CHARON - Sum up the facts

The SAC Architecture presented here constitutes a standards-based mechanism for access control in service networks. It gives a complete picture of what is necessary to equip service infrastructures with access control mechanisms while having minimal effect on service interaction. It includes a model for subject-related information that can serve as a basis for access control across security domains. Through this information model it supports PBAC (Policy Based Access Control), IBAC (Identity Based Access Control), RBAC (Role Based Access Control) and ABAC (Attribute Based Access Control), which lets designers meet arbitrary requirements for the entity on which a decision is based. Service developers do not need to consider SAC aspects, and the approach ensures backwards compatibility: an unsecured client can invoke service operations of a secured service, and vice versa. In line with work done in the OGC Security and DRM working groups, the SAC Architecture incorporates prominent OASIS security standards, with the additional benefit that security aspects such as message confidentiality and integrity are already covered by the OASIS security standard family. Tangible results of this work are a set of tools (proxy generator, adapter template, administration interface) and a set of service implementations that can be used to secure arbitrary web services. The work presented closes existing gaps in service-based environments.
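To make the two central claims concrete, one subject-information model serving identity-, role-, attribute- and policy-based decisions, and a proxy in front of the service that keeps unsecured clients working, here is an added sketch. It is illustrative code written for this summary, not CHARON or SAC project code: the rule shapes, the Subject fields, the token store, the map-service operation names and the choice to map a request without a security token to an anonymous subject are all assumptions made for the example.

```python
# Added example (not CHARON/SAC code): a minimal policy decision point that
# evaluates identity-, role-, attribute- and policy-based rules against one
# subject-information record, plus a proxy front end that maps requests
# without a security token to an anonymous subject so unsecured clients can
# still reach operations that are open to everyone. Rule shapes, field names,
# operation names and the sample policy are constructed for this sketch.
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Subject:
    """Subject-related information a proxy could derive from a security token."""
    identity: Optional[str]                 # None for an unauthenticated client
    roles: frozenset = frozenset()
    attributes: dict = field(default_factory=dict)


ANONYMOUS = Subject(identity=None)

Rule = Callable[[Subject, str], bool]      # (subject, operation) -> permit?


def ibac(allowed_identities: set) -> Rule:
    """Identity-based: permit any operation for the listed identities."""
    return lambda s, op: s.identity in allowed_identities


def rbac(role_operations: dict) -> Rule:
    """Role-based: role -> set of operations that role may invoke."""
    return lambda s, op: any(op in role_operations.get(r, ()) for r in s.roles)


def abac(attribute: str, expected, operations: set) -> Rule:
    """Attribute-based: permit the listed operations when an attribute matches."""
    return lambda s, op: op in operations and s.attributes.get(attribute) == expected


def pbac(policy: Callable[[Subject, str], bool]) -> Rule:
    """Policy-based: an arbitrary predicate over subject and operation."""
    return policy


def decide(rules, subject: Subject, operation: str) -> bool:
    """Permit iff at least one rule grants the operation; otherwise deny."""
    return any(rule(subject, operation) for rule in rules)


# Constructed sample policy for a secured map service.
RULES = [
    pbac(lambda s, op: op == "GetCapabilities"),           # open to everyone
    rbac({"viewer": {"GetMap"}, "editor": {"GetMap", "Transaction"}}),
    abac("organisation", "survey-office", {"GetFeature"}),
    ibac({"alice"}),                                       # full access
]

# Constructed token store; a real proxy would validate the token instead.
TOKENS = {
    "tok-bob": Subject("bob", frozenset({"viewer"}), {"organisation": "survey-office"}),
    "tok-alice": Subject("alice"),
}


def resolve_subject(token: Optional[str]) -> Optional[Subject]:
    """Map a token to its subject. A request without a token becomes ANONYMOUS
    (backwards compatibility); an unknown token is rejected, not downgraded."""
    if token is None:
        return ANONYMOUS
    return TOKENS.get(token)


def proxy_invoke(operation: str, token: Optional[str] = None) -> str:
    """Front-end proxy: decide first, then forward to the service or refuse."""
    subject = resolve_subject(token)
    if subject is None:
        return "denied: unknown token"
    if not decide(RULES, subject, operation):
        who = subject.identity or "anonymous"
        return f"denied: {who} may not {operation}"
    return f"forwarded: {operation}"


if __name__ == "__main__":
    for op, tok in [("GetCapabilities", None), ("GetMap", None),
                    ("GetFeature", "tok-bob"), ("Transaction", "tok-bob"),
                    ("Transaction", "tok-alice"), ("GetMap", "tok-eve")]:
        print(op, tok, "->", proxy_invoke(op, tok))
```

The service behind the proxy never sees any of this, which is the point of the proxy and adapter approach: the decision is made on subject information alone, and the default is deny. Note the distinction between a missing token (treated as anonymous so legacy clients keep working) and an invalid token (refused), which a proxy should never collapse into one case.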