虛擬企業(Virtual Enterprise)是有效提昇企業競爭力策略之ㄧ，其工作者以協同合作的模式貢獻自己的核心能力，跨企業的分享彼此的企業流程及資源，以共同完成產品生命週期中所有的活動，例如設計、生產、組裝、行銷並提供具附加價值的服務給顧客。

虛擬企業的成功必須仰賴即時的資訊透通性及安全的資源分享。因此，本研究將涵蓋存取控制模型及信任評估的技術。本研究首先考慮虛擬企業生命週期中所有的活動，提出一個適合虛擬企業環境特性之資源管理與分享的存取控制模型；此模型包含一個專案存取控制(Project-based Access Control, PBAC)模型及角色為基之存取控制(Role-based Access Control, RBAC)模型，能管理虛擬企業共同的資源及分享成員之私有資源。這些資源在虛擬企業執行期間允許被合法的授權者建構、更新、分享和重複使用，資源可以是資料庫、可延伸標示語言文件、網路資訊、應用程式、網路服務元件及知識，其範圍涵蓋產品設計階段的工程資料、專業領域的技術及知識或其他與虛擬企業相關的資源。本模型利用專案關係(Project Relation)連接不同的虛擬企業、虛擬企業工作者間的合作模式(Cooperative Mode)及角色階層(Role Hierarchy)所組成的角色關係網路(Role Relation Net)來促使跨企業及虛擬企業界限的資源分享與使用。基於本研究所提出之存取控制模型，設計一個信任評估的方法，評估兩個虛擬企業或虛擬工作者間信任的強度，幫助資源分享的決策。

經由本研究可以有助於虛擬企業資源的管理及分享，促進資訊的重複利用率，進而使虛擬企業能以協同及同步的方式來運作，降低資源管理的成本，克服複雜商業環境中存取控制模型權限分派問題。

A virtual enterprise (VE) is a network of independent, geographically dispersed administrative business domains that collaborate by sharing business processes and resources across enterprises to provide a value-added service to customers.

Successfully implementing a VE relies on information transparency and appropriate resource sharing among VE workers, and, hence, two important issues for information security and trust among coworkers are introduced. This dissertation covers access control models and a trust evaluation method. In considering the activities during a VE’s lifecycle, this study presents a Virtual Enterprise Access Control (VEAC) model that facilitates resource sharing and reuse. The VEAC model has a Project-based Access Control (PBAC) model that handles public resources held by VE, and an RBAC-based model that manages private resources owned by various VE members. These public and private resources, which are created, updated, shared and reused by authorized workers, can be databases, XML documents, web information and services, applications and knowledge within a VE, and encompass engineering data for product modeling, technology information for product implementation, domain skills and knowledge, and any external resources available to a VE. A trust evaluation method based on the VEAC model is also presented that improves resource security while safeguarding sensitive resources that support collaboration.

The results of the study enhance the security of resource sharing and reuse during collaboration and cooperation within a VE, reduce the costs of resource management and eliminate the complexity of resource sharing across enterprises.

Ahn, G..J. (2003). Specification and classification of role-based authorization policies. Proceedings of Twelfth IEEE International Workshops on
Enabling Technologies: Infrastructure for Collaborative Enterprises, 202-207.

Al-Kahtani, M.A., & Sandhu, R. (2002). A model for attribute-based user-role assignment. Proceedings of the 18th Annual Conference on Computer Security Applications, 353-362.

Alotaiby, F.T., & Chen, J.X. (2004). A model for team-based access control (TMAC). Information Technology: Coding and Computing, 1, 450-454.

Ardagna, C.A., Damiani, E., Vimercati, S.D.C., & Samarati, P. (2004). XML-based access control languages. Information Security Technical Report, 9, No. 3, 35-46.

Au, R., Looi, M., & Ashley, P. (2001). Automated cross-organizational trust establishment on extranets. Proceedings of Workshop on Information Technology for Virtual Enterprises, 3-11.

Bacon, J., Moody, K., & Yao, W. (2002). A model of OASIS role-based access control and its support for active security, ACM Transactions on Information and System Security, Vol. 5, No. 4, 492-540.

Bai, Y., & Varadharajan, V. (1997). Updating policy base: an application of knowledge base in authorizations. IEEE International Conference on Intelligent Processing Systems, 2, 1057-1061.

