1. Field of the Invention
This invention generally relates to access control in software systems, and more specifically, to role-based access control in component based software systems.
2. Background Art
With the growth of the Internet and the world economy, information is now shared more equally and freely. This has had a strong impact on the way people work and communicate. Many businesses today are carried out and delivered by different collaboration units (CU). For example, according to a recent report, 30 percent of traditional professional IT service jobs will be delivered by people who come from emerging markets, i.e. from different countries all over the world. Therefore, providing effective and appropriate software systems to support today's businesses within a collaborative context is a key issue for the software industry.
Typically, a software system supporting collaborative work might be used by people in different roles. These people not only have their own business responsibilities, but also use the software system to collaborate with each other. In other words, people in different roles often work through a collaborative process to fulfill the business requirements. However, the person in each role usually has different considerations and only needs the functions related to his own work. From the management view, this also implies a requirement on the management team to control the process and guarantee security by having the software system provide only the necessary functions to the person in a corresponding role.
Furthermore, the function set of a specific role in a collaborative environment is often dynamically changeable. The software system should provide related functions to the role according to the run-time system environment of the collaborative process. Finally, given the complexity of today's software systems and the high cost of software development, it may be impossible to offer a separate version of the software system for each role. Therefore, a method to support role-based access control in software systems under a collaborative context becomes very important and necessary.
On the other hand, today's software systems are more inclined to be developed using modular components, which can be seen as a new programming paradigm beyond object-oriented programming. In other words, a software system is constructed by assembling well-defined components at run-time. For example, the Eclipse plug-in architecture is a well-known representative of the component-based architecture. This kind of modularization, achieved through componentization, helps customize the functions in a software system among the users in different roles.
There are some existing solutions that address access control in a distributed system.
U.S. Pat. No. 5,339,403 discloses a procedure including a Privilege Attribute Certificate (PAC) that represents the user's access rights. When the user wants to access an application, it passes the PAC to the application, and to a PAC User Monitor (PUM) that validates the PAC to determine whether the user is authorized to access the application. Although this disclosure offers an apparatus to support user authorization in a distributed system, it does not target the role-based access control issue, which is typically more complex than this basic idea.
Role-based access control differentiates the access rights of particular roles to a software system. U.S. Pat. No. 7,222,369 describes a role-based portal to a workplace system, which attempts to provide corresponding data, materials and tools when users in different roles log in to the workplace. A role-based filter component is proposed in this reference to use data from an assigned role data file for determining whether the specific tools and information should be accessed by a particular individual. However, this reference does not describe a method for handling dynamic changes to the role-based access mechanism.
U.S. Pat. No. 6,014,666 considers another important problem in role-based access control. When the user ids and groups in the operating system are used by the application software for access control, it is difficult for the application software to decide whether the related user ids and groups already exist in the target operating system. Thus, the reference provides an automatic mapping mechanism that lets the application software define logical user ids and groups and then transform them into real user ids and groups when the application software is deployed.
Resource organization in role-based access control is investigated in U.S. Patent Publication 2003/0229623 A1. This reference describes the hierarchical relationships among the enterprise resources and assigns each role a set of such resources. Forward and reverse inheritance is applied to each user level-role assignment such that each user is allowed all permissions for ancestors to the assigned level or descendants to the assigned level.
U.S. Pat. No. 7,216,125 studies the resource query and selection problem in role-based access control. This reference provides an automated technique to efficiently generate a list of resources to which a user can apply an action when the user passes the authorization step.
However, the above references do not address the problem of tackling access control in the context of a component-based software system with dynamic roles that may change as defined by a run-time context in a process involving multiple parties.