Consolidating the Access Control of Composite Applications and Workflows

  • Martin Wimmer
  • Alfons Kemper
  • Maarten Rits
  • Volkmar Lotz
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4127)


The need for enterprise application integration projects leads to complex composite applications. For the sake of security and efficiency, consolidated access control policies for composite applications should be provided. Such a policy is based on the policies of the corresponding autonomous sub-applications and has the following properties: On the one hand, it needs to be as restrictive as possible to block requests which do not comply with the integrated sub-applications’ policies. Thereby, unsuccessful executions of requests are prevented at an early stage. On the other hand, the composite policy must grant all necessary privileges in order to make the intended functionality available to legitimate users.

In this paper, we present our formal model and respective algorithmic solutions for consolidating the access control of composite applications. The generated policies conform to the presented requirements of the least privileges paradigm and, thus, allow to revise and optimize the access control of composite applications. We demonstrate this by means of Web service workflows that constitute the state of the art for the realization of business processes.


Access Control Business Process Access Control Policy Disjunctive Normal Form Role Base Access Control 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Wimmer, M., Albutiu, M.-C., Kemper, A.: Optimized Workflow Authorization in Service Oriented Architectures. In: Müller, G. (ed.) ETRICS 2006. LNCS, vol. 3995, pp. 30–44. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  2. 2.
    Bonatti, P., De Capitani di Vimercati, S., Samarati, P.: An Algebra for Composing Access Control Policies. ACM Transactions on Information and System Security (TISSEC) 5(1), 1–35 (2002)CrossRefGoogle Scholar
  3. 3.
    Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-Based Access Control Models. IEEE Computer 29(2), 38–47 (1996)CrossRefGoogle Scholar
  4. 4.
    ANSI INCITS 359-2004, Role Based Access Control. American National Standards Institute, Inc. (ANSI), New York, NY, USA (February 2004)Google Scholar
  5. 5.
    Nadalin, A., et al.: Web Services Secure Conversation Language (WS-SecureConversation) (February 2005),
  6. 6.
    Guo, S., Sun, W., Weiss, M.A.: Solving Satisfiability and Implication Problems in Database Systems. ACM Trans. Database Syst. 21(2), 270–293 (1996)CrossRefGoogle Scholar
  7. 7.
    Wijesekera, D., Jajodia, S.: A Propositional Policy Algebra for Access Control. ACM Transactions on Information and System Security (TISSEC) 6(2), 286–325 (2003)CrossRefGoogle Scholar
  8. 8.
    Jajodia, S., Samarati, P., Sapino, M.L., Subrahmanian, V.S.: Flexible Support for Multiple Access Control Policies. ACM Transactions on Information and System Security (TISSEC) 26(2), 214–260 (2001)zbMATHGoogle Scholar
  9. 9.
    Adam, N.R., Atluri, V., Huang, W.-K.: Modeling and Analysis of Workflows Using Petri Nets. Journal of Intell. Inf. Syst. 10(2), 131–158 (1998)CrossRefGoogle Scholar
  10. 10.
    Bettini, C., Wang, X.S., Jajodia, S.: Temporal Reasoning in Workflow Systems. Distrib. Parallel Databases 11(3), 269–306 (2002)CrossRefzbMATHGoogle Scholar
  11. 11.
    Gudes, E., Olivier, M.S., van de Riet, R.P.: Modelling, Specifying and Implementing Workflow Security in Cyberspace. Journal of Computer Security 7(4), 287–315 (1999)CrossRefGoogle Scholar
  12. 12.
    Huang, W.-K., Atluri, V.: SecureFlow: a Secure Web-enabled Workflow Management System. In: RBAC 1999: Proceedings of the 4th ACM Workshop on Role-based Access Control, pp. 83–94. ACM Press, New York (1999)Google Scholar
  13. 13.
    Atluri, V., Huang, W.-K., Bertino, E.: A Semantic-Based Execution Model for Multilevel Secure Workflows. Journal of Computer Security 8(1) (2000)Google Scholar
  14. 14.
    Bertino, E., Ferrari, E., Atluri, V.: The Specification and Enforcement of Authorization Constraints in Workflow Management Systems. ACM Trans. Inf. Syst. Secur. 2, 65–104 (1999)CrossRefGoogle Scholar
  15. 15.
    Rits, M., Boe, B.D., Schaad, A.: Xact: a Bridge between Resource Management and Access Control in Multi-layered Applications. In: SESS 2005: Proceedings of the 2005 Workshop on Software Engineering for Secure Systems, pp. 1–7. ACM Press, New York (2005)Google Scholar
  16. 16.
    Wimmer, M., Eberhardt, D., Ehrnlechner, P., Kemper, A.: Reliable and Adaptable Security Engineering for Database-Web Services. In: Koch, N., Fraternali, P., Wirsing, M. (eds.) ICWE 2004. LNCS, vol. 3140, pp. 502–515. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  17. 17.
    Advanced Technologies for interoperability of Heterogeneous Enterprise Networks and their Applications (ATHENA), European project. Project homepage:

Copyright information

© IFIP International Federation for Information Processing 2006

Authors and Affiliations

  • Martin Wimmer
    • 1
  • Alfons Kemper
    • 1
  • Maarten Rits
    • 2
  • Volkmar Lotz
    • 2
  1. 1.Technische Universität MünchenGarching b. MünchenGermany
  2. 2.SAP ResearchMouginsFrance

Personalised recommendations