面向虚拟企业的VAN技术研究

虚拟企业信息系统中的安全问题目前缺乏一个整体的解决方案，文中提出了虚拟应用网络(VAN)的概念，描述了VAN在客户端的网络堆栈结构及实现，以及服务器上实现基于用户、基于应用的应用层路由控制模型。通过对VAN的研究和实施，可以为虚拟企业信息系统提供基于用户、基于应用的访问控制，为虚拟企业提供一个安全的、统一的、透明的网络平台。     

基于虚拟企业的UDDI访问控制研究

UDDI作为Web服务的核心技术之一,用于商业实体之间彼此发现和共享信息,从而成为保证企业间实施动态电子商务的核心支撑体系。但是UDDI现有的访问控制策略在商务实际应用中并不完全适用,因此有必要引入新的访问控制机制。针对虚拟企业的应用需求,指出了现有UDDI访问控制技术的不足,提出基于角色的访问控制方式,设计了更加安全的虚拟企业UDDI访问控制机制,并且采用基于XML的XCAML规范,使得访问控制体系易于维护和配置。     

基于角色的信息网格访问控制的研究

信息网格是利用网格技术实现信息资源的共享、管理和提供信息服务的系统，结合中国科学院计算所织女星网格计划的研究工作，分析了信息格访问控制的关键问题，提出了一个基于角色的信息网格访问控制的模型，并讨论了信息网格访问控制的通用性问题，这一基于角色的访问控制模型正在织女星信息网格的实践中实施。     

面向XML文档的客户端混合访问控制模型

在数据交换过程中，对XML文档的访问控制管理问题是一个重点和热点问题。目前多数方法是以静态的方式共享加密数据，这类方法无法处理临时的、动态的访问控制规则。该文提出了一种结合静态模型和动态模型的混合模型，利用客户端软硬件设施进行XML文档的动态访问控制管理。通过实例说明和实验比较，证明了该方法的正确性和有效性。     

一种支持网上共享设备的安全模型

分析和比较了传统访问控制模型中客体与共享设备资源的异同，指出了设备资源具有时间依赖性、权限差异性、容量受限和进程依赖性，并根据共享设备资源的特性要求，在基于角色的访问控制模型的基础上引入了动态执行者、固定角色和设备访问控制策略等概念，提出了一种远程设备访问控制模型(RDAC)，更好地实现了对设备的描述和访问控制。     

基于角色的异构数据库联合使用

异构数据库系统面临着复杂的数据资源安全管理的难题，基于角色访问控制（简称RBAC）方法方便了数据的安全管理，文章在对访问控制和数据库联合使用综合分析的基础上提出了一个基于角色访问控制和M-W（中间层-包装器）体系结构的异构数据库联合使用模型，对RBAC包装器进行了深入的研究并设计了R-D和R-M两类RBAC包装器，该模型在某企业的信息化集成中进行了实际应用。实践证明该模型作常适用于异构数据库系统环境，同时该模型还在理论上弥补了当前异构数据库领域访问控制方面研究的不足。     

基于RBAC与GFAC架构的访问控制模型

在对基于角色的访问控制（RBAC）模型进行优化处理的基础上,提出了一种基于RBAC与通用访问控制框架（GFAC）的访问控制模型。阐述了模型的构成、特点及其访问控制策略,引入了类、约束和特殊权限等新概念,将分级授权、最小化授权、角色继承授权等策略相结合,实现对资源访问的控制。该模型可配置性强,容易维护,降低了授权管理的复杂性。最后给出了模型实现的关键技术。     

支持虚拟企业组织建立的模型化导航系统

虚拟企业组织建立是一个包含许多支撑技术的复杂过程，而虚拟企业模型化正是支持这个过程的关键技术之一，在虚拟企业模型化雏度空间描述的基础上，给出了虚拟企业模型化的层次结构．进而提出了一种基于资源寻址的虚拟企业模型化框架，分析了支持虚拟企业组织建立的系统需求，提出了虚拟企业模型化导航系统的体系结构，最后，利用系统实现说明了模型化框架的可行性．     

