Optimized Workflow Authorization in Service Oriented Architectures

  • Martin Wimmer
  • Martina-Cezara Albutiu
  • Alfons Kemper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3995)


Complex business processes are usually realized by specifying the integration and interaction of smaller modular software components. For example, hitherto monolithic enterprise resource planning systems (ERP) are decomposed into Web services which are then again orchestrated in terms of Web service workflows, bringing about higher levels of flexibility and adaptability. In general, such services constitute autonomous software components with their own dedicated security requirements. In this paper we present our approach for consolidating the access control of (Web service) workflows. The proposed security engineering method allows, first, to determine for whom workflows are executable from a privileges point of view, second, to assess compliance with the principle of least privilege, and, third, helps to reduce policy enforcement costs.


Access Control Business Process Service Orient Architecture Access Control Policy Enterprise Resource Planning 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bonatti, P., De Capitani di Vimercati, S., Samarati, P.: An Algebra for Composing Access Control Policies. ACM Trans. Inf. Syst. Secur. 5(1), 1–35 (2002)CrossRefGoogle Scholar
  2. 2.
    Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-Based Access Control Models. IEEE Computer 29(2), 38–47 (1996)CrossRefGoogle Scholar
  3. 3.
    ANSI INCITS 359-2004, Role Based Access Control. American National Standards Institute, Inc. (ANSI), New York, NY, USA (February 2004)Google Scholar
  4. 4.
    Thatte, S., et al.: Business Process Execution Language for Web Services version 1.1 (BPEL4WS 1.1) (May 2003),
  5. 5.
    Wimmer, M., Eberhardt, D., Ehrnlechner, P., Kemper, A.: Reliable and Adaptable Security Engineering for Database-Web Services. In: Koch, N., Fraternali, P., Wirsing, M. (eds.) ICWE 2004. LNCS, vol. 3140, pp. 502–515. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  6. 6.
    Rosenkrantz, D.J., Hunt, H.B.: Processing Conjunctive Predicates and Queries. In: Proc. of the Intl. Conf. on Very Large Data Bases (VLDB), Montreal, Canada, pp. 64–72 (October 1980)Google Scholar
  7. 7.
    Khalaf, R., Leymann, F.: On Web Services Aggregation. In: Benatallah, B., Shan, M.-C. (eds.) TES 2003. LNCS, vol. 2819, pp. 1–13. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  8. 8.
    Deutsche Gesellschaft für Medizinische Informatik, Biometrie und Epidemiologie e.V., AG Datenschutz in Gesundheitsinformationssystemen,
  9. 9.
    Altunay, M., Brown, D., Byrd, G.T., Dean, R.: Trust-Based Secure Workflow Path Construction. In: Benatallah, B., Casati, F., Traverso, P. (eds.) ICSOC 2005. LNCS, vol. 3826, pp. 502–515. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  10. 10.
    Huang, W.-K., Atluri, V.: SecureFlow: a Secure Web-enabled Workflow Management System. In: RBAC 1999: Proceedings of the 4th ACM Workshop on Role-based Access Control, pp. 83–94. ACM Press, New York (1999)Google Scholar
  11. 11.
    Bertino, E., Ferrari, E., Atluri, V.: The Specification and Enforcement of Authorization Constraints in Workflow Management Systems. ACM Trans. Inf. Syst. Secur. 2, 65–104 (1999)CrossRefGoogle Scholar
  12. 12.
    Bettini, C., Wang, X.S., Jajodia, S.: Temporal Reasoning in Workflow Systems. Distrib. Parallel Databases 11(3), 269–306 (2002)CrossRefMATHGoogle Scholar
  13. 13.
    Rits, M., Boe, B.D., Schaad, A.: Xact: a Bridge between Resource Management and Access Control in Multi-layered Applications. In: SESS 2005: Proceedings of the 2005 Workshop on Software Engineering for Secure Systems, pp. 1–7. ACM Press, New York (2005)Google Scholar
  14. 14.
    Rannenberg, K., Müller, G.: Security in Communications – Technology, Infrastructure, Economy. Addison-Wesley, Reading (1999)Google Scholar
  15. 15.
    Biskup, J., Leineweber, T., Parthe, J.: Administration Rights in the SDSD-System. In: Proceedings of the Seventeenth Annual Working Conference on Database and Application Security, Estes Park, Colorado, United States (August 2003)Google Scholar
  16. 16.
    Rabitti, F., Bertino, E., Kim, W., Woelk, D.: A Model of Authorization for Next-Generation Database Systems. ACM Trans. Database Syst. 16(1), 88–131 (1991)CrossRefGoogle Scholar
  17. 17.
    Fernandez, E.B., Gudes, E., Song, H.: A Model for Evaluation and Administration of Security in Object-Oriented Databases. IEEE Transactions on Knowledge and Data Engineering 6(2), 275–292 (1994)CrossRefGoogle Scholar
  18. 18.
    Moses, T., et al.: eXtensible Access Control Markup Language (XACML) version 2.0 (February 2005),
  19. 19.
    Anderson, A.: Core and Hierarchical Role Based Access Control RBAC Profile of XACML version 2.0 (September 2004),

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Martin Wimmer
    • 1
  • Martina-Cezara Albutiu
    • 1
  • Alfons Kemper
    • 1
  1. 1.Technische Universität MünchenGarching b. MünchenGermany

Personalised recommendations