TSUNG-YI CHEN
by FLINDERS UNIVERSITY LIBRARY on 01/23/15. For personal use only.
1. Introduction
In this era of a dynamic knowledge-driven economy, knowledge owners enjoy com-
petitive advantages. Collaborative development of new products and technologies
requires real time sharing of data, information and knowledge. Data are often
unorganized and unprocessed facts about events, often merely structured records
of transactions. Information is the aggregation of data which can enhance deci-
sion making whereas knowledge is the human understanding of a specialized field
of interest acquired through study and experience [1]. Knowledge may also be
July 28, 2009 11:58 WSPC/117-IJSEKE - SPI-J111 00419
and innovation are the core functions of KM [4, 5]. Although knowledge innova-
tion is one goal of KM, innovation cannot occur without existing knowledge [4].
all its processes as knowledge processing, e.g., creation, dissemination, renewal and
application of knowledge for organizational sustenance and survival [13]. Holsapple
and Joshi broadly classified all proposed frameworks into two categories: (1) descrip-
tive frameworks characterizing the nature of KM phenomena and (2) prescriptive
frameworks for knowledge management methodologies [14].
Several researchers have noted that, of the numerous studies of secure access con-
trol, none have proposed solutions for managing user knowledge access privileges
for knowledge access control and sharing [6, 7, 8]. Enterprise knowledge, including
explicit and tacit knowledge, can be stored in different formats such as in distributed
knowledge bases or in the minds of employees. Therefore, managing user knowledge
Int. J. Soft. Eng. Knowl. Eng. 2009.19:361-387. Downloaded from www.worldscientific.com
access privileges differs from traditional methods of controlling access to data and
information. Knowledge access control requires a unique integration with knowledge
access and sharing within an enterprise; and (3) the dynamic evaluation of user
knowledge access privileges according to enterprise organizational structure, user
roles, status of knowledge sharing and enterprise knowledge sharing strategies. Thus,
a business enterprise can encourage knowledge sharing as well as stimulate innova-
tion in a secure and trusting environment.
This paper is organized as follows. Section 2 introduces the relevant topics of this
study. Section 3 provides an overview of the functional framework of the multilayer
KMS. Sections 4 and 5 introduce the conceptual knowledge layer and the knowledge
access control and security layer, respectively, included in the functional framework
of the multilayer KMS. Finally, Sec. 6 concludes and proposes further studies.
2. Related Studies
This section explores three topics relevant to this study: secure knowledge shar-
ing, RBAC and ontology. The relevant literature is briefly reviewed to clarify the
requirements of an effective and secure KMS framework for knowledge sharing, the
RBAC for managing user knowledge access privileges and the ontology of knowledge
representation.
[Figure: RBAC model diagram. Recoverable labels: Role hierarchy, Constraints, Sessions (S).]
resources can be used by whom. Role-based access control (RBAC) was developed to address security requirements [16]. The RBAC model (Fig. 1) introduces the concept of role to organize users and authorizations and provides a means of expressing access control that is scalable to a large number of subjects. The model is hierarchical: a high role may inherit all access rights of lower roles in the role structure. Session elements map users to sets of authorized roles. The basic RBAC model has the following three main components [17–22]:
• The base model of RBAC is comprised of the following elements: Users, who are
assigned to roles through assignments U-R-A; Roles, which are assigned permis-
sions R-P-A; Permissions, which are approved for operating on a resource; and
Sessions, which map a user to one or more roles.
• Role hierarchy defines the relationships between the inherited authorities of roles.
• The constraints are described as follows: (1) Static Separation of Duty (SSD)
specifies conflicting roles; (2) Dynamic Separation of Duty (DSD) restricts which
roles can be activated within the same user session; (3) prerequisite-role con-
straints ensure that users meet prerequisites of a role before being assigned to
the role; and (4) cardinality constraints restrict the number of users assigned to
a role. These constraint principles are also applicable to other RBAC elements
such as users, permissions, etc.
2.3. Ontology
Ontology is defined as the basic terms and relations comprising the vocabulary
of a subject area as well as the rules for combining terms and relations to define
extensions to the vocabulary [23]. Ontology provides the means of explicitly describ-
ing the concepts behind the knowledge represented in a knowledge base [24]. Because
tacit knowledge is often stored in the minds of domain experts in a conceptual form
that is implicit and person-specific, extracting and recording such knowledge may
be difficult. Ontological engineering defines abstract domain knowledge in terms of
elements such as entity, property and relation by using systematic methods and
processes. Such knowledge is then transformed into explicit and formal specifica-
tions [25]. Human knowledge acquisition begins with an understanding of simple
knowledge before progressing to acquisition of more profound knowledge. This pro-
cess indicates that knowledge is hierarchically structured. For instance, instructional
materials may be created for students at different levels; they may be arranged in
a specific order and have varying degrees of difficulty. In this study, basic ontological elements represent the structure of knowledge and describe the relationships
between knowledge at a conceptual knowledge layer.
Ontology contains: (1) important concepts in a domain, (2) crucial properties of
each concept, (3) restrictions on properties such as property cardinality, (4) property
value type and (5) domain and range of a property. Gruber defined ontology as
an explicit and formal specification of a shared conceptualization and identified
five components of modeling ontologies [26]: classes, relations, functions, formal
axioms and instances. Classes denote abstract or specific concepts. Relations denote
associations between domain concepts; for example, the binary relation Subclass-of
is used for building the class taxonomy. Functions are a special case of relations in
which the n-th element of the relation is unique for the n − 1 preceding elements.
Formal axioms represent knowledge that cannot be formally defined by the other
components. Finally, instances denote elements or individuals in classes.
In addition to these components, the following six ontological relationships define
conceptual relationships in ontologies and control the propagation of knowledge
access privileges: (1) Sub-class of indicates a class is a specialization of another
class; (2) Equivalence indicates a class is equivalent to another class; (3) Part-of
indicates a class is one of the components of another class; (4) Intersection
indicates a class is the intersection of concepts of other classes; (5) Union indicates
a class is the union of concepts of other classes; and (6) Complement indicates a
class is not part of another class and each instance of the class is not part of any
instance of another class.
[Figure: knowledge access scenario in a KMS. Recoverable labels: log in a KMS; Employee DB; knowledge users; policies; evaluate trust and risk for knowledge sharing; fuzzy rules for trust and risk evaluation; perform knowledge activities; allow sharing?]
evaluating user knowledge access privileges, evaluating trust and risk when sharing
knowledge, performing knowledge activities (include using, learning and updating
existing knowledge in addition to acquiring new knowledge) as well as formulating
and modifying knowledge access privileges and policies.
The sequence of activities in this scenario is as follows. A user requiring knowl-
edge enters the enterprise KMS. After authentication of user identification and
password by the KMS, the user may log in as one of several available roles. The
user may then request knowledge services, and the KMS initiates a search according
to the knowledge map, which also helps users to quickly identify the source of the
requested knowledge. In this study three ontologies to describe conceptual knowl-
edge are used as the knowledge map. If the knowledge exists in the KMS, the KMS
runs a knowledge access control model to evaluate the allowable level of knowledge
access based on the role of the user. According to the generated privileges, the user
can then access enterprise knowledge and perform knowledge activities such as (1)
acquiring new knowledge and entering it into the knowledge base and (2) updating
knowledge currently contained in the knowledge base. If a user is denied access,
the KMS evaluates the risk of knowledge sharing according to knowledge sharing
policies of the enterprise and fuzzy rules for analyzing vague factors. If sharing is
disallowed, the KMS rejects the user request; conversely, the KMS judges the class
of the knowledge requested by the user. If the shared knowledge is explicit, the
KMS notifies the user to access the knowledge; furthermore, the KMS provides a
chat room and requests relevant experts or knowledge holders in the organization
to enter the chat room to share knowledge or experiences with the user.
Such an access system enables enterprise knowledge owners, security adminis-
trators and resource assigners to readily modify knowledge access control policies
and regulations in response to a rapidly changing business environment or to meet
the security requirements of shared knowledge.
Designing a KMS functional framework should take at least four aspects into
[Figure: functional framework of the multilayer KMS. Users: team, domain expert, knowledge worker, employee. Recoverable layers: User Interface Layer (Web browser); Knowledge Access Control & Security Layer (security, passwords, firewalls, authentication and authorization); Knowledge Process Layer (identification, retention, utilization, sharing & distribution, development, acquisition, measuring & evaluating); Conceptual Knowledge Layer (Organizational Ontology, Process Ontology, Production Ontology); Transport Layer (email, Internet/Web site, TCP/IP protocol to manage traffic flow).]
access enterprise knowledge and protect knowledge assets stored in the physical
knowledge layer of the framework. The details of this model are explored further
in Sec. 5.
• Knowledge Transformation Layer. A KMS may contain heterogeneous
knowledge organized by different representation methods and accessed by differ-
ent users. The ontology-based conceptual knowledge in the conceptual knowledge
layer supports the knowledge transformation layer in transforming and integrat-
ing knowledge into a format easily accessed and understood by users.
• Knowledge Process Layer. The design of this layer is based on a six-step KM
process. Hence, this layer offers the following functions: knowledge creation, iden-
tification, collection, organization, sharing and distribution and application. Here,
knowledge creation denotes generating new knowledge behavior; knowledge iden-
tification denotes identifying knowledge useful to an organization or individual;
knowledge collection denotes collecting useful knowledge; knowledge organiza-
tion denotes the classification of useful knowledge for efficient access; knowledge
sharing and distribution denote the dissemination of useful knowledge to users
requiring the knowledge; knowledge application denotes the identification and
application of shared knowledge.
• Conceptual Knowledge Layer. This layer provides a knowledge map; that is,
it visually represents knowledge and provides a channel for sharing and acquir-
ing knowledge in an organization. For example, a knowledge map might help
users retrieve certain professional knowledge. In this layer, ontologies are used to
describe conceptual knowledge content and formalize domain knowledge in order
to clearly regulate knowledge and to describe and define the structure, rules
and restrictions of knowledge. Therefore, a three-dimensional ontology, including
organizational, process and product ontologies, is constructed for the layer to
describe conceptual enterprise knowledge from three viewpoints: enterprise orga-
nizational structure, task and product. All concepts in the three ontologies are
extracted from the knowledge content in the physical knowledge layer. Based on
the content and classification of concepts extracted from the knowledge content,
Ontology, although incapable of representing all knowledge types, still has two
advantages: knowledge sharing and knowledge reuse. A standardized ontology sim-
plifies knowledge sharing, and the previously developed ontology for knowledge
within the same domain can be reapplied in different systems. Regarding knowledge
representation, ontology also enables explicit representation of conceptual knowl-
edge [29]. Knowledge users may differ in their conception of knowledge levels and
domains. Therefore, knowledge representation must support multiple views and
enable customization. In addition to representation of knowledge content, another
important factor affecting the quality of a knowledge base is the structure of the
connection with knowledge contents. Hence, the relationships among knowledge
contents should be specified as completely as possible. To clearly represent correla-
tions among conceptual knowledge, the conceptual knowledge layer should contain
the sequence of enterprise activities and the causes and effects between knowl-
edge, multiple-dimension conceptual knowledge ontology to clearly and accurately
describe conceptual knowledge, distribution of knowledge and relationships among
knowledge. The conceptual knowledge layer is comprised of three ontologies: (1)
an organizational ontology representing all enterprise roles and the interactive and
hierarchical relationships among the roles, (2) a process ontology representing the
relationships among activities in all processes of product production and (3) a prod-
uct ontology representing the structures and specifications of manufactured prod-
ucts. The three ontologies are capable of expressing three main kinds of knowledge,
i.e., know-what, know-how and know-why. Through these ontologies, workers can
easily search and securely access knowledge in a KMS.
[Figure: organizational ontology example (role nodes for managers and engineers). Legend: Sub-class, Equivalence, Part of, Intersection, Union, Complement, Role hierarchy.]
[Figure: process ontology example. Nodes: Bicycle Design; Frame Design; Handlebar Design; Derailleur Gear Unit Design; Tasks T1, T1a, T1b, T2, T3, T4. Legend: Sub-class, Equivalence, Part of, Intersection, Union, Complement, Prior sequence.]
three sub-processes: “frame design”, “derailleur gear unit design” and “handlebar
design”; the sub-process “designing derailleur gear unit” is comprised of tasks T1,
T2 and T3, which are performed in the order determined by the “prior sequence” of
the relationships. In process ontology, the process, sub-process, activity and task are
referred to as the “task concept”, which can be assigned knowledge relevant to task
performance, and a user is granted knowledge access privileges upon assignment to
the task.
[Figure: product ontology example. Recoverable labels include Bicycle, Bike, Frame (Class: Frame, Component no: F66), Brake (Class: Brake, Component no: B336), Brake Cable, Front Fork, Handle Bar, Derailleur Gear Unit and Freewheel.]
parts including brake, frame, handle bar, derailleur gear unit, front fork and tire,
non-electrical bike or city bike. In the example, the city bike has two products,
also called “instances,” with two product numbers (CB321 and CB323) and three
equivalent concepts: “bicycle”, “bike” and “ ”.
Concepts in the three ontologies can be connected across ontological bound-
aries. Using the assignments between the organizational ontology and the process
ontology indicates the tasks of each role; using the assignments between the orga-
nizational ontology and the product ontology indicates which role is responsible for
which products or components; using the assignments between the process ontology
and the product ontology indicates which task is performed for which components.
Based on the three-dimensional conceptual knowledge ontology, each enterprise can
construct its conceptual knowledge layer to manage physical knowledge. The fol-
lowing section proposes a knowledge access control model based on the ontology.
and notations of the proposed model are inherited and extended from the RBAC [17–19]. The following overview briefly introduces the essential elements, relationships and functions of the knowledge access control model.
major features.
(1) Role elements inherited from the RBAC are extended using seven relationships to form an organizational ontology in the conceptual knowledge layer. Such a method can more completely describe the organizational structure and interpersonal network needed for an enterprise to enhance knowledge sharing among workers and across teams. Furthermore, knowledge owners are clearly identified for more efficient access to the right knowledge by the right roles.
(2) Task elements are included in the model to describe the sequence and interaction
among tasks in enterprise processes. The task elements and seven relationships
in process ontology enable clear identification of the knowledge required for
certain tasks. Based on the tasks required, sequences of fragmented knowledge
[Figure: ontology-based knowledge access control model. Elements: Users (U), Roles (R), Sessions (S), Tasks (T), Components (C), Permissions (P) comprising Operations and Physical Knowledge (K), Constraints. Assignments: U-R-A, R-P-A, R-T-A, T-P-A, R-C-A, T-C-A, C-P-A. Ontologies: Organizational Ontology, Process Ontology, Product Ontology.]
edge through the assignment U-R-A. In different sessions, users may be assigned
different roles with different permissions to use certain knowledge. Therefore,
users can access authorized knowledge according to their roles when logging in
to a KMS.
• Roles (R) represent the responsibilities and powers in an enterprise, such as
accounting and cashier. By assigning R-P-A, roles are assigned privileges to access
knowledge. For example, a user in an “accounting” role would be permitted to
read an account management manual and use the account module of an enterprise
resource planning (ERP) system. In RBAC, the role relationships are limited to
role hierarchy, SSD and DSD. In the proposed model, seven relationships in the
organizational ontology represent different relationships between enterprise roles
constituting the interpersonal network of an enterprise.
• Sessions (S) map a user to one or more roles, i.e., control which users may play
what roles during a session. A user is permitted only one role per session.
• Tasks (T) are responsibilities or work items in an enterprise which must be performed by roles to achieve certain enterprise goals. The enterprise process is
comprised of tasks, which have sequence relationships. To support a worker per-
forming a task, knowledge related to the task must be provided. This study uses
task elements to construct a process ontology in which seven types of relationships
are used to form a task network describing the sequence of tasks, synonymous
relationships and subset relationships.
• Components (C) may be products or product parts produced or manufactured
by an enterprise and are basic elements of the product ontology. Components
may describe domain knowledge for products, parts and product structure. Each
component element is assigned privileges for accessing related knowledge. A user
playing a role is assigned tasks by the assignment R-T-A. Some components
in each task must be handled through the relationship T-C-A. Consequently,
users can gain privileges to access knowledge related to their roles, tasks and
components. For example, in addition to knowledge related to design skill, a
worker designing a bicycle seat would require knowledge of materials, functions
and characteristics of the bicycle seat.
physical knowledge object, and o ∈ O is an access mode for k. In this model, user
knowledge permissions are gained in two ways: (1) assigned permission, granted
of individual elements [26]. The state diagram indicates the initial state by a black
circle, the end state by a black circle surrounded by a ring and a state by a rectangle
with rounded corners. In this section, a state diagram models the different states of
the primary elements in the ontology-based knowledge access control model. At any
given time, elements are assumed to be in an identifiable state. An event typically
triggers a change from one state to another. The state diagrams of the elements modeled in
this section are particularly helpful for specifying restrictions to knowledge use and
sharing.
Figure 8 presents the state diagram of the role element with one start and one
end state and three different states — “deactivating,” “activating” and “active.”
When a user with a role enters a KMS, the initial state of the role is “deactivating”
and is to be transformed into an activating state while the constraints utilized to
restrict role activation are available. When role activation is completed, the role
state is transformed into an active state. Only roles in an active state can access
authorized knowledge.
Figure 9, a state diagram of the user element, includes seven different states
describing user behaviors in a KMS. When a user logs in to a KMS, the user
password and identity are authenticated by the KMS. Following authentication,
the user state is transformed into the state of “generating user knowledge access
privilege” to assess user knowledge access privileges based on the role of the user.
[Figures 8 and 9: state diagrams of the role and user elements. Recoverable labels: Deactivating, Activating, Active; /initiate, [constraints available]/activate, completed, /deactivate, /end, /request, /Input user data.]
Then, when entering the waiting state, the user may request authorized knowledge
or log out to enter an access knowledge state or a logout state, respectively.
Figure 10, a state diagram for the task element, shows all possible states in
a task lifecycle to identify all knowledge generated by, or assigned to, the task.
When an unexecuted task is triggered and its pre-conditions are met, the state of
the task is transformed into an initiative state. When users start performing the
task, the initiative state is transformed into a concurrent state, which includes both
an executing and a referred state, because knowledge related to the task can be
appropriately shared with other workers during task execution. When a task permits
knowledge sharing, the task may be disabled, which places it in a disallowed
reference state. A task is completed when all its
post-conditions are met; the task state is then transformed into the finished state.
Even when a task is finished, knowledge related to the task can still be shared.
Thus, an administrator can enable sharing and change the task state from finished
to referred.
The states of a component element include “concept,” “designing,” “manu-
facturing,” “finished product,” “using,” “improving” and “recycling” (Fig. 11).
Knowledge associated with a component can be created or required during different
component states. Hence, knowledge associated with different component states can
[Figures 11 and 12: state diagrams of the component and physical knowledge elements. Component states: Concept, Designing, Manufacturing, Finished Product, Using, Improving, Recycling. Physical knowledge states: Creating, Identifying, Retention, Applying (Shared, Non-shared), Renewing. Recoverable transition labels include /start, /create, [knowledge available]/store, [sharing allowable]/enable, [sharing unallowable]/disable, [refining needed]/amend, /recycle, completed, /end.]
be determined by the knowledge owner whether the knowledge can be shared with
others.
Based on the core KM activities, this study identifies the following five states
of the physical knowledge element: “creating,” “identifying,” “retention,” “utiliza-
tion” and “renewing” (Fig. 12). The utilization state is a concurrent state. When
knowledge can be applied, namely, into “shared” or “non-shared” states, knowl-
edge sharing can be determined by an administrator or knowledge owner. However,
knowledge should continuously be refined and updated. When refining is needed, the
knowledge state is transformed into the renewing state, at which time knowledge
sharing is not allowed.
This study further refines the physical knowledge element examined in previous
works and adds three attributes (role-shared, task-shared and component-shared
attributes) for effective control of physical knowledge sharing. The three attributes,
as gates for knowledge sharing, are true/false Boolean data determined by knowl-
edge administrators or owners. The role-shared (RS) attribute determines whether
knowledge is assigned to be shared with other roles through different role rela-
tionships in an organizational ontology. The task-shared (TS) attribute is used to
determine whether knowledge is assigned to be shared with other tasks through task
tion associated with a concept can be inferred from another; this relationship is
termed relationship propagation. When roles prevent access to certain conceptual
knowledge, users can still receive knowledge access permission, that is, propagated
permission, through relationship propagation. In this study, relationship propaga-
tion is elucidated by six relationships within three ontologies.
To introduce these propagation modes, this study first defines a direct privilege
function DP(x) and a shared privilege function SP(y). The DP(x) function is defined
as the direct privilege set of concept x ∈ one of three ontologies, and the set of
permissions are assigned to x directly; that is,
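$$
DP(x) = \begin{cases}
rp & \text{if } (x, rp) \in \text{R-P-A},\ x \in R \ \&\ rp \in RP,\\
tp & \text{if } (x, tp) \in \text{T-P-A},\ x \in T \ \&\ tp \in TP,\\
cp & \text{if } (x, cp) \in \text{C-P-A},\ x \in C \ \&\ cp \in CP,
\end{cases}
$$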
where rp ∈ RP is the set of role permissions assigned to x, tp ∈ TP is the set of
task permissions assigned to x and cp ∈ CP is the set of component permissions
assigned to x.
Notably, SP(y) is defined as the shared privilege set of concept y ∈ one of the
three ontologies and the set of permissions assigned to y directly. The permissions
are allowed to operate on the knowledge object k ∈ K, which is allowed to be
shared, that is,
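$$
SP(y) = \begin{cases}
srp & \text{if } (y, srp) \in \text{R-P-A},\ y \in R,\ srp \in RP \ \&\ RS \text{ of } k = \text{true},\\
stp & \text{if } (y, stp) \in \text{T-P-A},\ y \in T,\ stp \in TP \ \&\ TS \text{ of } k = \text{true},\\
scp & \text{if } (y, scp) \in \text{C-P-A},\ y \in C,\ scp \in CP \ \&\ CS \text{ of } k = \text{true},
\end{cases}
$$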
where srp ∈ RP is the set of role permissions assigned to y that operate on knowl-
edge objects k, of which RS attribute is true; stp ∈ TP is the set of task permissions
assigned to y that operate on k, of which TS attribute is true; scp ∈ CP is the set
of component permissions assigned to y that operate on k, of which CS attribute
is true.
• Propagation via sub-class relationships. From an object-oriented perspec-
tive, a sub-class (sub-concept) inherits all attributes and characteristics of its
knowledge created from these tasks should be shared and distributed directly
with the roles performing the tasks. A sequence propagation function $P_{\text{sequence}}(t_i)$ for taking user knowledge privileges from $t_i$ and shared knowledge privileges from the pre-tasks of $t_i$ is defined as

$$
P_{\text{sequence}}(t_i) = \begin{cases}
DP(t_i) \cup SP(t_j) & \text{if } t_j \text{ is a pre-task of } t_i,\\
DP(t_i) & \text{otherwise},
\end{cases}
$$

where $t_i$ for $1 \le i \le n$ ∈ process ontology are task concepts and $t_j$ for $1 \le j \le m$ are task concepts to be performed before $t_i$.
• Propagation via instances. Instances represent elements or individuals in an
[Figure: example of assignments and relationships across the three ontologies. Organizational ontology: user Andy (U-R-A); roles including R&D Manager, Engineer, Frame Designer and Prototype Designer (role hierarchy, sub-class). Process ontology: tasks including Detailed Design, Training, Primary Design and Product Requirement Analysis (prior sequence, R-T-A, T-C-A). Product ontology: components including Frame, Tire, Brake, Bicycle, Derailleur Gear Unit and Bike (part of, equivalence).]
the bicycle component; a bicycle is comprised of one frame, two tires, one brake and
one derailleur gear unit.
In a simplified example, the RS, TS and CS attributes of knowledge objects are
assumed “true”, i.e., knowledge sharing through propagation is all allowed in the
example. A knowledge user (Andy) is a frame designer in the company. Based on
his role, he is given the most fundamental privilege to read the knowledge “guide-
lines for a frame designer”. Andy is allowed to read the guidelines for engineer in
the R&D department because his role, “frame designer”, is a sub-class of the role
“engineer”. Andy is also allowed to read the knowledge “basic structure of a bicycle”
during his initial employee training because the task “training” is assigned to the
role “engineer”. Based on his assigned task “detailed design”, Andy may read and
write the knowledge “criteria for a good bicycle frame”. When Andy performs the
task “detailed design” to design a component “frame”, he may read the knowledge
“bicycle frame design manual” and consult an engineer with relevant design expe-
rience. These privileges are gained by assignments. The method developed in this
study can propagate user privileges using various relationships in the three ontolo-
gies. For instance, when one knowledge user performs the task “detailed design”
for designing a derailleur, the “part of” relationship indicates that, in addition to
privilege to read the knowledge “derailleur design”, the user also has privilege to
read the document “introduction to bicycles”.
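The direct, shared and sequence propagation functions defined earlier, applied to the task side of the bicycle scenario, as an added example that is not code from the paper. The class and function names, the "primary design notes" object and the ordering of "primary design" before "detailed design" are assumptions constructed for illustration, and the union is taken over every declared pre-task.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Knowledge:
    """Physical knowledge object k with its three Boolean sharing gates."""
    name: str
    rs: bool = True  # role-shared (RS)
    ts: bool = True  # task-shared (TS)
    cs: bool = True  # component-shared (CS)


@dataclass(frozen=True)
class Permission:
    """Permission (k, o): access mode o on knowledge object k."""
    k: Knowledge
    o: str


# Gate consulted by SP(y), chosen by the ontology that y belongs to.
GATE = {"R": "rs", "T": "ts", "C": "cs"}


class AccessModel:
    def __init__(self):
        # R-P-A, T-P-A and C-P-A: ontology letter -> concept -> permissions.
        self.assignments = {"R": {}, "T": {}, "C": {}}
        # Task -> tasks performed before it (the "prior sequence" relation).
        self.pre_tasks = {}

    def grant(self, kind, concept, k, o):
        self.assignments[kind].setdefault(concept, set()).add(Permission(k, o))

    def dp(self, kind, x):
        """DP(x): permissions assigned to x directly; empty if none."""
        return set(self.assignments[kind].get(x, ()))

    def sp(self, kind, y):
        """SP(y): permissions of y whose knowledge object has its gate true."""
        return {p for p in self.dp(kind, y) if getattr(p.k, GATE[kind])}

    def p_sequence(self, ti):
        """DP(t_i) united with SP(t_j) for every declared pre-task t_j."""
        perms = self.dp("T", ti)
        for tj in self.pre_tasks.get(ti, ()):
            perms |= self.sp("T", tj)
        return perms

    def allowed(self, ti, knowledge_name, o):
        """Deny by default: True only if (k, o) is in P_sequence(t_i)."""
        return any(p.k.name == knowledge_name and p.o == o
                   for p in self.p_sequence(ti))


def build_example(notes_task_shared=True):
    """Constructed data: two tasks, one prior-sequence edge, one role."""
    m = AccessModel()
    criteria = Knowledge("criteria for a good bicycle frame")
    notes = Knowledge("primary design notes", ts=notes_task_shared)
    guide = Knowledge("guidelines for a frame designer")
    m.grant("T", "detailed design", criteria, "read")
    m.grant("T", "detailed design", criteria, "write")
    m.grant("T", "primary design", notes, "read")
    m.grant("T", "primary design", notes, "write")
    m.grant("R", "frame designer", guide, "read")
    m.pre_tasks["detailed design"] = {"primary design"}  # assumed ordering
    return m


if __name__ == "__main__":
    for shared in (True, False):
        m = build_example(shared)
        got = sorted((p.k.name, p.o) for p in m.p_sequence("detailed design"))
        print(f"TS={shared}: {got}")
```

With TS true, the pre-task's write permission propagates along with read, because the formula passes on every access mode assigned to the pre-task; setting TS to false on the knowledge object removes both while the pre-task's own direct access is unchanged.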
developing a secure KMS. The knowledge representation method shown in the conceptual knowledge layer enhances precision when describing knowledge and relationships among knowledge. The proposed knowledge access control model for
enterprises can enhance (1) the security of knowledge access and sharing within
and across departments and teams and (2) the dynamic evaluation of user knowl-
edge access privileges according to organization structure, user roles and enter-
prise knowledge sharing strategy. The ideal objective is achieving a secure and
trusting environment, a culture of knowledge sharing and innovation within an
enterprise.
In addition to the proposed KMS functional framework and knowledge access
control model, the following additional research issues are suggested:
(1) The correlation between conceptual knowledge layer and physical knowledge
layer is currently manual. However, continual and rapid changes in knowledge
often occur at the physical layer. A method of automatically mapping between
conceptual knowledge layer and physical knowledge layer is needed to quickly
respond to such changes.
(2) The detailed functions of the KMS functional framework should be designed to
support all knowledge activities as well as management of access control and
privileges.
(3) The relationships among concepts extracted from a knowledge document must
be constructed as ontology. This complex task may excessively burden workers.
Therefore, a concept extraction mechanism and an automatic ontology con-
struction mechanism are needed.
(4) A method of measuring trust and risk levels for sharing knowledge between
enterprise partners must be developed to increase the security of knowledge
sharing.
Acknowledgments
The authors would like to thank the National Science Council of the Republic
of China, Taiwan for financially/partially supporting this research under contract
no. NSC96-2221-E-343-002.
References
1. E. M. Awad and H. M. Ghaziri, Knowledge Management (Pearson Education, 2004).
2. I. Nonaka and H. Takeuchi, The Knowledge Creating Company: How Japanese Com-
panies Create the Dynamics of Innovation (Oxford University Press, New York, 1995).
3. W. R. King and P. V. Marks, Jr, Motivating knowledge sharing through a knowledge
management system, International Journal of Management Science, 2007.
4. F. An, F. Qiao and X. Chen, Knowledge sharing and web-based knowledge-sharing
platform, Proceedings of the IEEE International Conference on E-Commerce Technol-
ogy for Dynamic E-Business, 2004.
5. D. Wang, The realization of knowledge management with IT technology-simple knowl-
edge management (Publishing House of Electronics Industry, 2002).
21. T.-Y. Chen, Y.-M. Chen, C.-B. Wang and H.-C. Chu, Development of an access con-
trol model, system architecture and approaches for information sharing in virtual
enterprise, Computers in Industry 58(1) (2007) 57–73.
22. T.-Y. Chen, Y.-M. Chen, C.-B. Wang and H.-C. Chu, Resource sharing to support
cross-organization collaboration in virtual enterprise using a novel trust method,
Robotics and Computer-Integrated Manufacturing 23 (2007) 421–435.
23. R. Neches, R. E. Fikes, T. Finin, T. R. Gruber, T. Senator and W. R. Swartout,
Enabling technology for knowledge sharing, AI Magazine 12(3) (1991) 36–56.
24. A. Schreiber, B. J. Wielinga and W. Jansweijer, The KACTUS view on the “O”
world, in D. Skuce (ed.), IJCAI95 Workshop on Basic Ontological Issues in Knowledge
Sharing, 1995, pp. 15.1–15.10.
25. S. Staab, Knowledge representation with ontologies: The present and future, IEEE