BPEL4RBAC: An Authorisation Specification for WS-BPEL

  • Xin Wang
  • Yanchun Zhang
  • Hao Shi
  • Jian Yang
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5175)


Business process management is designed to make business activities and trade easier and more cost-effective. Increasing business integration and legal requirements raise the need for secure business processes. However, the open and distributed nature of inter-organisational business processes exposes them to more security breaches. Although WS-BPEL is a widely accepted standard, it provides no support for protecting business processes, even when the participating organisations already have working security policies. To address this problem, we have developed BPEL4RBAC, an authorisation specification for WS-BPEL. It consists of the BPEL4RBAC access control model together with an extension to WS-BPEL, the BPEL4RBAC policy language; with these, a secure WS-BPEL process becomes achievable. The former introduces access control into the business process environment, while the latter represents the authorisation information within WS-BPEL.
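The abstract describes BPEL4RBAC as an access control model plus a policy language that carries authorisation information inside a WS-BPEL process. The following Python is an added illustration of that idea, not the paper's model, its policy language or code from the authors: a toy enforcement point reads role assignments, a role hierarchy and a static separation-of-duty constraint from a hypothetical `auth:` extension (namespace `urn:example:bpel-authz`, invented here) embedded in a constructed WS-BPEL 2.0 process, and permits or denies each annotated activity. Only the WS-BPEL 2.0 namespace is real; the extension vocabulary, users, roles and activities are assumptions.

```python
# Added example: a toy RBAC enforcement point for WS-BPEL activities. NOT the
# paper's BPEL4RBAC model or syntax; the auth: vocabulary is hypothetical.
import xml.etree.ElementTree as ET
from collections import defaultdict

BPEL_NS = "http://docs.oasis-open.org/wsbpel/2.0/process/executable"  # real WS-BPEL 2.0 namespace
AUTH_NS = "urn:example:bpel-authz"  # hypothetical extension namespace (assumption)

# Constructed sample process: each <invoke> names the role allowed to run it;
# <auth:policy> holds assignments, a hierarchy and a static SoD constraint.
SAMPLE_PROCESS = f"""
<process name="purchase" xmlns="{BPEL_NS}" xmlns:auth="{AUTH_NS}">
  <auth:policy>
    <auth:roleAssignment user="alice" role="clerk"/>
    <auth:roleAssignment user="bob" role="manager"/>
    <auth:roleAssignment user="carol" role="auditor"/>
    <auth:roleHierarchy senior="manager" junior="clerk"/>
    <auth:separationOfDuty roles="clerk auditor"/>
  </auth:policy>
  <sequence>
    <invoke name="createOrder" auth:role="clerk"/>
    <invoke name="approveOrder" auth:role="manager"/>
    <invoke name="auditOrder" auth:role="auditor"/>
  </sequence>
</process>
"""

class RbacPolicy:
    """RBAC policy read from the process; raises ValueError if it is inconsistent."""

    def __init__(self, process_xml):
        root = ET.fromstring(process_xml)
        pol = root.find(f"{{{AUTH_NS}}}policy")
        if pol is None:
            raise ValueError("process carries no authorisation policy")
        self.user_roles = defaultdict(set)  # user -> directly assigned roles
        for ra in pol.findall(f"{{{AUTH_NS}}}roleAssignment"):
            self.user_roles[ra.get("user")].add(ra.get("role"))
        self.juniors = defaultdict(set)  # senior role -> roles it inherits from
        for rh in pol.findall(f"{{{AUTH_NS}}}roleHierarchy"):
            self.juniors[rh.get("senior")].add(rh.get("junior"))
        self.sod_sets = [set(s.get("roles").split())
                         for s in pol.findall(f"{{{AUTH_NS}}}separationOfDuty")]
        self.activity_role = {}  # activity name -> role required to execute it
        for act in root.iter():
            required = act.get(f"{{{AUTH_NS}}}role")
            if required is not None and act.get("name"):
                self.activity_role[act.get("name")] = required
        self._check_static_sod()

    def effective_roles(self, user):
        """Direct roles plus every role reachable downward through the hierarchy."""
        seen, stack = set(), list(self.user_roles.get(user, ()))
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.juniors.get(role, ()))
        return seen

    def _check_static_sod(self):
        # Static SoD: no user may hold, directly or by inheritance, two roles
        # from one mutually exclusive set. Checked once, when the policy loads.
        for user in list(self.user_roles):
            for exclusive in self.sod_sets:
                clash = self.effective_roles(user) & exclusive
                if len(clash) > 1:
                    raise ValueError(f"static SoD violated: {user} holds {sorted(clash)}")

    def authorise(self, user, activity):
        """Permit only if the activity is annotated and the user holds its role."""
        required = self.activity_role.get(activity)
        if required is None:
            return False  # fail closed: unknown or unannotated activities never run
        return required in self.effective_roles(user)

def policy_is_consistent(process_xml):
    """True if the embedded policy loads without violating its SoD constraints."""
    try:
        RbacPolicy(process_xml)
        return True
    except ValueError:
        return False

def run_process(policy, steps):
    """Step through (activity, user) pairs in order, stopping at the first denial."""
    decisions = []
    for activity, user in steps:
        permitted = policy.authorise(user, activity)
        decisions.append((activity, user, permitted))
        if not permitted:
            break
    return decisions

if __name__ == "__main__":
    policy = RbacPolicy(SAMPLE_PROCESS)
    steps = [("createOrder", "alice"), ("approveOrder", "bob"), ("auditOrder", "carol")]
    for activity, user, ok in run_process(policy, steps):
        print(f"{activity:13} by {user:6}: {'permit' if ok else 'deny'}")
```

Two design points worth noting. Activities without an authorisation annotation are denied rather than allowed, so a process author cannot bypass the policy by omitting an attribute. The separation-of-duty check is evaluated over effective roles, so a hierarchy that lets a senior role inherit both members of an exclusive pair is rejected at load time; dynamic separation of duty (the same person must not perform two activities within one process instance) would additionally need per-instance execution history, which this example does not keep.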





Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Xin Wang (1)
  • Yanchun Zhang (1)
  • Hao Shi (1)
  • Jian Yang (2)
  1. School of Computer Science and Mathematics, Victoria University, Australia
  2. Department of Computing, Macquarie University, Sydney, Australia
