________________________________________________________________________________________________
Author Addresses:
M. Coetzee, School of Information Technology, Technikon Witwatersrand, PO Box 17011, Doornfontein, 2028, South Africa;
mcoetzee@mail.twr.ac.za.
J.H.P. Eloff, Department of Computer Science, University of Pretoria, Pretoria, 0002, South Africa, eloff@cs.up.ac.za
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that the copies are
not made or distributed for profit or commercial advantage, that the copies bear this notice and the full citation on the first page. Copyrights for
components of this work owned by others than SAICSIT or the ACM must be honoured. Abstracting with credit is permitted. To copy otherwise, to
republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or a fee.
© 2003 SAICSIT

Proceedings of SAICSIT 2003, Pages 285 – 294
Virtual Enterprise Access Control Requirements

M. COETZEE
Technikon Witwatersrand

and

J.H.P. ELOFF
University of Pretoria
________________________________________________________________________________________________

Current developments in IT point towards the formation of loosely coupled enterprises, often referred to as virtual enterprises. These enterprises
require both secure and flexible collaboration between unrelated information systems. Web services technology can be used as an ideal platform for
realising virtual enterprises throughh their ease of integration, flexibility, and support of XML vocabularies. To ensure the successful implementation
of Web services within virtual enterprises, new approaches to security are required. Together with authentication, access control has been seen as a
pillar of IT security approaches. The focus of this paper will be to determine requirements that could play a role when the access control policies of
such enterprises are defined.

Categories and Subject Descriptors: C.2 [Computer Systems Organization]: General – Security and protection, H.4 [Information Systems
Applications]: Communications Applications - Internet; I..7 [Document and Text Processing]: Document preparation – Mark-up languages K.4
[Computers and Society]: Electronic Commerce - Security
General Terms: Design, Management, Security, Standardization
Additional Key Words and Phrases: SOAP, XML, access control, Web services, virtual enterprises, B2B, roles, trust, federation
________________________________________________________________________________________________


1. INTRODUCTION
In an era of rapid technological development and increasing competition, enterprises co-operate in new and
innovative ways. A virtual enterprise is an example of such innovation. It is defined as a network of independent,
geographically dispersed entities with a partial mission overlap. All contributors such as distributors, suppliers,
physically distributed management, staff and independent business partners provide their own core competencies and
the co-operation is based on semi-stable relations [Bultje 1998]. B2B relationships can, in effect, be considered virtual
enterprises, with stringent requirements for security, auditability, availability, service-level agreements and complex
transaction processing flows.
Virtual enterprises are by definition flexible, dynamic and responsive. Web services can be an ideal platform for
realising virtual enterprises [Khoshafian 2002]. A Web service is an autonomous, well-defined, standards-based
component that can be accessed via established Web-based protocols. This allows Web services to enable the dynamic
assembly of business functionality, across loosely coupled heterogeneous platforms. As providers of Web services
concentrate on their field of expertise, more sophisticated systems can be created. The technologies that Web services
use, such as HTTP and SOAP (Simple Object Access Protocol), are readily available to enterprises, with WSDL (Web
Service Definition Language) allowing a flexible binding to the actual run-time execution of a Web service.
The variety of business partners that interact within a virtual enterprise necessitates strict requirements for security.
A single transaction can often be distributed across multiple organizations, each of which may have its own
authentication and authorization schemes. In order to support virtual enterprises, authentication and authorization
security services must be extensible across and beyond enterprise boundaries.
The focus of this paper will be to provide access control policy requirements for virtual enterprises, implemented
with Web services architectures. This paper will be structured as follows: Section 2 will provide a background to related
work. Section 3 will address a virtual enterprise access control policy, where we propose a list of ten requirements that
should be considered when such a policy is defined. Section 4 will conclude the paper.

