17 research outputs found
Optimizing performance of workflow executions under authorization control
âBusiness processes or workflows are often used to
model enterprise or scientific applications. It has
received considerable attention to automate workflow
executions on computing resources. However, many
workflow scenarios still involve human activities and
consist of a mixture of human tasks and computing
tasks.
Human involvement introduces security and
authorization concerns, requiring restrictions on who
is allowed to perform which tasks at what time. Role-
Based Access Control (RBAC) is a popular authorization
mechanism. In RBAC, the authorization concepts such as
roles and permissions are defined, and various
authorization constraints are supported, including
separation of duty, temporal constraints, etc. Under
RBAC, users are assigned to certain roles, while the
roles are associated with prescribed permissions.
When we assess resource capacities, or evaluate the
performance of workflow executions on supporting
platforms, it is often assumed that when a task is
allocated to a resource, the resource will accept the
task and start the execution once a processor becomes available. However, when the authorization policies
are taken into account,â this assumption may not be
true and the situation becomes more complex. For
example, when a task arrives, a valid and activated
role has to be assigned to a task before the task can
start execution. The deployed authorization
constraints may delay the workflow execution due to
the rolesâ availability, or other restrictions on the
role assignments, which will consequently have
negative impact on application performance.
When the authorization constraints are present to
restrict the workflow executions, it entails new
research issues that have not been studied yet in
conventional workflow management. This thesis aims to
investigate these new research issues.
First, it is important to know whether a feasible
authorization solution can be found to enable the
executions of all tasks in a workflow, i.e., check the
feasibility of the deployed authorization constraints.
This thesis studies the issue of the feasibility
checking and models the feasibility checking problem
as a constraints satisfaction problem.
Second, it is useful to know when the performance of
workflow executions will not be affected by the given
authorization constraints. This thesis proposes the
methods to determine the time durations when the given
authorization constraints do not have impact.
Third, when the authorization constraints do have
the performance impact, how can we quantitatively
analyse and determine the impact? When there are multiple choices to assign the roles to the tasks,
will different choices lead to the different
performance impact? If so, can we find an optimal way
to conduct the task-role assignments so that the
performance impact is minimized? This thesis proposes
the method to analyze the delay caused by the
authorization constraints if the workflow arrives
beyond the non-impact time duration calculated above.
Through the analysis of the delay, we realize that the
authorization method, i.e., the method to select the
roles to assign to the tasks affects the length of the
delay caused by the authorization constraints. Based
on this finding, we propose an optimal authorization
method, called the Global Authorization Aware (GAA)
method.
Fourth, a key reason why authorization constraints
may have impact on performance is because the
authorization control directs the tasks to some
particular roles. Then how to determine the level of
workload directed to each role given a set of
authorization constraints? This thesis conducts the
theoretical analysis about how the authorization
constraints direct the workload to the roles, and
proposes the methods to calculate the arriving rate of
the requests directed to each role under the role,
temporal and cardinality constraints.
Finally, the amount of resources allocated to
support each individual role may have impact on the
execution performance of the workflows. Therefore, it
is desired to develop the strategies to determine the
adequate amount of resources when the authorization
control is present in the system. This thesis presents the methods to allocate the appropriate quantity for
resources, including both human resources and
computing resources. Different features of human
resources and computing resources are taken into
account. For human resources, the objective is to
maximize the performance subject to the budgets to
hire the human resources, while for computing
resources, the strategy aims to allocate adequate
amount of computing resources to meet the QoS
requirements
RALph: A Graphical Notation for Resource Assignments in Business Processes
The business process (BP) resource perspective deals with the management of human as well as non-human resources throughout the process lifecycle. Although it has received increasing attention recently, there exists no graphical notation for it up until now that is both expressive enough to cover well-known resource selection conditions and independent of the BP modelling language. In this paper, we introduce RALph, a graphical notation for the assignment of human resources to BP activities. We define its semantics by mapping this notation to a language that has been formally defined in description logics, which enables its automated analysis. Although we show how RALph can be seamlessly integrated with BPMN, it is noteworthy that the notation is independent of the BP modelling language. Altogether, RALph will foster the visual modelling of the resource perspective in BP
