Skip to Main Content
The emergence of e-marketplace Web sites that contain proprietary information from multiple organizations requires the creation of new access control schemes that provide fine-grained access control while reducing both administrative and run-time overhead. It is also desirable to have clear, concise, and easily configurable definitions of access control policies that are aligned with business processes, and to have these policies enforced consistently throughout an e-commerce system. In this paper, we describe a policy-based access control scheme, and its implementation, that allows access to individual instances of resources to be specified in a concise and computationally efficient manner. We model business relationships between users and business objects and use implicit grouping of users and resources. These concepts allow policies to refer efficiently to aggregates of resources and users and to document the intention of an authorization policy. Our access control scheme is implemented as an applicati on-level access control mechanism within IBM's WebSphere® Commerce Suite, Marketplace Edition. We use this implementation to provide examples and give performance data. For future work, we discuss how our policy-based, resource-level access control scheme might be enhanced to augment language-level access control schemes, such as the Java™ 2 Platform, Enterprise Edition (J2EE™) security model.
Note: The Institute of Electrical and Electronics Engineers, Incorporated is distributing this Article with permission of the International Business Machines Corporation (IBM) who is the exclusive owner. The recipient of this Article may not assign, sublicense, lease, rent or otherwise transfer, reproduce, prepare derivative works, publicly display or perform, or distribute the Article.