Title :
Three-Layers Role-Based Access Control Framework in Large Financial Web Systems
Author :
Wen, Zhicha ; Zhou, Bo ; Wu, Di
Author_Institution :
Coll. of Comput. Sci., Zhejiang Univ., Hangzhou, China
Abstract :
There is a lot of sensitive and confidential data in the financial field, such as credit card numbers, stock numbers, fund numbers and so on. Therefore, a top-level security requirement is always imposed on financial systems, where a good access control framework is necessary. Traditional role-based access control frameworks lack control over data access granularity and often slow down the system, even though they provide an efficient access control model that restricts users' operations according to their roles. They can hardly meet the requirements of large financial systems. This article proposes and implements a Three-Layer Role-Based Access Control framework (TL-RBAC) which can perfectly meet the requirements of large financial systems. TL-RBAC implements access control in three layers: web pages, operations and data. Coarse-grained access control in the web page layer is used to filter anonymous attacks such as web scans and DoS attacks. Fine-grained access control in the operation and data layers guarantees that a user cannot perform operations or access data beyond his privilege. The performance testing report of the system shows that TL-RBAC meets the performance requirement in terms of system throughput and time per operation.
Keywords :
Internet; authorisation; financial data processing; DoS attacks; Web pages layer; Web scan; access control model; anonymous attacks; coarse-grained access control; credit card number; data access granularity; data layers; financial Web system; fine-grained access control; fund number; role-based access control framework; stock number; system throughput; three-layer role-based access control; top level security requirement; Access control; Computer hacking; Computer science; Credit cards; Data security; Educational institutions; Filters; System performance; Throughput; Web pages;
Conference_Title :
Computational Intelligence and Software Engineering, 2009. CiSE 2009. International Conference on
Conference_Location :
Wuhan
Print_ISBN :
978-1-4244-4507-3
Electronic_ISBN :
978-1-4244-4507-3
DOI :
10.1109/CISE.2009.5362682