research-article

An integrated approach for identity and access management in a SOA context

Authors:

Waldemar Hummer,

Patrick Gaubatz,

Mark Strembeck,

Schahram DustdarAuthors Info & Claims

SACMAT '11: Proceedings of the 16th ACM symposium on Access control models and technologies

Pages 21 - 30

https://doi.org/10.1145/1998441.1998446

Published: 15 June 2011 Publication History

Abstract

In this paper, we present an approach for identity and access management (IAM) in the context of (cross-organizational) service-oriented architectures (SOA). In particular, we defined a domain-specific language (DSL) for role-based access control (RBAC) that allows for the definition of IAM policies for SOAs. For the application in a SOA context, our DSL environment automatically produces WS-BPEL (Business Process Execution Language for Web services) specifications from the RBAC models defined in our DSL. We use the WS-BPEL extension mechanism to annotate parts of the process definition with directives concerning the IAM policies. At deployment time, the WS-BPEL process is instrumented with special activities which are executed at runtime to ensure its compliance to the IAM policies. The algorithm that produces extended WS-BPEL specifications from DSL models is described in detail. Thereby, policies defined via our DSL are automatically mapped to the implementation level of a SOA-based business process. This way, the DSL decouples domain experts' concerns from the technical details of IAM policy specification and enforcement. Our approach thus enables (non-technical) domain experts, such as physicians or hospital clerks, to participate in defining and maintaining IAM policies in a SOA context. Based on a prototype implementation we also discuss several performance aspects of our approach.

References

[1]

M. Alam, M. Hafner, and R. Breu. A constraint based role based access control in the SECTET a model-driven appro- ach. In Int. Conf. on Privacy, Security and Trust, 2006.

Digital Library

[2]

D. Basin, J. Doser, and T. Lodderstedt. Model driven security: From UML models to access control infrastruc- tures. ACM Transactions on Software Engineering Methodology, 15:39--91, 2006.

Digital Library

[3]

B. Carminati and E. Ferrari. AC-XML documents: improving the performance of a web access control module. In 10th ACM SACMAT, pages 67--76, 2005.

Digital Library

[4]

D. F. Ferraiolo and D. R. Kuhn. Role-Based Access Controls. In 15th National Computer Security Conference, 1992.

[5]

D. F. Ferraiolo, D. R. Kuhn, and R. Chandramouli. Role- Based Access Control. Artech House, second edition, 2007.

Digital Library

[6]

O. Garcia-Morchon and K. Wehrle. Efficient and context-aware access control for pervasive medical sensor networks. In IEEE Int. Conf. on Pervasive Computing and Communications Workshops, pages 322 --327, April 2010.

[7]

B. Hicks, S. Rueda, D. King, T. Moyer, J. Schiffman, Y. Sreenivasan, P. McDaniel, and T. Jaeger. An architecture for enforcing end-to-end access control over web applications. In 15th ACM SACMAT, pages 163--172, 2010.

Digital Library

[8]

V. Koufi, F. Malamateniou, and G. Vassilacopoulos. A Mediation Framework for the Implementation of Context- Aware Access Control in Pervasive Grid-Based Healthcare Systems. In 4th Int. Conf. on Advances in Grid and Pervasive Computing, pages 281--292, 2009.

Digital Library

[9]

D. Kulkarni and A. Tripathi. Context-aware role-based access control in pervasive computing systems. In 13th ACM SACMAT, pages 113--122, 2008.

Digital Library

[10]

N. Li, Q. Wang, W. Qardaji, E. Bertino, P. Rao, J. Lobo, and D. Lin. Access control policy combining: theory meets practice. In 14th ACM SACMAT, pages 135--144, 2009.

Digital Library

[11]

D. Lin, P. Rao, E. Bertino, N. Li, and J. Lobo. Policy decomposition for collaborative access control. In 13th ACM SACMAT, pages 103--112, 2008.

Digital Library

[12]

P. Mazzoleni, B. Crispo, S. Sivasubramanian, and E. Bertino. XACML Policy Integration Algorithms. ACM Transactions on Information System Security, 11:4:1--4:29, February 2008.

