Abstract. The situation in engineering security for Web services that access databases is as follows: on the one hand, specifications like WS-Security address security management for Web services, while on the other hand well-established access control mechanisms exist in commercial database systems. In handling security for services that rely on database systems, two extreme approaches can currently be observed: the database-centric one, where access control decisions are left to the DBMS, and the service-centric authorization approach. The service-centric approach requires the Web service to run under an account of the database system provider with comprehensive privileges, since operations like queries and updates have to be executed on behalf of all service users; authorization then has to be enforced by the service itself. If the access control policies of a service are defined independently of the database policies, authorization mismatches are likely to be induced. In our new approach we bridge this gap between DBMS authorization and Web service access control by supporting reliable and adaptable access control engineering. The policies of the DBMS constitute the basis for the authorization of Web services: they are automatically extracted and then refined by additional conditions. As a final step, it must be verified that the service policies do not grant more permissions than the database policies do, thus ensuring reliable service execution.
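The three-step procedure the abstract outlines (extract the DBMS policy, refine it with service-level conditions, verify that the service policy never grants more than the database does), as an added example that is not code from the paper. The GRANT statements, the role `svc_orders`, the table names, and the row-level predicates are constructed assumptions for illustration only:

```python
import re
from dataclasses import dataclass

# Constructed sample input: GRANT statements as a DBA might dump them for the
# role the Web service connects as. Role, table and privilege names are
# assumptions for this example, not taken from the paper.
SAMPLE_GRANTS = """
GRANT SELECT, INSERT ON orders TO svc_orders;
GRANT SELECT ON customers TO svc_orders;
GRANT SELECT, UPDATE, DELETE ON orders TO dba_role;
"""

# Matches one "GRANT p1, p2 ON [TABLE] t TO r;" statement (simplified grammar).
GRANT_RE = re.compile(
    r"GRANT\s+(?P<privs>[A-Za-z_]+(?:\s*,\s*[A-Za-z_]+)*)\s+ON\s+(?:TABLE\s+)?"
    r"(?P<table>\w+)\s+TO\s+(?P<role>\w+)\s*;",
    re.IGNORECASE,
)


def extract_db_policy(grant_sql):
    """Step 1: extract the DBMS policy as role -> {(table, PRIVILEGE)}."""
    policy = {}
    for m in GRANT_RE.finditer(grant_sql):
        table, role = m.group("table").lower(), m.group("role").lower()
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        policy.setdefault(role, set()).update((table, p) for p in privs)
    return policy


@dataclass(frozen=True)
class ServiceOperation:
    """A service operation: the (table, PRIVILEGE) pairs its SQL needs, plus
    an additional service-level condition that can only narrow access."""
    name: str
    needs: frozenset
    condition: str = ""


def refine(db_policy, role, conditions):
    """Step 2: derive the service policy from the extracted DBMS privileges
    of `role`, attaching the service-level condition for each table (an
    assumed table -> predicate mapping). One operation per (table, privilege).
    """
    return [
        ServiceOperation(f"{priv.lower()}_{table}", frozenset({(table, priv)}),
                         conditions.get(table, ""))
        for table, priv in sorted(db_policy.get(role, set()))
    ]


def verify(service_ops, db_policy, role):
    """Step 3: return every (operation, (table, PRIVILEGE)) the service
    policy requires but the DBMS never granted to `role`. An empty list means
    the service policy grants no more than the database policy does."""
    granted = db_policy.get(role, set())
    return [(op.name, need) for op in service_ops
            for need in sorted(op.needs) if need not in granted]


# Service-level refinements: the caller may only see or insert its own rows.
# The predicate text is an assumption about the service's data model.
CONDITIONS = {"orders": "orders.customer_id = :caller_id",
              "customers": "customers.id = :caller_id"}

# A hand-written service operation a developer might add later; it needs
# DELETE, which the DBMS policy above never grants to svc_orders.
CANCEL_ORDER = ServiceOperation("cancel_order", frozenset({("orders", "DELETE")}),
                                CONDITIONS["orders"])


def check_service_policy(grant_sql=SAMPLE_GRANTS, extra_ops=()):
    """Run all three steps for svc_orders; returns (service_ops, violations)."""
    db_policy = extract_db_policy(grant_sql)
    service_ops = refine(db_policy, "svc_orders", CONDITIONS) + list(extra_ops)
    return service_ops, verify(service_ops, db_policy, "svc_orders")


if __name__ == "__main__":
    ops, violations = check_service_policy(extra_ops=[CANCEL_ORDER])
    for op in ops:
        print(op.name, sorted(op.needs), op.condition or "(no condition)")
    print("violations:", violations)  # [('cancel_order', ('orders', 'DELETE'))]
```

Because a service-level condition is a predicate conjoined to the database's own grant, it can only restrict what the role already holds; the one way a service policy can exceed the DBMS policy is by requiring a privilege the role was never granted, which is exactly what `verify` reports. In a real deployment the GRANT text would come from the catalog (for example `information_schema.table_privileges`) rather than a dump, and the check would run before the service is allowed to start.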