Huang et al. / J Zhejiang Univ-Sci C (Comput & Electron) 2010 11(5):328-339 328
Minimal role mining method for Web service composition
Chao HUANG†, Jian-ling SUN†‡, Xin-yu WANG, Yuan-jie SI
(Department of Computer Science and Technology, Zhejiang University, Hangzhou 310027, China)
†E-mail: {hch, sunjl}@zju.edu.cn
Received Apr. 2, 2009; Revision accepted July 29, 2009; Crosschecked Apr. 5, 2010
Abstract: Web service composition is a low-cost and efficient way to leverage existing resources and implementations. In current Web service composition implementations, the issue of how to define the role for a new composite Web service has been little addressed. Adjusting the access control policy for a new composite Web service always causes substantial administration overhead for the security administrator. Furthermore, the distributed nature of Web-service-based applications makes traditional role mining methods obsolete. In this paper, we analyze the minimal role mining problem for Web service composition, and prove that this problem is NP-complete. We propose a sub-optimal greedy algorithm based on the analysis of necessary role mapping for interoperation across multiple domains. Simulation shows the effectiveness of our algorithm, and compared to the existing methods, our algorithm has significant performance advantages. We also demonstrate the practical application of our method in a real agent-based Web service system. The results show that our method could find the minimal role mapping efficiently.
Key words: Web service composition, Role-based access control (RBAC), Role mining, Access control policy, Role mapping, Web service security
doi:10.1631/jzus.C0910186 Document code: A CLC number: TP309
1 Introduction
Web service, which is based on the infrastructure of three major standards—the simple object access protocol (SOAP), the Web service definition language (WSDL), and universal description, discovery, and integration (UDDI), has been widely adopted by financial enterprises to build IT systems (Dustdar and Schreiner, 2005; Eid et al., 2008). However, a single Web service may not satisfy changing system requirements in dynamic systems, such as the multi-agent system (MAS) (Sycara et al., 2003; Talib et al., 2006). This creates a need for automated Web service composition that enables the construction of a powerful, robust service network by integrating a number of collaborating agent-based Web services. Assume that there are three domains, D1, D2, and D3, in the foreign exchange order MAS. Web service S1 hosted in D1 provides the real-time rates for the currency pair; service S2 in D2 accepts the foreign exchange order and makes the trade; service S3 in D3 records the trade order and generates the report. In such a case, a service that takes the given currency pair and accomplishes the trade with the latest market rate is not available. However, through Web service composition, S1, S2, and S3 can be composed into a new service CS which accepts the currency pair as input and accomplishes the deal. Although such Web service composition provides a cheap, effective, and efficient means for application integration over existing resources, all the benefits can be obtained only after the access control policy is set up properly.
The role-based access control (RBAC) model, proposed by Ferraiolo and Sandhu in the 1990s, has been used widely as a powerful way to satisfy the access control needs of Web service (Ferraiolo et al., 2001; Essmayr et al., 2004; Carminati et al., 2005; Li and Tripunitara, 2006). RBAC96 is currently the most widely used access control model in enterprises because of its fine-grained control over privileges (Li et al., 2007). Furthermore, using RBAC we can model
Journal of Zhejiang University-SCIENCE C (Computers & Electronics)
ISSN 1869-1951 (Print); ISSN 1869-196X (Online)
www.zju.edu.cn/jzus; www.springerlink.com
E-mail: jzus@zju.edu.cn
‡ Corresponding author
© Zhejiang University and Springer-Verlag Berlin Heidelberg 2010