1. Field of the Invention
The present invention relates to data processing and, in particular, to access control. Still more particularly, the present invention provides a method, apparatus, and computer program product for mobile authorization using policy based access control.
2. Description of the Related Art
Remote access to services over the Internet using mobile and intermittently connected devices is rapidly growing in popularity. Services accessed in this way range from electronic banking to support services for traveling salespeople and from location-based services to content-based services. Drawbacks of mobile and remote devices include limited bandwidth and sporadic connections. Another drawback of mobile devices is that they tend to be much more resource-constrained than their fixed-line counterparts. Consequently, successful mobile access to services depends on 1) continuous off-line operations when the remote device is disconnected from the network, 2) conformance of off-line operational requirements to the resource constraints of the device, and 3) seamless transition of operations between on-line and off-line states.
To sustain off-line operations, remote devices need to download content and processes. The content may include business objects, such as catalog entries, and business processes, such as order creation, update, and submission. When the required objects and processes are downloaded to the remote device, operations can continue uninterrupted when the device is off-line. When operating in disconnected mode, the same level of authorization on these resources and processes should be enforced as when operations are performed on-line. Once a remote device is re-connected to the network, seamless transition of operations depends on how well the content and processes can be synchronized with the content and processes on the server.
When a remote device is used to perform off-line operations on downloaded processes and objects, it is possible for the objects and processes to become inconsistent with the corresponding objects and processes on the server. When synchronization is attempted, there may be conflicts. Resolving conflicts can be difficult and time-consuming. Many of these conflicts may be related to the inconsistent enforcement of policy authorization procedures from on-line to off-line operations.
For example, suppose a user cancels a completed order in off-line/disconnected mode on a remote device that performs no authorization check. The user may successfully execute the cancel operation on the remote device even though she would not have been permitted to do so on-line. In connected mode, the server would perform an operation authorization check, which would not permit an order that is already completed to be canceled. When the objects and processes corresponding to the off-line operation are synchronized with the server, a conflict arises from the inconsistency. Conversely, a remote system that did not allow any off-line operations to be performed would not introduce inconsistencies in data, but would introduce inconsistencies in the allowed operations between connected and disconnected modes.
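The scenario above can be reproduced in a few lines. The following is an added illustration, not code from the patent: the order states, the `authorize` rule, the `Device` class and the `synchronize` routine are all assumptions, and the sample orders are constructed. It runs the same off-line cancel on a device with no authorization check and on one that applies the server's check locally, then reports which queued operations the server refuses at synchronization.

```python
# Added illustration; all names and the sample orders are constructed assumptions.
from dataclasses import dataclass, field

def authorize(operation, order_status):
    """Operation authorization check: a completed order may not be canceled."""
    if operation == "cancel":
        return order_status != "completed"
    return True

@dataclass
class Device:
    enforce_policy: bool      # True = run the server's check locally while off-line
    orders: dict              # local copy of downloaded orders: id -> status
    pending: list = field(default_factory=list)   # operations queued for sync

    def cancel(self, order_id):
        """Attempt an off-line cancel; returns True if the device applied it."""
        if self.enforce_policy and not authorize("cancel", self.orders[order_id]):
            return False      # denied locally, nothing is queued
        self.orders[order_id] = "canceled"
        self.pending.append(("cancel", order_id))
        return True

def synchronize(server_orders, device):
    """Replay queued operations on the server; return the ones it refuses."""
    conflicts = []
    for operation, order_id in device.pending:
        if authorize(operation, server_orders[order_id]):
            server_orders[order_id] = "canceled"
        else:
            conflicts.append((operation, order_id))
    device.pending.clear()
    return conflicts

def run_scenario(enforce_policy):
    server_orders = {"A100": "completed", "A101": "open"}   # constructed sample data
    device = Device(enforce_policy, dict(server_orders))
    applied = [device.cancel(order_id) for order_id in ("A100", "A101")]
    return applied, synchronize(server_orders, device), server_orders

if __name__ == "__main__":
    for enforce in (False, True):
        applied, conflicts, server = run_scenario(enforce)
        print(f"enforce={enforce} applied={applied} conflicts={conflicts} server={server}")
```

Without the local check the device accepts both cancels and the completed order surfaces as a conflict at synchronization; with the check the device refuses that cancel up front and the queue replays cleanly.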