Abstract: Web Services Resource (WS-Resource) consists of static Web service interface and dynamic stateful resource. According to the different characteristics of the two components, we proposed an Attribute-Based Two Level Access Control (2L-ABAC) on for WS-Resources. Attribute retrieval is essential for ABAC systems because they are based on their decisions on attributes of users, so 2L-ABAC employs access control policies publishing mechanism to inform users of the needed attributes. Access control policies of Web Services are static and those of resources arc dynamic,correspondently two publishing methods, WSDL attachment and metadata exchanging, are adopted for each level respectively. 2L-ABAC inherits from the ABAC model the capability of authorizing unknown users from other security domains, besides its flexibility due to the hierarchy design model. Moreover, this architecture can be implemented by extending the standard specifications such as XACML and SAML, so it has broad applicability for WS-Resource based systems.

Key words: WS-Resource, ABAC, WSDL, XACML SAML