1. Field of the Invention
The present invention relates to the concurrent display of multiple, heterogeneous application components and middleware components and more particularly to access control among multiple, heterogeneous application components and middleware components.
2. Description of the Related Art
Access control relates to the moderation and limitation of access rights to resources in a computing system. Resources can range from documents to application logic, and access rights can range from read-only access to full read, write and execute access. Oftentimes, access control can vary from user to user or group to group depending upon the trustworthiness of the user or group. Those having a higher level of trust are granted access permissions associated with a high degree of access, while those having a lower level of trust are granted only the amount of access permission required to achieve a specific objective. In this way, the exposure of the underlying resources to a compromise of their security and integrity can be minimized.
Access control for an application having only a limited number of users can be relatively manageable. For each individual user, a requisite level of access can be determined subjectively, and corresponding access rights can be assigned to the user. For an application which involves a vast number of often unpredictable individual users, access control can be unmanageable. Where the requisite access rights to various resources change for individual users in the latter scenario, access control administration becomes a very complex task. This increasing complexity also increases the probability that access control misconfigurations will occur, compromising system security. To reduce complexity and its associated risk, system designers have introduced the mechanism of role-based access control.
Role-based access control relates to the assignment of access rights not to an individual user, but to a role fulfilled by one or more individual users. Specifically, it can be more readily determined what level of access rights is to be afforded to a user who fulfills a particular role in an application, such as an administrator, guest, manager, executive and the like. In the concept of workflow, roles can be extended to the type of user responsible for a portion of a business process. In this way, though the identity and roles assumed by any one user can be fluid in nature, the access rights afforded to a user assigned to a specific role can remain relatively static. Consequently, the management of access rights, even for a vast number of users, can be dramatically simplified.
Role-based access control solutions have been proposed for a variety of software systems. For simple systems, where a single application executes on a single middleware component, role-based access control has proven to be a powerful tool for mediating access. Yet, though the use of application roles has been effective in abstracting access control for a simple system, role-based access control has not been effective in managing access control to an aggregation of disparate applications and/or middleware components, especially where the role-based access control systems vary from application to application and from middleware component to middleware component within a composite application (the aggregation of heterogeneous applications).
Business roles have been proposed as a solution to the authorization problem in the composite application space. A business role defines an arbitrary combination of the application roles available across the composite application. In this way, the disparate role-based access control of each application can be harmonized within at least one of the arbitrary combinations. Notwithstanding, it will be apparent to the skilled artisan that the mechanism of the business role is deficient at least with respect to the potentially large number of business roles which must be defined to accommodate a set of disparate applications for various business objectives. Managing a large number of business roles can be burdensome. Moreover, the solutions integrator must have a priori knowledge of all of the application roles of the composite application. Finally, not all combinations of application roles are valid: an invalid business role can combine contradictory application roles, propagating that contradiction to every user assigned the business role and further complicating access control management.
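The per-application role model of the preceding paragraphs and the business-role composition just described, as an added worked example that is not part of the patent text: the applications, roles, permissions and separation-of-duty constraints below are all constructed for illustration. The example assumes that "contradicting roles" means a pair of application roles that must never be held by the same person, which is one reading of the text rather than a definition it gives. It computes the effective permissions a business role grants across heterogeneous applications, flags business roles that combine mutually exclusive application roles, and counts how quickly the space of possible business roles grows with the number of application roles.

```python
"""Toy model of per-application RBAC composed into business roles.

Constructed example for illustration; not code from the patent.
Applications, roles, permissions and conflict pairs are hypothetical.
"""
from dataclasses import dataclass
from itertools import combinations

# Per-application RBAC. Each application has its own role vocabulary
# (deliberately disjoint, as in a heterogeneous composite application),
# and each role grants a set of (resource, right) permissions.
APP_ROLES = {
    "crm": {
        "sales_rep": {("account", "read")},
        "sales_mgr": {("account", "read"), ("account", "write")},
    },
    "finance": {
        "clerk": {("ledger", "read")},
        "approver": {("ledger", "read"), ("payment", "approve")},
        "auditor": {("ledger", "read"), ("audit_log", "read")},
    },
    "portal": {
        "guest": {("page", "read")},
        "admin": {("page", "read"), ("page", "write"), ("user", "write")},
    },
}

# Assumed separation-of-duty constraints: application roles that must
# never be combined in one business role. A business role that contains
# such a pair is what this example treats as "contradicting".
MUTUALLY_EXCLUSIVE = {
    frozenset({("finance", "approver"), ("finance", "auditor")}),
    frozenset({("finance", "clerk"), ("finance", "approver")}),
}

ALL_APP_ROLES = sorted(
    (app, role) for app, roles in APP_ROLES.items() for role in roles
)


@dataclass(frozen=True)
class BusinessRole:
    name: str
    app_roles: frozenset  # set of (application, role) pairs


def business_role(name, *app_roles):
    """Build a business role, rejecting unknown applications or roles.

    This is the a-priori knowledge the integrator must hold: every
    application role has to be known before it can be combined."""
    for app, role in app_roles:
        if app not in APP_ROLES or role not in APP_ROLES[app]:
            raise KeyError(f"unknown application role {app}/{role}")
    return BusinessRole(name, frozenset(app_roles))


def effective_permissions(br):
    """Union of every constituent application role's permissions, per app."""
    perms = {}
    for app, role in br.app_roles:
        perms.setdefault(app, set()).update(APP_ROLES[app][role])
    return perms


def conflicts(br):
    """Mutually exclusive pairs fully contained in this business role."""
    return sorted(sorted(pair) for pair in MUTUALLY_EXCLUSIVE
                  if pair <= br.app_roles)


def is_valid(br):
    return not conflicts(br)


def enumerate_business_roles():
    """Every non-empty combination of application roles, i.e. every
    business role an integrator could define. Grows as 2**n - 1."""
    for k in range(1, len(ALL_APP_ROLES) + 1):
        for combo in combinations(ALL_APP_ROLES, k):
            yield BusinessRole(f"br_{'+'.join(r for _, r in combo)}",
                               frozenset(combo))


def count_business_roles(valid_only=False):
    """Size of the business-role space, optionally excluding invalid ones."""
    return sum(1 for br in enumerate_business_roles()
               if not valid_only or is_valid(br))


if __name__ == "__main__":
    br = business_role("approve_and_audit",
                       ("finance", "approver"), ("finance", "auditor"))
    print("valid:", is_valid(br), "conflicts:", conflicts(br))
    print("possible business roles:", count_business_roles())
    print("of which valid:", count_business_roles(valid_only=True))
```

With seven application roles across three applications, 127 distinct business roles can be defined, of which 79 survive the two constraints; every additional application role doubles the space, which is the management burden the paragraph describes.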