Elsevier

Decision Support Systems

Volume 29, Issue 4, December 2000, Pages 357-369
Decision Support Systems

An object-oriented organizational model to support dynamic role-based access control in electronic commerce

https://doi.org/10.1016/S0167-9236(00)00083-XGet rights and content

Abstract

Role-based access control (RBAC) provides flexibility to security management over the traditional approach of using user and group identifiers. In RBAC, access privileges are given to roles rather than to individual users. Users acquire the corresponding permissions when playing different roles. Roles can be defined simply as a label, but such an approach lacks the support to allow users to automatically change roles under different contexts; using static method also adds administrative overheads in role assignment. In electronic commerce (E-Commerce) and other cooperative computing environments, access to shared resources has to be controlled in the context of the entire business process; it is therefore necessary to model dynamic roles as a function of resource attributes and contextual information.

In this paper, an object-oriented organizational model, Organization Modeling and Management (OMM), is presented as an underlying model to support dynamic role definition and role resolution in E-Commerce solution. The paper describes the OMM reference model and shows how it can be applied flexibly to capture the different classes of resources within a corporation, and to maintain the complex and dynamic roles and relationships between the resource objects. Administrative tools use the role model in OMM to define security policies for role definition and role assignment. At runtime, the E-Commerce application and the underlying resource manager queries the OMM system to resolve roles in order to authorize any access attempts. Contrary to traditional approaches, OMM separates the organization model from the applications; thus, it allows independent and flexible role modeling to support realistically the dynamic authorization requirements in a rapidly changing business world.

Introduction

Electronic Commerce (E-Commerce) applications aim to conduct business over the electronic network. Although electronic business transactions evolved from EDI protocols will continue to play a major role in E-Commerce, the rapid growth of the Internet (in 1998, more than 2 million new users are added to the Internet every quarter [20]) has pushed companies to expand the scope of E-Commerce applications to cover the full range of business activities [3]. These activities may include marketing, negotiation, fulfillment and follow up, all perform over the Internet. This trend creates new business opportunities and posts new technical challenges. It pushes E-Commerce to go beyond simple short-lived transactions but become a business process that includes outside customers, business partners, and a number of resources within a company. As more people are involved in the transaction circle, security and authorization control become one of the biggest concerns.

Current E-Commerce solutions are primarily developed as applications on top of Resource Managers (RM) or database management system (DBMS). Unfortunately, resource manager implementations have historically focused on technologies around access methods, concurrency control, and logging and recovery [7], [8], [16]. The security model and access control usually assume a simple and static model, which are based on user and group identifiers. As E-Commerce applications are implemented over the DBMS, they simply adopt the user and security model of a relational database management system (RDBMS) as their access control model. However, the user model in RDBMS is designed primarily to support access control in processing isolated transactional operations rather than integrated process activities [17]. It is thus not adequate to model the flexible resource relationship that is required to support cooperative works in the E-Commerce context.

The introduction of workflow technology allows E-Commerce applications to cover the full range of business activities over the network. As the work-process flows across multiple organizations, it is important to identify the different resources involved in the process. However, current workflow deployment practically focuses on departmental level; many of these systems simply ignore the role issue. Others though expand their scope to cover workflow across departmental boundaries, they still assumed a static organization and role model within a single corporation [2], [13].

This paper discusses an organizational and role model to support dynamic access control in E-Commerce. The model is called Organization Modeling and Management (OMM). The OMM methodology supports both the conceptual design and the design implementation phases of the enterprise modeling cycle [1]. It serves as an underlying system for applications and resource managers to control resource accesses and job assignment. The next section covers the related research work in role-based access control (RBAC) and organization modeling. Section 3 describes the OMM conceptual and reference model for enterprise modeling. OMM does not assume a particular process or application architecture. With this generic approach, OMM is able to map its object types to other organizational data schemes and to present an integrated multidimensional view of different organizational resources. Section 4 presents the role resolution concept in E-Commerce and discusses a Java-based prototype, OMM, which is used to implement an RBAC system to enable the E-Commerce strategy in a hi-tech company. Section 5 discusses the OMM system architecture. The paper will conclude in Section 6 by a summary and by sharing our practical experience of applying the OMM methodology to a hi-tech firm to support their E-Commerce strategy.

Section snippets

Related work

Role-based security has been applied in various areas of computer systems security [32]. Osborn [28] and Kuhn [21] proposed formal models for RBAC. These works provide a basis for separation of duty based on role names. Access privileges are granted to different roles. A user can play multiple roles by binding with a number of role names. Although this approach gives more flexibility to access control than the simple granting to user identifier method, it is still a static approach and ignores

The OMM methodology

With the workflow approach, process routing control is abstracted from the application logic; it thus results in a flexible design and implementation of flow logic without interfering the implementation of the associated applications. The flow logic concerns mainly the routing decisions throughout the life of a process instance. The Petri-net representation in Fig. 1 illustrates a flow description of a E-Commerce application, which is a simplified electronic parts ordering process [5], [19],

