Sunday, August 12, 2007
Enterprise Architecture Perspectives on Workflow
I hope I have the right perspective. If not, Craig Randall is more than welcome to keep the conversation honest.
Workflow around documents is distinct from workflow around people. In the first, the document is a first-class citizen, while people and their identities are second-class. You create a workflow template and Documentum sends the documents to the proper recipient. You can add conditions like rejected/approved/return to owner. This gives the document a lifecycle. Document-specific workflow therefore focuses on the state changes of the document itself while ignoring how the document participates in human workflow.
In document-oriented workflow, using the ACLs built into the product is sufficient. Likewise, if the ECM platform handles document workflow, then embedding identity in it can also be tolerated. If, however, a document participates in a human workflow, then the security model of the document may need to be externalized from the ECM platform.
Consider the scenario where there may be tons of documents as part of the claims process, and the claims process is managed by a BPM engine. The security model may say that only the current process owner can access the document. That would require either massive synchronization between the two platforms (this feels fugly) or for the ECM platform to externalize its security model via a standards-based approach.
The above scenario doesn't really call out the need for identity and authentication, as the enterprise concern may not really be about whether the person accessing the document is who they say they are, but more about authorization: whether they should be allowed to see the document. While we understand that authorization depends on authentication, the folks in the identity community seem to be focusing solely on low-hanging fruit and not the problems of large enterprises.
Maybe ECM vendors at large are sending a message to their enterprise clients that they simply don't care about security. Have you noticed that Billy Cripe, John Newton and others rarely talk about gaps in terms of ECM security? Maybe ECM vendors consider themselves Israel and the enterprise is Palestine...
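The claims scenario above, as an added sketch that is not from the original post or any vendor's product: an ACL copied into the ECM goes stale when the BPM engine reassigns the claim, while an externalized decision point asks the engine for the current process owner at access time. `BpmEngine`, `Document`, `PolicyDecisionPoint` and the claim and user ids are hypothetical names made up for this illustration.

```python
from dataclasses import dataclass, field

@dataclass
class BpmEngine:
    """Hypothetical stand-in for the BPM engine: claim id -> current process owner."""
    owners: dict = field(default_factory=dict)

    def reassign(self, claim_id, user):
        self.owners[claim_id] = user

    def current_owner(self, claim_id):
        return self.owners.get(claim_id)

@dataclass
class Document:
    doc_id: str
    claim_id: str
    acl: set = field(default_factory=set)  # ACL embedded in the ECM (a synchronized copy)

def acl_check(doc, user):
    """Embedded model: the ECM decides from its own copy of who may read."""
    return user in doc.acl

class PolicyDecisionPoint:
    """Externalized model: the ECM asks for a decision instead of storing the answer."""
    def __init__(self, bpm):
        self.bpm = bpm

    def decide(self, user, action, doc):
        owner = self.bpm.current_owner(doc.claim_id)
        if owner is None:  # unknown claim: fail closed
            return "Deny"
        return "Permit" if action == "read" and user == owner else "Deny"

def demo():
    """Constructed sample data: claim CLM-1001 moves from alice to bob, ACL is not re-synced."""
    bpm = BpmEngine()
    bpm.reassign("CLM-1001", "alice")
    doc = Document("DOC-1", "CLM-1001", acl={"alice"})
    pdp = PolicyDecisionPoint(bpm)
    bpm.reassign("CLM-1001", "bob")  # process owner changes in the BPM engine only
    return {
        "acl_alice": acl_check(doc, "alice"),         # stale grant survives
        "acl_bob": acl_check(doc, "bob"),             # new owner is locked out
        "pdp_alice": pdp.decide("alice", "read", doc),
        "pdp_bob": pdp.decide("bob", "read", doc),
    }

if __name__ == "__main__":
    print(demo())
```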