Digital Library

[13]

M. Memon, M. Hafner, and R. Breu. SECTISSIMO: A Platform-independent Framework for Security Services. In Modeling Security Workshop at MODELS '08, 2008.

[14]

T. Mens and P. V. Gorp. A Taxonomy of Model Transformation. Electronic Notes in Theoretical Computer Science, 152:125--142, 2006.

Digital Library

[15]

M. Mernik, J. Heering, and A. Sloane. When and How to Develop Domain-Specific Languages. ACM Computing Surveys, 37(4):316--344, December 2005.

Digital Library

[16]

A. Mourad, S. Ayoubi, H. Yahyaoui, and H. Otrok. New approach for the dynamic enforcement of Web services security. In 8th Int. Conf. on Privacy Security and Trust, pages 189 --196, 2010.

[17]

B. Neuman and T. Ts'o. Kerberos: an authentication service for computer networks. Communications Magazine, IEEE, 32(9):33--38, Sept. 1994.

Digital Library

[18]

OASIS. eXtensible Access Control Markup Language. http://docs.oasis-open.org/xacml/2.0, 2005.

[19]

OASIS. Metadata for the OASIS Security Assertion Markup Language (SAML). http://docs.oasis-open.org/security/saml/ v2.0/saml-metadata-2.0-os.pdf, 2005.

[20]

OASIS. Security Assertion Markup Language. http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0- os.pdf, March 2005.

[21]

OASIS. Web Services Security: SOAP Message Security 1.1. http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os- SOAPMessageSecurity.pdf, 2006.

[22]

OASIS. Web Services Business Process Execution Language. http://docs.oasis-open.org/wsbpel/2.0/OS, 2007.

[23]

F. Paci, E. Bertino, and J. Crampton. An Access-Control Framework for WS-BPEL. Int. J. f. Web Services Research, 5(3):20--43, 2008.

[24]

M. P. Papazoglou, P. Traverso, S. Dustdar, and F. Leymann. Service-Oriented Computing: State of the Art and Research Challenges. Computer, 40(11):38--45, 2007.

Digital Library

[25]

A. Pashalidis and C. J. Mitchell. A taxonomy of single sign-on systems. In 8th Australasian Conference on Information Security and Privacy, pages 249--264, 2003.

Digital Library

[26]

W. rong Jih, S. you Cheng, J. Y. jen Hsu, and T. ming Tsai. Context-aware access control in pervasive healthcare. In EEE Workshop: Mobility, Agents, and Mobile Services, 2005.

[27]

R. Sandhu, E. Coyne, H. Feinstein, and C. Youman. Role- based access control models. Computer, 29(2):38 --47, 1996.

Digital Library

[28]

D. C. Schmidt. Model-Driven Engineering -- Guest Editor's Introduction. Computer, 39(2), February 2006.

Digital Library

[29]

B. Selic. The Pragmatics of Model-Driven Development. IEEE Software, 20(5), 2003.

Digital Library

[30]

S. Sendall and W. Kozaczynski. Model Transformation: The Heart and Soul of Model-Driven Software Development. IEEE Software, 20(5), 2003.

Digital Library

[31]

H. Skogsrud, B. Benatallah, and F. Casati. Model-Driven Trust Negotiation for Web Services. IEEE Internet Computing, 7:45--52, November 2003.

Digital Library

[32]

D. Spinellis. Notable design patterns for domain-specific languages. J. of Systems and Software, 56(1):91--99, 2001.

Digital Library

[33]

T. Stahl and M. Völter. Model-Driven Software Development. John Wiley & Sons, 2006.

Digital Library

[34]

M. Strembeck. A Role Engineering Tool for Role-Based Access Control,. In 3rd Symposium on Requirements Engineering for Information Security, 2005.

