Information Technology Reference
In-Depth Information
•
(
∀
X) (
∀
τ
) (T(X)
∧
Π
(
τ
)
∧
A(X,
τ
) ⇒ CL(X))
•
(
∀
X) (CEO(X) ⇒
¬
ACT(X))
•
(
∀
X) (ACT(X) ⇒
¬
CEO(X))
Where the first axiom reads as “for all X, for all
τ
, if X is a mechanical engineer, X is
a citizen,
”.
The last two read as “for all X, if X is CEO, then X cannot be an accountant” and “for
all X, if X is accountant, X cannot be a CEO.”
As one can see, it is quite possible for the requirements sets to be in conflict with
each other without carefully examination particularly when the logic are implemented
in the low-level, trivial, system-level security mechanisms. It is also possible that the
authorization requirement sets do not cover the entire access control space needed
from both logical and business perspectives. In a one-castle scenario, this issue is less
pronounced due to the lower complexity level. However, the complexity multiplies
when the number of partners, data and data ownership increases. The issue is both a
logical one as well as a business one. Thus, mathematical modeling of the formal
access control policies is essential before the complex logic is implemented into the
target system environments. Legacy IA does not address these challenges, especially
considering the fact that there has never been IA engineering process to follow to
capture the requirements.
τ
is a privileged engineering information, then access is allowed for X to
τ
6.3 Dynamism
Access control requirements in virtual enterprise change all the time. There are
contract expiration, updates as well as suspensions. There are also people,
organization and data updates. Whenever there is a change, all systems need to be
updated. Legacy IA treats authorization as a matrix conceptually with users on one
side and data objects on the other side. This matrix is sparsely populated and the cells
represent allowable access of a user to an object. The cells are eventually
implemented into the end systems. In the old business model where activities only
take place within a castle, this matrix is relatively small and updates are also straight
forward. In the modern virtual enterprise, the scale and complexity make the matrix
very large. When authorization requirements changes occur, it becomes also
extremely difficult to these cumbersome, inflexible, low level system security
mechanisms. Without an explicit policy representation and a management framework,
legacy IA is incapable to catch up with the rate of change in today's virtual enterprise.
6.4 Coherent Implementation
For a large virtual enterprise with many systems, business mandates that same set of
authorization requirements needs to be enforced across multiple environments for the
same set of data objects. For example, export control regulation on the same set of
design data regardless whether it's accessed through CAD/CAM system, file system
or databases should be consistent with each other. Legacy IA focuses on islands of
enforcement. Such coherent implementation is unattainable by today's IA.
