電腦網路與其相關技術在現今的企業裡已扮演著不可或缺的重要角色。然而，在資訊技術所帶來的便利之下隱藏著資訊安全相關的問題，存取控制問題即是一例。
以角色為基礎之存取控制理論（Role-based Access Control，RBAC）是目前公認之較有效的存取控制方法，它能彌補傳統存取控制方式的缺失。許多學者針對RBAC進行研究，但多著重於理論的探討，在整合性與實用性方面的研究仍有不足。本研究主要參考ARBAC97、ARBAC99的架構與美國國家標準暨技術研究院（National Institute of Standards and Technology，NIST）所發表的RBAC 功能規格書（RBAC Functional Specification），提出一新的RBAC系統架構。除此之外，本研究以XACML (eXtensible Access Control Markup Language) 取代XML (eXtensible Markup Language) 作為系統存取控制的政策語言 (Policy Language)。最後，我們會以銀行實例進行系統驗證。
本研究冀能達成以下目標: (1) 建置一以過去研究為基礎之RBAC系統，降低導入RBAC的困難度；(2) 構建以XACML為基礎之參考樣版以增加XACML的實用性。

The computer network and its related information systems play a significant role in today’s companies. However, certain information security problems such as access control have emerged under the convenience brought by the information technologies.
Role-based Access Control (RBAC) is an access control model along with claims that its mechanisms are general enough to simulate the traditional methods such as mandatory access control (MAC) and discretionary access control (DAC). Many research works have been conducted to investigate RBAC, but few were made in view of integration and implementation.
In this study, we intend to develop a new RBAC system architecture by referring the architecture of ARBAC97 and ARBAC99. In addition, RBAC Functional Specification proposed by National Institute of Standards and Technology (NIST) will also be referred. Moreover, we replace XML (eXtensible Markup Language) with XACML (eXtensible Access Control Markup Language) as the access-control policy language. In the end of this study, we will verify our RBAC system with a real banking case.
Our study is anticipated to attain the following achievements: (1) Build a RBAC system in accordance with the integration of theoretical research. (2) Construct RBAC templates based on XACML for later reference while implementing RBAC, such that the practicality of XACML can be increased.

[1] Osborn, S., Sandhu, R., & Munawer, Q., (2000). Configuring Role-based Access Control to Enforce Mandatory and Discretionary Access Control Policies. ACM Transactions on Information and System Security, 3(2), 85-106.
[2] Chang, S. H. (2001). On the Design and the Implementation of Role-based Access Control Model－A View from Bank Lending Workflow. Master thesis, National Chiao Tung University, Hsinchu, Taiwan.
[3] Vuong, N. N., Smith, G. S., & Deng, Y. (2001, March). Managing Security Policies in a Distributed Environment Using eXtensible Markup Language (XML). Symposium on Applied Computing, Las Vegas, NV, USA. 405-411.
[4] Chandramouli, R. (2000, July). Application of XML Tools for Enterprise-Wide RBAC Implementation Tasks. In Proceedings of the 5th ACM Workshop on Role-based Access Control, 11-18.
[5] Schaad, A., Moffett, J., & Jacob J. (2001). The Role-Based Access Control System of a European bank: A Case Study and Discussion. ACM Press, 3-9.
[6] Bhatti, R., Joshi, J., Bertino, E., & Ghafoor, A. (2003, June 23-26). Access Control in Dynamic XML-based Web-Services with X-RBAC. In Proceedings of the International Conference on Web Services, ICWS ’03, 243–249.
[7] Mönkeberg, A., & Rakete, R. (2000). Three for one: Role-Based Access-Control Management in Rapidly Changing Heterogeneous Environments. In Proceedings of the 5th ACM Workshop on Role-based Access Control, 83-88.
[8] Sandhu, R., Ferraiolo, D., & Kuhn, R. (2000, July). The NIST Model for Role-Based Access Control：Towards A Unified Standard. In Proceedings of the 5th ACM Workshop on Role-based Access Control, 47-63.
[9] Ferraiolo, D., & Kuhn, R. (1992, October). Role-Based Access Control. In Proceedings of 15th National Computer Security Conference, 554-563.
[10] Sandhu, R. S., Coyne, E. J., Feinstein, H. L., & Youman, C. E. (1996). Role-Based Access Control Models. IEEE Computer, 29(2), 38-47.
[11] Sandhu, R., Bhamidipati, V., Coyne, E., Ganta, S., & Youman C. (1997, November). The ARBAC97 Model for Role-based Administration of Roles: Preliminary Description and Outline. In Proceedings of the second ACM Workshop on Role-based Access Control, 41-50.
[12] Sandhu, R., & Munawer, Q. (1999). The ARBAC97 Model for Role-Based Administration of Roles. ACM Transactions on Information and System Security, 2(1), 105-135.
[13] Sandhu, R. & Munawer, Q. (1999, December). The ARBAC99 Model for Administration of Roles. In Proceedings of 15th Annual Computer Security Applications Conference, Phoenix, Arizona, USA, 229-238.
[14] Oh, S. & Sandhu R. (2002, June). A Model for Role Administration Using Organization Structure. In Proceedings of the 7th ACM Symposium on Access Control Models and Technologies (SACMAT 2002), Monterey, California, USA, 155-168.
[15] National Institute of Standards and Technology. (2003, April 4). Role Based Access Control. Retrieved January 13, 2004 from the World Wide Web: http://csrc.nist.gov/rbac/#intro
[16] OASIS. (2003, March 14). A Brief Introduction to XACML. Retrieved January 13, 2004 from the World Wide Web: http://www.oasis-open.org/committees/dow
nload.php/2713/ Brief_Introduction_to_XACML.html
[17] Humenn, P. (2003, October 29). The Formal Semantics of XACML. Retrieved January 13, 2004 from the Oasis World Wide Web: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
[18] Kay, R. (2003, May 19). XACML. Computerworld Framingham, 37(20), 44.
[19] Sun's XACML Implementation. Retrieved January 15, 2004 from the World Wide Web: http://sunxacml.sourceforge.net
[20] Anderson, A. (2004, February 13). XACML Profile for Role Based Access Control (RBAC). Retrieved March 18, 2004 from the Oasis World Wide Web: http://docs.oasis-open.org/xacml/cd-xacml-rbac-profile-01.pdf
[21] http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
[22] OASIS. (2003, Auguest 7). eXtensible Access Control Markup Language (XACML) Version 1.1. Retrieved February 18, 2004 from the World Wide Web: http://www.oasis-open.org/committees/xacml/repository/cs-xacml-specification-1.1.pdf
[23] Lorch, M., Kafura, D., Shah, S. (2003, November 17). An XACML-based Policy Management and Authorization Service for Globus Resources. Grid Computing, 2003. In Proceedings of Fourth International Workshop, 208 – 210.