An object-oriented organizational model to support dynamic role-based access control in electronic commerce☆
Introduction
Electronic Commerce (E-Commerce) applications aim to conduct business over the electronic network. Although electronic business transactions that evolved from EDI protocols will continue to play a major role in E-Commerce, the rapid growth of the Internet (in 1998, more than 2 million new users were added to the Internet every quarter [20]) has pushed companies to expand the scope of E-Commerce applications to cover the full range of business activities [3]. These activities may include marketing, negotiation, fulfillment and follow-up, all performed over the Internet. This trend creates new business opportunities and poses new technical challenges. It pushes E-Commerce beyond simple short-lived transactions to become a business process that includes outside customers, business partners, and a number of resources within a company. As more people are involved in the transaction circle, security and authorization control become one of the biggest concerns.
Current E-Commerce solutions are primarily developed as applications on top of Resource Managers (RM) or database management systems (DBMS). Unfortunately, resource manager implementations have historically focused on technologies around access methods, concurrency control, and logging and recovery [7], [8], [16]. Their security and access control usually assume a simple, static model based on user and group identifiers. As E-Commerce applications are implemented over the DBMS, they simply adopt the user and security model of a relational database management system (RDBMS) as their access control model. However, the user model in an RDBMS is designed primarily to support access control in processing isolated transactional operations rather than integrated process activities [17]. It is thus not adequate to model the flexible resource relationships required to support cooperative work in the E-Commerce context.
The introduction of workflow technology allows E-Commerce applications to cover the full range of business activities over the network. As the work process flows across multiple organizations, it is important to identify the different resources involved in the process. However, current workflow deployment in practice focuses on the departmental level, and many of these systems simply ignore the role issue. Others, although they expand their scope to cover workflow across departmental boundaries, still assume a static organization and role model within a single corporation [2], [13].
This paper discusses an organizational and role model to support dynamic access control in E-Commerce. The model is called Organization Modeling and Management (OMM). The OMM methodology supports both the conceptual design and the design implementation phases of the enterprise modeling cycle [1]. It serves as an underlying system for applications and resource managers to control resource accesses and job assignment. The next section covers the related research work in role-based access control (RBAC) and organization modeling. Section 3 describes the OMM conceptual and reference model for enterprise modeling. OMM does not assume a particular process or application architecture. With this generic approach, OMM is able to map its object types to other organizational data schemes and to present an integrated multidimensional view of different organizational resources. Section 4 presents the role resolution concept in E-Commerce and discusses a Java-based prototype, OMM, which is used to implement an RBAC system to enable the E-Commerce strategy in a hi-tech company. Section 5 discusses the OMM system architecture. The paper concludes in Section 6 with a summary and with our practical experience of applying the OMM methodology to a hi-tech firm to support their E-Commerce strategy.
Section snippets
Related work
Role-based security has been applied in various areas of computer systems security [32]. Osborn [28] and Kuhn [21] proposed formal models for RBAC. These works provide a basis for separation of duty based on role names. Access privileges are granted to different roles. A user can play multiple roles by binding with a number of role names. Although this approach gives more flexibility to access control than simply granting privileges to user identifiers, it is still a static approach and ignores
The OMM methodology
With the workflow approach, process routing control is abstracted from the application logic; this results in a flexible design and implementation of flow logic without interfering with the implementation of the associated applications. The flow logic concerns mainly the routing decisions throughout the life of a process instance. The Petri-net representation in Fig. 1 illustrates a flow description of an E-Commerce application, which is a simplified electronic parts ordering process [5], [19],
The OMM organization and role model
The OMM employs a generic reference model, which can be applied flexibly to define different resource types, the roles they play, and their interrelationships. Resource types are user-defined; they may include workers, machines, robots, applications, processes, products, customers, and others. Modeling of an enterprise involves defining these classes of resources and the dynamic relationships between these resource objects. An E-Commerce process application is interested in assigning tasks to a
Role definition and role resolution
Integrated and dynamic E-Commerce applications require support of business process integration and automation [8], [25]. It provides a framework on which multiple tasks and applications are integrated to form a network of steps to accomplish a business process [35]. When an E-Commerce application is implemented as a business process, it can be formulated as a set of nodes, representing the tasks or steps, connected by some directed edges, which are condition arcs governing the route of the process
The OMM system architecture
At the design-implementation phase, the existing organizational databases, such as the human-resource (HR) database, customer profile and the corporate directory, are analyzed and mapped to the OMM organization design. Based on this mapping, the agent programs, which make up a part of the OMM server architecture, can populate the OMM data store by accessing the existing databases. In some cases, due to the continual usage of legacy HR applications over the existing organizational databases, it
Conclusion
In this paper, a dynamic organizational information system, the Organization Modeling and Management (OMM) methodology and organization model, along with its system architecture, are presented as a comprehensive tool to model roles to support dynamic role-based authorization in E-Commerce. The application of the OMM methodology in role resolution of an electronic order processing application is discussed. Compared to previous efforts [1], [4], [6], [9], [11], [17], [19], [21], [24], [28], [32],
Acknowledgements
Most of the research on OMM was initiated at the OCT Research Laboratory. The author would like to express thanks to the many designers and developers who have contributed to the concept and implementation of the OMM system. Thanks to George Loizou for his insightful input; the numerous discussions with him on the OMM model have been very helpful. Thanks to Dieter Gawlick for his input on workflow and the requirement of publish-and-subscribe, which has greatly impacted my thoughts on the topic. Thanks to
References (37)
- Officeaid VPE: a visual programming with examples system for specifying routine office tasks. J. Visual Lang. Comput. (1991)
- et al. Business process redesign — a Petri-net based approach. Comput. Ind. (1996)
- et al. IT-enabled BPR-organizational and human-resource dimensions. J. Strategic Inf. Syst. (1995)
- The M*-OBJECT methodology for information system design in CIM environments. IEEE Trans. Syst. Man Cybern. (1995)
- et al. A flexible model for the specification and enforcement of role-based authorizations in workflow management systems
- et al. Enterprise process modeling and enactment in GERAM
- Analysis of the organization modeling capability of workflow management systems
- CCITT Recommendation X.500 to X.521: Data Communication Networks, Directory, Blue Book, Also ISO/IEC Standards ISO...
- An open and extensible event-based transaction manager
- Re-engineering and automating enterprise-wide business processes
- A rule-based organization modeling system to support dynamic role resolution in workflow. Parallel and distributed computing systems
- The M*-OBJECT organisation model for enterprise modeling of integrated engineering environments. Concurr. Eng. Res. Appl.
- Specifying and managing role-based access control within a corporate intranet
- Extending object-oriented systems with roles. ACM Trans. Inf. Syst.
- An iconic programming system, HI-VISUAL. IEEE Trans. Software Eng.
- Work flow: the coordination of business processes
Edward Cheng is the Director of the OCT Research Laboratory, which focuses on research in E-Commerce technologies and solutions. Prior to heading up OCT, Edward was the managing director of the Collaborative Computing Lab at Oracle, and had led the R&D team at Digital Equipment to deliver ObjectFlow, an object-oriented workflow product. In the late eighties, Edward led the engineering team at Hewlett Packard to accomplish a 2000% performance improvement on HP SQL. His research interests include process automation technology, enterprise modeling and management, fuzzy logic, high performance OLTP systems, journaling and recovery, and distributive databases. Edward is a PhD candidate at the University of London.
☆ An invited paper. A shorter version of the paper was presented at HICSS 1999.