An Approach to Identity Management for Service Centric Systems

Today users consume applications composed of services from different providers across trust domains. From experience we know that security requirements and user identity management make service composition difficult. We believe that delegation of access rights across trust domains will become an essential mechanism in service composition scenarios. Users care about security but cannot deal with the variety of existing solutions for access control. A unified interface for access control and delegation is essential for multi-domain composite services. This paper addresses the problem of identity management for service-centric systems and proposes a novel approach based on an abstract delegation framework supporting different access control mechanisms. We show how the abstract delegation framework is designed to give control and clarity to the user consuming applications based on service composition. Besides the theoretical aspects, the paper shares experiences based on scenarios from the automotive industry.