2. RELATED WORK

286 M Coetzee and J Eloff


Proceedings of SAICSIT 2003
In the past, distributed environments were in the same physical or logical location. In contrast, Web services allow
virtual enterprise partners to interact with others, at distant, independent locations. Network-based security models,
which emphasize perimeter defences such as firewalls and intrusion detection, may not provide sufficient protection to
virtual enterprise resources. A shift may be required to a data- and application-based view of security, where security
services such as authentication and access control play an important role.
Even with such a shift, traditional centralized access control models and practices cannot solve the distributed nature
of Web services access control requirements. Access control ensures that every access to a system and its resources is
controlled, and that only authorized accesses can take place [Samarati 2000]. This requires that the security policy,
security model and security mechanisms that enforce access control be defined. In distributed environments such as
virtual enterprises, access control becomes more complicated, as the security policy, security model and security
mechanisms have to be defined within security domains of various independent business partners, and be enforced in an
integrated manner as required. As the independence of participating security domains has to be considered, the list of
access control requirements to be addressed becomes more comprehensive.
When access control requirements are initially defined, consideration should be given to identity management
between business partners that are in relationships of trust, as all access control decisions are based on the identity of the
requesting subject. Policy transfer between disparate security systems is required to allow access control rules from
various authorities to be enforced together. This requires the ability to separate policies from mechanisms to allow a
policy to be enforced by different mechanisms at policy enforcement points. With the proliferation of policies across
domains, policy management becomes necessary. There is a need for new policy enforcement mechanisms that support
granular access control across heterogeneous data and application environments. Flexible access control decisions are
required, and dynamic composition of policy rules are an ideal to pursue. To allow the dynamic participation of various
business partners, standardization of access control implementations will allow ease of integration between independent
security domains. These issues need to be addressed by the access control policy requirements we aim to define here.
Access control developments of virtual enterprises are not isolated, but may be influenced by developments in the
security community at large. A literature review has shown that many of the issues mentioned here have been addressed
in architectures and technologies that provide some of the basic infrastructure to implement distributed access control.
Four categories of such developments have been identified. They are security policy specification approaches,
distributed security architectures, policy management architectures and standards-based solutions. To provide a
background to access control requirements for virtual enterprises, these categories will be discussed in the following
paragraphs.

2.1 Security policy specification approaches
A major drawback of existing access control systems is that they have all been developed with a specific access
control policy in mind. Recent developments in access control specification include languages and graphical approaches
that are able to specify different access control policies in a single framework. This can allow interoperation among
different information systems while preserving the security requirements of individual systems.
Such a formal framework and a logic-based language, ASL (Authorization Specification Language) [Jajodia 1997],
was presented by Jajodia et al. [Jajodia 2001]. ASL is a formal logic language for specifying access control policies by
using stratified clause form logic. The major advantage of this approach is that it can be used to specify different access
control policies that can all coexist in the same system and be enforced by the same security server. The language has
been shown to be capable of supporting a variety of access control models [Mishra 2001]. Authorizations are stated
with cando rules. The following are examples of rules stated in ASL. The first rule states that members of the role
Customer may read file1. The second rule states that subjects who are active in role Employee, but not in role
Customer, may write to file2.
cando(file1, Customer, +read) ← .
cando(file2, s, +write) ← in(s, Employee) & ¬ in(s, Customer)

A very different approach is LaSCO [Hoagland 1998], a graphical approach for specifying security constraints on
objects. Policies defined in LaSCO have the appearance of conditional statements used to express authorisations
between objects in the system and are stated as policy graphs. A policy graph is an annotated directed graph where the
annotations are domain and requirement predicates. This is more human-legible than logic-based languages. For
example, the following policy graph indicates that a Customer needs to have his/her ID represented by the policy
variable $UID included in ($UID ∈ ACL) the access control list of file1 in order to have access to it.

Method=’access’ Type=’record/file’&&
Name=’file1’ &&
ACL=$ACL


($UID ∈ ACL)
Type=’Customer’&&
ID=$UID