Access Control Policies for Traceability Information Systems

Traceability information systems need to collect and process data from multiple companies across the supply chain and many of the business partners are not known in advance. This open-ended security is, in principle, a good match for a Service-Oriented Architecture (SOA) design and for the use of Web Services (WS) technologies because they implement flexible and inter-operable systems based on services. However there is a gap between the visibility restrictions and the way to express them using standard WS technologies. This paper describes Supply Chain Authorization (SCAz), an interface developed to define and enforce visibility restrictions – access control policies – for supply chain systems. Several implementations are presented and the trade-offs are discussed. The performance of SCAz is assessed in the setting of an externalized security architecture by comparing raw authorization implementations with their equivalents translated to the standard language eXtensible Access Control Markup Language (XACML). The SCAz Chain-of-Trust Assertions (CTA) implementation is found to have similar performance to other approaches while allowing extensions such as delegated trust, transitive trust, conditional trust, and bulk trust.