| Abstract: | Enterprises are rapidly extending their relatively stable and internally-oriented business processes and applications with
loosely-coupled enterprise software services in order to support highly dynamic, cross-organizational business processes.
These services are no longer solely based on internal enterprise systems, but often implemented, deployed and executed by
diverse, external service providers. The ability to dynamically configure cross-organizational business processes with a mixture
of internal and external services imposes new security requirements on existing security models.
In this paper, we address the problem of defining and enforcing access control rules for securing service invocations in the
context of a business process. For this purpose, we amortize existing role-based access control models that allow for dynamic
delegation and retraction of authorizations. Authorizations are assigned on an event-driven basis, implementing a push-based
interaction protocol between services. This novel security model is entitled the Event-driven Framework for Service Oriented
Computing (EFSOC). In addition, this article presents an experimental prototype that is explored using a realistic case study.
This work has been partially funded by the Netherlands Organization for Scientific Research (NWO) as part of the PRONIR project.
Recommended by: Asuman Dogac |
