Access Control for Web Service Applications: An Example in Collaborative Auditing

Abstract

Given the rapid changes in the information technologies, the issue of information securities and company’s internal controls has become very critical to both internal and external auditors. Recently, external auditors are under pressure to provide real-time assurance. Movement of this kind has complicated as to when and how to grant the access privileges to external auditors. In addition, when there is a high degree of collaborative relationship among organizations, the collaborators need to establish policies of auditors’ access controls and set up conditions and constraints for security and confidentiality reasons. Since auditors among the collaborators have different seniority, the access privileges should be granted based on the seniority of the auditors in the collaborative team members. In contrast, the growth of Web service becomes a new paradigm to provide collaborative auditing service via Web. The access control issue is a crucial issue for the future collaboration. In this study, we propose a role-based Chinese Wall model, which organizes the corporate data into four different types of control groups with different access control policies, for the auditors to access the data among collaborating enterprises. Using the vendor-managed inventories (VMI) example, the study discusses how auditing tasks can be performed under the proposed access control environment. To ensure the functionality of the proposed framework, the study uses Oracle software to demonstrate the feasibility of the model.