早期資訊工程師依需求開發系統時並未注重醫療系統權限架構的問題，導致共享的資料可以被有權登入系統之其它使用者任意修改。本研究目的是解決急診護理紀錄因權限控管不嚴謹，導致護理紀錄寫入系統後，資料被其他有權登入系統的人誤改。我們為急診護理紀錄系統加入權限機制，並區分每一位使用者所需要的權限。權限分配的部分新增醫師、護理人員和護理長，將急診護理紀錄分成三種權限，依據系統權限可以依職權不同執行不同的作業，確保資料的安全與正確性。

In the early days, application engineers did not pay attention to the problem of the authority structure when developing the medical systems according to the requirements. It leads to one problem that shared data can be arbitrarily modified by others who logon the systems. The goal of this research is to solve the problem that the emergency nursing records are incorrectly modified by others due to the improper access control. We add an access control mechanism to the emergency nursing record system and distinguish each user’s authority. There are there entities in the authority system: doctor, nurse, and head nurse. They use the emergency nursing system to maintain nursing data of patients according to their authority that makes sure data is safety and correct.

第1章 緒論 1
1.1 研究動機與目的 1
1.2 論文概述 3
第2章 文獻探討與技術 5
2.1 ADO.NET 資料庫存取技術 5
2.1.1 精靈化 5
2.1.2 程式化 6
2.1.3 資料庫讀寫應用 7
2.2 MSSQL、MySQL與Oracle 8
2.2.1 MSSQL 8
2.2.2 MySQL 9
2.2.3 Oracle 11
2.2.4 MSSQL、MySQL與Oracle比較 12
2.3 權限存取控制 Access Control 13
2.3.1 存取控制策略主要分為三類： 13
2.3.2 存取控制陣列 14
2.3.3 存取控制串列 15
2.3.4 能力串列 17
2.3.5 授權關係 18
2.4 以工作為基礎的授權控制 19
2.5 以角色為基礎的存取控制 23
2.5.1 RBAC 基本元素 24
2.5.2 安全原則 25
2.5.3 角色階層 26
2.5.4 RBAC 限制 27
第3章 醫療系統存取權限控制機制-以急診護理紀錄為例 29
3.1 系統介紹 29
3.2 系統架構 29
3.2.1 系統流程圖 29
3.2.3 參數設定 31
3.2.2 資料庫架構 34
第4章 系統實作與展示 35
4.1 醫療人員權限架構 35
4.1.1 醫療系統實作 37
4.2 討論 49
第5章 結論 51
參考文獻 52

[1] ADO.NET 簡介6-2:ADO.NET 資料庫存取技術,http://epaper.gotop.com.tw/pdf/acl018900.pdf
[2] CaryHsu - 學無止盡 : 不同資料庫的比較SQL Server vs Oracle and MySQL, http://caryhsu.blogspot.com/2011/06/sql-server-vs-oracle-and-mysql.html
[3] ADO.NET - 维基百科, https://zh.wikipedia.org/wiki/ADO.NET
[4] 全快閃儲存能如何加快您的 Oracle 資料庫部署 https://www.purestorage.com/tw/knowledge/what-is-oracle-database.html
[5] 小鳥雲- SQL Server、MySQL、Oracle三種資料庫的優缺點比較, https://kknews.cc/code/perb6vp.html
[6] John Barkley, Konstantin Beznosov and Jinny Uppal(1999), “Supporting Relationship in Access Control Using Role Based Access Control” in Proceedings of ACM Role-Based Access Control Workshop, Fairfax, Virginia, USA, pp. 55-65.
[7] Honghai Shen and Prasun Dewan(1992), “Access Control for Collaborative Environments,” Proceedings of the ACM Conference on Computer Supported Cooperative Work, pp.51-58.
[8] Ravi S. Sandhu and Pierangela Samarati(1994), “Access Control: Principles and Practice”, IEEE Communication Magazine, Vol.32, No. 9, pp. 40-48.
[9] Roshan K. Thomas and Ravi Sandhu, (1997), “Task-based Authorization Controls (TBAC): A Family of Models for Active and Enterprise-oriented Authorization Management”, Proceesings of the IFIP Workshop on Database Security, Lake Tahoe,California.
[10] John Barkley, Konstantin Beznosov and Jinny Uppal(1999), “Supporting Relationship in Access Control Using Role Based Access Control” in Proceedings of ACM Role-Based Access Control Workshop, Fairfax, Virginia, USA, pp. 55-65.
[11] David F. Ferraiolo and D. Richard Kuhn (1992), “Role Based Access Control” , pp. 2 – 10.
[12] David F. Ferraiolo, J. Cugini and D. Richard Kuhn(1995), “Role Based Access Control:Features and Motivations,” In 11th Annual Computer Security Applications Conference, pp.241-248.
[13] Ravi Sandhu, Edward J. Coyne, Hal L. Feinstein and Charles E. Youman(1996), “Role-Based Access Control Models, ” IEEE Computer, Volume 29, Number 2, February, pp.38-47.
[14] Ravi Sandhu, Edward J. Coyne, Hal L. Feinstein and Charles E. Youman(1994),“Role-Based Access Control: A Multi-Dimensional View, ” In Proceedings of 10th Annual Computer Security Application Conference, pp.54-62.
[15] Ravi Sandhu, David F. Ferraiolo and D. Richard Kuhn(2000), “The NIST Model for Role-Based Access Control: Towards a Unified Standard, ” In Proceedings of the 5th ACM Workshop on Role-Based Access Control, pp.47-63.
[16] David F. Ferraiolo, John F. Barkley and D. Richard Kuhn(1999), “A Role Based Access Control Model and Reference Implementation within a Coporate Intranet, ” ACM Transactions on Information and System Security, Volume 1, Number 2, pp.34-64.
[17] Ravi Sandhu, Edward J. Coyne, Hal L. Feinstein and Charles E. Youman(1996), “Role-Based Access Control Models, ” IEEE Computer, Volume 29, Number 2, February, pp.38-47.
[18] 劉敦仁、吳美玉和黃景彰(2001) ,「以工作為基礎的存取控制之權責區分授權準則設計」,資訊管理學報,第八卷,第一期,pp.61-80.
[19] Richard T. Simon and Mary Ellen Zurko(1997), “Separation of Duty in Role-BasedEnvironments, ” 10th Computer Security Foundations orkshop, pp.183-194.
[20] Fang Chen and Ravi S. Sandhu(1996), ”Constraints for Role-Based Access Control, ” Proceedings of ACM Role-Based Access Control Workshop, pp.39-46.
[21] Ravi S. Sandhu, Edward J. Coyne, Hal L. Feinstein and Charles E. Youman(1994),”Role-Based Access Control: A Multi-Dimensional View, ” In Proceedings of 10th Annual Computer Security Application Conference, pp.54-62.