In a computer system, an access control list (ACL) is a security-model mechanism for granting users permission to access electronically stored objects. An ACL specifies which users and/or user groups are authorized to access objects and which operations are allowed on given objects. The operations can include reading (“R”) from an object, writing (“W”) to an object, deleting (“D”) an object, and executing (“X”) an object. Traditionally, users are identified by their names and groups by their members.
In addition to name-based access control, there is role-based access control. In such a system, the permission to perform a certain operation is assigned to a specific role rather than to a name. This eases maintenance because the ACL does not have to be updated every time a new user is added to a certain job function.
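The difference between the two models shows up when a new user joins a job function. The following is an added example, not code from the original text; the class names, user names, role names and sample object are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

OPS = frozenset("RWDX")  # read, write, delete, execute, as listed in the text


def _check(op):
    if op not in OPS:
        raise ValueError(f"unknown operation {op!r}")


@dataclass
class NameAcl:
    """Per-object ACL keyed by user name and by group name."""
    users: dict = field(default_factory=dict)   # user name  -> set of ops
    groups: dict = field(default_factory=dict)  # group name -> set of ops

    def allowed(self, user, op, members):
        _check(op)
        granted = set(self.users.get(user, ()))
        for group, ops in self.groups.items():
            if user in members.get(group, ()):  # a group is identified by its members
                granted |= ops
        return op in granted                    # no matching entry means deny


@dataclass
class RoleAcl:
    """Per-object ACL keyed by role; user names never appear in it."""
    roles: dict = field(default_factory=dict)   # role name -> set of ops

    def allowed(self, user, op, assignments):
        _check(op)
        return any(op in self.roles.get(r, ()) for r in assignments.get(user, ()))


def onboarding_demo():
    # Constructed sample data: one object protected under both models.
    members = {"legal": {"alice"}}
    name_acl = NameAcl(users={"bob": {"R"}}, groups={"legal": {"R", "W"}})
    role_acl = RoleAcl(roles={"reviewer": {"R"}, "counsel": {"R", "W", "D"}})
    assignments = {"alice": {"counsel"}, "bob": {"reviewer"}}

    before = (name_acl.allowed("carol", "R", members),
              role_acl.allowed("carol", "R", assignments))
    snapshot = {r: set(o) for r, o in role_acl.roles.items()}
    assignments["carol"] = {"reviewer"}         # role model: only the assignment changes
    name_acl.users["carol"] = {"R"}             # name model: the ACL itself is edited
    after = (name_acl.allowed("carol", "R", members),
             role_acl.allowed("carol", "R", assignments))
    return before, after, role_acl.roles == snapshot
```

In the role-based case the object's ACL is identical before and after the new user is added, which is the maintenance saving the paragraph describes.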
The aforementioned solutions are derived from the so-called traditional folder structure, where folders are located in a static folder hierarchy. ACLs are therefore also limited to a single hierarchy of access rights. Similarly, access roles are often statically assigned from a predefined set of users or user groups.
However, these solutions are not suitable for a metadata-based folder hierarchy, as in a dynamic document management system. This is because in a dynamic document management system the objects are not statically located in the folder structure; their existence in the document space varies according to the circumstances. Therefore, a different kind of ACL solution is needed to meet the requirements of a metadata-based document management system.