An Access Control Framework for WS-BPEL Processes

An Access Control Framework for WS-BPEL Processes

Federica Paci (Università degli Studi di Trento, Italy), Elisa Bertino (CS Department and ECE School, CERIAS, Purdue University, USA) and Jason Crampton (Royal Halloway, University of London, UK)
DOI: 10.4018/978-1-4666-2136-7.ch015
OnDemand PDF Download:
List Price: $37.50


Business processes –the next generation workflows- have attracted considerable research interest in the last fifteen years. More recently, several XML-based languages have been proposed for specifying and orchestrating business processes, resulting in the WS-BPEL language. Even if WS-BPEL has been developed to specify automated business processes that orchestrate activities of multiple Web services, there are many applications and situations requiring that people be considered as additional participants that can influence the execution of a process. Significant omissions from WS-BPEL are the specification of activities that require interactions with humans to be completed, called human activities, and the specification of authorization information associating users with human activities in a WS-BPEL business process and authorization constraints, such as separation of duty, on the execution of human activities. In this chapter, we address these deficiencies by introducing a new type of WS-BPEL activity to model human activities and by developing RBAC-WS-BPEL, a role based access control model for WS-BPEL and BPCL, a language to specify authorization constraints.
Chapter Preview


Business Process Management systems (BMP) have gained a lot of attention due to the pressing need of integrating business processes of different organizations. Research efforts have been devoted to improve current workflow technologies in order to support collaborative business processes. BPM systems can be considered as an extension of classical workflow management (WFM) systems. Older, proprietary workflow systems managed document-based processes where people executed the workflow steps of the processes. Today's BPM systems manage processes that include person-to-person work steps, system-to-system communications or combinations of both. In addition, BPM systems include integrated features such as enhanced (and portable) process modeling, simulation, code generation, process execution and process monitoring. All those functions and features have resulted in an increased interest in BPM suites because they enhance business processes flexibility while at the same time reducing risks and costs. Therefore, BPM suites are a way to build, execute and monitor automated processes that may go across organizational boundaries - a kind of next-generation workflows.

Recently, Web services have provided the basis for the development and execution of business processes that are distributed over the network and available via standard interfaces and protocols. Business processes or workflows can be built by combining Web services through the use of a process specification language. Such languages basically allow one to specify which tasks have to be executed and the order in which those tasks should be executed. Because of their importance, process specification languages have been widely investigated and a number of languages have been developed. One such language is WS-BPEL 2.0 (Web Services Business Process Execution Language), an XML-based workflow process language, which provides a syntax for specifying business processes in terms of Web services (Jordan, Evdemon, 2006). WS-BPEL resulted from the combination of two different workflow languages, WSFL (Leymann, 2001) and XLANG (Thatte, 2001), and adopts the best features of these language. WS-BPEL is layered on top of several XML standards, including WSDL 1.1(Christensen, Curbera, Meredith, Weerawarana, 2001), XML Schema 1.0 (Peterson, Biron, Malhotra, 2004) and XPath 1.0 (Clarkand, DeRose, 1999), but of these, WSDL has had the most influence on WS-BPEL.

However, despite those significant progresses towards the development of an expressive language for business processes, significant challenges still need to be addressed before we see the widespread use of business processes management systems in distributed computer systems and Web services. WS-BPEL has been developed to specify automated business processes that orchestrate activities of multiple Web services. There are, however, cases in which people must be considered as additional participants to the execution of a process. Therefore, it is important to extend WS-BPEL to include the specification of activities that must be fully or partially performed by humans. The inclusion of humans, in turn, requires solutions for verifying the identity of users who request the execution of human activities and for the specification and enforcement of authorizations to users for the execution of human activities while enforcing authorization constraints, such as separation of duty, on the execution of those activities.

Therefore, in this chapter, we propose RBAC-WS-BPEL, a role-based access control model for WS-BPEL business processes that addresses the outlined requirements.

The chapter is organized as follows. In the next section we present an overview of WS-BPEL and we introduce an example that we will use throughout the chapter for illustrative purposes. In Section 3 we define the components of RBAC-WS-BPEL, including authorization policies and authorization constraints. In the subsequent section we provide an example of an RBAC policy for a purchase order WS-BPEL business process, specified in XACML (Moses, 2005). In Section 5 we describe our language to specify authorization constraints called Business Process Constraint Language (BPCL). In Section 6, we illustrate the specification of human activities and authorization information and constraints in the purchase order WS-BPEL business process. In Section 7 we present an algorithm to evaluate if a request by a user to execute an activity in a WS-BPEL process can be granted. In Section 8 we discuss a possible implementation of our model. Finally, we conclude with related work and future research directions.

Complete Chapter List

Search this Book: