Web services access control architecture incorporating trust

Abstract

PurposeThis paper seeks to investigate how the concept of a trust level is used in the access control policy of a web services provider in conjunction with the attributes of users.Design/methodology/approachA literature review is presented to provide background to the progressive role that trust plays in access control architectures. The web services access control architecture is defined.FindingsThe architecture of an access control service of a web service provider consists of three components, namely an authorisation interface, an authorisation manager, and a trust manager. Access control and trust policies are selectively published according to the trust levels of web services requestors. A prototype highlights the incorporation of a trust level in the access control policy as a viable solution to the problem of web services access control, where decisions of an autonomous nature need to be made, based on information and evidence.Research limitations/implicationsThe WSACT architecture addresses the selective publication of policies. The implementation of sophisticated policy‐processing points at each web service endpoint, to automatically negotiate about policies, is an important element needed to complement the architecture.Practical implicationsThe WSACT access control architecture illustrates how access control decisions can be made autonomously by including a trust level of web services requestors in an access control policy.Originality/valueThe WSACT architecture incorporates the trust levels of web services requestors and the attributes of users into one model. This allows web services providers to grant advanced access to the users of trusted web services requestors, in contrast with the limited access that is given to users who make requests through web services requestors with whom a minimal level of trust has been established.