Heiko Klarl

An Access Control Metamodel for Web Service-Oriented Architecture

With the mutual consent to use WSDL (Web Service Description Language) to describe web service interfaces and SOAP as the basic communication protocol, the cornerstone for web service-oriented architecture (WSOA) has been established. Considering the momentum observable by the growing number of specifications in the web service domain for the indispensable cross-cutting concern of identity management (IdM) it is still an open issue how a WSOA-aware IdM architecture is built and how it is linked with WSOAs main elements, the web services providing functional core concerns. In this paper we present an access control model for WSOA and a blueprint of a WSOA- aware authorization verification service which is part of the IdM architecture. We show the integration of this service with WSOA consisting of both basic and composite web services. Our solution has been tested and evaluated in an implementation case study.

An MDA-Based Environment for Generating Access Control Policies

Identity management and access control are essential in the enterprise IT landscape in order to control access to applications and to fulfil laws or regulations. The global competition of enterprises leads to short development cycles and fast changes of IT applications, which requires also an error-free and quick adaption of its security. The model-driven development of access control policies promises to cope with this situation. This work introduces an mda-based environment for generating access control policies. A comprehensive overview is given on the organisational aspects, describing details of roles, artefacts and tools involved. On this basis the four phases of a model-driven development process for access control policies and their organisational aspects are presented.

Securing Service-Oriented and Event-Driven Architectures Results of an Evaluation of Enterprise Security Frameworks

With the emerging trend to (re) design IT-systems as service-oriented and event-driven architectures new security paradigms are required. This position paper describes the various threats and measures against them. On this base evaluation results of securing a business process are presented. An outlook on research work on combining model-driven techniques and security requirements on a higher modeling level concludes the paper