基于WebService和元数据的虚拟企业信息集成框架

针对虚拟企业对异构分布性信息资源集成的要求,提出了一个基于元数据和Webservice的虚拟企业信息集成框架。详细分析了信息集成协议栈的层次结构,给出虚拟企业服务共享方案和数据共享系统结构。本信息集成框架克服了传统跨平台技术及数据共享技术在实现虚拟企业信息集成中的局限。     

TRBAC模型在办公自动化中的应用①

信息系统访问控制已越来越受到重视,特别是在办公自动化领域中控制资源访问要求的访问控制。但是传统的角色访问控制模型和任务访问控制模型并不能满足工作流多变的控制需求,针对此问题,引出了基于任务和角色的访问控制模型,它能够满足办公自动化所涉及的业务领域对权限管理的要求。最后,结合实际的办公自动化系统的开发,给出了基于任务和角色的访问控制模型的一个具体的应用实例。     

基于SAML的虚拟企业访问模型

访问控制技术是当前虚拟企业研究的一个重点和难点.通过对国内外的访问控制技术现状的研究,针对虚拟企业环境下多个企业协同工作和无缝访问的要求,提出了基于SAML的访问模型.模型采用XML格式描述,具有易维护和易扩展等优点,可用于解决虚拟企业环境下的用户管理等问题.     

Secure resource sharing on cross-organization collaboration using a novel trust method

A virtual enterprise (VE) consists of a network of independent, geographically dispersed administrative business domains that collaborate with each other by sharing business processes and resources across enterprises to provide a value-added service to customers. Therefore, the success of a VE relies on full information transparency and appropriate resource sharing, making security and trust among subjects significant issues. Trust evaluation to ensure information security is most complicated in a VE involving cross-organization collaboration. This study presents a virtual enterprise access control (VEAC) model to enable resource sharing for collaborative operations in the VE. A scenario for authentication and authorization in the life cycle of a VE is then described to identify the main activities for controlling access. Also developed herein is a trust evaluation method based on the VEAC model to improve its security while safeguarding sensitive resources to support collaborative activities. The trust evaluation method involves two trust evaluation sub-models, one to evaluate the level of trust between two virtual enterprise roles, and another to measure the level of trust between two projects. The two sub-models support each other to make resource-sharing decisions, and are developed based on the concepts of direct, indirect, and negative trust factors. Finally, an example of measuring the trust between two subjects is demonstrated after introducing the two sub-models. The VEAC-based trust evaluation method enables the following: (1) secure resource sharing across projects and enterprises, (2) collaborative operation among participating workers, (3) increased information transparency and (4) lowered information delay in VEs.     

Knowledge sharing in virtual enterprises via an ontology-based access control approach

Collaborating throughout a product life cycle via virtual enterprise (VE) is one of the most promising strategies for enhancing global competitiveness. Efficient and secure knowledge sharing is critical to the success of a VE. This study presents a novel approach, model and technology for knowledge access control and sharing across enterprises. First, this study proposes an ontology-based knowledge sharing model and a multiple-layer knowledge representation framework on which a knowledge access control model for knowledge sharing in a VE is proposed. In the proposed model, user authorizations permitting access to knowledge in a VE are classified into two levels: (1) basic privileges and (2) extended privileges. The former is evaluated from four dimensions, i.e. who, what, when and where, while the latter is determined by considering how three domain ontologies, i.e., product, organization and activity, are related. This study then develops a knowledge access control policy (KACP) language model which is used to identify the knowledge access control and sharing rules of a VE and all its enterprise members. The knowledge access control model proposed in this study can facilitate VE Knowledge management and sharing across enterprises, enhance knowledge sharing security and flexibility and regulate knowledge sharing to expeditiously reflect changes in the business environment.     

