臺灣博碩士論文加值系統

今日的企業在成本與便利性的考量下，多半以結合群組概念的任意型存取權控制 (Discretionary Access Control，簡稱DAC) 作為其資訊系統的執行權管制方式。不過，這種傳統的控管方式缺乏組織層級架構與權責區分的管理，無法完全符合企業對資訊系統安全上的要求，於是以職務為基礎的執行權管制 (Role-Based Access Control，簡稱RBAC) 因應而生。RBAC 是以職務概念為核心，建立使用者對資訊資源執行權限的管理，較貼近現今企業組織的運作模式，符合企業資訊系統的需求。然而，要將 RBAC 機制導入現有 web-based 的企業資訊系統，往往需要大幅修改系統而導致難以整合的困境。因此，本論文針對 web-based 的企業資訊系統導入 RBAC 概念進行探討，應用 RBAC 伺服器與 XML RBAC (XRBAC) 方法，以快速促進 RBAC 與企業資訊系統的整合。
透過本論文發展的RBAC 伺服器與 XML RBAC (XRBAC) 方法，可以讓企業在不影響現有系統架構與介面的前提下，整合 RBAC 與 web-based的企業資訊系統。RBAC 伺服器負責儲存企業的資訊安全政策以及存取權資訊樣板，以方便管理與產生存取權資訊 (access control information generator)；XML RBAC則可視為存取權管制處理元件，其功能除了利用 XML 技術，進行企業資訊系統與RBAC伺服器間訊息的傳遞與處理外，還可以將工作流程的處理資訊附加於系統文件之後，以便日後資料的收集、整理，輔助資訊系統的稽核。最後，本論文以聯維科技股份有限公司所提供的電子金融服務入口 --- Financial XML over Internet (簡稱XOI) 為案例，探討本論文實作的可行性。

Most information systems in enterprises group users into several sets of members and then utilize Discretionary Access Control (DAC) to carry out the enforcement of security policies. Such method could seldom truly satisfy the needs of enterprises, because the information security policies must reflect the privilege setting for organizational functioning. A simple grouping is not sufficient. Aiming at information security management for organizations, including business enterprises, Sandhu introduced a new model, called Role-Based Access Control (RBAC), for defining access control policies. The model is powerful due to its flexibility in assigning access privileges to various roles and grouping users into role hierarchies. Separation of duty--an essential concept from the viewpoint of organizational control--can be described using this model.
Though RBAC has been studied for quite a few years and has been recommended as a national standard of the United States, successful implementations of the model usually demand massive modification of working systems. In this thesis, the author presents a new system architecture, which allows the RBAC model to be easily integrated with working information portals. In this architecture, the function of RBAC is detached from business functions of the information portals. Two key system components are defined and programmed: (1) the RBAC server and (2) the XML interface, called XML RBAC (XRBAC). The RBAC server is a place to manage security policies and is a generator to produce information for access control decisions. The information produced is transmitted as an XML document to the portal through the XRBAC. In addition to functioning as the communication intermediary between the portal and the RBAC server, XRBAC follows the workflow and helps the portal record transactional activities in the audit trail.
The aforementioned design realizes the separation of the security management function from the application function and, as a result, enables an enterprise to add RBAC to its own information system without modification of the system itself. The author, finally, demonstrates an implementation of the RBAC server and the XRBAC middleware, using a portal offered by Linkway Inc. Linkway developed this portal, called Financial XML over the Internet (XOI), for the banking industry in Taiwan. The experience shows that embedding RBAC into working portals can be done using the architecture introduced in this thesis.

摘要 -----------------------------------------------------------------------------------------------I
英文摘要 ---------------------------------------------------------------------------------------ii
誌謝 ------------------------------------------------------------------------------------------------iv
目錄 -------------------------------------------------------------------------------------------------v
圖目錄 ---------------------------------------------------------------------------------------------vi
表目錄 ----------------------------------------------------------------------------------------vii
一、 緒論 ----------------------------------------------------------------------------------------1
1.1 研究動機與目的--------------------------------------------------------------1
1.2 為什麼需要電子金融服務入口-----------------------------------------------------2
1.3 安控程序在電子金融服務所扮演的角色------------------------------------------3
1.4 研究方法與架構--------------------------------------------------------------------4
二、 文獻探討--------------------------------------------------------------------------------------5
2.1 B2B電子金融服務縱覽---------------------------------------------------------------5
2.2 B2B電子金融服務之安控程序-----------------------------------------------------10
2.3 RBAC發展歷程及現況--------------------------------------------------------------18
2.4 XML發展過程簡介-----------------------------------------------------------------23
三、 XOI(Financial XML Over Internet)系統中之安控模組XRBAC(XML Role-based Access Control)-----------------------------------------------------------------------------24
3.1 XOI基本功能介紹--------------------------------------------------------------------24
3.2 如何將RBAC的概念導入XOI----------------------------------------------------27
3.3 XRBAC之細部規格與功能---------------------------------------------------------37
3.4 使用XRBAC的案例------------------------------------------------------------------45
四、 案例背景介紹-------------------------------------------------------------------------------49
4.1 依案例實作XRBAC------------------------------------------------------------------49
4.2 實作RBAC伺服器系統--------------------------------------------------------------56
五、 結論與未來研究----------------------------------------------------------------------------69
參考文獻 ---------------------------------------------------------------------------------------71
附錄一：XRBAC元素組 -----------------------------------------------------------------------73
附錄二：程式 -------------------------------------------------------------------------------------75

