The working environment of e-business is characterized by open networks and cross-company business transactions, replacing closed, monolithic systems with intrinsic security mechanisms. In the world of Web services in eCommerce, access will depend more and more on authorization. In this environment, ways of rationalizing the authorization process and authorization status will be key.
Existing solutions for authorization management share a common constraint: they are all tailored to particular applications. Consequently, every time a new application is introduced into the corporate landscape, the user management tool has to create yet another adaptor for it. In most cases, the connection to a central user management tool also requires a plug-in to be installed in the software in order to accomplish the connection. While the user and current role information is centrally kept, because the information has to be prepared by and immediately available to each connected system, there is likely to be redundant storage. For example, where the same users have essentially the same roles and authorizations on different systems, the same user information may wind up being stored separately for multiple systems.
The amount of user information that must be handled is further exacerbated by the need to define and maintain separate roles for each distinct position within the organization, each distinct role being understood as a specific collection of privileges associated with a particular position. While user administration can rely on these roles for administering access rights, the advantages realized by the use of roles, in terms of easier inclusion of new users and grouping of function-related authorizations, are overridden by the huge number of roles to be maintained for even a medium-sized organization. Merely creating derived roles does not solve this problem of proliferation. In the case where the individual's actual role is merely a qualified version of a higher order role, the derived or qualified role merely gives rise to still another discretely defined role associated on an ad hoc basis with a specific privilege set for a specific position. Derived roles thus do not avoid proliferating data to be analyzed and maintained by the user management tools.