Menzel, Michael; Wolter, Christian; Meinel, Christoph
Proceedings of the 11th International Conference on Business Information Systems (BIS 2008)
The seamless composition of independent services is one of the success factors of Service-oriented Architectures (SOA). Services are orchestrated to service compositions across organizational boundaries to enable a faster reaction to changing business needs. Each orchestrated service might demand the provision of specific user information and requires particular security mechanisms. To enable a dynamic selection of services provided by foreign organizations, a central management of static security policies is not appropriate. Instead, each service should express its own security requirements as polices that stipulate explicitly the requirements of the composition. In this paper we address the problem of aggregating security requirements from orchestrated services. Such an aggregation is not just the combination of all security requirements, since dependencies and conflicts between these requirements might exist. We provide a classification of these dependencies and introduce a conceptional security model enabling a classification of security requirements to reveal conflicts. Finally, we propose an approach to determine an aggregation of security requirements in cross organizational service compositions.