Definition of Action and Attribute Based Access Control Rules for Web Services

Access control has been found to be one of the effective ways of insuring that only authorized users have access to the information resources to perform their job function. The overall objective of any access control policy rule is to define, sensitive information may be disclosed when, why, how and to whom. In one hand resources should be protected against unauthorized access and in the other hand it should be available for authorized use. Separation of duties (SoD) is a security principle that has been used extensively to prevent conflict of interest, fraud and error control in organizations. In recent years many IT organizations have struggled to identify potential SoD violations within their IT systems. Since new technologies such as SOA widely used in IT systems, in this article we describe two access control model: most recently used which is RBAC model and most suitable for SOA environment which is ABAC and compare them in SoD Issue with an example. We show that failure to capture a business requirement for SoD, and then poor rule definitions can lead to violation. Hence we propose an approach for defining rules, based on subject, resource, environment attributes and the action that would be performed.