Role-based Access Control in Online Authoring and Publishing Systems vs. Document Hierarchy

Transcription

1 Role-based Access Control in Online Authoring and Publishing Systems vs. Document Hierarchy Z. Zhang, E. Haffner, A. Heuer, T. Engel, Ch. Meinel Institute for Telematics Bahnhofstr , Trier, Germany Tel.: {zhang, haffner, heuer, engel, meinel}@ti.fhg.de ABSTRACT How to structure diverse (documentation) information sources of an enterprise and how to arrange a workflow with access control are two important issues for online authoring and publishing systems. Aim of this paper is to describe a solution for both problems, which is based on department structure, subject areas, and roles in an enterprise. Our approach will be introduced by presenting the DAPHNE system. DAPHNE provides possibilities to support collaborative authoring on a document hierarchy that reflects the diverse branches of an enterprise s organization structure and allows diverse (documentation) information sources of an enterprise to be well structured. The role-based access control (RBAC) mechanism implemented within DAPHNE is supported by the document hierarchy as well. Keywords Online authoring and publishing, role-based access control, RBAC, document hierarchy, workflow, Web authoring system 1. INTRODUCTION Distributed online authoring and publishing in enterprises has gained more and more importance in the last few years [5, 11]. The Internet, in particular the World-Wide Web, has provided the infrastructure that is needed for its realization. Now it is possible for users to perform online collaborative authoring directly from their workplace [6, 7]. However, two distinct issues have to be investigated for Web-based authoring systems in enterprises. 1. How to model/structure a large amount of diverse (documentation) information sources of an enterprise; 2. How to arrange the workflow with reasonable access control for viewing and editing such information sources. At the Institute for Telematics, Trier, Germany we have developed a Web-based online authoring and publishing system - DAPHNE (Distributed Authoring and Publishing in a Hypertet and Networked Environment). DAPHNE, as its name already implies, is a distributed collaborative authoring and publishing tool [5, 14]. DAPHNE offers the following interesting features: 1. DAPHNE differs from other approaches or other Web authoring publishing systems by under most circumstances - employing strictly standardized and open hypertet technology [8, 15]. Components that incorporate standard applications such as word processors or Internet services into DAPHNE have been developed; 2. Authoring and publishing of multilingual documents is supported by DAPHNE; 3. DAPHNE allows the structuring of various information sources by employing a structural element, e.g. subject headings. 4. DAPHNE offers a workflow with access control: various roles are supported by DAPHNE and each role is assigned with a fied set of actions, for instance, content eaminers can eamine and approve documents, a webmaster can publish documents to the Internet, and so on. By means of assigning actions and subject headings to roles an efficient workflow system with access control mechanism has been built; 5. DAPHNE can assure a standard layout for all documents of a website; 6. DAPHNE supports metadata (metatags) management; 7. High system openness: DAPHNE is designed to work with documents in any formats and for multiple purposes (web publishing, document management); 8. High fleibility: users can use any software they prefer to process contents of documents, which are managed by DAPHNE. As already mentioned above, an important issue for online authoring and publishing system is to arrange workflow with reasonable access control for viewing and editing such information sources. The aim is to support the collaborative authoring and publishing and to assure furthermore both, a secure documentation process and the quality of documents. The implementation is based on the WWW platform. In the following sections we will describe the problems we encountered as well our approach to solve the problems.

