The Internet and the World Wide Web (“Web”) have changed the landscape of information delivery and affected numerous aspects of life. One benefit of this technological development is the ability to conduct business transactions globally via the Internet. As the volume of commerce conducted over the network continues to increase, collections of business units or organizations are working together to pool resources and expertise in order to achieve common objectives. Organizations are sharing services and resources across enterprise boundaries in order to undertake collaborative projects and offer services that could not be provided by individual organizations.
A growing array of technologies has emerged to help bridge the gaps between people, time and geography in such collaborative environments. One such group of technologies is known collectively as “Web Services.” Web Services are governed by a set of protocols and standards for conducting commerce over the World Wide Web. The goal for Web Services is to provide a means for software systems to automatically find each other and interact over the World Wide Web. Technically, the “service” in the Web Services universe is a channel between two computers for the generation, manipulation and exchange of messages. Commercially, a service is the basic resource offered for exchange in online transactions.
Web Service protocols are based on the Extensible Markup Language (XML). An XML schema is a set of rules for storing data hierarchically in data objects called documents. The XML standards describe how a computer system running an XML execution engine should act when processing an XML document. Programmers can introduce data structures previously undefined by XML using compounds of existing data structures. These compound data structures can still be processed by a standard XML execution engine.
One particular application for Web Services is facilitating Virtual Organizations (VOs). VOs are a concept for forming collaborations between organizations, usually businesses. A consortium of more permanent organizations may wish to temporarily join together and share resources to produce a product or provide a service together that they could not do as fast or as well separately. A traditional way to form a collaboration is for the participants to create a jointly owned legal entity. However, this may be unattractive since such entities can require a substantial amount of resources, including resources to establish and maintain accounting for the joint entity and management staff to run the joint entity. VOs offer an attractive alternative since they are not legal entities, being organized instead with contracts describing the objectives of the collaboration and describing the roles and duties of the participants.
Web Services can facilitate VOs by automating the process of integration, reducing the cost of integration as well as the time required. A choreography may be written that describes all the objectives to which the participants are committed, the roles assigned to participants and the interactions between roles. From the choreography, services and processes can be developed to carry out objectives assigned to each role. Each participant organization in the VO provides the services and carries out the processes for the roles it is assigned. In carrying out assigned processes, a role may have to call on services made available as VO resources by other roles. A participating organization providing services as resources for a VO over the World Wide Web will need to address concerns about security. The service providing organization will want a mechanism to control access to the services that it offers as resources to a VO to only parties that have authorization to call on these services and will want a mechanism to authenticate the identity of parties calling on these services.
Operating a VO requires a VO management system that facilitates the administration and management of the infrastructure of a VO. Such a VO management system enables the creation and deletion of a VO and performs other infrastructure operations on the state of the VO. A VO management system may assign roles to individual organizations in the VO to carry out the choreography of the VO. Such role assignments will require the VO management system to add, remove and replace the members of the VO. A management system for a VO that operates over the World Wide Web will also need to address concerns about security. A VO management system will need a mechanism to control access to the services that it offers, allowing only authorized parties to call the services to create and change the state of a VO and to change the membership of the VO. A VO management system will also need a mechanism to authenticate the identity of parties calling on these services.
Securing VOs (or similar forms of collaborations) has been considered before. Some security systems secure the authentication and access control for the services offered as resources to a VO to further the objectives of the VO (referred to as “resource services”), but do not secure the authentication and access control for VO management services (referred to as “infrastructure services”). Some security systems provide access control based on VO membership, but not based on the roles assigned to VO members. Some security systems provide unified management over a distributed VO, but sacrifice local control of security. Other security systems provide local control of security, but do not have a unified management system. What is needed is a security architecture to provide authentication and role-based access control for both the resource services and infrastructure services of a VO with distributed membership using a unified management system, but without sacrificing local control of security.
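The following is an added illustration, not part of the original text and not the architecture it goes on to claim, of the requirements listed in the last two paragraphs: a caller is authenticated, then checked against a unified VO role policy that covers both resource services and infrastructure (VO management) services, and finally checked against the local policy of the organization hosting the service, which can deny an operation the VO policy would allow. The organization names, service names, role permissions and the HMAC-over-shared-secret authentication are all constructed assumptions standing in for whatever real mechanism a deployment would use.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed sample data: member organizations and the secret each shares
# with the VO (stand-in for real credentials such as certificates).
MEMBER_KEYS = {"org-a": b"constructed-key-a", "org-b": b"constructed-key-b"}

# Unified VO policy: role -> set of (service, operation) pairs the role may call.
VO_ROLE_PERMISSIONS = {
    "vo-admin": {("vo-mgmt", "add_member"), ("vo-mgmt", "remove_member")},
    "supplier": {("inventory", "read"), ("inventory", "reserve")},
    "customer": {("inventory", "read")},
}

# Which services are infrastructure (change VO state) and which are resources
# (do the VO's work). Both kinds go through the same checks.
SERVICE_KIND = {"vo-mgmt": "infrastructure", "inventory": "resource"}

# Role assignments made by the VO management system (constructed).
ROLE_ASSIGNMENTS = {"org-a": {"vo-admin", "supplier"}, "org-b": {"customer"}}

# Local control: the organization hosting each service may suspend operations
# regardless of what the unified VO policy allows (constructed: the inventory
# host has suspended "reserve").
LOCAL_DENY = {"inventory": {"reserve"}}


@dataclass
class Request:
    caller: str
    service: str
    operation: str
    signature: bytes


def sign(caller, service, operation, key):
    # Bind caller, service and operation into one authenticated message.
    msg = f"{caller}|{service}|{operation}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_request(caller, service, operation):
    # Build a request signed with the caller's registered key.
    return Request(caller, service, operation, sign(caller, service, operation, MEMBER_KEYS[caller]))


def authenticate(req):
    # Unknown members and forged or replayed-onto-other-operation signatures fail here.
    key = MEMBER_KEYS.get(req.caller)
    if key is None:
        return False
    expected = sign(req.caller, req.service, req.operation, key)
    return hmac.compare_digest(expected, req.signature)


def authorize(req):
    """Return (decision, reason) for a service call.

    Order matters: authenticate first, then the unified role policy,
    then the service provider's local policy.
    """
    if not authenticate(req):
        return (False, "authentication failed")
    roles = ROLE_ASSIGNMENTS.get(req.caller, set())
    permitted_by_role = any(
        (req.service, req.operation) in VO_ROLE_PERMISSIONS.get(role, set()) for role in roles
    )
    if not permitted_by_role:
        return (False, "no assigned role permits this operation")
    if req.operation in LOCAL_DENY.get(req.service, set()):
        return (False, "denied by local policy of service provider")
    return (True, f"{SERVICE_KIND[req.service]} service call permitted")


if __name__ == "__main__":
    for caller, service, op in [("org-a", "inventory", "read"),
                                ("org-a", "vo-mgmt", "add_member"),
                                ("org-b", "vo-mgmt", "add_member"),
                                ("org-a", "inventory", "reserve")]:
        print(caller, service, op, "->", authorize(make_request(caller, service, op)))
```

Because the role policy and the local deny list are separate tables, a VO administrator can manage role assignments centrally while each hosting organization keeps the final say over its own services, which is the combination the paragraph above describes as missing from earlier systems.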