Model-Driven Development of Access Control Policies for Web Services

Web service-oriented architecture (WSOA) is a promising paradigm for future software development. Necessary identity management (IdM) architectures for WSOA are just being prepared to enable fine-grained access control. With the loose coupling of Web services with crosscutting identity services the question arises how to develop access control policies for Web services. In this paper we present a model-driven approach defining access control policies which are independent from the IdM architecture to which they are later applied. Therefore we develop a platform-independent access control model for WSOA and derive a platform-specific model from a given IdM product. We show how to map both models to a concrete language. Access control policies are then defined using our platform-independent language and transformed to platform-specific policies using explicitly defined transformation rules. We present a case study that applies our approach.