Research and Implementation of Access Control Mechanisms in a Printing ERP System
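Abstract
In recent years, printing ERP systems have developed continuously. Because the tasks of printing enterprises are diverse, printing ERP systems have complicated functions and many users. As enterprises grow and the division of responsibilities becomes finer, printing ERP systems are prone to problems such as unclear user authority and poor security of data resources. These are major problems that repeatedly trouble software developers. The fundamental way to solve them is to be able to grant different operation permissions to users at different levels flexibly and conveniently.
     This thesis centers on an independently developed printing ERP system, the Printing Industry Management Solution (PIMS), and discusses the analysis, design and implementation of its permission management module. PIMS uses a permission management method that combines static and dynamic control to safeguard system security in a unified and reliable way.
     The thesis first studies several commonly used access control models and analyzes their respective strengths and weaknesses. Compared with the discretionary access control model and the mandatory access control model, the role-based access control model introduces the concept of a role, which handles well the large number and frequent change of users in a printing ERP system, but it still has shortcomings in role inheritance, model dynamics and control algorithms. The task-based access control model is built on workflow modeling but ignores the concept of a role. The Task-Role-Based Access Control (T-RBAC) model introduces both roles and tasks, and handles well the dynamic nature of the model and the lifecycle constraints on roles. This thesis proposes an enterprise permission management method based on the T-RBAC model, and designs and develops an authorization tool, a workflow engine and other components that work together with the Web application system, implementing permission management for PIMS. Finally, the thesis takes the purchase order sub-function as an example and analyzes in detail how the T-RBAC model is applied in PIMS.
     PIMS has been put into use at a printing enterprise in Dongguan. It is flexible and convenient, and through its combined static and dynamic permission management method it has effectively solved problems in printing ERP systems such as unclear authority and difficult access control, improving the enterprise's production efficiency and overall competitiveness.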
Printing ERP systems have been developing in recent years. Printing tasks are always different, and this feature gives printing ERP systems complicated functions and many users. A printing ERP system classifies users by level, with both parallel and subordinate relationships. With the expansion of the enterprise and the division of responsibilities, problems have emerged, such as confusion over responsibilities and insecurity of data resources. The fundamental way to solve these problems, which trouble software developers, is to authorize different users flexibly.
     Printing Industry Management Solution (PIMS) is an independently developed printing ERP system. The thesis discusses how to analyze, design and implement the privilege management module of PIMS. PIMS uses a static and dynamic privilege management method to guarantee system security reliably.
     The thesis first studies several access control models and analyzes their advantages and disadvantages. Compared with the Discretionary Access Control and Mandatory Access Control models, the Role-Based Access Control model uses the concept of a role to cope with the huge number and frequent change of users in ERP systems, but it still has some disadvantages. The Task-Based Access Control model is based on workflow but ignores roles. The T-RBAC (Task-Role-Based Access Control) model introduces the concepts of role and task, and addresses the dynamic characteristics of the model and the lifecycle of roles. The thesis proposes an enterprise privilege management method, implementing static and dynamic access control in PIMS through an authorization tool, a workflow engine, a Web UI, etc. At the end, the thesis uses the purchase order as an example to elaborate on the application of the T-RBAC model in PIMS.
     PIMS has been deployed at a printing enterprise in Dongguan. It uses a static and dynamic privilege management method, resolving many management problems such as confusion over responsibilities and difficulties in access control. PIMS has increased the production efficiency and competitiveness of the printing enterprise.