The OMM organization and role model

The OMM employs a generic reference model, which can be applied flexibly to define different resource types, the roles they play, and their interrelationships. Resource types are user-defined; they may include workers, machines, robots, applications, processes, products, customers, and others. Modeling of an enterprise involves defining these classes of resources and the dynamic relationships between these resource objects. An E-Commerce process application is interested in assigning tasks to a

Role definition and role resolution

Integrated and dynamic E-Commerce applications require support of business process integration and automation [8], [25]. It provides a framework on which multiple tasks and applications are integrated to form a network of steps to accomplish a business process [35]. When E-Commerce application is implemented as a business process, it can be formulated as a set of nodes, representing the tasks or steps, connected by some directed edges, which are condition arcs governing the route of the process

The OMM system architecture

At the design-implementation phase, the existing organizational databases, such as the human-resource (HR) database, customer profile and the corporate directory, are analyzed and mapped to the OMM organization design. Based on this mapping, the agent programs, which make up a part of the OMM server architecture, can populate the OMM data store by accessing the existing databases. In some cases, due to the continual usage of legacy HR applications over the existing organizational databases, it

Conclusion

In this paper, a dynamic organizational information system, the Organization Modeling and Management (OMM) methodology and organization model, along with its system architecture, are presented as a comprehensive tool to model roles to support dynamic role-based authorization in E-Commerce. The application of the OMM methodology in role resolution of an electronic order processing application is discussed. Compared to previous efforts [1], [4], [6], [9], [11], [17], [19], [21], [24], [28], [32],

Acknowledgements

Most of the research on OMM is initiated at the OCT Research Laboratory. The author likes to express thanks to many designers and developers who have contributed to the concept and implementation of the OMM system. Thanks to George Loizou for his insightful input, the numerous discussions with him on the OMM model have been very helpful. Thanks to Dieter Gawlick for his input on workflow and the requirement of publish-and-subscribe, which has greatly impacted my thoughts on the topic. Thanks to

Edward Cheng is the Director of the OCT Research Laboratory, which focuses on research in E-Commerce technologies and solutions. Prior to heading up OCT, Edward was the managing director of the Collaborative Computing Lab at Oracle, and had led the R&D team at Digital Equipment to deliver ObjectFlow, an object-oriented workflow product. In the late eighties, Edward led the engineering team at Hewlett Packard to accomplish a 2000% performance improvement on HP SQL. His research interests include

References (37)

  • E. Cheng

    Re-engineering and automating enterprise-wide business processes

  • E. Cheng. The OMM Model. Technical Report of the OCT Lab and College of Notre Dame, Belmont, CA, November...
  • E. Cheng

    A rule-based organization modeling system to support dynamic role resolution in workflow. Parallel and distributed computing systems

  • A. Di Leva et al.

    The M*-OBJECT organisation model for enterprise modeling of integrated engineering environments

    Concurr. Eng. Res. Appl.

    (1997)
  • D. Ferraiolo et al.

    Specifying and managing role-based access control within a corporate intranet

  • G. Gottlob

    Extending object-oriented systems with roles

    ACM Trans. Inf. Syst.

    (1996)
  • M. Hirakawa et al.

    An iconic programming system, HI-VISUAL

    IEEE Trans. Software Eng.

    (1990)
  • M. Howard

    Work flow: the coordination of business processes

  • Cited by (22)

    • Information systems security research agenda: Exploring the gap between research and practice

      2021, Journal of Strategic Information Systems
      Citation Excerpt :

      Specifically, we identified several publications related to biometric identification and authentication systems that were published in the Expert Systems with Applications journal. Access Management related topics (see topic V20 in Fig. A2) such as access control mechanisms (e.g., role-based Cheng, 2000, purpose-based Kabir et al., 2012), and authentication methods are a few dominant topics in this area. Modern technology applications such as mobile interfaces encourage shifting from text-based authentication mechanisms to more advanced multifactor approaches including biometric authentication systems (Steinbart et al., 2016).

    • A Systematic Review of Business Process Management in E-Commerce

      2022, Proceedings - 4th International Conference on Informatics, Multimedia, Cyber and Information System, ICIMCIS 2022
    • Integrated modeling and evolution of social software

      2014, Springer Proceedings in Complexity
    • Workflow process model of RTWD net and its scheduling algorithms

      2012, Jisuanji Jicheng Zhizao Xitong/Computer Integrated Manufacturing Systems, CIMS
    • A workflow model to support location based participation to policy making processes

      2011, 19th European Conference on Information Systems, ECIS 2011
    View all citing articles on Scopus

    Edward Cheng is the Director of the OCT Research Laboratory, which focuses on research in E-Commerce technologies and solutions. Prior to heading up OCT, Edward was the managing director of the Collaborative Computing Lab at Oracle, and had led the R&D team at Digital Equipment to deliver ObjectFlow, an object-oriented workflow product. In the late eighties, Edward led the engineering team at Hewlett Packard to accomplish a 2000% performance improvement on HP SQL. His research interests include process automation technology, enterprise modeling and management, fuzzy logic, high performance OLTP systems, journaling and recovery, and distributive databases. Edward is a PhD candidate at the University of London.

    An invited paper. A shorter version of the paper was presented at HICSS 1999.

    View full text