[1] David Ferraiolo, Ravi Sandhu, Serban Gavrila, Richard Kuhn and Ramaswamy Chandramouli. “A Proposed Standard for Role -Based Access Control”, ACM Transactions on Information and System Security, Volume 4, Number 3, August 2001.
[2] David Ferraiolo, Richard Kuhn. “Role-Based Access Control”, In Proceedings of 15th NIST-NCSC National Computer Security Conference, October 1992.
[3] FSTC’s eCheck program , “eCheck Introduction” . Available at http://www.echeck.org/overview/comparison/paper.html.
[4] FSTC’s eCheck program , “Electronic Checks: The Best of Both Worlds”,Available at http://www.echeck.org/library/wp/bestofboth.html.
[5] Ian S. Graham & Liam Quin, “XML Specification Guide”, WILEY, pp.57-65, 1999.
[6] Ramaswamy Chandramouli, “Application of XML Tools for Enterprise-Wide RBAC Implementation Tasks”, Proceedings of the fifth ACM workshop on Role-based access control, July 2000.
[7] Ravi Sandhu, David Ferraiolo and Richard Kuhn. “The NIST Model for Role-Based Access Control：Towards A Unified Standard”, Proceedings of the fifth ACM workshop on Role-based access control, July 2000.
[8] Ravi Sandhu, Edward J. Coyne, Hal L. Feinstein, and Charles E. Youman. “Role-Based Access Control Model”, IEEE Computer, 29(2)., pp.38-47, February 1996.
[9] SOFTWARE AG The XML Company, http://www.softwareag.com/tamino/
[10] Sylvia Osborn.“Mandatory Access Control and Role-Based Access Control Revisited”,Proceedings of the second ACM workshop on Role-based access control, pp.33,November 1997.
[11] Sylvia Osborn, Ravi Sandhu, and Qamar Munawer.“Configuring Role-Based Access Control to Enforce Mandatory and Discretionary Access Control Policies”, ACM Transactions on Information and System Security, Vol. 3, No. 2,pp.85-106, May 2000.
[12] T. Bray, J. Paoli, C. M. Sperberg, E. Maler. “Extensible Markup Language 1.0 (Second Edition)”, W3C Recommendation 6, October 2000.
[13] World Wide Web Consortium, “Extensible Markup Language (XML) 1.0 Second Edition”, W3C Recommendation 6, October 2000. Available at http://www.w3.org/TR/REC-xml.
[14] William　J. Pardi原著，官欣怡編譯，”實戰XML第二版”，微軟出版社，2000年6月，第二版。
[15] 洪敏翔，“使用XML設計執行權管制資訊流”，國立交通大學資訊管理研究所，碩士論文，2001年6月。
[16] Brett McLaughlin著，陳建勳譯，”JAVA與XML”，聯寶文化事業有限公司，2001年2月，初版。
[17] XML台灣資訊網，http://www.xml.org.tw
[18] Kalakota & Whinston著，陳雪美譯，“電子商務管理概論”，跨世紀電子商務出版社，1999年6月。
[19] 林真真，（民77年），”電子銀行”，第二版。
[20] 曾國烈，”我國電子金融業務發展現況及建議 ”，經濟情勢暨評論季刊，第六卷第一期，2000年6月。
[21] 財政部金融局，”金融機構辦理電子銀行業務安全控管作業基準”，2000年。
[22] 聯合信用卡處理中心，”電子商務先導專案”。2002 年 2 月，http://www.nccc.com.tw/plan/set.htm.
[23] 臺灣網路認證公司，”網路銀行認證作業手冊-Non-SET篇”，2000 年 4月。