Zugriffskontrolle in serviceorientierten Architekturen am Beispiel von Geodateninfrastrukturen

The central components of spatial data infrastructures (SDIs) are Geo Web Services. These services provide functionalities that allow distributed users to use and manage spatial data. Various business rules, legal restrictions and commercial interests require the deployment of access control systems in SDIs. These systems must ensure that only authorized interactions between users and services can take place. One main focus of this thesis is the development of a language that supports the formal de nition of complex spatial access rights. The language is based on the XACML v2.0 standard, combines ideas of rule-, rewriteand role-based rights models and extends them appropriately. The developed concepts have been integrated in the new XACML v3.0 speci cation and in XACML v3.0 related pro les of the Organisation for the Advancement of Structured Information Standards (OASIS). In addition, the ndings in this research area resulted in the OGC GeoXACML standard and in the XACML v3.0 OGC Web Service pro le of the Open Geospatial Consortium (OGC). Another key aspect of this thesis is the analysis how to administrate the emerging access control policies. At rst it is discussed, which functionalities need to be provided by administration services for (Geo)XACML encoded policies. Subsequently an expressive layered administration model is developed, that describes how to de ne and manage access rights referring to interactions with administration services. Rights of this type enable a horizontal and vertical distribution of access rights to di erent administrative roles. They further allow to de ne templates of policy objects, based on which the administrators of lower layers must specify their access rights. Administration systems that conform to the guidelines of the layered administration model support a secure, tractable and distributed administration of complex policies of access control systems in large service-oriented architectures.