{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,2]],"date-time":"2025-08-02T17:54:02Z","timestamp":1754157242600,"version":"3.41.2"},"reference-count":31,"publisher":"Emerald","issue":"3","license":[{"start":{"date-parts":[[2007,6,12]],"date-time":"2007-06-12T00:00:00Z","timestamp":1181606400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2007,6,12]]},"abstract":"<jats:sec><jats:title content-type=\"abstract-heading\">Purpose<\/jats:title><jats:p>This paper seeks to investigate how the concept of a trust level is used in the access control policy of a web services provider in conjunction with the attributes of users.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Design\/methodology\/approach<\/jats:title><jats:p>A literature review is presented to provide background to the progressive role that trust plays in access control architectures. The web services access control architecture is defined.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Findings<\/jats:title><jats:p>The architecture of an access control service of a web service provider consists of three components, namely an authorisation interface, an authorisation manager, and a trust manager. Access control and trust policies are selectively published according to the trust levels of web services requestors. A prototype highlights the incorporation of a trust level in the access control policy as a viable solution to the problem of web services access control, where decisions of an autonomous nature need to be made, based on information and evidence.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Research limitations\/implications<\/jats:title><jats:p>The WSACT architecture addresses the selective publication of policies. The implementation of sophisticated policy\u2010processing points at each web service endpoint, to automatically negotiate about policies, is an important element needed to complement the architecture.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Practical implications<\/jats:title><jats:p>The WSACT access control architecture illustrates how access control decisions can be made autonomously by including a trust level of web services requestors in an access control policy.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Originality\/value<\/jats:title><jats:p>The WSACT architecture incorporates the trust levels of web services requestors and the attributes of users into one model. This allows web services providers to grant advanced access to the users of trusted web services requestors, in contrast with the limited access that is given to users who make requests through web services requestors with whom a minimal level of trust has been established.<\/jats:p><\/jats:sec>","DOI":"10.1108\/10662240710758939","type":"journal-article","created":{"date-parts":[[2007,6,19]],"date-time":"2007-06-19T11:00:05Z","timestamp":1182250805000},"page":"291-305","source":"Crossref","is-referenced-by-count":7,"title":["Web services access control architecture incorporating trust"],"prefix":"10.1108","volume":"17","author":[{"given":"Marijke","family":"Coetzee","sequence":"first","affiliation":[]},{"given":"J.H.P.","family":"Eloff","sequence":"additional","affiliation":[]}],"member":"140","reference":[{"key":"key2022032020042973500_b1","unstructured":"AMZI (2005), AMZI product page, available at: www.amzi.com\/ (accessed 10 September 2005)."},{"key":"key2022032020042973500_b2","unstructured":"Atkinson, B., Della\u2010Libera, G., Hada, S., Hondo, M., Hallam\u2010Baker, P., Kaler, C., Klein, J., LaMacchia, B., Leach, P., Manferdelli, J., Maruyama, H., Nadalin, A., Nagaratnam, N., Prafullchandra, H., Shewchuk, J. and Simon, D. (2002), Web Services Security (WS\u2010Security), Version 1.0, 5 April, available at: www.verisign.com\/wss\/wss.pdf (accessed 10 March 2003)."},{"key":"key2022032020042973500_b3","doi-asserted-by":"crossref","unstructured":"Bacon, J. and Moody, K. (2002), \u201cToward open, secure, widely distributed services\u201d, Communications of the ACM, Vol. 45 No. 6, pp. 59\u201064.","DOI":"10.1145\/508448.508475"},{"key":"key2022032020042973500_b4","unstructured":"Ballinger, K., Box, D., Curbera, F., Davanum, S., Ferguson, D., Graham, S. and Liu, K. (2004), Web Services Metadata Exchange (WS\u2010MetadataExchange), available at: ftp:\/\/www6.software.ibm.com\/software\/developer\/library\/WS\u2010MetadataExchange.pdf."