2 2. PROBLEM ANALYSIS: ACCESS CONTROL ON THE WEB Web authoring and publishing in enterprises can be a very comple process and many people are involved. Access control in a distributed collaborative online system has several aspects at different levels: 1. To only allow legal users to work with the system (authentication); 2. To support different roles to work with the system securely (authorization); 3. To support different implementations of the same role type to work with the system securely (authorization); Beside these aspects, there are other aspects, for instance, secure data transfer. The scenario described below can help to understand those security aspects of an online authoring and publishing system: In order to build a website of a big enterprise, many people must participate. They will work all together with the system, but with different tasks on the one hand and responsibility for different areas on the other hand. To allow people to work with the system directly from their workplaces, the system will be run on an Intranet or on the Internet. To prevent illegal access to the system (by the staff or other users), an access control mechanism should be available. That is, each user must be registered. People can have different tasks within the system (different role types), for instance, in an online authoring system there may be authors who write the documents, directors who eamine the contents of those documents, and webmasters who publish the documents, layout designers who determine the layout of those documents. In the system, an authorization mechanism should be available in order to prevent, for eample, an author from illegally performing tasks of directors. People (authors, content eaminers,...) are often only responsible for defined areas, for eample, authors and department directors only for their own departments. Likewise, an authorization mechanism should be available in the system in order to prevent, for eample, an author from trying to illegally edit documents of another area. Webserver programs provide already authentication and authorization mechanisms. For a Web-based authoring and publishing system, the webserver can meet the needs of access control at the first two levels easily. However, it can be very cumbersome to meet the need of access control at the third level, as Ferraiolo, Barkley, and Kuhn [1] wrote: Web server administrators usually control user access to enterprise published documents through creation and maintenance of access control lists (ACLs) on a serverby-server basis. ACLs specify, for each protected resource, a list of named individuals, or groups composed of individual users, with their respective modes of access to that object. This use of ACLs is problematic for a variety of reasons. ACLs are tied to particular objects. As such, they are appropriate for discretionary need-to-know policies, where ownership of objects resides with the end user. In more detail: in order to reach the 3. level access control, the following work should be done: 1. to make each possible departmental area or subject field (together in DAPHNE: subject heading) to be able to be associated with the ACLs, for eample, by establishing a directory for each possible area or field; 2. specify each role for areas or fields that they are responsible for on the Web server. It is obviously very difficult to reach the third level of access control, especially when the following factors are considered as well: there may be lots of areas / fields (subject headings), they may also grow constantly, there are often needs to change the association between users and areas / fields (subject headings). In order to build a fleible access control mechanism, a rolebased access control mechanism with an etension associated with the document hierarchy has been built in DAPHNE. In section 3 of this paper the basic role-based access control mechanism will be shown. The etension to document hierarchy will be shown in section RBAC IMPLEMENTATION WITHIN DAPHNE 3.1 Role-based Access Control To support collaborative work, a workflow and access control mechanism is very useful. Access control can be used both to restrict access to information and functionality in the shared environment to those authorized and to help coordination by providing only those functions to users that are currently needed to fulfil their role [12]. Lots of researches on role-based access control have been reported [1, 10, 12]. Roles and actions or permissions (to perform an action) are two basic elements of both workflow management system [13] and role-based access control system [1]. Since RBAC is primarily a nondiscretionary access control model and does not permit users to be directly associated with permissions, two different types of associations play a key role for building a role-based access control mechanism. They are: 1. associations between permissions and roles, that means, permissions are authorized for roles, and 2. associations between roles and users, that means, roles are authorized for users. By means of managing the two types of associations, a rolebased access control system can be managed efficiently. Ferraiolo, Barkley, and Kuhn [1] wrote:... when administering RBAC, two different types of associations must be managed: associations between users and roles and associations between roles and permissions. When a user s job position changes, only the user/role association change. If the job position is

