4 Responses To This Post
Pranshu Says, in 12-18-2006 at 11:38:52 from 203.123.182.26    

Good take, Apoorv. Externalizing authorization has been a highly debated topic, especially when you are looking at integrating application access and possibly provisioning using portals.

I believe that centralizing authorization is not such a good idea. It creates a “cyclic dependency” between the portal and the applications.
The central authorization server needs to know all the roles which exist in all the accessed applications in order to do that.

Also, the applications hardly ever agree on the security model – and we find the applications using a mix of ACL-Role, Role-Resource-Operation, and a Unix-style Asset-ACL authorization model.
Even if all the systems were using JAAS – centralizing authorization will require a dependence during application maintenance and administration.

Ijonas Kisselbach Says, in 12-18-2006 at 13:48:46 from 217.204.65.78    

Hi Apoorv,

My two cents on ECM security, having dealt with many implementations from a migration point of view, is that access rights to content (be they ACL-Role, Asset-ACL or whatever) should be maintained by the ECM.

That is to say… I’m a great believer in keeping the metadata alongside the content, and to me access right information is nothing more than metadata. So I guess I take an asset-centric point of view.

I think what is needed is industry standardisation around access rights. You’re right in pointing out that security is more than just providing connectors into LDAP directories to perform authentication requests.

Efforts like SAML are still “authentication-focused”, which is disappointing. I’m surprised not more is being done in this area to standardise the “access-rights” problem. There’s hardly any competitive edge to be found in the security implementations from one CMS to another.

I guess vendors are taking the “walled garden”-approach and hoping to cash-in on lock-in through lack of standardisation.

Munish K Gupta Says, in 1-2-2007 at 17:27:29 from 203.91.193.5    

Having a centralized authentication and authorization model always leads to problems. Every new application that comes in usually has its own authorization model. Now, a centralized model will mean creating more roles/groups to manage this new set of privileges. After some time, the admin will go bonkers trying to create a new user and assign him privileges across 10 applications.

My advice: keep the authentication central via your AD system and let each application manage its own authorization model. Organizations can standardize on the tools/model to be used for authorization. This can also provide a good delegated admin model, where an application admin can manage privileges for his/her set of application users.
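
The pattern argued for in the comments above (Pranshu: applications use a mix of Role-Resource-Operation and Asset-ACL models; Munish: authenticate centrally, authorize per application, delegate administration to each application's admin) can be sketched in code. This is an added example, not code from the post or from any of the commenters, and every name in it (the CentralDirectory stand-in for AD, the two application classes, the users, groups, roles and assets) is a constructed assumption. Each application keeps its own authorization model and its own admin list; the only thing they share is the identity the directory vouches for.

```python
"""Central authentication, per-application authorization (added example).

Assumptions: CentralDirectory stands in for a directory such as AD; the two
application classes, users, groups, roles and assets are all constructed
sample data, not anything from the original post.
"""
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    """What the central directory vouches for: the subject and its directory groups."""
    subject: str
    groups: frozenset


class CentralDirectory:
    """Stand-in for the central authentication service (AD/LDAP)."""

    def __init__(self, users):
        # username -> (password, set of directory groups); constructed sample data
        self._users = users

    def authenticate(self, username, password):
        record = self._users.get(username)
        if record is None:
            return None
        stored_pw, groups = record
        # constant-time compare; a real directory would verify a hash, not a plaintext
        if not hmac.compare_digest(stored_pw.encode(), password.encode()):
            return None
        return Identity(username, frozenset(groups))


class RoleResourceOperationApp:
    """Application A: Role -> {(resource, operation)} grants, managed by its own admins."""

    def __init__(self, name, app_admins):
        self.name = name
        self.app_admins = frozenset(app_admins)  # delegated admins for this app only
        self.role_grants = {}                     # role -> set of (resource, operation)
        self.user_roles = {}                      # subject -> set of roles

    def _require_admin(self, actor):
        if actor.subject not in self.app_admins:
            raise PermissionError(f"{actor.subject} is not an admin of {self.name}")

    def define_role(self, actor, role, grants):
        self._require_admin(actor)
        self.role_grants[role] = set(grants)

    def assign_role(self, actor, subject, role):
        self._require_admin(actor)
        if role not in self.role_grants:
            raise KeyError(f"{self.name}: unknown role {role!r}")
        self.user_roles.setdefault(subject, set()).add(role)

    def is_allowed(self, ident, resource, operation):
        return any(
            (resource, operation) in self.role_grants.get(role, ())
            for role in self.user_roles.get(ident.subject, ())
        )


class AssetAclApp:
    """Application B: Unix-style ACL per asset, entries keyed on directory group."""

    def __init__(self, name, app_admins):
        self.name = name
        self.app_admins = frozenset(app_admins)
        self.acls = {}  # asset -> {group: set of permissions}

    def set_acl(self, actor, asset, group, perms):
        if actor.subject not in self.app_admins:
            raise PermissionError(f"{actor.subject} is not an admin of {self.name}")
        self.acls.setdefault(asset, {})[group] = set(perms)

    def is_allowed(self, ident, asset, perm):
        acl = self.acls.get(asset, {})
        # the app maps directory groups to its own ACL; the directory knows nothing of it
        return any(perm in acl.get(group, ()) for group in ident.groups)


def build_demo():
    """Wire one directory to two apps with different models (constructed data)."""
    directory = CentralDirectory({
        "alice": ("alice-pw", {"staff", "finance"}),
        "bob": ("bob-pw", {"staff", "hr"}),
        "carol": ("carol-pw", {"staff"}),   # finance app admin
        "dave": ("dave-pw", {"staff"}),     # hr app admin
    })
    finance = RoleResourceOperationApp("finance", app_admins={"carol"})
    hr = AssetAclApp("hr", app_admins={"dave"})

    carol = directory.authenticate("carol", "carol-pw")
    finance.define_role(carol, "approver", {("invoice", "approve"), ("invoice", "read")})
    finance.assign_role(carol, "alice", "approver")

    dave = directory.authenticate("dave", "dave-pw")
    hr.set_acl(dave, "/personnel/salaries", "hr", {"read"})
    return directory, finance, hr


def run_demo():
    """Return the access decisions as a dict so they can be checked."""
    directory, finance, hr = build_demo()
    alice = directory.authenticate("alice", "alice-pw")
    bob = directory.authenticate("bob", "bob-pw")
    results = {
        "bad_password_rejected": directory.authenticate("bob", "wrong") is None,
        "alice_approves_invoice": finance.is_allowed(alice, "invoice", "approve"),
        "bob_approves_invoice": finance.is_allowed(bob, "invoice", "approve"),
        "bob_reads_salaries": hr.is_allowed(bob, "/personnel/salaries", "read"),
        "alice_reads_salaries": hr.is_allowed(alice, "/personnel/salaries", "read"),
    }
    # Delegated admin boundary: the HR app admin cannot touch the finance role model.
    dave = directory.authenticate("dave", "dave-pw")
    try:
        finance.assign_role(dave, "bob", "approver")
        results["cross_app_admin_blocked"] = False
    except PermissionError:
        results["cross_app_admin_blocked"] = True
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The directory never learns about "approver" roles or salary ACLs, which is exactly the dependency the first comment warns a central authorization server would have to carry; adding a third application with yet another model only requires that application to accept an `Identity`, not a change to the directory or to the other applications.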

Steve Says, in 2-25-2007 at 23:42:09 from 207.231.68.88    

Great article…wrote some others on ECM and Security at http://www.scanguru.com

http://www.scanguru.com/page.php?9
