Today, people collaborate across the world and write documents cooperatively. When many people work on one document, an access control model that supports a fine level of granularity is essential. Moreover, some steps in the workflow may require that documents be handed over to people who do not usually have access to the central document server.
The authors of this paper propose a model to specify access rights for parts of Extensible Markup Language (XML) documents based on user credentials. Credentials are properties that describe the user. This allows access control rules to be easily expressed.
Privileges can be granted for authoring, allowing subjects to modify the document, or restricted to browsing only. Moreover, a privilege specified for an element of the XML document can be propagated to its direct children only, to all of its sub-elements, or not at all. Similarly, policies specified for a document type definition (DTD) can be propagated to all of its instances.
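To make the propagation options concrete, the following Python evaluator (an added illustration for this review, not the paper's own formalism or code) attaches rules with a credential, a target element, a privilege and a propagation option to a document type or to a single instance, and computes which elements a subject holding given credentials may browse or author. The credential strings, rule fields, document identifiers and the two sample documents are constructed for the example, and the example assumes that the authoring privilege implies browsing.

```python
"""Toy evaluator for credential-based access control on XML elements.

Added illustration, not the reviewed paper's formalism.  Credential names,
rule fields, document identifiers and the sample documents are constructed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Propagation options: the authorization holds for the target element only,
# for the element and its direct children, or for the whole subtree.
NO_PROP, FIRST_LEVEL, CASCADE = "none", "first_level", "cascade"


@dataclass(frozen=True)
class Rule:
    credential: str        # property a subject must hold, e.g. "role=editor"
    doctype: str           # root element name standing in for the DTD
    target: str            # ElementTree path of the element the rule attaches to
    privilege: str         # "browse" or "author"
    propagation: str       # NO_PROP, FIRST_LEVEL or CASCADE
    doc_id: Optional[str] = None  # None: DTD-level rule, applies to all instances


# Two instances of the same document type (constructed sample data).
DOCS = {
    "d1": b"""<article><title>Draft 1</title>
<body><section><p>Intro</p></section><section><p>Method</p></section></body>
<notes><note>Internal</note></notes></article>""",
    "d2": b"""<article><title>Draft 2</title>
<body><section><p>Only one section</p></section></body>
<notes><note>Internal</note></notes></article>""",
}

RULES = [
    # DTD-level: every author may browse any article in full.
    Rule("role=author", "article", ".", "browse", CASCADE),
    # DTD-level: authors may edit the body and everything under it.
    Rule("role=author", "article", "./body", "author", CASCADE),
    # DTD-level: reviewers see the body and its sections, but not section text.
    Rule("role=reviewer", "article", "./body", "browse", FIRST_LEVEL),
    # Instance-level: reviewers may edit the notes of d2 only.
    Rule("role=reviewer", "article", "./notes", "author", CASCADE, doc_id="d2"),
]


def element_paths(root):
    """Map each element to a root-relative path such as /article/body/section[2]."""
    paths = {root: "/" + root.tag}
    for parent in root.iter():           # preorder: parent is mapped before children
        seen = {}
        for child in parent:
            seen[child.tag] = seen.get(child.tag, 0) + 1
            dup = sum(1 for c in parent if c.tag == child.tag) > 1
            idx = f"[{seen[child.tag]}]" if dup else ""
            paths[child] = f"{paths[parent]}/{child.tag}{idx}"
    return paths


def covered(root, rule):
    """Elements an authorization reaches under its propagation option."""
    el = root.find(rule.target)
    if el is None:
        return set()
    if rule.propagation == NO_PROP:
        return {el}
    if rule.propagation == FIRST_LEVEL:
        return {el, *el}                 # the element and its direct children
    return set(el.iter())                # CASCADE: the element and all descendants


def allowed(doc_id, credentials, privilege, docs=DOCS, rules=RULES):
    """Sorted paths of elements a subject may access with `privilege` in `doc_id`.

    Authoring is taken to imply browsing (an assumption of this example).
    """
    root = ET.fromstring(docs[doc_id])
    satisfies = {"browse": {"browse", "author"}, "author": {"author"}}[privilege]
    paths = element_paths(root)
    granted = set()
    for r in rules:
        if r.doctype != root.tag or (r.doc_id is not None and r.doc_id != doc_id):
            continue                     # other document type or other instance
        if r.credential in credentials and r.privilege in satisfies:
            granted |= covered(root, r)
    return sorted(paths[e] for e in granted)


if __name__ == "__main__":
    print(allowed("d1", {"role=reviewer"}, "browse"))
    print(allowed("d2", {"role=reviewer"}, "author"))
```

Running it shows the three propagation options side by side: the reviewer's first-level rule on the body exposes the body and its sections but not the paragraph text below them, the author's cascading rule reaches every descendant, and the instance-level rule on the notes applies to d2 but is ignored for d1 even though both documents share the same type.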
The most interesting part of the model is that users can pass the document on to the next person in the workflow without requiring that person to retrieve it from the server directly. Assuming that users do not collude, the security and integrity constraints can still be enforced. Simultaneous modification of the document is not permitted, but controlling concurrent modifications of documents in a distributed environment is obviously a task that is difficult, if not impossible, to handle automatically.
The first 20 pages of the paper contain no formal definitions, are easy and straightforward to read, and provide a good overview of the model. The remaining 30 pages are more formal, but excellent figures and examples make this part easy to understand as well. The paper is most certainly worth reading.