
Computer Engineering, 2007, Vol. 33, Issue (05): 120-122. doi: 10.3969/j.issn.1000-3428.2007.05.042

• Security Technology •

Role Auto-assignment for Access Control

LI Jia1, XU Xiangyang2

(1. School Master Office, Hunan University, Changsha 410082; 2. School of Computer and Communication, Hunan University, Changsha 410082)

• Received: 1900-01-01 Revised: 1900-01-01 Online: 2007-03-05 Published: 2007-03-05

Abstract: Role-based access control (RBAC) is an effective policy for simplifying access control in enterprise information systems. In recent years, rules have been used to support the automatic management of user roles. By introducing the concept of function control sets and combining the advantages of roles and rules, this paper proposes a new security access control scheme suitable for large organizations. The scheme achieves role decomposition and fine-grained permission control, and manages user-role assignment automatically according to the enterprise's security management policy and the user's attributes. It also introduces a negative authorization policy, which enhances the flexibility and security of object permission assignment.

Key words: Access control, Role, Rule, Function control sets