Enterprise Content Management and Security

James Governor and Alan have written posts about ECM and security. The problem they raise, that many of these products implement their own security model instead of using external security products, is not limited to ECM products. I have seen portal products that also have their own security model.

Most products in this space actually claim that they can integrate with external security products. However, when you dig deeper, you will find that this integration is limited to authentication. It is quite easy to use an external LDAP directory that stores user ids and passwords against which authentication can be done. But when it comes to authorization, these products need a fine-grained permissioning mechanism (Alan gives an example of 57 different permission levels!). One needs to store permissions for different assets, sometimes even for different fields of an asset, on different versions of assets, and so on. In that sense, the security mechanism is quite closely coupled with the content management system (or portal, as the case may be).

Having said this, I think it would be a good idea to decouple features like security and externalize them. But many of the product vendors use this as a differentiator, and previous experience shows that it is easier said than done to get vendors to agree on using common standards.
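As an added illustration of the split the post draws (example code written for this page, not from any of the products or posts mentioned): authentication is delegated to an external directory, stubbed here with a constructed in-memory user table standing in for LDAP, while authorization stays inside the content repository as an ACL keyed by asset, version and field. All users, passwords, groups and asset names are constructed for the example.

```python
"""
Toy model of "authenticate externally, authorize locally".

The directory part is what an LDAP bind gives you: a yes/no on the password
and the user's group memberships. The repository part is the piece the post
says cannot be pushed out to a generic security product: permissions that
differ per asset, per field of an asset and per version of an asset.
"""
import hmac
from hashlib import pbkdf2_hmac
from typing import Dict, FrozenSet, Optional, Tuple

# --- external directory (stands in for LDAP); constructed sample data -------

_SALT = b"constructed-fixed-salt"  # fixed so the example is deterministic


def _hash(password: str) -> bytes:
    return pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


DIRECTORY: Dict[str, Tuple[bytes, FrozenSet[str]]] = {
    # uid -> (password hash, groups)
    "alice": (_hash("alice-pw"), frozenset({"editors"})),
    "bob": (_hash("bob-pw"), frozenset({"readers"})),
}


def authenticate(uid: str, password: str) -> Optional[FrozenSet[str]]:
    """Return the user's groups on success, None on failure.

    This is all the external directory contributes: identity and coarse
    group membership. It knows nothing about assets, fields or versions.
    """
    entry = DIRECTORY.get(uid)
    if entry is None:
        return None
    stored, groups = entry
    if not hmac.compare_digest(stored, _hash(password)):
        return None
    return groups


# --- repository-local ACL -------------------------------------------------

# Key: (asset, version, field). None means "any version" / "whole asset".
# Value: principal -> permitted actions, where a principal is "user:<uid>"
# or "group:<name>".
AclKey = Tuple[str, Optional[int], Optional[str]]
REPO_ACL: Dict[AclKey, Dict[str, FrozenSet[str]]] = {
    # Current version of the asset as a whole.
    ("contract-42", None, None): {
        "group:readers": frozenset({"read"}),
        "group:editors": frozenset({"read", "write"}),
    },
    # One field is restricted even for editors who may write the rest.
    ("contract-42", None, "salary"): {"user:alice": frozenset({"read"})},
    # An older version is frozen: everybody may read, nobody may write.
    ("contract-42", 1, None): {
        "group:readers": frozenset({"read"}),
        "group:editors": frozenset({"read"}),
    },
}


def authorize(uid: str, groups: FrozenSet[str], action: str, asset: str,
              version: Optional[int] = None, field: Optional[str] = None) -> bool:
    """Most specific ACL node wins and does NOT inherit from less specific ones.

    Lookup order: (asset, version, field) > (asset, version) > (asset, field)
    > asset. Missing everywhere means default deny.
    """
    principals = {f"user:{uid}", *(f"group:{g}" for g in groups)}
    for key in ((asset, version, field), (asset, version, None),
                (asset, None, field), (asset, None, None)):
        node = REPO_ACL.get(key)
        if node is not None:
            allowed = set().union(*(node.get(p, frozenset()) for p in principals))
            return action in allowed
    return False


def check_access(uid: str, password: str, action: str, asset: str,
                 version: Optional[int] = None, field: Optional[str] = None) -> bool:
    """Full path: external authentication, then repository-local authorization."""
    groups = authenticate(uid, password)
    if groups is None:
        return False
    return authorize(uid, groups, action, asset, version, field)


if __name__ == "__main__":
    print(check_access("alice", "alice-pw", "write", "contract-42"))            # True
    print(check_access("alice", "alice-pw", "write", "contract-42", version=1)) # False
    print(check_access("bob", "bob-pw", "read", "contract-42", field="salary")) # False
```

The point of the lookup order in `authorize` is the coupling the post describes: a field-level or version-level node overrides the asset-level one rather than adding to it, so an editor group that can write the asset still cannot write a frozen version or read a restricted field. Expressing that in a directory's group model would require one group per (asset, version, field, action) combination, which is where permission counts like the 57 levels mentioned above come from.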

4 thoughts on “Enterprise Content Management and Security”

  1. Good take, Apoorv. Externalizing authorization has been a highly debated topic, especially when you are looking at integrating application access and possibly provisioning using portals.

    I believe that centralizing authorization is not such a good idea. It creates a “cyclic dependency” between the portal and the applications.
    The central authorization server needs to know all roles which exist in all the accessed applications in order to do that.

    Also, the applications hardly ever agree on the security model – and we find the applications using a mix of ACL-Role, Role-Resource-Operation, and a Unix-style Asset-ACL authorization model.
    Even if all the systems were using JAAS – centralizing authorization will require a dependence during application maintenance and administration.

  2. Hi Apoorv,

    My two cents on ECM security, having dealt with many implementations from a migration point-of-view, is that access rights to content (be they ACL-Role, Asset-ACL or whatever) should be maintained by the ECM.

    That is to say… I’m a great believer in keeping the metadata alongside the content, and to me access right information is nothing more than metadata. So I guess I take an asset-centric point-of-view.

    I think what is needed is industry standardisation around access rights. You’re right in pointing out that security is more than just providing connectors into LDAP directories to perform authentication requests.

    Efforts like SAML are still “authentication-focused”, which is disappointing. I’m surprised not more is being done in this area to standardise the “access-rights” problem. There’s hardly any competitive edge to be found in the security implementations from one CMS to another.

    I guess vendors are taking the “walled garden”-approach and hoping to cash-in on lock-in through lack of standardisation.

  3. Having a centralized authentication and authorization model always leads to problems. Every new application that comes in usually has its own authorization model. Now, a centralized model will mean creating more roles/groups to manage this new set of privileges. After some time, the admin will go bonkers trying to create a new user and assign him privileges across 10 applications.

    My advice: keep the authentication central via your AD system and let each application manage its own authorization model. Organizations can standardize on the tools/model to be used for authorization. This can also provide a good delegated admin model, where an application admin can manage privileges for his/her set of application users.
