Purpose – To define a framework for access control for virtual applications, enabled through web services technologies. The framework supports the loosely coupled manner in which web services are shared between partners.
Design/methodology/approach – A background discussion on relevant literature, with an example is used to illustrate the problem that exists. To enable access control composition, an extension is proposed to authorisation specification language, together with publication of access control requirements of a web service provider.
Findings – The framework shows that loosely coupled access control can be made possible by making use of the standard manner in which messages are communicated in XML, and by composing assertions with the access control policy of the provider in a consistent manner. Access to web service methods is only granted if permission can be derived for it, where the derivation step forms a formal proof.
Research limitations/implications – A basic framework has been defined. An architecture to support it must be defined. Only a very basic level of access control composition has been illustrated.
Practical implications – The publication of access control requirements in standards such as WS-Policy can be considered.
Originality/value – This paper offers a practical approach to address access control for web services.