[35]

M. Strembeck. Scenario-driven Role Engineering. IEEE Security & Privacy, 8(1), January/February 2010.

Digital Library

[36]

M. Strembeck and J. Mendling. Modeling Process-related RBAC Models with Extended UML Activity Models. Information and Software Technology, 53(5), May 2011.

Digital Library

[37]

M. Strembeck and G. Neumann. An Integrated Approach to Engineer and Enforce Context Constraints in RBAC Environ- ments. ACM Trans. on Inf. and System Security, 7(3), 2004.

Digital Library

[38]

M. Strembeck and U. Zdun. An Approach for the Systematic Development of Domain-Specific Languages. Software: Practice and Experience (SP&E), 39(15), October 2009.

Digital Library

[39]

C. Wolter, M. Menzel, A. Schaad, P. Miseldine, and C. Meinel. Model-driven business process security requirement specification. J. Syst. Archit., 55:211--223, 2009.

Digital Library

[40]

World Wide Web Consortium (W3C). XML Signature Syntax and Processing. http://www.w3.org/TR/xmldsig-core/, 2008.

[41]

U. Zdun and M. Strembeck. Modeling Composition in Dynamic Programming Environments with Model Trans- formations. In 5th Int. Sym. on Software Composition, 2006.

Digital Library

[42]

U. Zdun and M. Strembeck. Reusable Architectural Decisions for DSL Design: Foundational Decisions in DSL Projects. In 14th European Conference on Pattern Languages of Programs (EuroPLoP), July 2009.

Cited By

Verginadis YPatiniotakis IGouvas PMantzouratos SVeloudis SSchork SSeitzluwig LParaskakis IMentzas G(2022)Context-Aware Policy Enforcement for PaaS-Enabled Access ControlIEEE Transactions on Cloud Computing10.1109/TCC.2019.292734110:1(276-291)Online publication date: 1-Jan-2022
https://doi.org/10.1109/TCC.2019.2927341
Maksuti SBicaku AZsilak MIvkic IPeceli BSingler GKovacs KTauber MDelsing J(2021)Automated and Secure Onboarding for System of SystemsIEEE Access10.1109/ACCESS.2021.31022809(111095-111113)Online publication date: 2021
https://doi.org/10.1109/ACCESS.2021.3102280
Sobh T(2019)Identity management using SAML for mobile clients and Internet of ThingsJournal of High Speed Networks10.3233/JHS-19060625:1(101-126)Online publication date: 19-Feb-2019
https://doi.org/10.3233/JHS-190606
Show More Cited By

Index Terms

An integrated approach for identity and access management in a SOA context
1. Security and privacy
  1. Security services
    1. Access control
  2. Systems security
    1. Operating systems security
2. Software and its engineering
  1. Software organization and properties
    1. Software system structures
      1. Distributed systems organizing principles
        Organizing principles for web applications

Recommendations

Introducing Dynamic Identity and Access Management in Organizations
ICISS 2015: Proceedings of the 11th International Conference on Information Systems Security - Volume 9478

Efficient and secure management of access to resources is a crucial challenge inï źtoday's corporate IT environments. During the last years, introducing company-wide Identity and Access Management IAM infrastructures building on the Role-based Access ...
A network access control approach based on the AAA architecture and authorization attributes

Network access control mechanisms constitute an increasingly needed service, when communications are becoming more and more ubiquitous thanks to some technologies such as wireless networks or Mobile IP. This paper presents a particular scenario where ...
A Web Service Architecture for Decentralised Identity- and Attribute-Based Access Control
ICWS '09: Proceedings of the 2009 IEEE International Conference on Web Services

The loosely coupled nature of Service-oriented Architectures raises the question how information for access control can be managed in an efficient way. Several specifications for Web Services exist to describe security requirements and to facilitate a ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

SACMAT '11: Proceedings of the 16th ACM symposium on Access control models and technologies

June 2011

196 pages

ISBN:9781450306881

DOI:10.1145/1998441

General Chair:
Ruth Breu
University of Innsbruck, Austria
,
Program Chairs:
Jason Crampton
Royal Holloway, University of London, UK
,
Jorge Lobo
IBM, USA