Barker, S., & Stuckey, P.J. (2003). Flexible access control policy specification with constraint logic programming. ACM Transaction on Information and System Security, 6, No. 4, 501-546.

Bell, D.E., & LaPadula, L. J. (1973). Security computer systems: mathematical foundations and model. Bedford. MA: The Mitre Corporation.

Belokosztolszki, A., & Moody, K. (2002). Meta-policies for distributed role-based access control systems. Proceedings of the Third International Workshop on Policies for Distributed Systems and Networks, 106-115.

Bradley, D., & Josang, A. (2004). Mesmerize: an open framework for enterprise security management. Proceedings of the Second Workshop on Australasian Information Security, Data Mining and Web Intelligence, and Software Internationalization, 32, 37-42.

Biba, K.J. (1977). Integrity considerations for secure computer systems. Bedford, MA: The MITRE Corporation.

Botha, R.A., & Eloff, J.H.P. (2001). Designing role hierarchies for access control in workflow systems. The 25th Annual International Computer Software and Applications Conference, 117-122.

Camarinha-Matos, L.M., Afsarmanesh, H., & Rabelo, R.J. (2001). E-Business and virtual enterprises: managing business-to-business cooperation. International Federation for Information Processing.

Chen, T.-Y., Chen, Y.-M., Wang C.-B., & Chu, H.-C. (2006). Development of an access control model, system architecture and approaches for information sharing in virtual enterprise. Computers in Industry. (In press)

Chen, T.-Y., Chen, Y.-M., Wang C.-B., & Chu, H.-C. (2006). Resource sharing to support cross-organization collaboration in virtual enterprise using a novel trust method. Robotics and Computer-Integrated Manufacturing. (In press)

Chen, Y.-M., & Liang, M.-W. (1999). Design and implementation of a collaborative engineering information system for allied concurrent engineering. Int. J. of Computer Integrated Manufacturing, 13, No. 1, 11-30.

Cheng, E.C. (1999). An object-oriented organizational model to support dynamic role-based access control in electronic commerce applications. Proceedings of the 32nd Annual Hawaii International Conference on System Sciences, 8, 9 pp.

Coetzee, M., & Eloff, J.H.P. (2003). Virtual enterprise access control Requirements. Proceedings of the 2003 Annual Research Conference of the South African Institute of Computer Scientists and Information Technologists on Enablement through Technology, 285-294.

Cohen, E., Thomas, R.K., Winsborough,W., & Shands D. (2002). Models for coalition-based access control (CBAC). Proceedings of the Seventh ACM Symposium on Access Control Models and Technologies, 97-106.

Denker, G., Millen, J., & Miyake, Y. (2002) Cross-domain access control via PKI. Third International Workshop on Policies for Distributed Systems and Networks, 202-205.

Disler, K., Krishnamurthi, S., Meyerovich L.A., & Tschantz, M.C. (2005). Verification and change-impact analysis of access control policies. Proceedings of the 27th International Conference on Software Engineering, 196-205.

Dridi, F., Muschall, B., & Pernul, G. (2004). Administration of an RBAC system. Proceedings of the 37th Annual Hawaii International Conference on System Sciences, 187-192.

Ferraiolo, D.F., Kuhn, D.R., & Chandramouli, R. (2003). Role-based access control. Artech House, Inc.

Ferraiolo, D.F., Sandhu R., Gavrila, S., Kuhn, D.R., & Chandramouli R. (2001). Proposed NIST standard for role-based access control. ACM Transactions on Information and System Security, 5, No. 3, 224-274.

Frenkel, A., Afsarmanesh, H., Garita, C., & Hertzberger, L.O. (2000). Supporting information access rights and visibility levels in virtual enterprises. The 2nd IFIP Working Conference on Infrastructure for Virtual Enterprises.

Furst, K., Schmidt, T., & Wippel, G. (2002). Managing access in extended enterprise networks. IEEE Internet Computing, 6, Issue 5, 67-74.

Galiasso, P., Bremer, O., Hale, J., Shenoi, S., Ferraiola, D., & Hu, V.
(2000). Policy mediation for multi-enterprise environments. The 16th Annual Conference on Computer Security Applications, 100-106.

