Policy Conflict Detection in Composite Web Services with RBAC

In the Web services environment, RBAC (role-based access control) model is widely accepted as an efficient approach to manage the access control. By defining the authorization relationship between subject roles and object roles in the RBAC, authorization policies are utilized to simplify the authorization management on different Web services. But the scalability and complexity of composite Web services may cause authorization policy conflict. A new authorization policy added to the system may conflict with existing ones and result in authorization chaos and authorization leaking. And when implemented in the composite Web services, policy conflict detection would be of high cost with manually checking. That makes automatic policy conflict detection important to ensure the security of authorizations in the composited Web services. This paper analyzes the features of the authorization policy in the CWS-RBAC (RBAC for composite Web services) and presents methods of detecting policy conflict including subject role propagation conflict, object role composition conflict and context conflict. The experiment designed is to validate the efficiency of each conflict detection method.