An Access Control Framework for Business Processes for Web Services

Business Processes for Web Services are the new paradigm for the lightweight integration of business from different enterprises. Whereas the security and access control policies for basic web services and distributed systems are well studied and almost standardized, there is not yet a comprehensive proposal for an access control architecture for business processes. The major issue is that a business process describe complex services that cross organizational boundaries and are provided by entities that see each other as just partners and nothing else. This calls for a number of differences with traditional aspects of access control architectures such as Credential vs classical user-based access control, Cnteractive and partner-based vs one-server-gathers-all requests of credentials from clients, Controlled disclosure of information vs all-or-nothing access control decisions, Abducing missing credentials for fulfilling requests vs deducing entailment of valid requests from credentials i...