مدل سازمانی هدف گرا برای پشتیبانی از کنترل دسترسی مبتنی بر نقش پویا در تجارت الکترونیک

Role-based access control (RBAC) provides flexibility to security management over the traditional approach of using user and group identifiers. In RBAC, access privileges are given to roles rather than to individual users. Users acquire the corresponding permissions when playing different roles. Roles can be defined simply as a label, but such an approach lacks the support to allow users to automatically change roles under different contexts; using static method also adds administrative overheads in role assignment. In electronic commerce (E-Commerce) and other cooperative computing environments, access to shared resources has to be controlled in the context of the entire business process; it is therefore necessary to model dynamic roles as a function of resource attributes and contextual information. In this paper, an object-oriented organizational model, Organization Modeling and Management (OMM), is presented as an underlying model to support dynamic role definition and role resolution in E-Commerce solution. The paper describes the OMM reference model and shows how it can be applied flexibly to capture the different classes of resources within a corporation, and to maintain the complex and dynamic roles and relationships between the resource objects. Administrative tools use the role model in OMM to define security policies for role definition and role assignment. At runtime, the E-Commerce application and the underlying resource manager queries the OMM system to resolve roles in order to authorize any access attempts. Contrary to traditional approaches, OMM separates the organization model from the applications; thus, it allows independent and flexible role modeling to support realistically the dynamic authorization requirements in a rapidly changing business world.

Electronic Commerce (E-Commerce) applications aim to conduct business over the electronic network. Although electronic business transactions evolved from EDI protocols will continue to play a major role in E-Commerce, the rapid growth of the Internet (in 1998, more than 2 million new users are added to the Internet every quarter [20]) has pushed companies to expand the scope of E-Commerce applications to cover the full range of business activities [3]. These activities may include marketing, negotiation, fulfillment and follow up, all perform over the Internet. This trend creates new business opportunities and posts new technical challenges. It pushes E-Commerce to go beyond simple short-lived transactions but become a business process that includes outside customers, business partners, and a number of resources within a company. As more people are involved in the transaction circle, security and authorization control become one of the biggest concerns. Current E-Commerce solutions are primarily developed as applications on top of Resource Managers (RM) or database management system (DBMS). Unfortunately, resource manager implementations have historically focused on technologies around access methods, concurrency control, and logging and recovery [7], [8] and [16]. The security model and access control usually assume a simple and static model, which are based on user and group identifiers. As E-Commerce applications are implemented over the DBMS, they simply adopt the user and security model of a relational database management system (RDBMS) as their access control model. However, the user model in RDBMS is designed primarily to support access control in processing isolated transactional operations rather than integrated process activities [17]. It is thus not adequate to model the flexible resource relationship that is required to support cooperative works in the E-Commerce context. The introduction of workflow technology allows E-Commerce applications to cover the full range of business activities over the network. As the work-process flows across multiple organizations, it is important to identify the different resources involved in the process. However, current workflow deployment practically focuses on departmental level; many of these systems simply ignore the role issue. Others though expand their scope to cover workflow across departmental boundaries, they still assumed a static organization and role model within a single corporation [2] and [13]. This paper discusses an organizational and role model to support dynamic access control in E-Commerce. The model is called Organization Modeling and Management (OMM). The OMM methodology supports both the conceptual design and the design implementation phases of the enterprise modeling cycle [1]. It serves as an underlying system for applications and resource managers to control resource accesses and job assignment. The next section covers the related research work in role-based access control (RBAC) and organization modeling. Section 3 describes the OMM conceptual and reference model for enterprise modeling. OMM does not assume a particular process or application architecture. With this generic approach, OMM is able to map its object types to other organizational data schemes and to present an integrated multidimensional view of different organizational resources. Section 4 presents the role resolution concept in E-Commerce and discusses a Java-based prototype, OMM, which is used to implement an RBAC system to enable the E-Commerce strategy in a hi-tech company. Section 5 discusses the OMM system architecture. The paper will conclude in Section 6 by a summary and by sharing our practical experience of applying the OMM methodology to a hi-tech firm to support their E-Commerce strategy.

