Abstract: To solve the problem of lack of consideration of remaining the external behavior of legacy system and making legacy access control policies easy to be evolved, this paper proposes a role engineering approach for legacy system based on FermaT transformation theory and set theory. The approach defines a set of transformation rules for access control policies, analyzes the management cost of transformation rules, gives the design criteria of role engineering of legacy system, and presents a transformation method based on the design criteria. A case study demonstrates that the proposed approach is feasible. Compared with other primary role mining approaches, the constructed roles are ease to be evolved. The role hierarchy is complete and irredundant. The approach is with the lowest cost in the condition of constructing necessary roles.

Key words: legacy system, role engineering, access control policy, transformation rules, role hierarchy

摘要： 针对角色工程方法欠缺关注遗留系统的外部行为不变性和易演化性的问题，基于FermaT转换理论和集合理论，提出一种遗留系统的角色工程方法。该方法给出访问控制策略的转换规则，分析转换规则的管理成本，讨论遗留系统角色工程的设计准则，并给出符合设计准则的角色工程方法。案例分析表明，该方法能够在生成角色的同时构造角色层次，与主要的角色挖掘方法相比，角色的粒度更加细化，角色层次完整且不冗余，在产生必要角色的前提下管理开销最低。

关键词: 遗留系统, 角色工程, 访问控制策略, 转换规则, 角色层次