Title page for etd-0811109-121353
Title
在以網路服務為基礎的工作流程中表達與實現存取控制限制
On Specifying and Enforcing Access Control of Web Services Based Workflows
Department
Year, semester
Language
Degree
Number of pages
60
Author
Advisor
Convenor
Advisory Committee
Date of Exam
2009-06-24
Date of Submission
2009-08-11
Keywords
Web Services, Access Control, Web Service Selection, Composability
Statistics
The thesis/dissertation has been browsed 5956 times and downloaded 1555 times.
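Chinese Abstract
Under the influence of SOA, Web services can be treated as components of a workflow; by composing suitable Web services, the needs of an enterprise can be met quickly. A workflow contains human tasks and automatic tasks, and a suitable performer must be selected to execute each task without violating the access control constraints within and between organizations. This study proposes a dynamic selection strategy that chooses suitable personnel and suitable Web services to execute each activity in a workflow. The strategy's choices avoid violating the access control constraints related to the process, so that the probability of eventually completing the process successfully is higher. Experiments show that our selection strategy can avoid violating access control constraints and performs better than both the composition-based method and the random method.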
Abstract
Web services have become the de facto standard components for quickly building a business process that satisfies the business goal of an organization. Nowadays, Web services have found their way into describing the functions of automatic tasks as well as manual tasks. An important part of the specification of a business process, especially for manual tasks, is access control. This thesis considers both types of tasks involved in a Web services-based process, together with the corresponding access control problem, and proposes a selection approach for choosing the performer of each task so as to satisfy all access control constraints. Based on the role-based access control model, we focus on two types of access control constraint: separation of duties (SoD) and binding of duties (BoD). Both role-level and participant-level SoDs and BoDs need to be dynamically enforced, and these constraints are considered in this thesis. The proposed performer selection approach is evaluated on a workflow scenario and is shown to have the highest chance of satisfying all predefined access control constraints when compared to other methods.
Table of Contents
CHAPTER 1 - Introduction 8
1.1. Background 8
1.2. Motivation 9
CHAPTER 2 - Literature Review 13
2.1. Web Service Technology 13
2.1.1. SOAP 13
2.1.2. WSDL 14
2.1.3. UDDI 14
2.2. Web Service Composition 15
2.3. Workflow Access Control 16
2.4. Enforcing Access Control Constraints 18
CHAPTER 3 - Problem Definition 20
3.1. Preliminaries 20
3.2. Problem description 29
CHAPTER 4 - Our approach 30
4.1. Skeleton of our Approach 30
4.2. Adjusting the FSMs for each role and each web service 32
4.3. Building the Composition and deciding composabilities of configurations 37
4.4. Execution Time Delegation for Enforcing Participant-Level Access Control 43
CHAPTER 5 - Performance Evaluation 47
5.1. Purchase Process Scenario 47
5.2. Experimental Design 47
5.3. Experimental Result 51
CHAPTER 6 - Conclusion 54
References 55

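Fulltext
This electronic full text is licensed to users only for personal, non-profit searching, reading and printing for the purpose of academic research. Please comply with the relevant provisions of the Copyright Act of the Republic of China; do not reproduce, distribute, adapt, repost or broadcast it without authorization, to avoid breaking the law.
Thesis access permission: public on and off campus after one year (withheld)
Available:
Campus: available
Off-campus: available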


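Printed copies
Public-access information for printed theses is relatively complete from academic year 102 onward. To inquire about public-access information for printed theses from academic year 101 or earlier, please contact the printed thesis service desk of the Office of Library and Information Services. We apologize for any inconvenience.
Available: available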
