Identity Attribute-Based Role Provisioning for Human WS-BPEL Processes


The WS-BPEL specification focuses on business processes the activities of which are assumed to be interactions with Web services. However, WS-BPEL processes go beyond the orchestration of activities exposed as Web services. There are cases in which people must be considered as additional participants to the execution of a process. The inclusion of humans, in turn, requires solutionsto support the specification and enforcement of authorizations to users for the execution of human activities while enforcing authorization constraints.In this paper, we extend RBAC-WS-BPEL, a role-based authorization framework for WS-BPEL processes with an identity attribute-based role provisioning approach that preserves the privacy of the users who claim the execution of human activities. Such approach is based on the notion of identity records and role provisioning policies, and uses Pedersen commitments, aggregated zero knowledge proof of knowledge, andOblivious Commitment-Based Envelope protocols to achieve privacy of user identity information.


role, access control, privacy, identity attributes

Date of this Version



ICWS '09 Proceedings of the 2009 IEEE International Conference on Web Services