3 represented by a single role, then, when a user s job position changes, there are only two user/role associations to change: remove the association between the user and the user s current role and add an association between the user and the user s new role. In our case, that is an online authoring and publishing system, since there may be a great amount of departments, areas or fields - we call them together subject headings within DAPHNE, a great amount of jobs can result in definitions of roles for each subject heading. This means two types of associations are not yet enough for the Web authoring and publishing system. As will be shown in a later section of the paper, another type of associations has been employed within DAPHNE, i.e., associations between roles and subject headings. By introduction of this type of associations, jobs of definition of roles have been reduced within DAPHNE. 3.2 DAPHNE Implementation According to our analysis of the requirements for access control and quality assurance in the enterprise s documentation process, the following roles are distinguished with in DAPHNE: 1. authors, 2. content eaminers, 3. publishers, and 4. system administrators (layout manager / information architect). There can be multi-level content eaminers depending on demand, for instance, an enterprise may request for a four-eye concept, while another may request for a si-eye concept. In addition, layout manager, information architect and database/system administrator have been defined as one role. If necessary, they can also be defined separately. Within DAPHNE actions or permissions (to perform actions) have been separated for accomplishing the whole process of online authoring and publishing. Basic actions include: inserting documents, viewing documents, editing / modifying / updating documents, deleting documents, document content eamination, layout definition, definition of subject headings. After having separated and defined roles and permissions within DAPHNE, the two types of associations are defined. Tab. 1 shows the associations between roles and permission: document creation and/or check-in into DAPHNE document modification document removal metadata editing search document replacement Author Content eaminer Webmaster/ publishers System administrator document or website preview layout definition Web structure definition document approval / content eamination (accept or refuse) static HTML based website generation further system administration (add new users, assign subject headings to users, etc.) () Tab. 1: Role-action relationships within DAPHNE Thus, permissions (actions within DAPHNE) are authorized to roles within DAPHNE. The realization of associations between users and roles is supported by means of ACLs: within DAPHNE, all actions of a role are bundled within a CGI directory of the Web server, i.e. each CGI-directory corresponds to a role. By adding a user to the ACL of this directory, the role is authorized for the user. Each document in DAPHNE possesses several possible statuses, which will be changed by actions of users. For instance, as employed by an international bank, DAPHNE supports four status groups of documents as shown below: locked; free; eported; published. If a document is still being edited, it is "locked". An author can set the status of the document to be "free", if he/she finishes the editing. A content eaminer can either "eport" or "lock" the document depending on his/her opinion. After another round of content eamination, the document can be "published". Thus, roles and their permissions described above can cause a

4 workflow for online authoring and publishing in the enterprise. For instance, authors that insert new documents send an "accept" permission for those documents to roles that are in the hierarchy directly above (i.e. content eaminers). Every user with the permissions of that role can accept or refuse to "further work" with the respective document. An accept message of a user with the highest role permission (the final content eaminer or publisher) leads to a new, official document of the enterprises website. However, there is still one issue to be dealt with, i.e., the secure documentation: users are usually only responsible for some subject headings and should not have permissions to perform actions on documents of other subject headings. To solve this problem, DAPHNE employs another association, the association between users and subject headings. 4. DOCUMENT HIERARCHY AS A COMPLEMENTARY ELEMENT FOR RBAC 4.1 Document Hierarchy within DAPHNE Well-structured hypertets can assure high usability [2, 3, 4, 8]. When a website is constructed in an enterprise organization, it is common that the department / area structure of the enterprise or organization is used as the basic structural element for building the elementary structure of the website. However, research results show that this approach has disadvantages, as noted by Jakob Nielsen in his foreword for [9]. In order to improve the usability of websites, the enterprise structure can be complemented by subject areas/headings within DAPHNE. Together they build the subject fields of DAPHNE. Subject headings build a document hierarchy for the website to be built. DAPHNE assumes a tree structure depending on different departments and subject areas in the enterprise documentation set. (See Fig. 1) Enterprise - documentation root Departement 1 Departement 2 Departement... Departement n Documents Area 1.1 Area... Area m 1 Documents Area 2.1 Area... Area m 2 Documents... Leaf-level: Doc 1 Doc... Doc m r Fig. 1: Tree structure based on departments and subject areas in the enterprise Each subject field contains correspondent documents which can be entered by users. Users can also select documents as socalled cover-pages for subject fields. Within DAPHNE, the content and layout of a document are managed separately. The layout of a subject field can be defined and will be used for all documents of this subject field. In this way, an automatic layout mechanism that includes the navigational structure that is based on the subject fields and supports a standard layout has been built. On the other hand, the subject fields used in DAPHNE are also structural elements of the hypertet system: they are both containers of documents and are structural elements of whole web pages (hypertet). In other words, the subject fields in DAPHNE are just like the composite units in some hypertet

