Collaborative systems provide a rich but potentially chaotic environment for their users. This paper presents a system that allows users to control collaboration by enacting policies that serve as general guidelines to restrict and define the behavior of the system in reaction to the state of the world. Policies are described in terms of access control rights on data objects, and are assigned to groups of users called roles. Roles represent not only statically-defined collections of users, but also dynamic descriptions of users that are evaluated as applications are run. This run-time aspect of roles allows them to react flexibly to the dynamism inherent in collaboration. We present a specification language for describing roles and policies, as well as a number of common "real-world" policies that can be applied to collaborative settings.
W. Keith Edwards