},{"key":"key2022032020042973500_b5","doi-asserted-by":"crossref","unstructured":"Barkat, B. and Siyal, M.Y. (2002), \u201cA novel trust service provider for Internet based commerce applications\u201d, Internet Research, Vol. 12 No. 1, pp. 55\u201065.","DOI":"10.1108\/10662240210415826"},{"key":"key2022032020042973500_b6","unstructured":"Bertino, E., Mevi, D. and Squicciarini, A. (2004), \u201cA fine\u2010grained access control model for web services\u201d, Proceedings of the 2004 IEEE International Conference on Services Computing (SCC'04), pp. 33\u201040."},{"key":"key2022032020042973500_b7","doi-asserted-by":"crossref","unstructured":"Biskup, J. and Wortmann, S. (2004), \u201cTowards a credential\u2010based implementation of compound access control policies, SACMAT 2004\u201d, paper presented at 9th ACM Symposium on Access Control Models and Technologies, Yorktown Heights, New York, USA, 2\u20104 June.","DOI":"10.1145\/990036.990042"},{"key":"key2022032020042973500_b8","doi-asserted-by":"crossref","unstructured":"Blaze, M., Feigenbaum, J., Ioannidis, J. and Keromytis, A. (1999), The KeyNote Trust management System, version 2, IETF, RFC 3704, September.","DOI":"10.17487\/rfc2704"},{"key":"key2022032020042973500_b9","unstructured":"Cahill, V., Jensen, C.D., Chen, Y., Gray, E. and Seigneur, J. (2004), SECURE Framework Architecture (Beta), available at: www.cs.tcd.ie\/publications\/tech\u2010reports\/reports.04\/TCD\u2010CS\u20102004\u201007.pdf."},{"key":"key2022032020042973500_b10","unstructured":"Cantor, S., Kemp, J., Maler, E. and Philpott, R. (Eds) (2005), SAML 2.0, available at: http:\/\/docs.oasis\u2010open.org\/security\/saml\/v2.0\/."},{"key":"key2022032020042973500_b11","doi-asserted-by":"crossref","unstructured":"Coetzee, M. and Eloff, J.H.P. (2004), \u201cTowards web services access control\u201d, Computers and Security, Vol. 23 No. 7.","DOI":"10.1016\/j.cose.2004.05.006"},{"key":"key2022032020042973500_b12","doi-asserted-by":"crossref","unstructured":"Coetzee, M. and Eloff, J.H.P. (2005), \u201cAutonomous trust for web services\u201d, Internet Research, Vol. 15 No. 5, pp. 498\u2010507.","DOI":"10.1108\/10662240510629448"},{"key":"key2022032020042973500_b13","doi-asserted-by":"crossref","unstructured":"Coetzee, M. and Eloff, J.H.P. (2006), \u201cA framework for web services trust, SEC2006\u201d, paper presented at 21st IFIP International Information Security Conference \u201cSecurity and privacy in dynamic environments\u201d, Karlstad University, Karlstad, Sweden, 22\u201024 May 2006.","DOI":"10.1007\/0-387-33406-8_7"},{"key":"key2022032020042973500_b14","doi-asserted-by":"crossref","unstructured":"Damiani, E., De Capitani Di Vimercati, S., Paraboschi, S. and Samarati, P. (2001), \u201cFine\u2010grained access control for SOAP e\u2010services\u201d, Proceedings of the 10th International World Wide Web Conference (WWW10), Hong Kong, 1\u20105 May.","DOI":"10.1145\/371920.372152"},{"key":"key2022032020042973500_b15","unstructured":"Godik, S., Moses, T., Anderson, A., Parducci, B., Adams, C., Flinn, D., Brose, G., Lockhart, H., Beznosov, K., Kudo, M., Humenn, P., Andersen, S. and Crocker, S. (2003), XACML 1.0 Specification, available at: www.oasis\u2010open.org\/committees\/tc_home.php?wg_abbrev=xacml (accessed 10 February 2004)."},{"key":"key2022032020042973500_b16","doi-asserted-by":"crossref","unstructured":"Gottschalk, K., Graham, S., Kreger, H. and Snell, J. (2002), \u201cIntroduction to web services architecture\u201d, IBM Systems Journal, Vol. 41 No. 2.","DOI":"10.1147\/sj.412.0170"},{"key":"key2022032020042973500_b17","unstructured":"Guerin, R., Pendarakis, D. and Yavatkar, R. (2000), RFC 2753 \u2013 a framework for policy\u2010based admission control, available at: www.faqs.org\/rfcs\/rfc2753.html (accessed 6 June 2005)."},{"key":"key2022032020042973500_b18","unstructured":"Hess, A., Jacobson, J., Mills, H., Wamsley, R., Seamons, K.E. and Smith, B. (2002), \u201cAdvanced client\/server authentication in TLS\u201d, Proceedings: Network and Distributed System Security Symposium, San Diego, California, 6\u20108 February 2002."},{"key":"key2022032020042973500_b19","unstructured":"ISO (1996), ISO 10181\u20103 Access Control Framework, available at: http:\/\/iso.nocrew.org\/iso\/en\/CatalogueDetailPage.CatalogueDetail? csnumber=18199 (accessed 10 November 2006)."