（1.中南大学 测绘与国土信息工程系， 长沙 410083； 2.国家基础地理信息中心， 北京 100044)
　　
　　摘 要：针对传统的rbac模型所存在的问题，引入用户组进行了改进：除了rbac模型的角色授权外，增加了用户组对数据资源进行授权，使用户所拥有的权限变成用户所属角色的功能权限和用户所属部门的资源权限之和。改进后的混合授权的扩展模型(erbac)不仅有效解决了角色定义、用户职责、功能和资源等动态变化对系统所带来的问题,更增强了对用户授权的灵活性和可维护性，并且在实际项目中得到了应用。
　　关键词：访问控制模型； 角色； 用户组
　　中图分类号：tp393.08 文献标志码：a
　　 文章编号：10013695(2009)03109803
　　
　　extended access control approach based on role and group
　　
　　xing hanfa1,2, xu lilin2, lei ying2
　　
　　（1.dept. of geomatics, central south university, changsha 410083, china; 2. national geomatics center of china, beijing 100044, china）
　　
　　abstract: during further anglicizing rbac, this paper pointed out its shortcoming. this paper proposed an improved model named erbac. one way to grant user privilege was using role based on rbac, another way was using user group that introduced above. the improved mix granting method solved the mentioned problem and was very convenient, as well as made the system’s authority limitation management easier. meanwhile, it improved the safety of system. it had been used in some projects successfully.
　　key words：access control model; role; user group
　　
　　在信息系统安全机制中，访问控制是一项重要机制，有着许多重要应用。