Georgiadis, C.K., Mavridis, I., Pangalos, G., & Thomas, R.K. (2001). Flexible team-based access control using contexts. Proceedings of the Sixth ACM Symposium on Access Control Models and Technologies, 21-27.

Godar, S.H., & Ferris, S.P. (2004). Virtual and collaborative team: process, technologies, and practice. PA: Idea Group Publishing.

Hada, S., & Kudo, M. (2000). XML document security based on provisional authorization. Proceedings of the 7th ACM Conference on Computer and Communications Security, 87-96.

Hart, P., & Sanders, C. (1997). Power and trust: critical factors in the adoption and use of electronic data interchange. Organizational Science, 23-42.

Jajodia, S., Samarati, P., Sapino, M.L., & Subrahmanian, V.S. (2001). Flexible
support for multiple access control policies. ACM Transactions on Database Systems, 26, Issue 2, 214-260.

Kanet, J.J., Faisst, W., & Mertens, P. (1999). Application of information technology to a virtual enterprise broker: the case of Bill Epstein. International Journal of Production Economics, 23-32.

Kang, M.H., Park, J.S., & Froscher, J.N. (2001). Access control mechanisms for inter-organizational workflow. Proceedings of the Sixth ACM Symposium on Access Control Models and Technologies, 66-74.

Kern, A. (2002). Advanced features for enterprise-wide role-based access control. Computer Security Applications Conference, 333-342.

Koch, M., Mancini, L.V., & Parisi-Presicce, F. (2002). Graph transformations for the specification of access control policies. Elsevier science B. V.

Kolaczek, G. (2003). Specification and verification of constraints in role based access control. Proceedings of Twelfth IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, 190-195.

Li, N., MitChell, J.C., & Winsborough, W.H. (2005). Beyond proof-of-compliance: security analysis in trust management. Journal of the ACM (JACM), 52, Issue 3, 474-514.

Lin, F.-R., Huang, S.-H., & Lin, S.-C. (2002). Effects of information sharing on supply chain performance in electronic commerce. IEEE Transactions on Engineering Management, 49, Issue 3, 258-268.

Lorch, M., Kafura, D., & Shah, S. (2003). An XACML-based policy management and authorization service for globus resources. Grid Computing, 208-210.

Lorch, M., Proctor, S., Lepro, R., Kafura, D., & Shah, S. (2003). First experiences using XACML for access control in distributed systems. Proceedings of the 2003 ACM workshop on XML security, 25-37.

Matheus, A. (2005). How to declare access control policies for XML structured information objects using OASIS’ eXtensible Access Control Markup Language (XACML). Proceedings of the 38th Hawaii International Conference on System Sciences, 168a-168a.

McCaffer, R., & Garas, F., (1999), eLSEwise: European large scale engineering wide integration support effort. Engineering Construction and Architectural Management, Special Issues, 6(1).

Mezzetti, N. (2003). Towards a model for trust relationships in virtual enterprises. Proceedings of the 14th International Workshop on Database and Expert Systems Applications, 420-424.

Moffett, J.D. (1998). Control principles and role hierarchies. Proceedings of the Third ACM Workshop on Role-based Access Control, 63-69.

Moon, C.J., Park, D.H., Park, S.J., & Baik, D.K. (2004). Symmetric RBAC model that takes the separation of duty and role hierarchies into consideration. Computers & Security, 126-136.

Nabhen, R., Jamhour, E., & Maziero, C. (2003). RBPIM: a PCIM-based framework for RBAC. Proceedings of the 28th Annual IEEE International Conference on Local Computer Networks, 52-61.

Natvig, M.K., & Ohren, O. (1999). Modeling shared information spaces (SIS). Proceedings of the International ACM SIGGROUP Conference on Supporting Group Work, 199-208.

Neumann, G. & Strembeck, M. (2002). A scenario-driven role engineering process for functional RBAC roles. Proceedings of the Seventh ACM Symposium on Access Control Models and Technologies, 33-42.

Nwana H., Ndumu D., Lee L., & Collis J. (1999), ZEUS: A toolkit and approach for building distributed multi-agent systems. Proceedings of the Third Annual Conference on Autonomous Agents, 360-361.

