An access control framework for business processes for web services

Business Processes for Web Services are the new paradigm for the lightweight integration of business from different enterprises. Whereas the security and access control policies for basic web services and distributed systems are well studied and almost standardized, there is not yet a comprehensive proposal for an access control architecture for business processes. The major issue is that a business process describes complex services that cross organizational boundaries and are provided by entities that see each other as just partners and nothing else. This calls for a number of differences with traditional aspects of access control architectures, such as:

• credential vs classical user-based access control,
• interactive and partner-based vs one-server-gathers-all requests of credentials from clients,
• controlled disclosure of information vs all-or-nothing access control decisions,
• abducing missing credentials for fulfilling requests vs deducing entailment of valid requests from credentials in formal models,
• "source-code" authorization processes vs data describing policies for communicating policies or for orchestrating the work of authorization servers.

Looking at the access control field, we find good approximations of most components but not their synthesis into one access control architecture for business processes for web services, which is the contribution of this paper.