Copyright © 2011 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 15 June 2011

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

SACMAT '11

Sponsor:

SIGSAC

SACMAT '11: 16th ACM Symposium on Access Control Models and Technologies

June 15 - 17, 2011

Innsbruck, Austria

Acceptance Rates

Overall Acceptance Rate 177 of 597 submissions, 30%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

17
Total Citations
View Citations
663
Total Downloads

Downloads (Last 12 months)24
Downloads (Last 6 weeks)3

Reflects downloads up to 04 Oct 2024

Other Metrics

View Author Metrics

Citations

Cited By

Verginadis YPatiniotakis IGouvas PMantzouratos SVeloudis SSchork SSeitzluwig LParaskakis IMentzas G(2022)Context-Aware Policy Enforcement for PaaS-Enabled Access ControlIEEE Transactions on Cloud Computing10.1109/TCC.2019.292734110:1(276-291)Online publication date: 1-Jan-2022
https://doi.org/10.1109/TCC.2019.2927341
Maksuti SBicaku AZsilak MIvkic IPeceli BSingler GKovacs KTauber MDelsing J(2021)Automated and Secure Onboarding for System of SystemsIEEE Access10.1109/ACCESS.2021.31022809(111095-111113)Online publication date: 2021
https://doi.org/10.1109/ACCESS.2021.3102280
Sobh T(2019)Identity management using SAML for mobile clients and Internet of ThingsJournal of High Speed Networks10.3233/JHS-19060625:1(101-126)Online publication date: 19-Feb-2019
https://doi.org/10.3233/JHS-190606
Ayoubi SMourad AOtrok HShahin A(2018)New XACML-AspectBPEL approach for composite web services securityInternational Journal of Web and Grid Services10.1504/IJWGS.2013.0541099:2(127-145)Online publication date: 21-Dec-2018
https://dl.acm.org/doi/10.1504/IJWGS.2013.054109
Mourad AAyoubi SYahyaoui HOtrok H(2018)A novel aspect-oriented BPEL framework for the dynamic enforcement of web services securityInternational Journal of Web and Grid Services10.1504/IJWGS.2012.0515268:4(361-385)Online publication date: 21-Dec-2018
https://dl.acm.org/doi/10.1504/IJWGS.2012.051526
Gu TLu MLi L(2018)Runtime Models for Analysing and Evaluating Quality Attributes of Self-Adaptive Software: A Survey2018 12th International Conference on Reliability, Maintainability, and Safety (ICRMS)10.1109/ICRMS.2018.00020(52-61)Online publication date: Oct-2018
https://doi.org/10.1109/ICRMS.2018.00020
Hummer WGaubatz PStrembeck MZdun UDustdar S(2018)Enforcement of entailment constraints in distributed service-based business processesInformation and Software Technology10.1016/j.infsof.2013.05.00155:11(1884-1903)Online publication date: 30-Dec-2018
https://dl.acm.org/doi/10.1016/j.infsof.2013.05.001
Szvetits MZdun U(2018)Systematic literature review of the objectives, techniques, kinds, and architectures of models at runtimeSoftware and Systems Modeling (SoSyM)10.1007/s10270-013-0394-915:1(31-69)Online publication date: 21-Dec-2018
https://dl.acm.org/doi/10.1007/s10270-013-0394-9
Hoisl BSobernig SStrembeck M(2018)Modeling and enforcing secure object flows in process-driven SOAsSoftware and Systems Modeling (SoSyM)10.1007/s10270-012-0263-y13:2(513-548)Online publication date: 21-Dec-2018
https://dl.acm.org/doi/10.1007/s10270-012-0263-y
Sackmann SKuehnel SSeyffarth T(2018)Using Business Process Compliance Approaches for Compliance Management with Regard to Digitization: Evidence from a Systematic Literature ReviewBusiness Process Management10.1007/978-3-319-98648-7_24(409-425)Online publication date: 11-Aug-2018
https://doi.org/10.1007/978-3-319-98648-7_24
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents