A Web-Based Integrated Information Statistics System for Process Enterprises and Its Access Control Model
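Abstract
CIMS is an effective means of achieving integrated enterprise automation. Implementing a CIMS system raises an enterprise's level of informatization and integrates its technology, management and human resources, with the aim of improving economic returns and strengthening the enterprise's adaptability and competitiveness. This has become the development trend for modern industrial enterprises.
In a process-enterprise CIMS (CIPS) system, the production management subsystem is an important component. How to quickly build an integrated production information statistics system is the first problem in implementing the production management subsystem. To ensure the data security of this management information system, it is also necessary to consider which access control model to adopt and how to design and enforce the access control policy.
This thesis studies the integrated production information statistics system and its implementation, together with the data security issues in the system, and proposes a team/role/user-based access control model. The main work is as follows:
1) The concept of CIPS is introduced, the similarities and differences between CIPS and CIMS are compared, and the features and functional composition of CIPS are pointed out. The security of management information systems and access control are briefly introduced. The problems the thesis sets out to solve and its main work are stated.
2) Taking the CIMS of a specific pulp and paper enterprise as the application background, the structural design and implementation of a pulp and paper enterprise CIMS are described, with emphasis on the design and analysis method for its production management subsystem.
3) The design and implementation of the integrated production information statistics system are described in detail, and the system's functional model and architecture are presented, along with the network design and the implementation of the main functional modules.
4) RBAC96, a currently very popular access control model, is introduced and then applied to the integrated production information statistics system, and some problems that need to be solved during implementation are raised.
5) The access control method in the integrated production information statistics system is examined in depth. Given the complexity of the subjects and the particular nature of the data objects being operated on, and taking both subject constraints and object-state constraints into account, the RBAC96 model is improved and a team/role/user-based access control (TRUBAC) model is proposed. The definition of its subject set is relatively stable, the definition of its object set is hierarchical, and work proxies can be designated.
6) The final part summarizes the research work of the thesis and the results obtained, and looks ahead to further work.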
CIMS (CIPS) is an effective means of realizing integrated enterprise automation. It can integrate the technology, management and manpower resources of an enterprise, improving the enterprise's information communication efficiency so as to increase profit and enhance adaptability and competitiveness. This trend has become popular.
The production management sub-system is an important part of CIPS, in which the first task is to quickly establish an integrated information statistics system, a kind of Management Information System (MIS). The access control model and strategy to adopt should also be considered in order to ensure the data security of the MIS.
This thesis concentrates on the integrated information statistics system and its implementation. A team/role/user-based access control model is put forward to solve the issue of data security in the management information system. The thesis is organized as below:
1) The concept of CIPS is introduced. Then the similarities and differences between CIPS and CIMS are given. The features and functions of CIPS are also summarized. At the same time, the concepts of data security of MIS and access control are explained. Finally, the major tasks of this thesis are pointed out.
2) The design and implementation of CIPS are expounded based on an application background, an actual CIMS of a paper mill, in which the production management sub-system is emphasized.
3) The design and implementation of the integrated information statistics system are discussed, and the functional model and architecture of the system are brought up. Finally, the structure of the network and the design of the sub-modules are reached.
4) The RBAC96 model, a popular access control model, is introduced and applied to the integrated information statistics system. But some problems with it appear at the same time.
5) The access control method of the integrated information statistics system is discussed thoroughly. Aiming at the complexity of the subjects, combined with the particularity of actions and objects in data security of MIS, and considering the restriction of the subject and the state of the object, some improvement is made to the original RBAC96 model and a new team/role/user-based access control model, named the TRUBAC model, is presented. The definition of its subject set is steady and a proxy can be assigned.
6) In the last section, the main achievements of the thesis are given with conclusions, and future work is discussed further.
