The function would enable narrowed access to specific data objects based on instances, rather than focusing on entire data sets related to an object, according to Anthony Nadalin, IBM senior technical staff member and lead security architect in the company's Tivoli Software group.
With instance-based authorisation, a healthcare provider could access instances of data pertaining to patient "Mary," rather than gaining access to all related objects and methods, Nadalin said.
"Basically, we want to get this notion into J2EE (Java 2 Enterprise Edition) itself" through the Java standards process, known as JSR (Java Specification Request), Nadalin said.
"Meanwhile, we're working on something in WebSphere," said Nadalin, noting 2003 as the target date for inclusion of the instance function.
Additionally, IBM is moving toward a Kerberos-based token security model for authorisation in WebSphere to enable tighter links to other Kerberos-based security systems in IBM offerings such as CICS middleware, the DB2 database, and OS/390 mainframes, Nadalin said.
"Kerberos gives us the ability to have end-to-end delegation" of requests between different servers and divide workloads, said Nadalin.
Kerberos is due in WebSphere some time this year, after Release 5 of WebSphere, which is expected in June, said Nadalin.