The GDPR requirements are quite popular now. The hype is real, as much as the penalties if you don’t comply with it.

In the previous article, “When technology meets regulation (GDPR) – part I“, by showing you a demonstration to secure your information under the General Data Protection Regulation, we have anticipated how the GDPR compliance requires services based on Digital Business platforms, such as Alfresco, to

• Secure your documents, 
• Control and automates compliance processes and
• Integrate into every part of the business that requires access to GDPR-sensitive information. (George Parapadakis in “Implementing GDPR: from uncertainty to actual solutions).

But what is the technology behind our solution?

Ronny Timmermans, CEO at Xenit, and Thijs Lemmens, Senior ECM Engineer, together with our experienced team, explain how we developed a metadata-based authorization and access control extension and how to improve Alfresco Access Control List (ACL) lists.

In a nutshell, classical Access Control Lists (ACL) systems, like the one in Alfresco, are powerful for fine-grained access control, but cumbersome to maintain and too simple in expressiveness. There is no decent support of AND, OR, NOT type of access rules. Adding an additional protection layer for GDPR would require reviewing your ACL inheritance and creating an additional (oh no, not again) a number of Active Directory groups to express privacy constraints. With a dynamic system of user roles and meta-data-based authorization rules, you will add a simple (GDPR) filter on top of your current access control policies.