[Sigia-l] Information Access Control
Patrick Debois
Patrick.Debois at sos.be
Thu Dec 16 10:47:06 EST 2004

During multiple projects I have faced the problem of 'Information Access
Control'. Typically within an enterprise, people have different information
sources like email, fileshares, webpages. While these are actual
information stores, they could all easily be 'webified'. So much for the
means of "access". Difficulties arise when determining who has access to
what available information.

given [INFORMATION], [WHO] can do [WHAT]

WHO: Some information around is public, some might be 'for your eyes
only'. This gives a range from assigning an individual, a group, public
or any combination. Another thing is that when people have to decide who
they give control to, they consider their personal relationship with the
other person instead of the corporate role of the other person. It is
all too human that even people within the same company will not share all
information with one another. Instead of the typical 'corporate' role
model, people tend to have their own trust model. So much for role-based
ACL based upon the corporate groups, as they are managed centrally and
pushed upon the employees to use. Therefore it would make sense to
delegate the control of information to each employee themselves, and use a
kind of 'friend of a friend'/grapevine approach. (CORPORATE WHO <->
PERSONAL WHO perception). (Question: Is there any system doing this?)

INFORMATION: Again multiple variations exist: a specific document, a
topic, a subtopic. I've tried to compare it to a taxonomy but again you
fall into a distinction of (CORPORATE view or PERSONAL view). And the
personal view seems to have more exceptions when you look at it. This
might be similar to the taxonomy problem: when you start discussing it,
people see lots and lots of categories, but you end up with only a few
practical ones at the end. But as opposed to only putting things within
a category, people are more alert when they have to share information.

WHAT: This seems to be the most limited one: Read, Write, Modify, Delete.
Considering every piece of information, you have INFORMATION x WHO x
WHAT to consider. This is probably the main reason they start making it
simple ... no access at all, just ask me ;-(

My question is: is there any structured approach you people have been
following in getting through this process? Or are the tools just not up
to it? Thanks for all your input!
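
The model sketched in the post, "given [INFORMATION], [WHO] can do [WHAT]" with owner-delegated control and a bounded 'friend of a friend' reach, can be illustrated as follows. This is an added example, not part of the original post; the names, items, trust lists and the hop-limit policy format are all constructed assumptions.

```python
from collections import deque

# Constructed sample data: each person's own trust list (PERSONAL WHO,
# maintained by the employee, not derived from corporate groups).
TRUST = {"ann": {"bob"}, "bob": {"carol"}, "carol": {"dave"}, "dave": set()}

# Constructed per-owner policy: topic -> {action: max trust hops from owner}.
# 1 = direct friends, 2 = friends of friends. A missing entry means deny.
POLICY = {
    "ann": {
        "project-x": {"read": 2, "write": 1},
        "salary": {},  # 'for your eyes only': nobody but the owner
    },
}

# Constructed INFORMATION: item -> (owner, topic).
ITEMS = {"spec.doc": ("ann", "project-x"), "pay.xls": ("ann", "salary")}


def hops(owner, who, limit):
    """Shortest trust distance from owner to who, or None if beyond limit."""
    seen, queue = {owner}, deque([(owner, 0)])
    while queue:
        person, dist = queue.popleft()
        if person == who:
            return dist
        if dist < limit:  # never walk the grapevine further than allowed
            for friend in TRUST.get(person, ()):
                if friend not in seen:
                    seen.add(friend)
                    queue.append((friend, dist + 1))
    return None


def allowed(item, who, what):
    """Given [INFORMATION], can [WHO] do [WHAT]? Anything unlisted is denied."""
    if item not in ITEMS:
        return False
    owner, topic = ITEMS[item]
    if who == owner:
        return True  # the owner keeps full control of their own information
    limit = POLICY.get(owner, {}).get(topic, {}).get(what)
    if limit is None:
        return False
    return hops(owner, who, limit) is not None


if __name__ == "__main__":
    for who in ("bob", "carol", "dave"):
        print(who, "read spec.doc:", allowed("spec.doc", who, "read"))
```

Because the owner sets one hop limit per topic and action, the INFORMATION x WHO x WHAT product collapses to a few policy entries, and everything not listed stays denied.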