Oh, S., & Park, S. (2003). Task-role-based access control model. Information
System, 533-562.

Oh, S., & Sandhu, R. (2002). A model for role administration using organization structure. Proceedings of the Seventh ACM Symposium on Access Control Models and Technologies, 155-162.

Osborn, S. (2002). Integrating role graphs: a tool for security integration. Data & Knowledge Engineering, 317-333.

Ouzounis, E.K. (2001). An agent-based platform for the management of dynamic virtual enterprises. Ph.D. Dissertation.

Park, J.S., & Hwang, J. (2003). RBAC for collaborative environments: role-based access control for collaborative enterprise in peer-to-peer computing environments. Proceedings of the Eighth ACM Symposium on Access Control Models and Technologies, 93-99.

Rad, P.F., Levin, G., & Raton, B. (2003). Achieving project management success using virtual teams. FL: J. Ross Publishing.

Ray, I., Li, N., France, R., & Kim, D.K. (2004). Constraints: Using UML to Visualize Role-based Access Control Constraints. Proceedings of the Ninth ACM Symposium on Access Control Models and Technologies, 115-124.

Rhodes, A., & Caelli, W. (2002). A roles and rights language specification for a distributed e-commerce environment. Proceedings of Applications and the Internet (SAINT) Workshops, 40-46.

Sandhu, R., & Munawer, Q. (1998). The RRA97 model for role-based administration of role hierarchies. Proceedings of the 14th Annual Conference on Computer Security Applications, 39-49.

Seidmann, A., & Sundararajan, A. (1997). Building and sustaining inter-organizational information sharing relationships: the competitive impact of interfacing supply chain operations with marketing strategy. Proceedings of the Eighteenth International Conference on Information Systems, 205-222.

Shim, W.B., & Park S. (2002). Toward an improved RBAC model for the organic organization. Proceedings of the Ninth International Conference on Parallel and Distributed Systems, 437-442.

Shin, D., Ahn, G.J., Cho, S., & Jin, S. (2003). Role engineering: on modeling system-centric information for role engineering. Proceedings of the Eighth ACM Symposium on Access Control Models and Technologies, 169-178.

Shin, D., Ahn, G.J., & Park, J.S. (2002). An application of directory service markup language (DSML) for role-based access control (RBAC). Computer Software and Applications Conference, 934-939.

Smith, T.J., & Ramakrishnan, L. (2003). Joint policy management and auditing in virtual organizations. Proceedings of Fourth International Workshop on Grid Computing, 117-124.

Steinke, G., & Leamon, R. (1996). Information security issues facing virtual enterprises. Proceedings of International Conference on Engineering and Technology Management, 641-644.

Takakura, H., Goshima, K., & Kambayashi, Y. (2001). Map based information sharing to support virtual enterprise activities. Proceedings of Workshop on Information Technology for Virtual Enterprises, 12-20.

Tran, H., Hitchens, M., Varadharajan, V., & Watters, P. (2005). A trust based access control framework for P2P file-sharing systems. Proceedings of the 38th Hawaii International Conference on System Seciences, 302-302.

Turban, E., King, D., Viehland, D., & Lee, J. (2006). Electronic commerce: a managerial perspective 2006. Pearson Education International.

Yamazaki, W., Nishiyama, H., & Mizoguchi, F. (2001). Design of collaborative agent system with access control for smart-office environment. Proceedings of Tenth IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, 205-210.

Yang, C., & Zhang, C.-N. (2003). An approach to secure information flow on object oriented role-based access control model. Proceedings of the ACM Symposium on Applied Computing, 302-306.

Zhang, N., Ryan, M., & Guelev, D.P. (2004). Synthesizing verified access control systems in XACML. Proceedings of the ACM Workshop on Formal Methods in Security Engineering, 56-65.

Zhang, X., Oh, S., & Sandhu, R. (2003). PBDM: a flexible delegation model in RBAC. Proceedings of the eighth ACM Symposium on Access Control Models and Technologies, 149-157.

Zhu, H. (2003). Some issues of role-based collaboration. Canadian Conference on Electrical and Computer Engineering, 2, 687-690.

Zuo, Y., & Panda, B. (2005). Component based trust management in the context of a virtual organization. ACM Symposium on Applied Computing, 1582-1588.