Koshutanski, Hristo and Massacci, Fabio (2002) An Access Control System for Business Processes for Web Services. UNSPECIFIED. (Unpublished)
Web Services and Business Processes for Web Services are the new paradigms for the lightweight integration of business from different enterprises. Whereas the security and access control policies for basic web services and distributed systems are well studied and almost standardized, there is not yet a comprehensive proposal for an access control architecture for business processes. The major difference is that business process describe complex services that cross organizational boundaries and are provided by entities that sees each other as just partners and nothing else. This calls for a number of differences with traditional aspects of access control architectures such as: - credential vs classical user-based access control, - interactive and partner-based vs one-server-gathers-all requests of credentials from clients, - controlled disclosure of information vs all-or-nothing access control decisions, - abducing missing credentials for fulfilling requests vs deducing entailment of valid requests from credentials in formal models, - "source-code" authorization processes vs data describing policies for communicating policies or for orchestrating the work of authorization servers. Looking at the access control field we find good approximation of most components but not their synthesis into one access control architecture for business processes for web services, which is the contribution of this paper.
Actions (login required)