IRMJ01mcmanus
BibTeX
@MISC{Wang_irmj01mcmanus,
author = {Harry J Wang and Hsing K Cheng and J Leon Zhao and Jtravers},
title = {IRMJ01mcmanus},
year = {}
}
Abstract
With the dramatic expansion of global e-markets, companies collaborate more and more in order to streamline their supply chains. Companies often form coalitions to reach the critical mass required to bid on a large volume or wide ranges of products. Meanwhile, they also compete with one another for market shares. Because of the complex relationships among companies, controlling the access to shared information found in e-markets is a challenging task. Currently, there is a lack of a comprehensive approach to access control that can be used to maintain data security in e-markets. We propose to integrate several known access control mechanisms, such as role-based access control, coalition-based access control, and relationship-driven access control, into an e-market access control (EMAC) model. In this paper, we present a web services based architecture for EMAC and the associated concepts and algorithms. We also illustrate via an automotive e-market example how the EMAC model can support e-market access control.
Keywords: access control; data security; e-market; inter-organizational workflow; web services
greater than the GDP of Sweden
As e-markets develop and offer more advanced services, many serious challenges have been presented. Among those challenges, security has been highlighted as a critical issue that must be dealt with for e-markets' attractiveness and profitability. Businesses generally perform controls over the internal use of their business processes.
In the e-market environment, this controlled access must be extended to outside the company boundaries
Although there have been many research efforts in access control in the recent years
In e-markets, the need to interoperate multiple types of systems has risen due to the increased level of connectivity and increased complexity of the data types
LITERATURE REVIEW
Task-based access control uses tasks as an important parameter for access control and authorization
Kang, Park and Froscher (2001) suggested that as more businesses engage in globalization and as inter-organizational collaborative computing grows in importance, the access control requirements for inter-organizational workflow must be met by new access control solutions in a multi-organizational environment. Their proposal emphasized the separation of inter-organizational workflow security from concrete organization level security enforcement. Further, they described workflow-based access control requirements such as dynamic constraints, fine-grained and context-based access control, and the need to insulate inter-organizational workflows from organization level changes. The role domain was introduced as an interface between workflows and organization-specific security infrastructure.
In B2B e-commerce environments, particularly e-markets, companies form alliances to improve operational efficiency and gain competitive advantages, and meanwhile these companies compete with one another for market shares. The dynamic and complex relationships among companies impose more access control requirements for the shared resources in e-markets, as addressed by the relationship-driven access control (RDAC) model (Zhao, Wang, Huang and Chen, 2002). RDAC states that the access decision for certain shared resources is based on the relationship between the access requester company and the owner company of the shared resources.
For instance, company X can set an access control policy on its shared e-catalog that any company can see the quantity of the product but only buyer companies can see the price. Here, "buyer companies" is no longer a static role as defined in the role-based access control model. Instead, it represents the dynamic and bidirectional relationship between companies. Therefore, a role-based access control model is not sufficient for access control of shared e-market data. For the same reason, the extended RBAC models like TBAC and CBAC are not sufficient either.
The complexity of various trading functions and dynamic company relationships require e-markets to enforce security authorization constraints that are more complex than those found in each of the aforementioned access control models. Therefore, we propose an EMAC model by integrating all these specialized access control models to satisfy the needs of e-markets. In this paper, we provide guidelines for designing an access control infrastructure in e-markets, and propose a web services enabled architecture and the associated techniques based on emerging web services security standards. To the best of our knowledge, the EMAC model is the first comprehensive access control model specially designed for e-markets.
E-MARKET ACCESS CONTROL MODEL
Relationship Hierarchy in E-Markets
Company relationships are important for managing security in an e-market because a company determines information sharing policies based on its relationships with other companies. The first type of relationship is between roles and their companies. Roles have been used as the basic way of authorizing users to access certain information. In the literature, a role is a semantic abstraction of specific job competency within a company
[International Journal of Web Services Research, 1(1), 21-40, Jan-Mar 2004]
domain; in this case, roles in one security domain have to be correctly recognized and mapped to another security domain.
The second type of relationship is between two companies. As shown, complex relationships among companies exist. For example, Company 1 is a supplier of Company 2, because Company 1 sells product P1 to Company 2. At the same time, Company 1 is also a buyer of product P2 from Company 2. Company 1 and Company 3 are identified as competitors on P1, because both of them sell the same product P1 to a third party, which is Company 2 in this case. In sum, companies can have multiple relationships between one another.
The third type of relationship is based on the membership of the company in coalitions. In e-markets, small companies often form strategic coalitions to reach the critical mass required to bid on a large volume or wide ranges of products. These coalitions are frequently formed and dissolved as company objectives change. Companies can choose not to join coalitions or to join any number of coalitions. For example, Company 1 participates in both Manufacturing Supplies Coalition and Raw Materials Coalition, while Company 2 is not a member of any coalitions as shown in
The fourth type of relationship is based on the membership of the company in e-markets. E-markets are often closed to companies that are not members. Sometimes only registration is required to become a member, while in other cases companies have to be invited by an existing member or go through a qualification process to get into e-markets (eMarket Service, 2002). Each coalition member company has to register independently to join the e-market regardless of whether the coalition is a member of the e-market.
Figure 1 also illustrates that shared resources in an e-market are classified into three categories: market-owned resources, coalition-owned resources, and company-owned resources. Market-owned resources include all the trading services and facilities, which are open to all market participating companies subject to certain regulations.
Coalition-owned resources are shared among coalition member companies, but access to them is also subject to certain access control rules. For instance, a coalition could have various classes of membership with varying privileges. Company-owned resources can be accessed by the company's employees and by the users of other companies according to certain authorization constraints. Coalition-owned resources and company-owned resources can be stored either by e-markets or by coalitions and companies or both. Take the e-catalog as an example. Companies can upload their e-catalogs to e-markets or they can host their e-catalogs and only provide links for e-markets to redirect e-catalog access requests.
The Specification of EMAC Model
The basic elements and functions on which EACL is based are defined in
Figure 3. Basic Elements and Functions for E-market Access Control Language (EACL)
CA ⊆ C × CO, a many-to-many company-to-coalition assignment relation.
PA ⊆ P × R & P × T & P × C & P × CO, a many-to-many permission assignment relation, which can be permission-to-role, permission-to-task, permission-to-company or permission-to-coalition.
CT = types of classification, {"role", "task", "company", "relationship", "coalition"}.
RH ⊆ R × R, role hierarchy.
CR ⊆ C × C, company relationships.
WF ⊆ 2^T, workflows constituted by a set of tasks.
CLS ⊆ R & T & C & CR & CO, classification of an object.
UA ⊆ U × R, a many-to-many user-to-role assignment relation.
TA ⊆ R × T, a many-to-many role-to-task assignment relation.
RA ⊆ R × C, a many-to-one role-to-company assignment relation.
Authorization Constraints
Given the complex relationships in e-markets and various ways of sharing resources, advanced authorization constraints that are more sophisticated than those in existing access control models must be enforced. Being an important aspect of access control, authorization constraints have been extensively studied.
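An added example, not code from the paper: a minimal Python sketch of a relationship-driven access decision over the Figure 3 relations (CR, CA, UA, RA, CLS), using the Company 1/2/3 trading example and the quantity/price e-catalog policy described above. Company C4, the user and role names, the rebate and forecast attributes, and the rule that every constraint on an attribute must hold are assumptions made for illustration.

```python
# Constructed facts mirroring the page's example companies (C4 is hypothetical).
SALES = {("C1", "C2", "P1"), ("C2", "C1", "P2"), ("C3", "C2", "P1")}  # (seller, buyer, product)
MEMBERS = {"C1", "C2", "C3"}            # companies registered in the e-market
CA = {("C1", "RawMaterials"), ("C1", "ManufacturingSupplies"), ("C4", "RawMaterials")}
UA = {("ann", "purchaser"), ("bo", "clerk"), ("cy", "analyst"), ("di", "purchaser4")}
RA = {"purchaser": "C2", "clerk": "C2", "analyst": "C3", "purchaser4": "C4"}  # many-to-one

# CLS for Company 1's P1 e-catalog: attribute -> constraints as (CT type, value).
OWNER = "C1"
CLS = {
    "quantity": [],                                    # any member company
    "price": [("relationship", "buyer")],              # the page's RDAC policy
    "rebate": [("relationship", "buyer"), ("role", "purchaser")],
    "forecast": [("coalition", "RawMaterials")],
}

def relationships(requester, owner):
    """Derive CR from SALES: every way `requester` relates to `owner`."""
    rel = set()
    for seller, buyer, product in SALES:
        if seller == owner and buyer == requester:
            rel.add("buyer")
        if seller == requester and buyer == owner:
            rel.add("supplier")
        # Both sell the same product to the same third party.
        if seller == owner and requester != owner and (requester, buyer, product) in SALES:
            rel.add("competitor")
    return rel

def company_of(user):
    """Resolve a user's company through UA then RA; None if unassigned or ambiguous."""
    firms = {RA[r] for u, r in UA if u == user and r in RA}
    return firms.pop() if len(firms) == 1 else None

def authorize(user, attribute):
    """Default deny; non-members are rejected; all constraints must hold."""
    company = company_of(user)
    if company not in MEMBERS or attribute not in CLS:
        return False
    roles = {r for u, r in UA if u == user}
    checks = {
        "relationship": lambda v: v in relationships(company, OWNER),
        "coalition": lambda v: (company, v) in CA and (OWNER, v) in CA,
        "role": lambda v: v in roles,
    }
    return all(checks[kind](value) for kind, value in CLS[attribute])
```

Company 2 comes out as both buyer and supplier of Company 1, which is the case a static role cannot express; C4 shares a coalition with the owner but is denied because it never registered with the e-market.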
As one of the basic security constraints, separation of duty (SOD) was known and practiced long before the existence of computers. The goal of SOD is to reduce the possibility for fraud or significant errors by partitioning the tasks and associated privileges so that cooperation of multiple users is required to complete sensitive tasks
This authorization process is sequential while the exact sequence of Step 2 to Step 5 depends on the authorization decision maker's policy. The pseudo code of the EMAC authorization process is given next.
An Illustrative Example
Next, we use an example to illustrate how the EMAC model works. We can use the following query to get an object's classification constraints information (for ease of presentation, we select names instead of IDs):
We use the companies in
Before sharing their e-catalogs, the e-market requires participating companies to classify all the attributes in the e-catalog according to EMAC authorization constraints. User
WEB SERVICES ENABLED EMAC ARCHITECTURE
First of all, cross-company process automation is a fundamental function provided by an e-market. Within an individual company, a workflow management system (WFMS) is usually implemented to streamline the business processes. It defines, creates and manages the execution of workflows, interacts with workflow participants and, where required, invokes the use of IT tools and applications. According to the EMAC model, role- and task-related information is required to enforce related constraints and can be acquired from the WFMS. But in an e-market, different companies may have different WFMSs, and achieving interoperability among different WFMSs becomes a critical and challenging issue.
Second, companies have different access control policies and security systems. In e-markets, these access control policies need to be exchanged and understood by trading partners' security systems.
Therefore, how to make disparate security systems communicate with one another imposes another challenge for the e-market access control architecture. For example, as we have shown, relationships between companies are important for data security in e-markets. But how the relationship information is maintained and where it should be stored are interesting questions. In general, it is not appropriate for the e-market to serve as a centralized relationship information repository, although this method is easy to manage and implement. Because business relationship information is crucial and often top secret for companies, companies are reluctant to let third parties, like e-markets, manage this information. The new e-market access control architecture must support security information exchanges between heterogeneous security systems in order to be successful.
Built on existing and emerging standards such as HTTP, Extensible Markup Language (XML), Simple Object Access Protocol (SOAP), Web Services Description Language (WSDL) and Universal Description, Discovery and Integration (UDDI), web services allow business functions to be loosely integrated between companies more rapidly, easily and less expensively than ever before. They also provide a unifying programming model so that application integration inside and outside the company can be done with a common approach, leveraging a common infrastructure. The integration and application of web services can be done in an incremental manner by using existing languages and platforms and by adopting existing legacy applications (Kreger 2001). These characteristics make web services the ideal enabling technology for our e-market access control architecture. As shown in
Layer 1 is an inter-organizational workflow composed of tasks wrapped as web services that interface with the private workflows for the companies involved.
Based on van der Aalst's definition of various forms of interoperability of inter-organizational workflow, this layer is typically loosely coupled (van der Aalst, 1999). In this layer, business processes are exchanged among business partners with different process execution environments as described in