Queensland Treasury Corporation
Security issues have to be carefully considered for information systems that support the business processes of an organization, particularly when these systems build on open interfaces such as web services. In this paper, the authors examine the new BPEL extension BPEL4People from an access control perspective. In particular, they discuss the importance of separation of duty constraints and identify options to specify such constraints in BPEL4People processes. Moreover, they identify and discuss shortcomings of the BPEL4People specifications that complicate and/or impede separation of duty enforcement. In addition, they suggest solutions that can be introduced into future versions of BPEL4People to mitigate those shortcomings.