Model-Driven Development of Access Control Policies for Web Services

Web service-oriented architecture (WSOA) is a promising paradigm for future software development. Necessary identity management (IdM) architectures for WSOA are just being prepared to enable fine-grained access control. With the loose coupling of Web services with cross-cutting identity services the question arises how to develop access control policies for Web services. In this paper we present a model-driven approach defining access control policies which are independent from the IdM architecture to which they are later applied. Therefore we develop a platform-independent access control model for WSOA and derive a platform-specific model from a given IdM product. We show how to map both models to a concrete language. Access control policies are then defined using our platform-independent language and transformed to platform-specific policies using explicitly defined transformation rules. We present a case study that applies our approach.