Managing the Life Cycle of Access Rules in CEOSIS

The definition and management of access rules (e.g., to control the access to business documents and business functions) is an important task within any enterprise information systems (EIS). Many EIS apply role-based access control (RBAC) mechanisms to specify access rules based on organizational models. However, only little research has been spent on organizational changes even though they often become necessary in practice. Examples comprise the evolution of organizational models with subsequent adaptation of access rules or direct access rule modifications. In this paper, we present a change framework for the controlled evolution of access rules in EIS. Specifically, we define change operations which ensure correct modification of access rules. Finally, we define the formal semantics of access rule changes based on operator trees which enables their unambiguous application; i.e., we can precisely determine which effects are caused by respective adaptations. This is important, for example, to be able to efficiently adapt user worklists in process-aware information systems. Altogether this paper contributes to comprehensive life cycle support for access rules in (adaptive) EIS

Access Control for Monitoring System-Spanning Business Processes in Proviado

Integrated process support is highly desirable in environments where data related to a particular (business) process are scattered over distributed, heterogeneous information systems (IS). A process monitoring component is a much-needed module in order to provide an integrated view on all these process data. Regarding process data integration, access control (AC) issues are very important but also quite complex to be addressed. A major problem arises from the fact that the involved IS are usually based on heterogeneous AC components. For several reasons, the only feasible way to tackle the problem of AC at the process monitoring level is to define access rights for the process monitoring component, hence getting rid of the burden to map access rights from the IS level. This paper discusses requirements for AC in process monitoring, which we derived from our case studies in the automotive domain. It then presents alternative approaches for AC: the view-based and the object-based approach. The latter is retained, and a core AC model is proposed for the definition of access rights that meet the derived requirements. AC mechanisms provided within the core model are key ingredients for the definition of model extensions

Architecural Principles and Components of Adaptive Process Management Technology

Process-aware information systems (PAIS) must not freeze business processes, but should enable authorized users to deviate from the implemented workflows on-the-fly and to dynamically evolve them over time. While there has been a lot of work on the theoretical foundations of dynamic process changes, there is still a lack of implemented PAIS providing this dynamics. Designing the architecture of such adaptive PAIS, however, constitutes a big challenge due to the high complexity coming with dynamic changes. Besides this, performance, robustness, security and usability of the PAIS must not be affected by the added flexibility. In the AristaFlow project we follow a holistic approach to master this complexity. Based on a conceptual framework for adaptive process management, we have designed a sophisticated architecture for next generation process management technology. This paper discusses major design goals and basic architectural principles, gives insights into selected system components, and shows how change support features can be realized in an integrated and efficient manner

Flexibilisierung Service-orientierter Architekturen

Service-orientierte Architekturen (SOA) werden zunehmend in Unternehmen eingesetzt. Wichtige Ziele bilden die flexible IT-Unterstützung von Geschäftsprozessen, etwa deren rasche Anpassungsfähigkeit sowie die (Teil-) Automatisierung dieser Prozesse. Um die in der betrieblichen Praxis geforderte Flexibilität zu verwirklichen, sind jedoch eine Reihe von Maßnahmen vonnöten, die von der Dokumentation fachlicher Anforderungen über die Modellierung von Geschäftsprozessen bis hin zu dynamischen Service-Aufrufen reichen. Besonders wichtige Flexibilitätsmaßnahmen werden im vorliegenden Beitrag erörtert und in ein Rahmenwerk zur Erhöhung der Flexibilität in Service-orientierten Architekturen eingebettet

The Proviado Access Control Model for Business Process Monitoring Components

Integrated process support is highly desirable in environments where data related to a particular business process are scattered over distributed, heterogeneous information systems. A business process monitoring component is a much-needed module in order to provide an integrated view on all these process data. Regarding process visualization and process data integration, access control (AC) issues are very important but also quite complex to be addressed. A major problem arises from the fact that the involved information systems are usually based on heterogeneous AC components. For several reasons, the only feasible way to tackle the problem of AC at the process monitoring level is to define access rights for the process monitoring component, hence getting rid of the burden to map access rights from the information system level. This paper presents the Proviado process visualization framework and discusses requirements for AC in process monitoring, which we derived from our case studies in the automotive domain. It then presents alternative approaches for AC: the view-based and the object-based approach. The latter is retained, and a core AC model is proposed for the definition of access rights that meet the derived requirements. AC mechanisms provided within the core model are key ingredients for the definition of model extensions

On Utilizing Web Service Equivalence for Supporting the Composition Life Cycle

Deciding on web service equivalence in process-aware service compositions is a crucial challenge throughout the composition life cycle. Restricting such decisions to (activity) label equivalence, however, is not sufficient for many practical applications: if two activities and web services respectively have equivalent labels, does this necessarily mean they are equivalent as well? In many scenarios (e.g., evolution of a composition schema or mining of completed composition instances) other factors may play an important role as well. Examples include context information (e.g., input and output messages) and information on the position of web services within compositions. In this paper, we introduce the whole composition life cycle and discuss specific requirements for web service equivalence along its different phases. We define adequate equivalence notions for the design, execution, analysis, and evolution of service compositions. Main focus is put on attribute and position equivalence. Altogether this paper shall contribute a new understanding and treatment of equivalence notions in service compositions

Comprehensive Life Cycle Support for Access Rules in Information Systems: The CEOSIS Project

The definition and management of access rules (e.g., to control access to business documents and business functions) is a fundamental task in any enterprise information system (EIS). While there exists considerable work on how to specify and represent access rules, only little research has been spent on access rule changes. Examples include the evolution of organizational models with need for subsequent adaptation of related access rules as well as direct access rule modifications (e.g., to state a previously defined rule more precisely). This paper presents a comprehensive change framework for the controlled evolution of role-based access rules in EIS. First, we consider changes of organizational models and elaborate how they affect existing access rules. Second, we define change operations which enable direct adaptations of access rules. In the latter context, we define the formal semantics of access rule changes based on operator trees. Particularly, this enables their unambiguous application; i.e., we can precisely determine which effects are caused by respective rule changes. This is important, for example, to be able to efficiently and correctly adapt user worklists in process-aware information systems. Altogether this paper contributes to comprehensive life cycle support for access rules in (adaptive) EIS