An Attribute-Based Access Control Model for Web Services

Web service is a new service-oriented computing paradigm which poses the unique security challenges due to its inherent heterogeneity, multi-domain characteristic and highly dynamic nature. A key challenge in Web services security is the design of effective access control schemes. However, most current access control systems base authorization decisions on subject?s identity. Administrative scalability and control granularity are serious problems in those systems, and they are not fit for Web services environment. So an attribute-based access control model (WS-ABAC) is presented to address these issues in this paper. WS-ABAC grants access to services based on attributes of the related entities, and uses automated trust negotiation mechanism to address the disclosure issue of the sensitive attributes. It can provide administratively scalable alternative to identity-based authorization methods and provide fine-grained access control for Web services. Moreover, it also can protect user?s privacy.

[1]  Xie Jun,et al.  Context-Aware Role-Based Access Control Model for Web Services , 2004 .

[2]  Ernesto Damiani,et al.  Fine grained access control for SOAP E-services , 2001, WWW '01.

[3]  Miao Liu,et al.  An attribute and role based access control model for Web services , 2005, 2005 International Conference on Machine Learning and Cybernetics.

[4]  Jin Tong,et al.  Attributed based access control (ABAC) for Web services , 2005, IEEE International Conference on Web Services (ICWS'05).

[5]  William H. Winsborough,et al.  Automated trust negotiation in attribute-based access control , 2003, Proceedings DARPA Information Survivability Conference and Exposition.

[6]  Pierangela Samarati,et al.  A Uniform Framework for Regulating Service Access and Information Release on the Web , 2002, J. Comput. Secur..

[7]  Ninghui Li,et al.  RT: a Role-based Trust-management framework , 2003, Proceedings DARPA Information Survivability Conference and Exposition.

[8]  Ramaswamy Chandramouli,et al.  The Queen's Guard: A Secure Enforcement of Fine-grained Access Control In Distributed Data Analytics Platforms , 2001, ACM Trans. Inf. Syst. Secur..

[9]  Marianne Winslett,et al.  Negotiating Trust on the Web , 2002, IEEE Internet Comput..

[10]  K.E. Seamons,et al.  Automated trust negotiation , 2000, Proceedings DARPA Information Survivability Conference and Exposition. DISCEX'00.

[11]  Elisa Bertino,et al.  A trust-based context-aware access control model for Web-services , 2004 .