A Formal Virtual Enterprise Access Control Model

A virtual enterprise (VE) refers to a cooperative alliance of legally independent enterprises, institutions, or single persons that collaborate with each other by sharing business processes and resources across enterprises in order to raise enterprise competitiveness and reduce production costs. Successful VEs require complete information transparency and suitable resource sharing among coworkers across enterprises. Hence, this investigation proposes a formal flexible integration solution, named the formal VE access control (VEAC) model, based on the role-based AC model, to integrate and share distributed resources owned by VE members. The formal VEAC model comprises a fundamental VEAC model, a project AC policy (PACP) language model, and a model construction methodology. The fundamental VEAC model manages VE resources and the resources of participating enterprises, in which various project relationships are presented to facilitate different degrees of resource sharing across projects and enterprise boundaries, and cooperative modes among VE roles are presented to enable collaboration among coworkers in a VE. This PACP language model features object-subject-action-condition AC policies that jointly determine user access authorizations. In addition, the methodology supplies a systematic method to identify fundamental elements of the VEAC model and to establish assignments between elements and relations.     

一种虚拟机访问控制安全模型

在虚拟机系统的众多安全威胁中, 资源共享和数据通信所带来的内部安全问题成为了云平台下虚拟机中最为关注的问题。结合Chinese Wall和BLP模型, 提出了一种适合于虚拟机的访问控制安全模型VBAC, 在PCW安全模型的基础上, 引入了BLP多级安全模型, 并对BLP进行了相应改进, 该模型可对虚拟机内部资源使用、共享以及事件行为进行安全控制。实验结果显示该模型有较强的可行性及安全性。     

Agent技术在虚拟企业创建过程中的应用研究

虚拟企业（virtual enterprise，VE）被认为是21世纪最有竞争力的企业运行模式，它面向全球范围的企业资源，通过构建VE的联盟之间的快速重组，实现联盟企业之间的敏捷化和柔性化。如何选择伙伴企业，则是VE创建过程中的关键。文章首先采用了分布式对象技术以支持VE创建时的需要；然后提取了用于伙伴企业选择的Agent基本属性；规划了伙伴企业选择过程；最后用多Agent技术为VE构建一个支持动态联盟的多Agent远程制造系统。     

一种基于网格虚拟组织的跨域访问控制算法*

在网格中,主机存在于不同的信任域中,在主机间建立互信是实现资源共享、协同工作的前提,为资源的访问建立规则是实现资源安全的基础。网格中的访问控制算法旨在解决上述两个问题。结合安全数据库的访问控制策略,融入基于身份和基于行为的访问控制思想,实现了以任务发起者为中心的网格虚拟组织的跨域访问控制,并对其中建立互信的核心算法进行了BAN逻辑推理。     

The PRODNET cooperative information management for industrial virtual enterprises

When designing an IT platform aimed at supporting industrial virtual enterprises (VEs), certain issues related to information management requirements become especially challenging, such as the physical distribution of data, the enterprise autonomy and privacy enforcement, access rights to shared information, and data visibility levels, among others. In the ESPRIT project PRODNET II, a federated database architecture was designed and implemented as the base support framework to effectively manage these issues associated with the sharing and exchange of information in the VE environment. In this paper, first the general information management requirements identified for the VE network in the PRODNET II project are described, and then the challenging design issues behind the development of the components of the federated information management system are presented.     

A fuzzy trust evaluation method for knowledge sharing in virtual enterprises

The success of virtual enterprises (VEs) depends on the effective sharing of related resources between various enterprises or workers who perform related activities. Specifically, VE success hinges on the integration and sharing of information and knowledge. Trust is an important facilitator of knowledge sharing. However, the trustworthiness of a peer is a vague concept that is dynamic and that often shifts over time or with environmental changes. This study designs a trust-based knowledge-sharing model based on characteristics of VEs and the knowledge structure model to express knowledge associated with VE activities. Subsequently, the factors that affect the trust evaluation are identified based on the characteristics of trust and VEs. Finally, this study develops a knowledge sharing, decision-making framework in which a fuzzy trust evaluation method for sharing knowledge is proposed based on VE activities and the interactions among workers in allied enterprises. The method consists of three sub-methods, including an activity correlation evaluation method, a current trust evaluation method, and an integral trust evaluation method. Under the premises of secure VE knowledge and reasonable access authorization, the proposed knowledge-sharing method provides the trust level between a knowledge-requesting enterprise and a knowledge-supplying enterprise to improve the willingness of the latter to share more valuable knowledge, ultimately increasing the efficiency and competitiveness of VEs.