Authors: Worachet Uttha (1); Clara Bertolissi (2) and Silvio Ranise (3)
Affiliations: (1) LIF and CNRS UMR 7279 & AMU, France; (2) LIF, CNRS UMR 7279 & AMU and Fondazione Bruno Kessler, France; (3) Fondazione Bruno Kessler, Italy
Keyword(s):
Access Control, Transitive Access, Security Policy, OrBAC, Web Services, XACML.
Related Ontology Subjects/Areas/Topics: Access Control; Data Engineering; Databases and Data Security; Information and Systems Security; Information Assurance; Internet Technology; Organizational Security Policies; Security and Privacy in Web Services; Web Information Systems and Technologies
Abstract:
Access control is a crucial issue for the security of Web Services. Since these are independently designed,
implemented, and managed, each with its own access control policy, it is challenging to mediate the access
to the information they share. In this context, a particularly difficult case occurs when a service invokes
another service to satisfy an initial request, leading to indirect authorization errors. To overcome this problem,
we propose a new approach based on a version of ORganization Based Access Control (OrBAC) extended
by a delegation graph to keep track of transitive authorization dependencies. We show that Datalog can be
used as the specification language of our model. As a byproduct of this, an automated analysis technique
for simulating execution scenarios before deployment is proposed. Finally, we show how to implement an
enforcement mechanism for our model on top of the XACML architecture. To validate our approach, we
present a case study adapted from the literature.