
July 28, 2009 11:58 WSPC/117-IJSEKE - SPI-J111 00419

International Journal of Software Engineering and Knowledge Engineering
Vol. 19, No. 3 (2009) 361–387
© World Scientific Publishing Company

A MULTIPLE-LAYER KNOWLEDGE MANAGEMENT SYSTEM FRAMEWORK CONSIDERING USER KNOWLEDGE PRIVILEGES
Int. J. Soft. Eng. Knowl. Eng. 2009.19:361-387. Downloaded from www.worldscientific.com

TSUNG-YI CHEN
by FLINDERS UNIVERSITY LIBRARY on 01/23/15. For personal use only.

Department of Electronic Commerce Management,
Nanhua University, No. 32, Chung Keng Li,
Dalin, Chiayi, 62248, Taiwan
tsungyi@mail.nhu.edu.tw

Received 1 May 2007
Revised 4 October 2007
Accepted 9 January 2008

Success in a knowledge economy requires effectively using existing knowledge to create new knowledge. Security for knowledge sharing in enterprises is critical for protecting intellectual assets. This study develops the functional framework of a knowledge management system (KMS) with knowledge access control for effectively and securely sharing knowledge within an enterprise or across teams. The functional framework of the proposed KMS includes the following nine layers: user interface layer, knowledge access control and security layer, knowledge representation layer, knowledge process layer, conceptual knowledge layer, knowledge index layer, transport layer, middleware layer and physical knowledge layer. A method of conceptual knowledge representation in the knowledge representation layer is then proposed. Finally, an ontology-based knowledge access control model based on the role-based access control (RBAC) model and the conceptual knowledge representation method is proposed for managing user knowledge privileges in a knowledge sharing enterprise. The proposed method can (1) enhance precision in describing knowledge and knowledge relationships, (2) ensure security of knowledge access and sharing within an enterprise and (3) accurately and rapidly identify user knowledge access privileges.

Keywords: KMS; knowledge representation; knowledge sharing; RBAC; privilege; ontology.

1. Introduction
In this era of a dynamic knowledge-driven economy, knowledge owners enjoy competitive advantages. Collaborative development of new products and technologies requires real-time sharing of data, information and knowledge. Data are often unorganized and unprocessed facts about events, often merely structured records of transactions. Information is the aggregation of data which can enhance decision making whereas knowledge is the human understanding of a specialized field of interest acquired through study and experience [1]. Knowledge may also be accumulated facts, procedural rules or heuristics. A heuristic is a rule of thumb based on experience. Nonaka and Takeuchi suggested that “knowledge, unlike information, is about beliefs and commitment” [2]. Only when workers within an organization freely share knowledge with each other can an enterprise exploit its potential in product design. Most knowledge managers recognize that the most important task in knowledge management (KM) is assigning and appropriately distributing knowledge to workers who need the knowledge to achieve their tasks [1, 3]. Tacit knowledge acquired and embedded in the human mind by experience is often the most valuable knowledge asset yet often the most difficult to document, manage and share. Enterprise knowledge acquisition, representation, storage, learning, sharing and innovation are the core functions of KM [4, 5]. Although knowledge innovation is one goal of KM, innovation cannot occur without existing knowledge [4]. However, knowledge sharing is a particularly important aspect of KM. Thus, the security of shared knowledge by effective access control is essential to fully exploit existing knowledge. Bertino et al. observed that an effective KMS should include a security strategy, process and supportive knowledge activities [6].

Efficient knowledge sharing within and across departments and teams is necessary for several reasons: (1) the success of a team depends on effective knowledge sharing; (2) effective knowledge sharing and dissemination can enhance efficiency in applying existing knowledge; and (3) real-time knowledge sharing and dissemination can increase competitiveness by improving efficiency and quality. Effective knowledge sharing entails three steps: (1) promoting an enterprise culture which encourages knowledge sharing and accumulation of enterprise individual knowledge, (2) offering an efficient knowledge sharing mechanism to minimize time and space barriers and (3) improving knowledge representation technology to increase accessibility by all members of an enterprise [4, 7, 8]. Explicit knowledge is relatively easy to share because it can be expressed in a language and stored in a document. The following three steps encourage tacit knowledge sharing within an enterprise: (1) converting tacit knowledge into explicit knowledge, (2) expressing tacit knowledge without language and (3) connecting knowledge with a knowledge provider [4].

The following studies recently explored KMS framework design. Wiig presented a KM framework involving three KM pillars that represent the major functions needed to manage knowledge [9]. Leonard-Barton introduced a framework comprised of four core capabilities: shared and creative problem solving, implementing and integrating new methodologies and tools, experimenting and prototyping, and importing and absorbing technologies from other areas of expertise [10]. An et al. proposed a web-based knowledge-sharing platform based on Microsoft .NET to support enterprise knowledge sharing [4]. Seleznyov and Hailes developed conceptual architecture for an access control system featuring automatically distributed knowledge acquisition and processing [11]. In a significant contribution to KMS research, Abra et al. presented a generic knowledge management system architecture with an agent-based distributed information processing system framework [12]. Malhotra conceptualized KM as a framework within which the organization views all its processes as knowledge processing, e.g., creation, dissemination, renewal and application of knowledge for organizational sustenance and survival [13]. Holsapple and Joshi broadly classified all proposed frameworks into two categories: (1) descriptive frameworks characterizing the nature of KM phenomena and (2) prescriptive frameworks for knowledge management methodologies [14].

Several researchers have noted that, of the numerous studies of secure access control, none have proposed solutions for managing user knowledge access privileges for knowledge access control and sharing [6, 7, 8]. Enterprise knowledge, including explicit and tacit knowledge, can be stored in different formats such as in distributed knowledge bases or in the minds of employees. Therefore, managing user knowledge access privileges differs from traditional methods of controlling access to data and information. Knowledge access control requires a unique integration with knowledge representation to manage the increasing complexity of knowledge, and a strategy for enterprise KM must be consistent with practical business operations and management. Developing an effective KMS requires integration of information systems and human ecology. Aspects of information systems include knowledge acquisition, storage, sharing, transmission and innovation while aspects of human ecology drive the implementation of KM and the development of enterprise culture.

To build a secure and efficient KMS, a KM process involves six phases: knowledge acquisition, identification, retention, utilization, sharing and distribution and development, and each phase requires effectively managing user knowledge access privileges. This study
(1) focuses on the control and sharing of enterprise knowledge;
(2) proposes not only a strategy for centralized control of knowledge but also a method for decentralized control of knowledge sharing while protecting shared knowledge owned by individuals;
(3) contributes to the field of enterprise KM security by presenting a multiple-layer KMS functional framework for distributed knowledge sharing. The proposed KMS functional framework is comprised of the following nine layers: user interface layer, knowledge access control and security layer, knowledge representation layer, knowledge process layer, conceptual knowledge layer, knowledge index layer, transport layer, middleware layer and physical knowledge layer;
(4) investigates the knowledge access control and security layer as well as the conceptual knowledge layer;
(5) proposes a method of representing knowledge in the conceptual knowledge layer using three ontologies (organizational, process and product ontologies) to describe knowledge and knowledge relationships. To evaluate user knowledge access privileges in the knowledge access control and security layer, an ontology-based knowledge access control model based on the RBAC model is also proposed as a core technology for managing and sharing knowledge.

The major contributions of this study can enhance: (1) precision in describing knowledge and relationships between knowledge; (2) the security of knowledge access and sharing within an enterprise; and (3) the dynamic evaluation of user knowledge access privileges according to enterprise organizational structure, user roles, status of knowledge sharing and enterprise knowledge sharing strategies. Thus, a business enterprise can encourage knowledge sharing as well as stimulate innovation in a secure and trusting environment.

This paper is organized as follows. Section 2 introduces the relevant topics of this study. Section 3 provides an overview of the functional framework of the multilayer KMS. Sections 4 and 5 introduce the conceptual knowledge layer and the knowledge access control and security layer, respectively, included in the functional framework of the multilayer KMS. Finally, Sec. 6 concludes and proposes further studies.

2. Related Studies
This section explores three topics relevant to this study: secure knowledge sharing, RBAC and ontology. The relevant literature is briefly reviewed to clarify the requirements of an effective and secure KMS framework for knowledge sharing, the RBAC for managing user knowledge access privileges and the ontology of knowledge representation.

2.1. Secure knowledge sharing


Lee defined knowledge sharing as the activity of transferring or disseminating knowledge from one person, group or organization to another [15]. Efficient knowledge sharing and distribution require a suitable organizational and technical infrastructure. An employee may be reluctant to share knowledge if by doing so it would compromise some competitive advantage of the employee within the organization. Therefore, enterprises must reward and facilitate knowledge sharing. However, the willingness to share knowledge may be impeded by individual and cultural barriers. Individual level barriers include those affecting the ability to share knowledge and those affecting the willingness to do so. Cultural level barriers to sharing knowledge exist in the absence of a company culture legitimizing or supporting such sharing. These barriers primarily involve issues of power and trust.

Bertino presented a secure KM architecture involving four major tasks [6]: (1) knowledge creation: creating new knowledge and devising a secure policy for managing knowledge; (2) knowledge representation: expressing knowledge in a machine-readable format; (3) knowledge operation: inquiring and updating knowledge and (4) knowledge dissemination: transferring or distributing knowledge to authorized users; however, a viable security solution has not been developed [6].

2.2. RBAC model


Access control protects a computing system from unauthorized access or modification of information resources [16]. Access control determines whether a user has access rights to a given resource; an access control system governs when and how resources can be used by whom. Role-based access control (RBAC) was developed to address security requirements [16]. The RBAC model (Fig. 1) introduces the concept of role to organize users and authorizations and provides a means of expressing access control that is scalable to large numbers of subjects. The model is hierarchical: a high role may inherit all access rights of lower roles in the role structure. Session elements map users to sets of authorized roles. The basic RBAC model has the following three main components [17–22]:
• The base model of RBAC is comprised of the following elements: Users, who are assigned to roles through assignments U-R-A; Roles, which are assigned permissions R-P-A; Permissions, which are approved for operating on a resource; and Sessions, which map a user to one or more roles.
• Role hierarchy defines the relationships between the inherited authorities of roles.
• The constraints are described as follows: (1) Static Separation of Duty (SSD) specifies conflicting roles; (2) Dynamic Separation of Duty (DSD) restricts which roles can be activated within the same user session; (3) prerequisite-role constraints ensure that users meet prerequisites of a role before being assigned to the role; and (4) cardinality constraints restrict the number of users assigned to a role. These constraint principles are also applicable to other RBAC elements such as users, permissions, etc.

[Figure: Users (U), Roles (R) and Permissions (P), linked by User-Role Assignment (U-R-A) and Role-Permission Assignment (R-P-A), together with Role hierarchy, Sessions (S) and Constraints.]
Fig. 1. Basic role-based access control model.
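The RBAC elements and constraints listed above, as an added Python example that is not code from the paper: a small model with U-R-A, R-P-A, role hierarchy, sessions and the four constraint types. The role names, permissions and the decision to evaluate SSD and DSD over inherited roles as well as directly held ones are assumptions made for illustration.

```python
"""Core RBAC with role hierarchy, sessions and four constraint types (added example)."""


class RBACError(Exception):
    """An assignment or role activation violates a constraint."""


class RBAC:
    def __init__(self):
        self.user_roles = {}   # U-R-A: user -> directly assigned roles
        self.role_perms = {}   # R-P-A: role -> {(operation, resource)}
        self.juniors = {}      # hierarchy: senior role -> direct junior roles
        self.prereq = {}       # prerequisite-role constraint: role -> required role
        self.max_users = {}    # cardinality constraint: role -> max assigned users
        self.ssd = []          # SSD: role sets one user may never be authorized for together
        self.dsd = []          # DSD: role sets that may not be effective in one session

    def add_role(self, role, perms=(), juniors=(), prereq=None, max_users=None):
        self.role_perms[role] = set(perms)
        self.juniors[role] = set(juniors)
        if prereq is not None:
            self.prereq[role] = prereq
        if max_users is not None:
            self.max_users[role] = max_users

    def closure(self, roles):
        """The given roles plus every role they inherit through the hierarchy."""
        seen, stack = set(), list(roles)
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.juniors.get(role, ()))
        return seen

    def assign(self, user, role):
        held = self.user_roles.get(user, set())
        need = self.prereq.get(role)
        if need is not None and need not in self.closure(held):
            raise RBACError(f"{user} lacks prerequisite role {need!r} for {role!r}")
        holders = sum(1 for u, rs in self.user_roles.items() if role in rs and u != user)
        if role in self.max_users and holders >= self.max_users[role]:
            raise RBACError(f"cardinality limit reached for {role!r}")
        authorized = self.closure(held | {role})
        for conflict in self.ssd:
            if len(conflict & authorized) > 1:
                raise RBACError(f"SSD conflict for {user}: {sorted(conflict & authorized)}")
        self.user_roles.setdefault(user, set()).add(role)

    def open_session(self, user, activate):
        """Return the effective roles of a new session, or raise RBACError."""
        activate = set(activate)
        if not activate <= self.closure(self.user_roles.get(user, set())):
            raise RBACError(f"{user} is not authorized for {sorted(activate)}")
        effective = self.closure(activate)
        for conflict in self.dsd:
            if len(conflict & effective) > 1:
                raise RBACError(f"DSD conflict in session: {sorted(conflict & effective)}")
        return frozenset(effective)

    def permitted(self, session, operation, resource):
        return any((operation, resource) in self.role_perms.get(r, ()) for r in session)


def denied(action, *args):
    """True if the call is rejected by a constraint."""
    try:
        action(*args)
    except RBACError:
        return True
    return False


def build_demo():
    """Constructed roles and permissions, loosely named after KMS repositories."""
    rbac = RBAC()
    rbac.add_role("employee", perms={("read", "case_base")})
    rbac.add_role("engineer", perms={("update", "rule_base")}, juniors={"employee"})
    rbac.add_role("reviewer", perms={("approve", "rule_base")})
    rbac.add_role("manager", juniors={"engineer"}, prereq="engineer", max_users=1)
    rbac.add_role("knowledge_admin", perms={("modify", "access_policy")})
    rbac.add_role("auditor", perms={("read", "access_log")})
    rbac.ssd.append({"knowledge_admin", "auditor"})   # never the same person
    rbac.dsd.append({"engineer", "reviewer"})          # never in the same session
    return rbac


if __name__ == "__main__":
    rbac = build_demo()
    rbac.assign("alice", "engineer")
    rbac.assign("alice", "reviewer")          # allowed: DSD only limits activation
    session = rbac.open_session("alice", {"engineer"})
    print(sorted(session), rbac.permitted(session, "read", "case_base"))
    print("DSD blocks:", denied(rbac.open_session, "alice", {"engineer", "reviewer"}))
    rbac.assign("bob", "auditor")
    print("SSD blocks:", denied(rbac.assign, "bob", "knowledge_admin"))
    print("prerequisite blocks:", denied(rbac.assign, "carol", "manager"))
```

Because conflicts are checked against the hierarchy closure, a user who holds both `manager` and `reviewer` cannot activate them together: `manager` inherits `engineer`, which is in a DSD set with `reviewer`.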

2.3. Ontology
Ontology is defined as the basic terms and relations comprising the vocabulary of a subject area as well as the rules for combining terms and relations to define extensions to the vocabulary [23]. Ontology provides the means of explicitly describing the concepts behind the knowledge represented in a knowledge base [24]. Because tacit knowledge is often stored in the minds of domain experts in a conceptual form that is implicit and person-specific, extracting and recording such knowledge may be difficult. Ontological engineering defines abstract domain knowledge in terms of elements such as entity, property and relation by using systematic methods and processes. Such knowledge is then transformed into explicit and formal specifications [25]. Human knowledge acquisition begins with an understanding of simple knowledge before progressing to acquisition of more profound knowledge. This process indicates that knowledge is hierarchically structured. For instance, instructional materials may be created for students at different levels; they may be arranged in a specific order and have varying degrees of difficulty. In this study, basic ontological elements represent the structure of knowledge and describe the relationships between knowledge at a conceptual knowledge layer.

Ontology contains: (1) important concepts in a domain, (2) crucial properties of each concept, (3) restrictions on properties such as property cardinality, (4) property value type and (5) domain and range of a property. Gruber defined ontology as an explicit and formal specification of a shared conceptualization and identified five components of modeling ontologies [26]: classes, relations, functions, formal axioms and instances. Classes denote abstract or specific concepts. Relations denote associations between domain concepts; for example, the binary relation Subclass-of is used for building the class taxonomy. Functions are a special case of relations in which the n-th element of the relation is unique for the n − 1 preceding elements. Formal axioms represent knowledge that cannot be formally defined by the other components. Finally, instances denote elements or individuals in classes.

In addition to these components, the following six ontological relationships define conceptual relationships in ontologies and control the propagation of knowledge access privileges: (1) Sub-class of indicates a class is a specialization of another class; (2) Equivalence indicates a class is equivalent to another class; (3) Part-of indicates a class is one of the components of another class; (4) Intersection indicates a class is the intersection of concepts of other classes; (5) Union indicates a class is the union of concepts of other classes; and (6) Complement indicates a class is not part of another class and each instance of the class is not part of any instance of another class.

3. Multiple-Layer KMS Functional Framework


This section develops a multiple-layer KMS functional framework from a knowledge
access control perspective.

3.1. Scenario for KM activities


This section first introduces a scenario (Fig. 2) demonstrating methods of managing and applying knowledge within an enterprise, such as searching knowledge, evaluating user knowledge access privileges, evaluating trust and risk when sharing knowledge, performing knowledge activities (including using, learning and updating existing knowledge in addition to acquiring new knowledge) as well as formulating and modifying knowledge access privileges and policies.

[Figure: flow from knowledge users logging in to a KMS (Employee DB) and requesting knowledge services, through searching knowledge (knowledge map), evaluating user knowledge access privileges (knowledge access control model; allow access?), evaluating trust and risk for knowledge sharing (knowledge sharing policies, fuzzy rules for trust and risk evaluation; allow sharing?), to rejecting the user's requirement, sharing tacit knowledge through communication/meeting with experts, employees and owners (Human Resource Base), accessing explicit knowledge in the knowledge bases, and performing knowledge activities; the administrator modifies the access control model.]
Fig. 2. Scenario for KM activities.

The sequence of activities in this scenario is as follows. A user requiring knowledge enters the enterprise KMS. After authentication of user identification and password by the KMS, the user may log in as one of several available roles. The user may then request knowledge services, and the KMS initiates a search according to the knowledge map, which also helps users to quickly identify the source of the requested knowledge. In this study, three ontologies describing conceptual knowledge are used as the knowledge map. If the knowledge exists in the KMS, the KMS runs a knowledge access control model to evaluate the allowable level of knowledge access based on the role of the user. According to the generated privileges, the user can then access enterprise knowledge and perform knowledge activities such as (1) acquiring new knowledge and entering it into the knowledge base and (2) updating knowledge currently contained in the knowledge base. If a user is denied access, the KMS evaluates the risk of knowledge sharing according to knowledge sharing policies of the enterprise and fuzzy rules for analyzing vague factors. If sharing is disallowed, the KMS rejects the user request; otherwise, the KMS judges the class of the knowledge requested by the user. If the shared knowledge is explicit, the KMS notifies the user to access the knowledge; furthermore, the KMS provides a chat room and requests relevant experts or knowledge holders in the organization to enter the chat room to share knowledge or experiences with the user.

Such an access system enables enterprise knowledge owners, security administrators and resource assigners to readily modify knowledge access control policies and regulations in response to a rapidly changing business environment or to meet the security requirements of shared knowledge.

3.2. Design of the multiple-layer KMS functional framework


Designing a KMS functional framework should take at least four aspects into account, namely knowledge component, KM process, information technologies (ITs) and organization. The knowledge component includes knowledge definition and categories; the KM process is the steps and activities needed to manage knowledge; ITs consist of some up-to-date and applicable computer technologies and infrastructures such as communications, networks and databases; the organization aspect is comprised of organizational structure, corporate culture and human resource management [27]. In addition to demonstrating KM activities, the scenario in Sec. 3.1 highlights the importance of knowledge access privilege management. Tiwana proposed the following seven-layer KMS framework: user interface layer, authorized access control layer, collaborative intelligence and filtering layer, knowledge-enabling applications layer, transport layer, middleware and legacy integration layer and physical repository layer [28]. Referring to the fundamental KMS framework, a multiple-layer KMS functional framework is designed in this study for knowledge access control and sharing. The multiple-layer KMS functional framework (Fig. 3) involves the following nine layers.
[Figure: users (team, domain expert, knowledge worker, employee) above a stack of nine layers: User Interface Layer; Knowledge Access Control & Security Layer; Knowledge Transformation Layer; Knowledge Process Layer; Conceptual Knowledge Layer; Knowledge Index Layer; Transport Layer; Middleware Layer; Physical Knowledge Layer.]
Fig. 3. Multiple-layer KMS functional framework.

• User Interface Layer. In this top layer of the multiple-layer KMS framework, users interact with a graphic user interface to perform all KM activities. The layer presents knowledge to all knowledge workers in the form of graphics, tables, text or other formats. The layer must be capable of presenting both tacit and explicit knowledge. Without an effective user interface layer, even the best KMS is bound to fail. Awad and Ghaziri suggested that the following features should be considered when designing a user interface [1]: consistency, relevance, visual clarity, navigation and usability.
• Knowledge Access Control and Security Layer. This layer maintains security and ensures authorized access to physical knowledge captured and stored in repositories through the enterprise intranet, the Internet or an extranet from any place and at any time. The layer ensures security through protocols such as passwords, authentication and access control to authorize users and protect resources as well as a firewall to prevent unauthorized access or to prevent contamination of company files with inappropriate information. Therefore, the core of this layer is an appropriate knowledge access control model for evaluating user privileges to access enterprise knowledge and protect knowledge assets stored in the physical knowledge layer of the framework. The details of this model are explored further in Sec. 5.
• Knowledge Transformation Layer. A KMS may contain heterogeneous knowledge organized by different representation methods and accessed by different users. The ontology-based conceptual knowledge in the conceptual knowledge layer supports the knowledge transformation layer in transforming and integrating knowledge into a format easily accessed and understood by users.
• Knowledge Process Layer. The design of this layer is based on a six-step KM process. Hence, this layer offers the following functions: knowledge creation, identification, collection, organization, sharing and distribution and application. Here, knowledge creation denotes generating new knowledge behavior; knowledge identification denotes identifying knowledge useful to an organization or individual; knowledge collection denotes collecting useful knowledge; knowledge organization denotes the classification of useful knowledge for efficient access; knowledge sharing and distribution denote the dissemination of useful knowledge to users requiring the knowledge; knowledge application denotes the identification and application of shared knowledge.
• Conceptual Knowledge Layer. This layer provides a knowledge map; that is, it visually represents knowledge and provides a channel for sharing and acquiring knowledge in an organization. For example, a knowledge map might help users retrieve certain professional knowledge. In this layer, ontologies are used to describe conceptual knowledge content and formalize domain knowledge in order to clearly regulate knowledge and to describe and define the structure, rules and restrictions of knowledge. Therefore, a three-dimensional ontology, including organizational, process and product ontologies, is constructed for the layer to describe conceptual enterprise knowledge from three viewpoints: enterprise organizational structure, task and product. All concepts in the three ontologies are extracted from the knowledge content in the physical knowledge layer. Based on the content and classification of concepts extracted from the knowledge content, including know-what, know-how and know-why, the conceptual relationships in the three ontologies are identified.
• Knowledge Index Layer. This layer records all data related to knowledge in the physical knowledge layer, such as knowledge identification number, knowledge name, knowledge type, knowledge repository and mapping relationship between the conceptual knowledge layer and the physical knowledge layer. The mapping relationships indicate each concept in the conceptual knowledge layer associated with knowledge stored in the physical knowledge layer. The knowledge index layer enables user access to knowledge stored in the physical knowledge layer through the knowledge privilege management of concepts in the conceptual knowledge layer. Some indices for different knowledge formats are needed. For mapping conceptual knowledge to physical knowledge represented with rule-based knowledge representation method, an index for rule-based knowledge is designed to record specific knowledge types and designate the start and end points of rule-based knowledge. For instance, the rule-based decision-making knowledge for selecting an appropriate cooperative partner is contained within Rule No. 1 to Rule No. 10.
• Transport Layer. This layer, the most critical part of the KMS network, ensures that a network of relationships is formed to transfer knowledge electronically throughout the company. The function of the layer is to manage the transmission and flow of data between two computers or across a network.
• Middleware Layer. This layer interfaces with legacy systems and other applications installed on different platforms or operating on older operating systems. Examples of legacy systems and applications are document management systems, decision support systems (DSS), group support systems (GSS), enterprise resource planning (ERP) systems and customer relationship management (CRM). Through the middleware layer, KMS may interact with the legacy systems and applications, directly access routine transactions stored in their databases and standardize all data formats for compatibility with the KMS.
• Physical Knowledge Layer. The bottom layer of the KMS framework is a repository of knowledge in various formats. The repositories may include data warehouses, databases and XML documents. Each repository is appropriately structured for the knowledge to be stored and may be categorized as “structured,” “semi-structured” or “non-structured”. Further, physical knowledge can be categorized as descriptive knowledge (know-what), procedural knowledge (know-how) and cause-effect knowledge (know-why). This layer represents knowledge in various data formats and may include rule-based knowledge, case-based knowledge or XML-based knowledge. In addition to explicit knowledge, tacit knowledge embedded in the human mind should also be managed and shared in an enterprise through effective communication. Therefore, the framework requires a human resource database of the personal characteristics, work experience, skills and abilities of each employee.

4. Conceptual Knowledge Layer


Ontology, although incapable of representing all knowledge types, still has two advantages: knowledge sharing and knowledge reuse. A standardized ontology simplifies knowledge sharing, and the previously developed ontology for knowledge within the same domain can be reapplied in different systems. Regarding knowledge representation, ontology also enables explicit representation of conceptual knowledge [29]. Knowledge users may differ in their conception of knowledge levels and domains. Therefore, knowledge representation must support multiple views and enable customization. In addition to representation of knowledge content, another important factor affecting the quality of a knowledge base is the structure of the connection with knowledge contents. Hence, the relationships among knowledge contents should be specified as completely as possible. To clearly represent correlations among conceptual knowledge, the conceptual knowledge layer should contain the sequence of enterprise activities and the causes and effects between knowledge, multiple-dimension conceptual knowledge ontology to clearly and accurately describe conceptual knowledge, distribution of knowledge and relationships among knowledge. The conceptual knowledge layer is comprised of three ontologies: (1) an organizational ontology representing all enterprise roles and the interactive and hierarchical relationships among the roles, (2) a process ontology representing the relationships among activities in all processes of product production and (3) a product ontology representing the structures and specifications of manufactured products. The three ontologies are capable of expressing three main kinds of knowledge, i.e., know-what, know-how and know-why. Through these ontologies, workers can easily search and securely access knowledge in a KMS.

4.1. Organizational ontology


An organizational ontology is developed from the relationship between an enter-
prise role and the knowledge required for the role to achieve its tasks. This ontol-
ogy, comprised of role concepts and seven relationships, is used to describe all roles
within an enterprise, relationships among the roles and the organizational hierar-
chical structure of the enterprise. Additionally, the ontology can reveal the advisory
network, trust network and communication network of an enterprise. Role concepts
in the organizational ontology can be assigned knowledge related to the tasks of
roles based on the responsibilities and authorities of those roles by mapping the
knowledge index layer. The seven relationships illustrated at the bottom of Fig. 4
indicate the relationships among role concepts, including interactive, cooperative
and hierarchical relations of duties between different roles. Effectively establishing
these relationships to construct the organizational ontology of an enterprise can
achieve knowledge sharing within an enterprise. Application of the relationships in
knowledge access privilege management is discussed in Sec. 5. The top of Fig. 4 is
an example of an organizational ontology with eight roles and two relationships.
The “role hierarchy” in the example indicates that the role “general engineer” is
senior to the roles “hardware manager” and “software manager”, and the
“sub-class” relationship indicates that the roles “hardware manager” and “software manager”
are sub-classes or sub-concepts of the role “manager”. Each role is assigned some
essential knowledge content related to the role.

Fig. 4. An example of an organizational ontology. [Diagram not reproduced; its legend lists the relationships sub-class, equivalence, part of, intersection, union, complement and role hierarchy.]

4.2. Process ontology


Process ontology is developed from the behavioral aspect of physical workers.
Process ontology describes the vocabulary related to a generic task or activity such
as designing, diagnosing, scheduling or selling, which provides a systematic vocabu-
lary of the terms used to solve problems associated with tasks. The process ontology
that comprises some task concepts and seven relationships describes the composition
and sequence between all enterprise processes, sub-processes, activities and tasks.
In the example of a process ontology (Fig. 5), the process “bicycle design” involves
three sub-processes: “frame design”, “derailleur gear unit design” and “handlebar
design”; the sub-process “designing derailleur gear unit” is comprised of tasks T1,
T2 and T3, which are performed in the order determined by the “prior sequence” of
the relationships. In process ontology, the process, sub-process, activity and task are
referred to as the “task concept”, which can be assigned knowledge relevant to task
performance, and a user is granted knowledge access privileges upon assignment to
the task.

Fig. 5. An example of a process ontology. [Diagram not reproduced; its legend lists the relationships sub-class, equivalence, part of, intersection, union, complement and prior sequence.]

4.3. Product ontology


Product ontology is derived from the concept of product knowledge and focuses on
the structural aspects of devices. Each component (part) of every product is associ-
ated with specific knowledge regarding know-what, know-how and know-why at each
phase of its lifecycle. An example would be a product instruction or maintenance
manual. The product ontology comprised of component concepts and relationships
describes the domain knowledge of products, including the basic definition of each
component concept, the relationships among products and components, product
structure and detailed component specifications. Each component concept in the
ontology is assigned knowledge that introduces the “know-what”, “know-how” and
“know-why” of the component. Furthermore, specifying some component properties,
e.g., color, weight or size, can lead to acquisition of knowledge of a real component
(instance). Seven relations (Fig. 6, bottom left) are used to construct relationships
between products as well as the compositional structure and specification of prod-
ucts and their raw materials. Figure 6 illustrates a bicycle ontology with several
parts including brake, frame, handle bar, derailleur gear unit, front fork and tire,
non-electrical bike or city bike. In the example, the city bike has two products,
also called “instances,” with two product numbers (CB321 and CB323) and three
equivalent concepts: “bicycle”, “bike” and “ ”.

Fig. 6. An example of a product ontology. [Diagram not reproduced; its legend lists the relationships sub-class, equivalence, part of, intersection, union, complement and instance.]

Concepts in the three ontologies can be connected across ontological boundaries.
Using the assignments between the organizational ontology and the process
ontology indicates the tasks of each role; using the assignments between the
organizational ontology and the product ontology indicates which role is responsible for
which products or components; using the assignments between the process ontology
and the product ontology indicates which task is performed for which components.
Based on the three-dimensional conceptual knowledge ontology, each enterprise can
construct its conceptual knowledge layer to manage physical knowledge. The
following section proposes a knowledge access control model based on the ontology.

5. Knowledge Access Control and Security Layer


In the knowledge access control and security layer, this study proposes an
ontology-based knowledge access control model, based on the RBAC model and the
three-dimensional conceptual knowledge ontology of the conceptual knowledge layer, to
manage user knowledge access privileges. To manage all knowledge in the physical
knowledge layer, this study proposes directly managing the concepts (roles, tasks and
components) in the conceptual knowledge layer by mapping the knowledge index layer.
The definitions and notations of the proposed model are inherited and extended from
the RBAC [17–19]. The following overview briefly introduces the essential elements,
relationships and functions of the knowledge access control model.

5.1. Ontology-based knowledge access control model for enterprises


Some elements and assignments involved in the three-dimensional ontology-based
knowledge access control model (Fig. 7) are derived from the RBAC model,
including Roles, User and Objects and assignments U-R-A and R-P-A. To accommodate
the requirements of enterprise KM and sharing, the model includes the following
major features.

(1) Role elements inherited from the RBAC are extended using seven relationships
to form an organizational ontology in the conceptual knowledge layer. This
method can more completely describe the organizational structure and
interpersonal network needed for an enterprise to enhance knowledge sharing among
workers and across teams. Furthermore, knowledge owners are clearly identified
for more efficient access to the right knowledge by the right roles.
(2) Task elements are included in the model to describe the sequence and interaction
among tasks in enterprise processes. The task elements and seven relationships
in process ontology enable clear identification of the knowledge required for
certain tasks. Based on the tasks required, sequences of fragmented knowledge
needed when performing a simple task can be organized as procedural
knowledge available for reference while implementing the task.
(3) Component elements manage knowledge related to products and components
developed by an enterprise. Component elements can clearly describe domain
knowledge, including product structure and relationships between parts.

Fig. 7. Ontology-based knowledge access control model for enterprises. [Diagram not reproduced; it shows the elements Users (U), Roles (R), Sessions (S), Tasks (T), Components (C), Permissions (P), Operations, Physical Knowledge (K) and Constraints, the assignments U-R-A, R-P-A, R-T-A, R-C-A, T-P-A, T-C-A and C-P-A, and the relationships within the organizational, process and product ontologies.]

5.2. Definition of elements


The elements and relationships in the ontology-based knowledge access control
model are defined as follows:
• Users (U): All possible knowledge users, whether employees, domain experts,
knowledge engineers or enterprise managers, who are permitted to access
knowledge through the assignment U-R-A. In different sessions, users may be assigned
different roles with different permissions to use certain knowledge. Therefore,
users can access authorized knowledge according to their roles when logging in
to a KMS.
• Roles (R) represent the responsibilities and powers in an enterprise, such as
accounting and cashier. By assigning R-P-A, roles are assigned privileges to access
knowledge. For example, a user in an “accounting” role would be permitted to
read an account management manual and use the account module of an enterprise
resource planning (ERP) system. In RBAC, the role relationships are limited to
role hierarchy, SSD and DSD. In the proposed model, seven relationships in the
organizational ontology represent different relationships between enterprise roles
constituting the interpersonal network of an enterprise.
• Sessions (S) map a user to one or more roles, i.e., control which users may play
what roles during a session. A user is permitted only one role per session.
• Tasks (T) are responsibilities or work items in an enterprise which must be
performed by roles to achieve certain enterprise goals. The enterprise process is
comprised of tasks, which have sequence relationships. To support a worker per-
forming a task, knowledge related to the task must be provided. This study uses
task elements to construct a process ontology in which seven types of relationships
are used to form a task network describing the sequence of tasks, synonymous
relationships and subset relationships.
• Components (C) may be products or product parts produced or manufactured
by an enterprise and are basic elements of the product ontology. Components
may describe domain knowledge for products, parts and product structure. Each
component element is assigned privileges for accessing related knowledge. A user
playing a role is assigned tasks by the assignment R-T-A. Some components
in each task must be handled through the relationship T-C-A. Consequently,
users can gain privileges to access knowledge related to their roles, tasks and
components. For example, in addition to knowledge related to design skill, a
worker designing a bicycle seat would require knowledge of materials, functions
and characteristics of the bicycle seat.
• Operations (O) are executable knowledge operations such as “read”, “write” or
“update”.
• Physical Knowledge (K): According to the structure of knowledge, physical
knowledge can be classified as structured, semi-structured and non-structured.
However, physical knowledge must be stored in a knowledge repository, possibly in
different knowledge models or in different formats such as the following:
relational database (RDB), XML, text, doc, graph, rule, case, record, image, voice
and object. The physical knowledge can be reorganized as a knowledge object.
• Knowledge Permissions (P) refer to executable modes of access to knowledge.
Knowledge permission is expressed by a pair (k, o) ⊆ K × O, where k ∈ K is a
physical knowledge object, and o ∈ O is an access mode for k. In this model, user
knowledge permissions are gained in two ways: (1) assigned permission, granted
through assignments between elements and (2) propagated permission, granted
through propagation and extension of conceptual knowledge in the conceptual
knowledge layer. Knowledge permissions can be assigned to one of three elements
(roles, tasks and components) through three relationships (R-P-A, T-P-A and
C-P-A). Therefore, knowledge permission can be divided into three types: (1) role
permission (RP), permissions assigned to roles, (2) task permission (TP),
permissions assigned to tasks and (3) component permission (CP), permissions assigned
to components. The knowledge permissions are discussed further in Sec. 5.4.
• Constraints restrict assignments between two elements. For example, in two sets
of elements (roles and users), using constraints can ensure that a user is assigned
only one role at a time. Constraints may also restrict the role of a user during
certain sessions or control which knowledge may be accessed by which roles under
which situations. Furthermore, constraints can be used to determine whether each
type of propagation mode between two elements is allowed.
• Assignments are a binary relation between elements and are used to associate
two corresponding elements. For example, U-R-A ⊆ U × R represents a many-to-
many user-to-role assignment relation and indicates which roles a user may play;
R-T-A ⊆ R × T represents a many-to-many role-to-task assignment relation and
indicates which tasks a role must perform; T-C-A ⊆ T × C represents a many-to-
many task-to-component assignment relation and indicates which components a
task must handle; R-C-A ⊆ R × C represents a many-to-many role-to-component
assignment relation and indicates which role is responsible for which components.
The three many-to-many relations, R-P-A ⊆ R × P, T-P-A ⊆ T × P and C-P-A ⊆
C × P, separately indicate the roles, tasks and components authorized to use which
permissions. Therefore, more than one ontological concept may be assigned the
same permission.
• Relationships are the binary assignment of elements within an ontology. The
model in this study classifies relationships as role, task and component
relationships. Role relationships, an extension of the relationships in the RBAC model,
employ a role hierarchy and the six ontological relationships mentioned in
Sec. 2.3 to build an organizational ontology. In addition to the six ontological
relationships, task relationships and component relationships involve the
relationships “prior sequence” and “instance”, to construct a process ontology and a
product ontology, respectively. User privileges can be propagated by these three
relationships to acquire additional user knowledge access privileges not directly
assigned to the user.

5.3. Attributes of elements


A state diagram in the Unified Modeling Language (UML) is a representation of
dynamic information in a system and describes the externally observable behavior
of individual elements [26]. The state diagram indicates the initial state by a black
circle, the end state by a black circle surrounded by a ring and a state by a rectangle
with rounded corners. In this section, a state diagram models the different states of
the primary elements in the ontology-based knowledge access control model. At any
given time, elements are assumed to be in an identifiable state. An event typically
changes an element from one state to another. The state diagrams of the elements
modeled in this section are particularly helpful for specifying restrictions to
knowledge use and sharing.
Figure 8 presents the state diagram of the role element with one start and one
end state and three different states — “deactivating,” “activating” and “active.”
When a user with a role enters a KMS, the initial state of the role is “deactivating”
and is to be transformed into an activating state while the constraints utilized to
restrict role activation are available. When role activation is completed, the role
state is transformed into an active state. Only roles in an active state can access
authorized knowledge.
Figure 9, a state diagram of the user element, includes seven different states
describing user behaviors in a KMS. When a user logs in to a KMS, the user
password and identity are authenticated by the KMS. Following authentication,
the user state is transformed into the state of “generating user knowledge access
privilege” to assess user knowledge access privileges based on the role of the user.
Then, when entering the waiting state, the user may request authorized knowledge
or log out to enter an access knowledge state or a logout state, respectively.

Fig. 8. Role state diagram. [Diagram not reproduced; states: Deactivating, Activating, Active.]
Fig. 9. User state diagram. [Diagram not reproduced; states: Login, Authenticating, Generating user knowledge access privilege based on his activated role, Waiting, Accessing Knowledge, Logout, Denied.]
Fig. 10. Task state diagram. [Diagram not reproduced; states: Unexecuted, Initiative, Executing, Referred, Disallowed Reference, Finished.]

Figure 10, a state diagram for the task element, shows all possible states in
a task lifecycle to identify all knowledge generated by, or assigned to, the task.
When an unexecuted task is triggered and its pre-conditions are met, the state of
the task is transformed into an initiative state. When users start performing the
task, the initiative state is transformed into a concurrent state, which includes both
an executing state and, when knowledge related to the task can be shared, a referred
state, because such knowledge can be appropriately shared with other
workers during task execution. For a task that permits knowledge sharing, sharing
may be disabled, which puts the task in the disallowed reference state. A task is
completed when all its post-conditions are met; the task state is then transformed
into the finished state. Even when a task is finished, knowledge related to the task
can still be shared. Thus, an administrator can enable sharing and change the task
state from finished to referred.
The states of a component element include “concept,” “designing,”
“manufacturing,” “finished product,” “using,” “improving” and “recycling” (Fig. 11).
Knowledge associated with a component can be created or required during different
component states. Hence, the knowledge owner can determine, for each component
state, whether the associated knowledge can be shared with others.

Fig. 11. Component state diagram. [Diagram not reproduced; states: Concept, Designing, Manufacturing, Finished Product, Using, Improving, Recycling.]
Fig. 12. Knowledge state diagram. [Diagram not reproduced; states: Creating, Identifying, Retention, Applying (Shared, Non-shared), Renewing.]

Based on the core KM activities, this study identifies the following five states
of the physical knowledge element: “creating,” “identifying,” “retention,”
“utilization” and “renewing” (Fig. 12). The utilization state is a concurrent state. When
knowledge can be applied, it is in either the “shared” or the “non-shared” state, and
whether it is shared is determined by an administrator or knowledge owner. However,
knowledge should continuously be refined and updated. When refinement is needed, the
knowledge state is transformed into the renewing state, at which time knowledge
sharing is not allowed.
This study further refines the physical knowledge element examined in previous
works and adds three attributes (role-shared, task-shared and component-shared
attributes) for effective control of physical knowledge sharing. The three attributes,
as gates for knowledge sharing, are true/false Boolean data determined by
knowledge administrators or owners. The role-shared (RS) attribute determines whether
knowledge is assigned to be shared with other roles through different role
relationships in an organizational ontology. The task-shared (TS) attribute is used to
determine whether knowledge is assigned to be shared with other tasks through task
relationships in a process ontology. The component-shared (CS) attribute consists of
seven bits of Boolean data, which separately represent the status of knowledge
sharing in the seven states of the component element. The three attributes enhance
flexibility and security in the sharing of physical knowledge.

5.4. Propagation modes


Based on the above ontological relationships, this section presents propagation
modes for user knowledge access privileges. Since knowledge at any point can
be characterized within a range from simple to complex, this section defines the
scope within which knowledge can be propagated according to the classification
of ontological relationships and organizational security requirements. Any
information associated with a concept can be inferred from another; this relationship is
termed relationship propagation. When roles prevent access to certain conceptual
knowledge, users can still receive knowledge access permission, that is, propagated
permission, through relationship propagation. In this study, relationship
propagation is elucidated by six relationships within three ontologies.
To introduce these propagation modes, this study first defines a direct privilege
function DP(x) and a shared privilege function SP(y). The DP(x) function is defined
as the direct privilege set of concept x ∈ one of three ontologies, and the set of
permissions are assigned to x directly; that is,

$$
\mathrm{DP}(x) =
\begin{cases}
rp & \text{if } (x, rp) \in \text{R-P-A},\ x \in R \ \&\ rp \in RP,\\
tp & \text{if } (x, tp) \in \text{T-P-A},\ x \in T \ \&\ tp \in TP,\\
cp & \text{if } (x, cp) \in \text{C-P-A},\ x \in C \ \&\ cp \in CP,
\end{cases}
$$

where rp ∈ RP is the set of role permissions assigned to x, tp ∈ TP is the set of
task permissions assigned to x and cp ∈ CP is the set of component permissions
assigned to x.
Notably, SP(y) is defined as the shared privilege set of concept y ∈ one of the
three ontologies and the set of permissions assigned to y directly. The permissions
are allowed to operate on the knowledge object k ∈ K, which is allowed to be
shared, that is,

$$
\mathrm{SP}(y) =
\begin{cases}
srp & \text{if } (y, srp) \in \text{R-P-A},\ y \in R,\ srp \in RP \ \&\ RS \text{ of } k = \text{true},\\
stp & \text{if } (y, stp) \in \text{T-P-A},\ y \in T,\ stp \in TP \ \&\ TS \text{ of } k = \text{true},\\
scp & \text{if } (y, scp) \in \text{C-P-A},\ y \in C,\ scp \in CP \ \&\ CS \text{ of } k = \text{true},
\end{cases}
$$

where srp ∈ RP is the set of role permissions assigned to y that operate on
knowledge objects k, of which RS attribute is true; stp ∈ TP is the set of task permissions
assigned to y that operate on k, of which TS attribute is true; scp ∈ CP is the set
of component permissions assigned to y that operate on k, of which CS attribute
is true.
• Propagation via sub-class relationships. From an object-oriented
perspective, a sub-class (sub-concept) inherits all attributes and characteristics of its
super-class (super-concept). Consequently, in enterprise knowledge sharing, users
authorized to access knowledge for a sub-concept must refer to knowledge
for the super-concept of that sub-concept. The sub-class propagation function
$P_{\text{sub-class}}(s)$ used to take user knowledge privileges from s and its super-concept
is defined as

$$
P_{\text{sub-class}}(s) =
\begin{cases}
\mathrm{DP}(s) \cup \mathrm{SP}(s') & \text{if } s' \text{ is the super-concept of concept } s,\\
\mathrm{DP}(s) & \text{otherwise},
\end{cases}
$$

where s and s′ are concepts and s′ is the super-concept of s.
• Propagation via equivalence relationships. The problem of synonyms in the
knowledge conceptual layer can be resolved using equivalence relationships. Even
when users are granted access to only one knowledge concept with equivalence
relationships, such access permission can be extended to other equivalent
conceptual knowledge. An equivalence propagation function defined as $P_{\text{equiv}}(c)$ takes
user knowledge privileges from c and its equivalent concepts, that is,

$$
P_{\text{equiv}}(c) =
\begin{cases}
\mathrm{DP}(c) \cup \mathrm{SP}(c_i) & \text{if } c \text{ is the equivalent concept of } c_i,\\
\mathrm{DP}(c) & \text{otherwise},
\end{cases}
$$

where c and $c_i$ for 1 ≤ i ≤ n are concepts and $c_i$ for 1 ≤ i ≤ n are the equivalent
concepts of c.
• Propagation via part relationships. In the knowledge learning process,
knowledge users typically require in-depth knowledge of product parts. To access this
deep knowledge, knowledge access permission can be extended to product parts
via part relationships and by setting conceptual attributes. A part propagation
function $P_{\text{part}}(p)$ for taking user knowledge privileges from a part concept p and
the whole concept of p is expressed as

$$
P_{\text{part}}(p) =
\begin{cases}
\mathrm{DP}(p) \cup \mathrm{SP}(w) & \text{if } p \text{ is the part of } w,\\
\mathrm{DP}(p) & \text{otherwise},
\end{cases}
$$

where p and w are concepts and w is the whole concept of p.
• Propagation via intersection relationships. When conceptual knowledge
intersects other conceptual knowledge, knowledge users may be granted access to
other conceptual knowledge required to improve their understanding. An
intersection propagation function $P_{\text{intersection}}(c)$ for taking user knowledge privileges
from c and its intersection concepts is expressed as

$$
P_{\text{intersection}}(c) =
\begin{cases}
\mathrm{DP}(c) \cup \mathrm{SP}(c_i) & \text{if } c \text{ is the intersection of } c_i,\\
\mathrm{DP}(c) & \text{otherwise},
\end{cases}
$$

where c and $c_i$ for 1 ≤ i ≤ n are concepts and c is the intersection of $c_i$ for
1 ≤ i ≤ n.
• Propagation via prior sequences. A prior sequence in a process ontology
describes the order of all tasks. When several continuous tasks needed to achieve
a goal are performed in a given order, knowledge for achieving the tasks or
knowledge created from these tasks should be shared and distributed directly
with the roles performing the tasks. A sequence propagation function $P_{\text{sequence}}(t_i)$
for taking user knowledge privileges from $t_i$ and shared knowledge privileges from
the pre-tasks of $t_i$ is defined as

$$
P_{\text{sequence}}(t_i) =
\begin{cases}
\mathrm{DP}(t_i) \cup \mathrm{SP}(t_j) & \text{if } t_j \text{ is a pre-task of } t_i,\\
\mathrm{DP}(t_i) & \text{otherwise},
\end{cases}
$$

where $t_i$ for 1 ≤ i ≤ n ∈ process ontology are task concepts and $t_j$ for 1 ≤ j ≤ m
are task concepts to be performed before $t_i$.
• Propagation via instances. Instances represent elements or individuals in an
ontology. An example in the concept “mountain bicycle” is the product
number MB320 mountain bicycle weighing 9.5 kg manufactured by M company. A
user authorized to access an instance is also authorized to access the concept of
the instance. The instance propagation function $P_{\text{instance}}(i)$, used to take user
knowledge privileges from instance i and the concept of i, is expressed as

$$
P_{\text{instance}}(i) =
\begin{cases}
\mathrm{DP}(i) \cup \mathrm{SP}(c) & \text{if } i \text{ is an instance of concept } c,\\
\mathrm{DP}(i) & \text{otherwise},
\end{cases}
$$

where i is an instance and c is a concept.
Applying the above propagation functions to generate user knowledge access
privileges simplifies knowledge management. However, constraint elements can be
used to restrict the scope and depth of knowledge sharing in accordance with secu-
rity requirements.
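
The DP, SP and propagation functions of this section can be exercised in code. The sketch below is an added illustration, not code from the paper; the class and method names, the sample knowledge objects and the reading of the CS attribute as "the set of component states in which sharing is enabled" are assumptions. It shows which permissions the RS, TS and CS gates let through, and how a constraint that disables one propagation mode narrows the result.

```python
from dataclasses import dataclass

MODES = ("sub-class", "equivalence", "part", "intersection",
         "prior-sequence", "instance")

@dataclass(frozen=True)
class Knowledge:
    """Physical knowledge object k with its three sharing gates (Sec. 5.3)."""
    name: str
    rs: bool = False             # role-shared (RS)
    ts: bool = False             # task-shared (TS)
    cs: frozenset = frozenset()  # assumption: component states whose CS bit is set

class KnowledgeAccessModel:
    def __init__(self):
        self.kind = {}           # concept -> "R" (role), "T" (task), "C" (component)
        self.state = {}          # component -> current lifecycle state
        self.assigned = {}       # concept -> {(k, o)}; stands for R-P-A, T-P-A, C-P-A
        self.sources = {}        # (mode, x) -> concepts whose SP flows to x
        self.tasks_of = {}       # R-T-A: role -> tasks
        self.components_of = {}  # T-C-A: task -> components
        self.blocked = set()     # constraints: propagation modes switched off

    def add(self, concept, kind, state=None):
        self.kind[concept] = kind
        self.assigned[concept] = set()
        if kind == "C":
            self.state[concept] = state

    def grant(self, concept, knowledge, operation):
        self.assigned[concept].add((knowledge, operation))

    def relate(self, mode, receiver, source):
        """Record that `receiver` may take SP(source) through `mode`."""
        if mode not in MODES:
            raise ValueError(f"unknown propagation mode: {mode}")
        self.sources.setdefault((mode, receiver), set()).add(source)

    def dp(self, x):
        """DP(x): permissions assigned to x directly."""
        return set(self.assigned[x])

    def sp(self, y):
        """SP(y): permissions of y whose knowledge object is marked shareable."""
        gate = {"R": lambda k: k.rs, "T": lambda k: k.ts,
                "C": lambda k: self.state[y] in k.cs}[self.kind[y]]
        return {(k, o) for (k, o) in self.assigned[y] if gate(k)}

    def propagate(self, mode, x):
        """P_mode(x) = DP(x) ∪ SP(y) for each y related to x, else DP(x).
        One hop only, as the formulas are written: SP(y) holds what is
        assigned to y, not what y itself received by propagation."""
        perms = self.dp(x)
        if mode not in self.blocked:
            for y in self.sources.get((mode, x), ()):
                perms |= self.sp(y)
        return perms

    def concept_privileges(self, x):
        return set().union(*(self.propagate(mode, x) for mode in MODES))

    def role_privileges(self, role):
        """Privileges of an active role: the role, its tasks, their components."""
        concepts = {role} | set(self.tasks_of.get(role, ()))
        for task in self.tasks_of.get(role, ()):
            concepts |= self.components_of.get(task, set())
        return set().union(*(self.concept_privileges(c) for c in concepts))

def names(perms):
    return sorted(f"{o}:{k.name}" for k, o in perms)

def build_demo():
    """Constructed sample data, loosely modelled on the bicycle firm of Sec. 5.5."""
    m = KnowledgeAccessModel()
    concepts = {"Engineer": "R", "Frame Designer": "R", "Primary Design": "T",
                "Detailed Design": "T", "Bicycle": "C", "Frame": "C"}
    for concept, kind in concepts.items():
        m.add(concept, kind, state="designing")   # state is kept for components only
    m.grant("Engineer", Knowledge("engineering handbook", rs=True), "read")
    m.grant("Engineer", Knowledge("appraisal notes"), "read")      # RS is false
    m.grant("Frame Designer", Knowledge("frame design guidelines"), "read")
    m.grant("Primary Design", Knowledge("primary design sketches", ts=True), "read")
    m.grant("Bicycle", Knowledge("introduction to bicycles",
                                 cs=frozenset({"finished product", "using"})), "read")
    m.relate("sub-class", "Frame Designer", "Engineer")              # super-concept
    m.relate("prior-sequence", "Detailed Design", "Primary Design")  # pre-task
    m.relate("part", "Frame", "Bicycle")                             # whole concept
    m.tasks_of["Frame Designer"] = {"Detailed Design"}
    m.components_of["Detailed Design"] = {"Frame"}
    return m

if __name__ == "__main__":
    print(names(build_demo().role_privileges("Frame Designer")))
```

Because SP(y) returns only permissions assigned to y directly, a permission reaches a concept through at most one relationship; "appraisal notes", whose RS attribute is false, never leaves the Engineer role.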

5.5. An example of the ontology-based knowledge access control model

This section presents an example of enterprise knowledge management using the
proposed ontology-based knowledge access control model in a bicycle manufacturing
firm. Figure 13 shows portions of the conceptual knowledge layer in the
company. The organizational structure of the company is comprised of four roles
in the organizational ontology: R&D manager, engineer, prototype designer and
frame designer. The role of R&D manager is senior to the other three roles
(engineer, prototype designer and frame designer); two roles (prototype designer and
frame designer) are sub-classes of the engineer role; that is, prototype designer and
frame designer are also engineer roles. In the process ontology of the company, only
a single task (training task) and a simplified bicycle R&D process comprised of
three tasks (product requirement analysis, primary design and detailed design) are
shown. Figure 13 shows the order of the three tasks involved in the bicycle R&D
process: product requirement analysis, primary design and detailed design. The
products and the product structures manufactured by the company and represented by
the product ontology involve six components: bicycle, bike, frame, brake, tire and
derailleur gear unit. In this product ontology, the bike component is equivalent to
the bicycle component; a bicycle is comprised of one frame, two tires, one brake and
one derailleur gear unit.

[Figure 13: three panels (Organizational Ontology, Process Ontology, Product Ontology)
connected by U-R-A, R-T-A and T-C-A assignments, with privileges attached through
R-P-A, T-P-A and C-P-A assignments. Privileges shown: rk1 (read the guidelines for
engineer in R&D department); rk2 (read the knowledge “basic structure of a bicycle”);
rwk3 (read and write the knowledge “criteria for a good bicycle frame”); rk4 (read the
knowledge “derailleur design”); ck5 (consult an engineer with relevant designing
experience); rk6 (read the knowledge “bicycle frame design manual”); rk7 (read the
guidelines for frame design); rk8 (read the introduction to bicycles).]

Fig. 13. Example of ontology-based knowledge access control model.
In a simplified example, the RS, TS and CS attributes of knowledge objects are
assumed to be “true”, i.e., all knowledge sharing through propagation is allowed in the
example. A knowledge user (Andy) is a frame designer in the company. Based on
his role, he is given the most fundamental privilege to read the knowledge
“guidelines for a frame designer”. Andy is allowed to read the guidelines for engineer in
the R&D department because his role, “frame designer”, is a sub-class of the role
“engineer”. Andy is also allowed to read the knowledge “basic structure of a bicycle”
during his initial employee training because the task “training” is assigned to the
role “engineer”. Based on his assigned task “detailed design”, Andy may read and
write the knowledge “criteria for a good bicycle frame”. When Andy performs the
task “detailed design” to design a component “frame”, he may read the knowledge
“bicycle frame design manual” and consult an engineer with relevant design
experience. These privileges are gained by assignments. The method developed in this
study can propagate user privileges using various relationships in the three
ontologies. For instance, when one knowledge user performs the task “detailed design”
for designing a derailleur, the “part of” relationship indicates that, in addition to
the privilege to read the knowledge “derailleur design”, the user also has the privilege to
read the document “introduction to bicycles”.
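
The propagation functions and the Andy walk-through above, as an added Python example that is not code from the paper. It reads DP as the privileges assigned directly to an element and SP as the shareable part passed along a relationship, chains links transitively, and models only the sub-class, pre-task, part-of and equivalence links the example mentions. These readings, the edge directions and the `no_share` parameter (a hypothetical stand-in for the constraint elements) are assumptions.

```python
# Constructed from the Section 5.5 walk-through; which element each privilege
# hangs on is read from the text and is an assumption where Fig. 13 is unclear.
DP = {  # privileges assigned directly to a role, task or concept
    "frame designer": {"rk7"}, "engineer": {"rk1"},
    "training": {"rk2"}, "detailed design": {"rwk3"},
    "frame": {"rk6", "ck5"}, "derailleur gear unit": {"rk4"},
    "bicycle": {"rk8"},
}
# element -> elements whose shared privileges it receives (direction assumed)
SHARES_FROM = {
    "frame designer": ["engineer"], "prototype designer": ["engineer"],  # sub-class
    "primary design": ["product requirement analysis"],                  # pre-task
    "detailed design": ["primary design"],
    "frame": ["bicycle"], "tire": ["bicycle"], "brake": ["bicycle"],     # part of
    "derailleur gear unit": ["bicycle"],
    "bike": ["bicycle"], "bicycle": ["bike"],                            # equivalence
}
USER_ROLES = {"Andy": ["frame designer"]}
ROLE_TASKS = {"engineer": ["training"], "frame designer": ["detailed design"]}
TASK_CONCEPTS = {"detailed design": ["frame"]}

def reach(element, seen=None):
    """element plus everything it inherits from; cycle-safe for equivalence."""
    seen = set() if seen is None else seen
    if element not in seen:
        seen.add(element)
        for src in SHARES_FROM.get(element, ()):
            reach(src, seen)
    return seen

def propagate(element, no_share=frozenset()):
    """DP(element) united with SP(src) for every linked src.
    no_share is a hypothetical stand-in for the paper's constraint elements."""
    privs = set(DP.get(element, ()))
    for src in reach(element) - {element}:
        privs |= DP.get(src, set()) - set(no_share)  # SP(src): shareable part
    return privs

def user_privileges(user, no_share=frozenset()):
    """Privileges from the user's roles, their tasks and those tasks' concepts."""
    roles = set(USER_ROLES[user])
    inherited = set().union(*(reach(r) for r in roles))
    tasks = {t for r in inherited for t in ROLE_TASKS.get(r, ())}
    concepts = {c for t in tasks for c in TASK_CONCEPTS.get(t, ())}
    return set().union(*(propagate(e, no_share) for e in roles | tasks | concepts))

if __name__ == "__main__":
    print(sorted(user_privileges("Andy")))
```

Under these assumptions Andy also receives rk8 through the frame's “part of” link, by the same rule the text applies to the derailleur; passing `no_share={"rk8"}` leaves him with the six privileges the text lists.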

6. Conclusions and Future Work


This study developed a multiple-layer KMS functional framework with knowledge
access control which would be appropriate for sharing knowledge among employees
within an enterprise or across teams. The proposed framework is comprised of nine
layers. The focus of this study was the knowledge access control and security layer and
the conceptual knowledge layer. To represent knowledge in the conceptual knowledge
layer, the proposed knowledge representation method is comprised of organizational,
process and product ontologies for describing knowledge and relationships
among knowledge. An ontology-based knowledge access control model based on the
RBAC model in the knowledge access control and security layer is proposed as a core
technology for managing and sharing knowledge and for evaluating user knowledge
access privileges.
The proposed functional framework can be employed by an enterprise while
developing a secure KMS. The knowledge representation method shown in the
conceptual knowledge layer enhances precision when describing knowledge and
relationships among knowledge. The proposed knowledge access control model for
enterprises can enhance (1) the security of knowledge access and sharing within
and across departments and teams and (2) the dynamic evaluation of user knowledge
access privileges according to organization structure, user roles and enterprise
knowledge sharing strategy. The ideal objective is achieving a secure and
trusting environment, a culture of knowledge sharing and innovation within an
enterprise.
In addition to the proposed KMS functional framework and knowledge access
control model, the following additional research issues are suggested:

(1) The correlation between the conceptual knowledge layer and the physical knowledge
layer is currently manual. However, continual and rapid changes in knowledge
often occur at the physical layer. A method of automatically mapping between
the conceptual knowledge layer and the physical knowledge layer is needed to quickly
respond to such changes.
(2) The detailed functions of the KMS functional framework should be designed to
support all knowledge activities as well as management of access control and
privileges.
(3) The relationships among concepts extracted from a knowledge document must
be constructed as an ontology. This complex task may excessively burden workers.
Therefore, a concept extraction mechanism and an automatic ontology
construction mechanism are needed.
(4) A method of measuring trust and risk levels for sharing knowledge between
enterprise partners must be developed to increase the security of knowledge
sharing.

Acknowledgments
The authors would like to thank the National Science Council of the Republic
of China, Taiwan for financially/partially supporting this research under contract
no. NSC96-2221-E-343-002.
July 28, 2009 11:58 WSPC/117-IJSEKE - SPI-J111 00419

386 T.-Y. Chen

References
1. E. M. Awad and H. M. Ghaziri, Knowledge Management (Pearson Education, 2004).
2. I. Nonaka and H. Takeuchi, The Knowledge Creating Company: How Japanese Com-
panies Create the Dynamics of Innovation (Oxford University Press, New York, 1995).
3. W. R. King and P. V. Marks, Jr, Motivating knowledge sharing through a knowledge
management system, International Journal of Management Science, 2007.
4. F. An, F. Qiao and X. Chen, Knowledge sharing and web-based knowledge-sharing
platform, Proceedings of the IEEE International Conference on E-Commerce Technol-
ogy for Dynamic E-Business, 2004.
5. D. Wang, The realization of knowledge management with IT technology-simple knowl-
edge management (Publishing House of Electronics Industry, 2002).
Int. J. Soft. Eng. Knowl. Eng. 2009.19:361-387. Downloaded from www.worldscientific.com

6. E. Bertino, L. R. Khan, R. Sandhu and B. Thuraisingham, Secure knowledge manage-


ment: Confidentiality, trust, and privacy, IEEE Transactions on Systems, Man, and
Cybernetics — Part A: Systems and Humans 36(3) (2006) 429–438.
by FLINDERS UNIVERSITY LIBRARY on 01/23/15. For personal use only.

7. H. R. Rao and S. J. Upadhyaya, Special Issue on Secure Knowledge Management,


IEEE Transactions on Systems, Man, and Cybernetics — Part A: Systems and
Humans 36(3) (2006) 418–420.
8. R. Singh and A. F. Salam, Semantic information assurance for secure distributed
knowledge management: A business process perspective, IEEE Transactions on Sys-
tems, Man, and Cybernetics — Part A: Systems and Humans 36(3) (2006) 472–486.
9. K. Wiig, Knowledge Management Foundations (Schema Press, Arlington, 1993).
10. D. Leonard-Barton, Wellspring of Knowledge (Harvard Business School Press, Boston,
1995).
11. A. Seleznyov and S. Hailes, An access control model based distributed knowledge man-
agement, Proceeding of the 18th International Conference on Advanced Information
Networking and Application, 2004.
12. S. Abar, T. Abe and T. Kinoshita, A next generation knowledge management system
architecture, Proceedings of the 18th International Conference on Advanced Informa-
tion Networking and Application, 2004, pp. 191–195.
13. Y. Malhotra, Knowledge Management for the New World of Business, www.brint.
com/km/whatis.htm.
14. C. W. Holsapple and K. D. Joshi, Description and analysis of existing knowledge
management frameworks, Proceedings of the 32nd Hawaii International Conference
on System Sciences, 1999, pp. 1–15.
15. J. N. Lee, The impact of knowledge sharing, organizational capability and partnership
quality on IS outsourcing success, Information & Management 38 (2001) 323–335.
16. M. Koch, L. V. Mancini and F. Parisi-Presicce, Graph Transformations for the Spec-
ification of Access Control Policies (Elsevier Science, 2002).
17. D. F. Ferraiolo, R. Sandhu, S. Gavrila, D. R. Kuhn and R. Chandramouli, Proposed
NIST standard for role-based access control, ACM Transactions on Information and
System Security 5(3) (2001) 224–274.
18. J. Bacon, K. Moody and W. Yao, A model of OASIS role-based access control and its
support for active security, ACM Transactions on Information and System Security
5(4) (2002) 492–540.
19. D. F. Ferraiolo, D. R. Kuhn and R. Chandramouli, Role-Based Access Control (Artech
House, 2003).
20. G. J. Ahn, Specification and classification of role-based authorization policies, Pro-
ceedings of Twelfth IEEE International Workshops on Enabling Technologies: Infras-
tructure for Collaborative Enterprises, 2003, pp. 202–207.
July 28, 2009 11:58 WSPC/117-IJSEKE - SPI-J111 00419

A Multiple-Layer KMS Framework Considering User Knowledge Privileges 387

21. T.-Y. Chen, Y.-M. Chen, C.-B. Wang and H.-C. Chu, Development of an access con-
trol model, system architecture and approaches for information sharing in virtual
enterprise, Computers in Industry 58(1) (2007) 57–73.
22. T.-Y. Chen, Y.-M. Chen, C.-B. Wang and H.-C. Chu, Resource sharing to support
cross-organization collaboration in virtual enterprise using a novel trust method,
Robotics and Computer-Integrated Manufacturing 23 (2007) 421–435.
23. R. Neches, R. E. Fikes, T. Finin, T. R. Gruber, T. Senator and W. R. Swartout,
Enabling technology for knowledge sharing, AI Magazine 12(3) (1991) 36–56.
24. A. Schreiber, B. J. Wielinga and W. Jansweijer, The KACTUS view on the “O”
world, in D. Skuce (ed.), IJCAI95 Workshop on Basic Ontological Issues in Knowledge
Sharing, 1995, pp. 15.1–15.10.
25. S. Staab, Knowledge representation with ontologies: The present and future, IEEE
Int. J. Soft. Eng. Knowl. Eng. 2009.19:361-387. Downloaded from www.worldscientific.com

Computer Society, 2004, pp. 72–81.


26. T. R. Gruber, A translation approach to portable ontologies, Knowledge Acquisition
by FLINDERS UNIVERSITY LIBRARY on 01/23/15. For personal use only.

5(2) (1993) 199–220.


27. V. Supyuenyong and N. Islam, Knowledge management architecture: Building blocks
and their relationships, PICMET Proceedings, 2006, pp. 1210–1219.
28. A. Tiwana, The Knowledge Management Toolkit (Prentice Hall, NJ, 2000), p. 309.
29. S. Staab, M. Erdmann, A. Maedche and S. Decker, An extensible approach for model-
ing ontologies in RDF(S), ECDL Workshop on the Semantic Web, Lisbon, Portugal,
2000, pp. 11–22.

You might also like