• DocumentCode
    561229
  • Title

    A parameterized RBAC access control model for WS-BPEL orchestrated composite web services

  • Author

    Nassr, Nezar ; Steegmans, Eric

  • Author_Institution
    Dept. Comput. Sci. & Eng., Katholieke Univ. Leuven, Leuven, Belgium
  • fYear
    2011
  • fDate
    11-14 Dec. 2011
  • Firstpage
    122
  • Lastpage
    127
  • Abstract
    In complex environments, multiple web services are needed to interoperate together. Web Services Business Process Execution Language (WS-BPEL) has become the de facto standard for orchestrating composite web services. Unfortunately, WS-BPEL bypasses some business mandatory security requirements such as authentication and authorization. However, there have been some initiatives to address the authorization-bypass security vulnerability in WS-BPEL through integration with access control models such as RBAC. However, the RBAC models used lack expressiveness in role definitions and in roles to permissions mappings. More so, the architectures proposed use sequential authorization that is inefficient for long-running business processes. In this paper, we extend the parameterized RBAC model and integrate it with WS-BPEL. The new extended parameterized RBAC model for WS-BPEL provides restriction of access up to the level of the variables of the business process. We also provide a new algorithm for authorization enforcement that addresses limitations of existing WS-BPEL authorization architectures.
  • Keywords
    Web services; authorisation; business data processing; specification languages; WS-BPEL orchestrated composite Web service; Web services business processing execution language; authentication requirement; authorization requirement; authorization-bypass security vulnerability; business mandatory security requirement; business process; parameterized RBAC access control model; role-based access control; sequential authorization; Authorization; Organizations; Process control; Web services; Parameterized RBAC; WS-BPEL; access control; composite web services; web services security;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Internet Technology and Secured Transactions (ICITST), 2011 International Conference for
  • Conference_Location
    Abu Dhabi
  • Print_ISBN
    978-1-4577-0884-8
  • Type

    conf

  • Filename
    6148364