Information federations promise an enhanced collaboration between individual stakeholders in the life cycle of commercial products, including software and hardware products from arbitrary business sectors. However, information sharing across corporate borders must be controlled by tailored mechanisms for enforcing individual business confidentiality and integrity requirements. One influential current security paradigm to achieve this goal is the application of Role-Based Access Control (RBAC). Based on ongoing work in the Aletheia project on service-oriented information federation, we present a case study on applying RBAC for information sharing among multiple stakeholders in the industrial service sector. We place a special emphasis on the methodical, tool-supported elicitation and definition of RBAC policies in this environment. In addition, we use the eXtensible Access Control Markup Language (XACML) to transfer RBAC policies between the different nodes in information federations. Further, we present a corresponding security architecture in which those XACML policies are applied for authorization decision and enforcement. The case study was conducted in cooperation with ABB, a large company providing power and automation technologies, products, and services for utility and industry customers.
Kunz, Steffen; Evdokimov, Sergei; Fabian, Benjamin; Stieger, Bernd; and Strembeck, Mark, "Role-Based Access Control for Information Federations in the Industrial Service Sector" (2010). ECIS 2010 Proceedings. 15.