From Business Process Choreography to Authorization Policies

  • Philip Robinson
  • Florian Kerschbaum
  • Andreas Schaad
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4127)


A choreography specifies the interactions between the resources of multiple collaborating parties at design time. The runtime management of authorization policies in order to support such a specification is however tedious for administrators to manually handle. By compiling the choreography into enhanced authorization policies, we are able to automatically derive the minimal authorizations required for collaboration, as well as enable and disable the authorizations in a just-in-time manner that matches the control flow described in the choreography. We have evaluated the advantage of this utility in a collaborative engineering scenario.


Access Control Business Process Access Control Model Policy Decision Point Authorization Policy 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Barros, A., Dumas, M., Oaks, P.: A Criticial Overview of the Web Services Choreography Description Language, BPTrends (2005)Google Scholar
  2. 2.
    Danesh, M.R., Jin, Y.: An Aggregated Value Model for Collaborative Engineering Decisions. In: Proceedings of the 5th ASME Design for Manufacturing Conference (2000)Google Scholar
  3. 3.
    Gould, A., Barker, S., Carver, E., Golby, D., Turner, M.: BAEgrid: From e-Science to e-Engineering. In: Proceedings of the UK e-Science All Hands Meeting (2003)Google Scholar
  4. 4.
    Harrison, M., Ruzzo, W., Ullman, J.: Protection in Operating Systems. Communications of the ACM 19(8) (1976)Google Scholar
  5. 5.
    Holbein, R., Teufel, S., Bauknecht, K.: The use of business process models for security design in organisations. In: Proceedings of SEC (1996)Google Scholar
  6. 6.
    Kang, M., Park, J., Froscher, J.: Access control mechanisms for inter-organizational workflow. In: Proceedings of the 6th ACM Symposium on Access Control Models and Technologies (2001)Google Scholar
  7. 7.
    Kavantzas, N., Burdett, D., Ritzinger, G., Fletcher, T., Lafon, Y., Barreto, C.: Web Services Choreography Description Language Version 1.0 (2005), available at:
  8. 8.
    Knorr, K.: Dynamic access control through Petri net workflows. In: Proceedings of the 16th Annual Computer Security Applications Conference (2000)Google Scholar
  9. 9.
    Mendling, J., Strembeck, M., Stermsek, G., Neumann, G.: An Approach to Extract RBAC Models from BPEL4WS Processes. In: Proceedings of the 13th IEEE International Workshops on Enabling Technologies (2004)Google Scholar
  10. 10.
    Robinson, P., Karabulut, Y., Haller, J.: Dynamic Virtual Organization Management for Service Oriented Enterprise Applications. In: Proceedings of IEEE CollaborateCom (2005)Google Scholar
  11. 11.
    Sandhu, R., Coyne, E., Feinstein, H., Youman, C.: Role-Based Access Control Models. IEEE Computer 29(2) (1996)Google Scholar
  12. 12.
    Samarati, P., di Vimercati, S.d.C.: Access Control: Policies, Models, and Mechanisms. In: Focardi, R., Gorrieri, R. (eds.) FOSAD 2000. LNCS, vol. 2171, p. 137. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  13. 13.
    Dimitrakos, T., Ristol, S., Wilson, M.: TrustCoM: A Trust and Contract Management Framework for Dymamic Virtual Organisations. ERCIM News Magazine (2004)Google Scholar
  14. 14.
    Thomas, R.: Team-Based Access Control (TMAC): A Primitive for Applying Role-Based Access Controls in Collaborative Environments. In: Proceedings of the 2nd ACM workshop on Role-basedAccess Control (1997)Google Scholar
  15. 15.
    Thomas, R., Sandhu, R.: Task-Based Authorization Controls (TBAC): A Family of Models for Active and Enterprise-Oriented Autorization Management. In: Proceedings of the IFIP 11th International Conference on Database Security (1998)Google Scholar
  16. 16.
    van der Aalst, W.M.P., Weske, M.:The P2P Approach to Interorganizational Workflows. LNCS. Springer, Heidelberg (2001)MATHGoogle Scholar
  17. 17.
    Yao, W., Moody, K., Bacon, J.: A Model of OASIS Role-Based Access Control and its Support for Active Security. In: Proceedings of 6th ACM Symposium on Access Control Models and Technologies (2001)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2006

Authors and Affiliations

  • Philip Robinson
    • 1
  • Florian Kerschbaum
    • 1
  • Andreas Schaad
    • 2
  1. 1.SAP ResearchKarlsruheGermany
  2. 2.SAP ResearchSophia AntipolisFrance

Personalised recommendations