},{"key":"key2022032020042973500_b20","unstructured":"Jajodia, S., Samarati, P. and Subramanian, V.S. (1997), \u201cA logical language for expressing authorisations\u201d, Proceedings of the 1997 IEEE Symposium on Security and Privacy, Oakland, CA."},{"key":"key2022032020042973500_b21","doi-asserted-by":"crossref","unstructured":"Koshutanski, H. and Massacci, F. (2003), \u201cAn access control framework for business processes for web services\u201d, Proceedings of the 2003 ACM Workshop on XML Security, Fairfax, VA.","DOI":"10.1145\/968559.968562"},{"key":"key2022032020042973500_b22","doi-asserted-by":"crossref","unstructured":"Li, N. and Mitchell, J.C. (2003), \u201cDatalog with constraints: a foundation for trust\u2010management languages\u201d, Proceedings of the Fifth International Symposium on Practical Aspects of Declarative Languages (PADL 2003), Vol. 2562 of Lecture Notes in Computer Science, Springer\u2010Verlag, New York, NY, pp. 58\u201073.","DOI":"10.1007\/3-540-36388-2_6"},{"key":"key2022032020042973500_b23","doi-asserted-by":"crossref","unstructured":"Lopez, J., Ma\u00f1a, A. and Yag\u00fce, M. (2005), \u201cA metadata\u2010based access control model for web services\u201d, Internet Research, Vol. 15 No. 1, pp. 99\u2010116.","DOI":"10.1108\/10662240510577095"},{"key":"key2022032020042973500_b24","doi-asserted-by":"crossref","unstructured":"Miao, L., He\u2010Qing, G. and Jin\u2010Dian, S. (2005), \u201cAn attribute and role based access control model for web services\u201d, International Conference on Machine Learning and Cybernetics, Vol. 2, pp 1302\u20106.","DOI":"10.1109\/ICMLC.2005.1527144"},{"key":"key2022032020042973500_b26","unstructured":"MS ASP.NET (2005), ASP.NET resources, available at: http:\/\/msdn.microsoft.com\/asp.net (accessed 21 September 2005)."},{"key":"key2022032020042973500_b27","unstructured":"MS VB.NET (2005), Visual Basic resource, available at: http:\/\/msdn.microsoft.com\/vbasic\/default.aspx (accessed 21 September 2005)."},{"key":"key2022032020042973500_b28","doi-asserted-by":"crossref","unstructured":"Olson, L., Winslett, M., Tonti, G., Seeley, N., Uszok, A. and Bradshaw, J.M. (2006), \u201cTrust negotiation as an authorization service for web services\u201d, ICDE Workshops 2006, p. 21.","DOI":"10.1109\/ICDEW.2006.154"},{"key":"key2022032020042973500_b29","unstructured":"Rivest, R. and Lampson, B. (1996), \u201cSDSI \u2013 a simple distributed security infrastructure\u201d, October, available at: http:\/\/research.microsoft.com\/lampson\/59\u2010SDSI\/Webpage.html (accessed 21 September 2006)."},{"key":"key2022032020042973500_b30","doi-asserted-by":"crossref","unstructured":"Shen, H. and Hong, F. (2006), \u201cAn attribute\u2010based access control model for web services\u201d, Proceedings of the 7th International Conference on Parallel and Distributed Computing, Applications and Technologies, pp. 74\u20109.","DOI":"10.1109\/PDCAT.2006.28"},{"key":"key2022032020042973500_b31","unstructured":"Winslett, M. (2002), \u201cAn introduction to trust negotiation\u201d, in Nixon, P. and Terzis, S. (Eds), Proceedings of the First International Conference, iTrust Heraklion, Crete, Greece, 28\u201030 May, Springer\u2010Verlag, New York, NY."},{"key":"key2022032020042973500_b32","unstructured":"Wonohoesodo, R. and Tari, Z. (2004), \u201cA role based access control for web services\u201d, Services Computing, IEEE International Conference on (SCC'04), pp. 49\u201056."}],"container-title":["Internet Research"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.emeraldinsight.com\/doi\/full-xml\/10.1108\/10662240710758939","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/10662240710758939\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/10662240710758939\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,24]],"date-time":"2025-07-24T23:40:13Z","timestamp":1753400413000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/intr\/article\/17\/3\/291-305\/177364"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2007,6,12]]},"references-count":31,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2007,6,12]]}},"alternative-id":["10.1108\/10662240710758939"],"URL":"https:\/\/doi.org\/10.1108\/10662240710758939","relation":{},"ISSN":["1066-2243"],"issn-type":[{"type":"print","value":"1066-2243"}],"subject":[],"published":{"date-parts":[[2007,6,12]]}}}