National Digital Library of Theses and Dissertations in Taiwan
Graduate student: 吳美玉 (Mei-Yu Wu)
Thesis title: Designing Authorization Rules to Achieve Separation of Duty in Task-based Access Control Models
Thesis title (original): 設計授權準則以達到在工作為基礎的存取控制模式中之權責區分
Advisors: 劉敦仁 (Duen-Ren Liu), 黃景彰 (Jing-Jang Hwang)
Degree: Master's
Institution: National Chiao Tung University
Department: Institute of Information Management
Discipline: Computing
Field: General computing
Thesis type: Academic thesis
Year of publication: 1999
Graduation academic year: 87
Language: Chinese
Number of pages: 69
Keywords: Separation of Duty; Role-Based Access Control; RBAC; Task-Based Access Control; duty-conflict tasks
Abstract

Mutually exclusive roles are the basis for designing authorization rules to achieve separation of duty in role-based access control (RBAC) models. However, to adapt to changing business environments, enterprises need to operate with effective task management as well as task-based access control, and a mechanism based on roles alone cannot manage an enterprise's tasks effectively. Although some work has been done on role- and task-based access control, it either does not address separation-of-duty rules or offers rules that are merely simple extensions of the authorization rules of RBAC models. The different duty relationships among tasks are not considered when designing authorization rules for separation of duty.

This work presents a novel view that analyzes and defines different duty relationships among tasks from the perspective of how enterprises design and plan tasks. Several kinds of duty-conflict tasks are defined to represent various duty relationships, such as balancing, supervising and non-arbitrary relationships among tasks. On the basis of the defined duty-conflict tasks, the work examines the authorization and assignment of users, roles and tasks, and designs authorization rules for assigning tasks to roles and users so as to achieve separation of duty in role- and task-based access control models. The proposed work not only defines new duty-conflict tasks but also deduces new authorization rules that achieve variations of separation of duty, including supervision-based, work-dependent and coordination-based separation of duty.
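Abstract (Chinese)
Abstract (English)
Acknowledgements
Table of Contents
List of Figures
List of Tables
Chapter 1 Introduction
1.1 Research Motivation
1.2 Research Objectives
1.3 Research Contributions
1.4 Thesis Organization
Chapter 2 Literature Review
2.1 Role-Based Access Control Models
2.2 Separation of Duty
2.3 Task-Based Access Control and Authorization Control
2.4 The ADAGE System
Chapter 3 Analysis of Task Duty Conflicts
3.1 Task-Based Enterprise Environments
3.2 Analysis of Task Duty Conflicts
Chapter 4 Task-Based Separation of Duty
4.1 Task Duty-Conflict Relationships
4.2 Task Balancing Relationships
4.3 Supervision and Audit Relationships
4.4 Non-Arbitrary Task Duties
4.5 Coordination Relationships
4.6 Discussion of the Strictness of Authorization Control Policies
Chapter 5 Analysis and Discussion
5.1 Role Hierarchy
5.2 Task Hierarchy
5.3 Comparative Analysis
Chapter 6 Conclusions and Future Research Directions
6.1 Conclusions
6.2 Future Research Directions
References
Appendix 1: Definitions
Appendix 2: Rules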