. Without RBAC, it is difficult to determine which permissions have been authorized for which users. Access control policy is embodied in the various components of RBAC, such as role-permission relations, user-role relations and role-role relations. These components together determine whether a particular user will be allowed to access a particular piece of data in the system. RBAC components may be configured directly by the system owner, or indirectly by appropriate roles delegated by the system owner. The policy in effect in a particular system is the final result of configuring the various RBAC components, directly or indirectly, by the system owner. Moreover, the access control policy can evolve incrementally over the system's life cycle, and in large systems this is almost certain to happen. The ability to modify policy to meet the changing needs of an organization is an important benefit of RBAC. Although RBAC is policy-neutral, it directly supports three well-known security principles: least privilege, separation of duties, and data abstraction. Least privilege is supported because RBAC can be configured so that only those permissions required for the tasks conducted by members of the role are assigned to the role. Separation of duties is achieved by ensuring that mutually exclusive roles must be invoked to complete a sensitive task, such as requiring an accounting clerk and an account manager to participate in issuing a cheque. Data abstraction is supported by means of abstract permissions such as credit and debit for an account, rather than the read, write and manage permissions typically provided by the operating system. However, RBAC does not itself enforce these principles: the security officer could configure RBAC so that it violates them. Moreover, the degree to which data abstraction is supported will be determined by implementation details. RBAC is not a solution for every access control problem. More sophisticated forms of access control are needed when dealing with situations in which a sequence of operations must be controlled. For example, a purchase requires several steps before the purchase order can be issued. RBAC does not directly control the permissions for such a sequence of events. Other forms of access control can be layered on top of RBAC for this purpose. Controlling a sequence of operations is outside the scope of RBAC, although RBAC may be a foundation on which to build such controls.

IMPLEMENTING Role Based Access Control - RBAC

2.4 Installing Exchange Server 2010

Hardware requirements:
- Processor cores: Minimum: 2, Recommended: 8, Maximum: 24
- Memory: Recommended: 8, Maximum: 64

Infrastructure requirements:
- Active Directory: the Schema master must run Windows Server 2003 SP2, Windows Server 2008 or Windows Server 2008 R2; all Global Catalog servers must run Windows Server 2003 SP2, Windows Server 2008 or Windows Server 2008 R2; the Domain and Forest functional level must be at least Windows Server 2003 mode
- DNS: make sure the names of the Domain Controllers and DNS Servers resolve successfully

OS, Roles & Features requirements:
- Windows Server 2008 or Windows Server 2008 R2, 64-bit
- The Net.Tcp Port Sharing Service must be started (Startup Type: Automatic)
- 2007/2010 Office System Converter: Microsoft Filter Pack
- Web Server (IIS) server role: ISAPI Extensions, IIS 6 Metabase Compatibility, IIS 6 Management Console, Basic Authentication, Windows Authentication, Digest Authentication, Dynamic Content Compression, .NET Extensibility
- Windows Server 2008 features: Microsoft .NET Framework 3.5 (SP1) or later, WCF HTTP Activation, RPC over HTTP Proxy, Active Directory Domain Services (AD DS) management tools, Windows Remote Management (WinRM), Windows PowerShell Version 2

Steps to install Exchange Server 2010:
1. Raise the Domain & Forest functional level
2. Install the Office System Converter: Microsoft Filter Pack
3. Install the Roles & Features
4. Start the Net.Tcp Port Sharing Service
5. Install Exchange Server
6. Verify the installation
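Steps 3 and 4 of the procedure above as one script, added here as an example and not taken from the paper: it maps the IIS and .NET components listed under the requirements to their Server Manager feature names on Windows Server 2008 R2, starts the port sharing service, and checks both before Exchange setup is run (the Filter Pack of step 2 is a separate manual download and is only noted in a comment).

```powershell
# Added example (not from the paper): prerequisite roles, features and service
# for Exchange Server 2010 on Windows Server 2008 R2, followed by a check.
# Step 2 (Microsoft Filter Pack) is a separate download installed by hand.
Import-Module ServerManager

# Step 3: the IIS and .NET components from the requirements list, by feature name.
$Features = @(
    'NET-Framework',            # Microsoft .NET Framework 3.5 SP1
    'NET-HTTP-Activation',      # WCF HTTP Activation
    'RPC-over-HTTP-proxy',      # RPC over HTTP Proxy
    'RSAT-ADDS',                # AD DS management tools
    'Web-Server',               # Web Server (IIS) server role
    'Web-ISAPI-Ext',            # ISAPI Extensions
    'Web-Metabase',             # IIS 6 Metabase Compatibility
    'Web-Lgcy-Mgmt-Console',    # IIS 6 Management Console
    'Web-Basic-Auth',           # Basic Authentication
    'Web-Windows-Auth',         # Windows Authentication
    'Web-Digest-Auth',          # Digest Authentication
    'Web-Dyn-Compression',      # Dynamic Content Compression
    'Web-Net-Ext'               # .NET Extensibility
)
# Some features (RSAT-ADDS in particular) need a reboot; re-run the check below afterwards.
Add-WindowsFeature -Name $Features

# Step 4: Net.Tcp Port Sharing Service set to Automatic and running.
Set-Service -Name NetTcpPortSharing -StartupType Automatic
Start-Service -Name NetTcpPortSharing

# Check: every feature installed and the service running, otherwise stop here.
$missing = Get-WindowsFeature -Name $Features | Where-Object { -not $_.Installed }
if ($missing) {
    throw ("Not installed: " + (($missing | ForEach-Object { $_.Name }) -join ', '))
}
if ((Get-Service -Name NetTcpPortSharing).Status -ne 'Running') {
    throw 'Net.Tcp Port Sharing Service is not running'
}
Write-Output 'Prerequisites for Exchange Server 2010 are in place.'
```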

2.5 Extending the permission levels with RBAC (Role Based Access Control) by deploying the Predefined Role Groups through the graphical interface of the Exchange Control Panel

Essentially, Microsoft Exchange Server 2010 has been improved and integrates a new Role Based Access Control (RBAC) permission feature, and this model gives users more ways to monitor, create and assign permissions to different administrative accounts. The roles assigned in this way reflect the administrator's actual job in the organization's operating model. Before Exchange Server 2010, Microsoft Exchange administrators who had to create new admin accounts or assign permissions to existing accounts often had considerable difficulty deciding which Administrator group to apply. Each Administrator group contained many different permission levels, and the older Exchange versions offered only a few Admin groups to choose from. As a result, the only solution was to assign accounts permission levels that did not really fit the system.

a, Role Group and Role: To continue, we need to clearly understand the basic concept in RBAC, which is the relationship between role group, role, cmdlet (commandlet) and parameter. First, a role can be seen as the set of tasks that an administrative account is able to perform. For example, the Mail Recipients role allows an Administrator account to manage mailboxes, mail users and mail contacts. When an administrative account is assigned a role, it has the permission level corresponding to that role. Granting the right to perform certain tasks can be understood, loosely, as granting access to the cmdlets or parameters tied to those tasks. In some special cases, one Admin account may be assigned several different roles. Technically, we can group roles together, arranging them into a group called a role group, and then, instead of assigning many roles to an account, we simply substitute the corresponding role group. Conversely, users can assign several members of the Administrator group to one role group. This means that all accounts in the Admin group will be able to perform the same roles, and will have access to the cmdlets and parameters in that role.

b, Predefined Role Groups and Roles: Exchange 2010 also provides Predefined Role Groups that we can use in place of custom RBAC configuration if we do not yet fully understand the specific features and the way RBAC works. Counting all the Predefined Role Groups (also called Predefined Universal Security Groups) there are 16 in total. However, only 11 of them are actually used for RBAC; the rest are used directly by Exchange. In this paper we mainly focus on the RBAC role groups. The Predefined Role Groups used in Exchange Server 2010 Role Based Access Control are:
- Delegated Setup: for administrators who need to deploy an Exchange 2010 server model provisioned by the Organization Management role group.
- Discovery Management: for Admin accounts that want to search for data in the mailbox system based on priority information as well as the mailbox's configuration settings.
- Help Desk: used to check general information and change the options of Microsoft Office Outlook Web App.
- Hygiene Management: change the security mode in Exchange.
- Organization Management: for administrative accounts that want full access to the entire Exchange 2010 system.
- Public Folder Management: used to manage public folders and databases on servers running Exchange 2010.
- Recipient Management: manage and monitor the recipient part of Exchange 2010.
- Records Management: usually applied to configure and set up features such as classification policies, notifications and data flow rules.
- Server Management: for administrators who want to configure the server's transport mode separately, Unified Messaging (UM), client access and mailbox.
- UM Management: used to manage server configuration steps related to UM, mailbox attributes, alert information, and so on.
- View-Only Organization Management: view and check the attributes of any object in Exchange.

c, Predefined Role: First, we open the Exchange Management Console; in the left-hand pane we select Toolbox, scroll down and click Role Based Access Control (RBAC) as in the figure below:


We are then taken to the Exchange Control Panel, where the system asks the user to log in. After that, open Administrator Roles:


Under Role Groups we see all 11 Predefined Role Groups mentioned above. Each time any role group is selected, the system displays its Description, the roles assigned to it (called Assigned Roles), and the administrative accounts assigned those roles (called Members) in the right-hand pane.

To assign any Member to a Predefined Role Group, we simply double-click the corresponding Predefined Role Group in the list. For example, when Discovery Management is selected, the system displays the main control window as in the figure below:


Here we see the name of the role group (in this example, Discovery Management), a short description of the role group, its Assigned Roles, and the member list at the bottom of the window (usually empty). To add a member, we click the Add button shown in the screenshot above. In the next window, find and select the name of the Admin account to assign, then click OK:


We now see the newly assigned member under Members, as in the figure below:


To assign more accounts we repeat the steps above, and click Finish when done. Note, however, that not only can several Admin accounts be made members of a role group, but several role groups can also be assigned to a single Admin account. This is done inside Administrator Roles:

d, How RBAC works: Before ending this part, let us review how RBAC operates using the illustration commonly called the Triangle of Power:


This model is built from four main components: Where, What, Who and Glue. In it:
- Where, or Scope, represents the objects to which the tasks of a role can be applied, among the supported object types, such as an individual user account, a group of users, or the whole organization.
- What, or Role, corresponds to what the role is able to do. In practice Exchange Server 2010 has a total of 65 roles available to users.
- Who, or Role Group, as mentioned earlier, is simply a set of several roles arranged together. We can combine it with a Scope to form a complete Role Assignment object.
As mentioned above, using RBAC's predefined role groups can simplify the process of delegating administrative permissions to many different Administrator accounts. However, what we have just discussed is only the coarse-grained way of delegating permissions through RBAC. But what if we want an administrative account to configure transport rules without affecting retention or message rules? Clearly, assigning the account to the Records Management group will not meet that need, because the system would grant more permissions than necessary.


2.6 When finer-grained permissions are needed than the Predefined Role Groups provide: using the Exchange Management Shell

a, Checking the RBAC configuration through the Exchange Management Shell: In this part we look at the technical information in the Exchange Management Shell as well as in the Exchange Control Panel. For example, we can use the Exchange Control Panel (screenshot below) to check the Assigned Roles belonging to the Recipient Management role group:

To do the same in the Exchange Management Shell, we type the command: Get-RoleGroup "Recipient Management" | fl


This is the result the system displays when we press Enter. Note that the Assigned Roles information (in the red box) matches the two screenshots above exactly. Besides the roles, we can also see the short Description of the Recipient Management role group, its members (empty at this point) and much other information:

However, what we have seen so far does not show any advantage of the Exchange Management Shell over the Exchange Control Panel. To look deeper, we work through the scenario below. Suppose your company has just decided to hire a few administrative staff as interns, and your task is to give them a certain level of permission to set up and configure the related attributes: Office, Phone no., Mobile no., Department and Manager. As mentioned in part 1 of this article, this can easily be done by assigning each Admin account the full Mail Recipients role. However, doing so would also give them full access to other parts of the system, which is neither planned nor required. Let us look at how risky this situation is if the administrator grants the entire Mail Recipients role, by listing the Role Entries (cmdlets and parameters) tied to that specific role. First, we open the Exchange Management Shell and type: Get-ManagementRoleEntry "Mail Recipients\*" The system displays information as in the figure below:

We can easily see that the role has a great many entries. Certainly nobody would ever want to grant all of these Admin rights to interns. The solution here is to create a small role within the Mail Recipients role and grant them only the rights they need.

b, Planning with RBAC and understanding the cmdlets: Before starting to work with the Exchange Management Shell and running cmdlets, we need to prepare and plan specifically.

Scope - Where: The first thing to do is to determine the Scope object, also called Where. Normally we would need to use the New-ManagementScope cmdlet to create a new scope. However, since we derive the new management role from a parent role and omit an explicit scope, the new role inherits the functionality and scope of the parent role. So there is no need to create a scope, and no need to use the New-ManagementScope cmdlet. Instead, like the parent role, the newly created role will provide Read-Write functionality over recipient information, data and configuration for the whole system.

Role - What: The next component is the Role, because the Mail Recipients role that we want the new role to inherit from is tied to a great many entries that are not really needed. The way to do this is:
- Use the New-ManagementRole cmdlet to give the new management role a name (for example ExInterns) and specify the parent role the new role inherits from (for example Mail Recipients).
- Remove all the entries inherited from the Mail Recipients role, then rearrange everything with the Get-ManagementRoleEntry, Remove-ManagementRoleEntry and Add-ManagementRoleEntry cmdlets.

Role Group - Who: The last thing to do is to create the Role Group, or Who, using the New-RoleGroup cmdlet. This is also the step that ties the pieces above (Where and What) together into a complete Role Assignment.

c, Configuring RBAC through the Exchange Management Shell: To create a role named ExInterns that inherits the functionality of the Mail Recipients role, we type: New-ManagementRole -Name ExInterns -Parent "Mail Recipients" After pressing Enter, the system displays the result as in the figure below:

This means the ExInterns role has been created successfully. Next, we need to collect all the management role entries of ExInterns and remove them, except for one. That is because the system always requires at least one role entry to remain. So we keep the Get-User cmdlet, and we want the ExInterns role to take advantage of the Set-User cmdlet, which only works effectively in combination with Get-User. Type the command: Get-ManagementRoleEntry "ExInterns\*" | Where {$_.Name -ne "Get-User"} | Remove-ManagementRoleEntry Basically, Set-User is what lets the interns configure mailboxes. Right after pressing Enter, we see the message shown in the figure below:

Then a long series of confirmation prompts appears; press A for Yes to All, Y for Yes, N for No and L for No to All. After that, type: Get-ManagementRoleEntry "ExInterns\*"

We can easily see that, unlike the first time the cmdlet was run, the new ExInterns role no longer contains the role entries inherited from the parent role as before. At this point we are ready to add the role entry that lets the Exchange interns configure Office, Phone no., Mobile no., Department and Manager, as required. To do so, we type: Add-ManagementRoleEntry "ExInterns\Set-User" -Parameters Office,Phone,MobilePhone,Department,Manager

Note that if the -Parameters Office,Phone,MobilePhone,Department,Manager part is omitted, the Exchange interns would have access to every parameter of the Set-User cmdlet. So we have not only restricted the interns to the Get-User and Set-User cmdlets, but also restricted Set-User specifically to its Office, Phone, MobilePhone, Department and Manager parameters.


Finally, we create the Role Group (for example ExInterns) and specify the role to assign to it (for example ExInterns) by typing: New-RoleGroup ExInterns -Roles ExInterns

The next step here is the Role Assignment ExInterns-ExInterns. To check, we can list all current role groups with Get-RoleGroup. The result looks like the figure below:
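The whole shell procedure of section 2.6 as one script, added here as an example and not the paper's own listing: it creates the child role, strips the inherited entries, adds the parameter-limited Set-User, creates the role group, and then verifies that the role exposes nothing beyond Get-User and the five planned Set-User parameters (assumes an Exchange Management Shell session with rights to manage roles).

```powershell
# Added example (not from the paper): the ExInterns procedure of section 2.6
# as one script, with the quoting the shell requires and a final verification.
$RoleName   = 'ExInterns'
$ParentRole = 'Mail Recipients'
$Allowed    = 'Office', 'Phone', 'MobilePhone', 'Department', 'Manager'

# What: a child of Mail Recipients; with no explicit scope it inherits the
# parent's role entries and the parent's scope (Where).
New-ManagementRole -Name $RoleName -Parent $ParentRole

# Remove every inherited entry except Get-User (a role must keep at least one
# entry, and Set-User is only useful together with Get-User). -Confirm:$false
# suppresses the per-entry prompts described in the text.
Get-ManagementRoleEntry "$RoleName\*" |
    Where-Object { $_.Name -ne 'Get-User' } |
    Remove-ManagementRoleEntry -Confirm:$false

# Add Set-User back, limited to the five parameters the interns need.
Add-ManagementRoleEntry "$RoleName\Set-User" -Parameters $Allowed

# Who: the role group; New-RoleGroup also creates the role assignment.
New-RoleGroup -Name $RoleName -Roles $RoleName

# Verify before anyone is made a member: exactly Get-User and Set-User must
# remain, and Set-User must expose no parameter outside the planned list.
$entries = Get-ManagementRoleEntry "$RoleName\*"
$names   = ($entries | ForEach-Object { $_.Name } | Sort-Object) -join ','
if ($names -ne 'Get-User,Set-User') {
    throw "Unexpected role entries in ${RoleName}: $names"
}
$setUser = $entries | Where-Object { $_.Name -eq 'Set-User' }
$extra   = $setUser.Parameters | Where-Object { $Allowed -notcontains $_ }
if ($extra) {
    throw "Set-User exposes unplanned parameters: $($extra -join ', ')"
}
Write-Output "$RoleName is limited to Get-User and Set-User with: $($Allowed -join ', ')"
```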

After that, you can assign the interns to the ExInterns role group. Assigning User accounts to the role group: Although we can assign User accounts to the role group with the Exchange Management Shell, this is simpler with the Exchange Control Panel. So switch back to the Exchange Control Panel, choose the Administrator Roles tab, and click Refresh to see the newly added role group:


Next, find the ExInterns role group and double-click it:

The role group's settings window appears; click the Add button to add a new member:


We can select one or more user accounts to add here; each selected member is shown in the text box. Click OK when done:


Back in the role group's main window, the newly added members are displayed. Click Save:


Whereas older versions of Exchange offered only a few Administrator groups to choose from, the new RBAC permission model in Exchange 2010 lets users set up and create many more configurations, improving the flexibility of the role assignments provided by Role Based Access Control and helping administrators define roles and permissions far more precisely and specifically than before.


References

1. http://en.wikipedia.org/wiki/Role-based_access_control
2. Using Role-Based Access Control (Tasks), http://docs.oracle.com/cd/E19963-01/html/8211456/rbactask-1.html
3. National Institute of Standards and Technology, FAQ on RBAC models and standards, and the research of David Ferraiolo and Richard Kuhn, http://csrc.nist.gov/groups/SNS/rbac/faq.html
4. Ferraiolo, D.F. and Kuhn, D.R. (October 1992). "Role-Based Access Control"
5. http://www.quantrimang.com.vn/hethong/Server/84486_Tim-hieu-ve-Permission-va-Role-Based-Access-Control-RBACphan-1.aspx?pageid=1
6. http://www.quantrimang.com.vn/hethong/Server/84509_Tim-hieu-ve-Permission-va-Role-Based-Access-Control-RBACphan-2.aspx?pageid=2
