The ABCs of Content-Driven Systems
Decoupling access control from branding and content
Digital designers of all kinds talk endlessly about the importance of separating content from presentation, but I argue there is a third consideration, and that’s who gets to see what. Overwhelmingly, access control is coupled to the application, and this makes it hard to provision, extend and integrate. The net effect is that to get through their day, people need a zillion different usernames and passwords in a hodgepodge of systems that do not interact with one another. The goal here is to figure out design patterns for (primarily Web-based) infrastructure software (CMS/ERP/CRM) that fully decouple the access control functionality from the content and the presentation. The result is simpler, more secure systems that work better for users. ABC:
- Access control (i.e., authentication and authorization),
- Branding (along with the rest of the presentation layer),
- Content (including data and business logic).
Origin Story
This theme came about through a confluence of projects, including an ongoing project to develop a client's intranet. It began with a concern, first, that people wouldn't use the intranet if they had to incur the extra hurdle of logging into it. Second, we were concerned about the overhead of managing yet another set of user names, passwords, and permissions, including the inevitable tendency for people to forget their passwords—and their user names. What we came up with was a way to hook into the organization's single sign-on system, meaning people in the office, when accessing the intranet, never see a login screen.
The roots for this theme in fact go back even farther, to work I did in the mid-2000s on federated identity for the Web: systems which were designed to be connective tissue, so that you could move—along with your data—unimpeded from application to application. Indeed, side effects of this achievement include a pattern for designing Web applications—like this client's intranet itself—fully decoupled from the business of authentication and authorization. The net effect is that the applications themselves are simpler to write and easier to test, and we can drop in different access control mechanisms, and even have multiple mechanisms running alongside one another.
All other aspects of access control aside: passwords suck. There have been considerable advancements in both security and convenience since passwords, but if your product/service/infrastructure/app/whatever is too wedded to passwords, you're never gonna get to try all the other stuff.
The Program
The program of this theme is to further refine the set of technical criteria that afford the clean separation of access control from content and presentation in a Web-based information system, including the development of technique for modulating the presentation based on whether or not a user is authenticated, or, if authenticated, what access level they have. The proposition is to solve for the general case using open-source implementations of open standards, and where necessary, tailor the solution to your specific platform.