5 systems [4], but with etended functions (they can also contain documents). Based on them, a large amount of documents will be managed efficiently, and the navigation structure will be built. As these subject fields are a miture of departments / areas of an enterprise and (Web user-oriented) subjects headings, it is epected that high usability of the Web site constructed by DAPHNE will be achieved. Every area can consist of several sub-areas and/or leaf documents. Two advantages arise out of an idea of putting areas and documents in a hierarchy. The first is that each document and area inherits the major characteristics of the parent-area. This could be information concerning the documentation classification, the layout or content-dependencies. The second advantage is the inheritance of access permissions by default to the users, as will be shown later. 4.2 Associations between Roles and Subject Headings In order to assure a secure documentation, there is a third type of associations, i.e., associations between users and subject headings within DAPHNE, in additions to the two basic associations of RBAC. In this way, the legal users of each subject fields are defined. In more detail, within DAPHNE, 1. Subject fields are authorized for users; 2. Implicitly, webmaster and administrators are associated with all subject headings; 3. System administrators (role type system administrator) cannot only insert new roles (role type author) but also insert or change the associations between roles and subject headings. The associations are maintained within the relational database which DAPHNE employs. Within DAPHNE, there is also a role hierarchy. On the leaflevel (role type: author) there are only basic permissions (actions) to allow the role to work with (contents of) documents directly, while every parent role has at least two high level permissions (actions): 1. accept (further working with) a document 2. refuse (further working with) a document. It should be mentioned again that system administrator, as the root role, can not only insert new roles but also insert or change the associations between roles and subject headings. We implemented the role hierarchy of the web documents for bank companies as: system administrator (root role) web-responsible (root role for document contents) departmental manager (middle role) author (leaf role) Within the workflow implemented in DAPHNE, each document may have several copies of itself - with different status - for different roles, i.e., for author(s), for content eaminer(s) and publisher(s). Thus, the dynamic updating and collaborative authoring of a working document can be achieved. 4.3 Benefits of Our Approach All author-roles of the department can access all documents, but they can only edit the ones they have inserted. The same role can belong to several members of the according department, so that there should not arise any difficulties when an employee falls sick or goes on holiday. The departmental manager is responsible (and he/she has of course all permissions needed) for the whole area-path below the department edge. Different roles for a specific area build a virtual team for this subject headings covering the whole authoring and publishing workflow from the beginning of inserting / editing documents to the final publishing. This assures the collaborative authoring. Within DAPHNE, the subject / document hierarchy is also used to build a browseable-navigation dynamically. The subject / document hierarchy can both be used for publishing internal documentation and providing a base for the web pages of a company. In our approach, subject headings are basic elements for access control: first, the legal users of each area are determined by means of assigning areas to roles. Secondly, subject headings (and their documents) can be assigned different access statuses for end users, for instance, in order to form an Intranet web site and an Internet web site. Generally speaking, the definition of roles within DAPHNE has been made very fleible. 5. CONCLUDING REMARKS AND FUTURE WORK In summary, a workflow system with access control is essential and very useful for online authoring and publishing systems in enterprises. Our eperiences have shown that such a workflow can be built efficiently based on the department and branch structure of an enterprise with complementation of web useroriented subject areas, i.e., the subject headings of DAPHNE. Our approach assures that a large number of online documents will be organized in a well-structured document hierarchy, and content/layout quality assurance as well as an achievement of secure documentation. We have shown that RBAC is very useful for building the access control mechanism in the workflow of an online authoring system as well as the big interest of associating users with subject headings. On the other hand, to make this mechanism more powerful, there are still several things to be done. Up to now, associations between subject headings and roles within DAPHNE can only be defined and modified by the role system administrator. This leads to the disadvantage that the document hierarchy or information structure is not very fleible. In order to get rid of this disadvantage, roles should be allowed to create subject headings freely, while the basic document hierarchy can be maintained. In addition, roles should be allowed to change the associations between subject headings and roles, too. Another type of associations, i.e., associations between documents (information object) and roles should be defined as well. This new type of associations will allow the owner of documents to associate other roles with permissions on those documents, for eamples, to allow other roles to perform actions, e.g. to modify or to remove the documents.