In this paper, a dynamic organizational information system, the Organization Modeling and Management (OMM) methodology and organization model, along with its system architecture, are presented as a comprehensive tool to model roles to support dynamic role-based authorization in E-Commerce. The application of the OMM methodology in role resolution of an electronic order processing application is discussed. Compared to previous efforts [1], [4], [6], [9], [11], [17], [19], [21], [24], [28] and [32], OMM is similar in having a strong object model and separating the organization model from the process model. However, OMM also abstracts the organization model from the role definition, thus giving flexibility in complex organization modeling. It is novel in having a dynamic interrelationship notion that is expressed by using regular expressions over member attributes, system-defined variables and contextual variables. We show that the relationship model is essential in supporting access control of cooperative software, such as E-Commerce applications, for authentication, authorization and dynamic job assignment. Using virtual links, OMM can model dynamic roles such that policies regarding various operations over the work objects can be defined and maintained. Finally, the explicit life cycle of the OMM members reflects the dynamic state changes of resources in reality. This provides a handle for better support of organization management and makes task rerouting and optimistic exception handling in a E-Commerce system possible in case a resource is absent from its duty. Although OMM is strong in modeling enterprise resources and their interrelationships, it does not have a process model for defining business processes. Our goal is to make OMM available for the research community and to solicit research partners in workflow. Several areas of further research stem out directly from our current work. OMM as an analytical and modeling tool is useful. However, if the organization database is only maintained by the modeler, then the information collected during the organization analysis process will remain to be static and will quickly be outdated as the organization is undergoing constant changes. Hence, it is important for the OMM system to continually receive input and to have the capability to adjust itself automatically as the underlying information of the organization change. In order to accomplish that goal, we must provide ways for workers on all levels of the enterprise to continually and handily maintain up-to-date information of those enterprise objects that they manage. The OMM system accomplishes this by providing an open Java API to support the development of Internet and Intranet applications. Users not only can access and review organizational resource information, organization structure and resource connections, but can also update the resource information anywhere, anytime through the World Wide Web. As the underlying information is updated, the specific organization models created through the network of enterprise resources and the corresponding interobject relationships will automatically adjust themselves to represent the most up-to-date picture of the enterprise. However, once we allow multiple users to modify the organizational information concurrently, it is possible for them to run into conflicts that may lead to data inconsistency and deadlocks. Although the underlying DBMS can protect data integrity and resolve transaction conflicts, as we are dealing with an object-based system, more work is required to coordinate access on the object level. We are considering providing object-level locks to improve the usability and performance of the system. In modeling dynamic relationships, we are defining the relationships only between OMM member objects. It would be more powerful if we expand virtual links to cover relationships between a member and an organization, or even between two organizations. When an OMM organization is being part of a relationship, all member objects within that organization are involved in it. For instance, if Tom Moore is a supervisor of an organization, then it is assumed that he supervises all resources within that organization. A Java-based OMM prototype (code name OMM S-25) has been developed at OCT Research Laboratory [10]. With S-25, users can model the different resource types and create resource objects representing various entities in the enterprise. Relationships between the objects are modeled as virtual links using regular expressions. A web interface is provided for users to browse through the enterprise and discover the detailed information and connections of the resources from different point of view. In our case study, we have applied the OMM methodology to model the organizational infrastructure of Hitachi America and use OMM as a key component in their E-Commerce implementation. Hitachi America has 6000 people and over 200 departments, by defining six virtual links to capture their business policies, over 1500 graphical models are automatically generated and self-maintained to represent the complex relationship and interrelated roles between the resources. Hitachi is committed to an E-Commerce initiative strategy. Mas Ishigaki, the Deputy Manager and Director of Information Technology Division at Hitachi America said, “We need to ensure that E-Commerce is conducted in a secured and controlled manner. Organizations need to adapt rapidly to the ever-changing business environment to stay competitive. OMM is a key technology that can enhance our organization's ability to better manage change and strengthen our competitiveness.