6 6. AKNOWLEDGEMENT This work is in part supported by the Stiftung Rheinland-Pfalz für Innovation, Germany. The authors would also like to thank the anonymous reviewers for the helpful suggestions and comments. 7. REFERENCES [1] Ferraiolo, D.F., Barkley, J.F., and Kuhn, D.R. A Role- Based Access Control Model and Reference Implementation within a Corporate Intranet. ACM Transactions of Information and System Security, 2(1) (1999), [2] Halasz, F.G. Reflections on Notecards: Seven issues for the net generation of hypermedia systems. Communication of ACM, 31 (7) (1988), [3] Halasz, F.G., and Schwartz, M. The Deter Hypertet Reference Model. Communication of ACM, 37(2) (1994), [4] Hammwöhner, R., and Kuhlen, R. Semantic control of open hypertet systems by typed objects. Journal of Information Science, 20(3) (1994), [5] Heuer, A., Zhang, Z., Engel, T., and Meinel. C. DAPHNE - Distributed Authoring and Publishing in a Hypertet and Networked Environment. In: Proceddings of the International Conference IuK99 - Dynamic Documents (Feb. 1999), Jena, Germany [6] Liu, C., Zhou, X., and Orlowska, M. Issues in workflow and Web-based workflow systems. In: Proceedings of the Asia Pacific Web Conference (APWeb98). World Wide Web: technologies and applications. (Beijing, China, 1998). Available at: [7] Miller, J., Palaniswami, D., Sheth, A., Kochut, K., and Singh., H. Webwork: Meteors web-based workflow management system. Journal of Intelligent Information Systems, 10(2) (1998) [8] Nürnberg, P.J., Wiil, U.K., and Leggett, J.J. "Structuring Facilities in Digital Libraries". In: Proceedings of the Second European Conference on Digital Libraries (ECDL 98). (1998), Available at: 8.pdf [9] Rosenfeld, L., and Morville, P. Information Architecture for the World Wide Web. Cambridge: O'Reily [10] Sandhu, R. and Samarati, P. Authentication, access control, and audit. ACM Comput. Surv., 28, 1, , 1996 [11] Streitz, N.A., Haake, J., Hannemann, J., Lemke, A., Schuler, W., Schütt, H., and Thüring, M.: SEPIA: A cooperative hypermedia authoring environment. In Proc. ECHT 92. Milano. ACM: New York, [12] Wang, W.: Team-and-Role-Based Organational Contect and Access Control for Cooperative hypermedia Environments. In Proceedings of Hypertet 99: Returning to our diverse roots (Darmstadt, Germany 1999). ACM Press, [13] Wodtke, D., Weissenfels, J., Weikum, G., and Dittrich, A.K. The Mentor Project: Steps Towards Enterprise-Wide Workflow Management. In: IEEE International Conference on Data Engineering. (New Orleans, 1996). Available at: [14] Zhang, Z. Heuer, A., Engel, T., and Meinel, C.: DAPHNE - A Distributed Tool for Web Authoring and Publishing. To appear in Proceedings of the Annual Conference of American Society of Information Science, ASIS 99, Washington D.C., Nov [15] sterbye, K., and Wiil, U.K.: The Flag Taonomy of Open Hypermedia Systems. Hypertet 96 (1996). ACM Press,