A unified framework for security visualization and enforcement in business process driven environments
Service-oriented architecture offers a promising approach for supporting interoperability and flexibility in the context of increasingly dynamic and rapidly changing requirements in the business world. However, encapsulation of business functionalities as self-contained services, as one of the main concepts in a SOA, brings new challenges. While business experts concentrate on the domain-specific aspects, other non-functional requirements such as security remain mostly neglected, if all understood. Costs for security administration may increase, business-driven security requirements may not be addressed and security configurations may not match at all internal and external regulations and guidelines. Based on these needs, we propose a technology-independent framework that provides graphical concepts for incorporating the security demands, facilitating the handling of security requirements from the specification to their realization
Security Mechanisms for Workflows in Service-Oriented Architectures
Die Arbeit untersucht, wie sich UnterstĂŒtzung fĂŒr Sicherheit und IdentitĂ€tsmanagement in ein Workflow-Management-System integrieren lĂ€sst. Basierend auf einer Anforderungsanalyse anhand eines Beispiels aus der beruflichen Weiterbildung und einem Abgleich mit dem Stand der Technik wird eine Architektur fĂŒr die sichere AusfĂŒhrung von Workflows und die Integration mit IdentitĂ€tsmanagement-Systemen entwickelt, die neue Anwendungen mit verbesserter Sicherheit und PrivatsphĂ€re ermöglicht
ALIGNMENT OF BUSINESS PROCESS MANAGEMENT AND BUSINESS RULES
Business process management and business rules management both focus on controlling business activities in organizations. Although both management principles have the same focus, they approach manageability and controllability from different perspectives. As more organizations deploy business process management and business rules management, this paper argues that these often separated efforts should be integrated. The goal of this work is to present a step towards this integration. We propose a business rule categorization that is aligned to the business process management lifecycle. In a case study and through a survey the proposed rule categories are validated in terms of mutual exclusivity and completeness. The results indicate the completeness of our main categorization and the categoriesâ mutual exclusivity. Future research should indicate further refinement by identifying rule subcategories
Project-specific software engineering methods : composition, enactment, and quality assurance
Softwareentwicklungsmethoden beschreiben Best-Practice-AnsĂ€tze fĂŒr die Entwicklung von Softwaresystemen. Damit sind Methoden einfachen Ad-Hoc-AnsĂ€tzen ĂŒberlegen und ihr Einsatz unterstĂŒtzt die Entwicklung von hochqualitativer Software. Jedoch erfordert der effektive Einsatz von Methoden, drei Dinge: Erstens mĂŒssen Methoden auf aktuellen Methodeninhalten basieren, zweitens mĂŒssen sie auf den Projektkontext angepasst werden und drittens mĂŒssen sie wie vorgeschrieben von dem Projektteam angewendet werden. Ansonsten gefĂ€hrden veraltete, unangepasste oder falsch angewendete Methoden den Projekterfolg. WĂ€hrend andere AnsĂ€tze nur einige dieser Aspekte abdecken, prĂ€sentieren wir einen umfassenden, werkzeugbasierten Ansatz, der alle Aspekte des Managements von Softwareentwicklungsmethoden abdeckt. Unser Ansatz ermöglicht die Erstellung von formalen, kompositions-basierten Methodenmodellen. Erstens werden Methodenmodelle aus formalen Methodenbausteinen zusammengesetzt. Diese reprĂ€sentieren, aktuelle Methodeninhalte und werden in einer aktualisierbaren Methodenbasis gehalten. Zweitens werden Methodenmodelle projektspezifisch und kontextbasiert komponiert. Drittens wird ihre korrekte Anwendung durch den Einsatz einer Process-Engine sichergestellt. Unsere Proof-Of-Concept-Implementierung demonstriert die Machbarkeit unseres Ansatzes und stellt WerkzeugunterstĂŒtzung fĂŒr die Definition von Methodenbausteinen, die konsistente Methodenmodellkomposition und die AusfĂŒhrung mit Standard-Process-Engines zur VerfĂŒgung.Software engineering methods describe structured, repeatable best practice approaches for the engineering of software systems. The project team of a software project enacts a method and applies the described activities. As methods are superior to ad-hoc build and fix approaches, they benefit the creation of high-quality software. However, for the efficient use of methods, first, they need to be based on state of the practice method content, second, they need to be tailored to the project context, and third, they need to be enacted as prescribed. Otherwise, outdated, unsuitable, or wrongly enacted methods can impede the creation of the software system. While other approaches focus on supporting some of these aspects, our approach is a holistic tool-supported approach that covers all of them. It allows creating formally defined composition-based method models. First, method models are composed from formal building blocks that represent method content and are stored in an extensible, updatable repository. Second, they are composed specifically for a project and tailored to its characteristics. Here the novel notion of method patterns is used to guide the composition process. Third, their correct enactment is supported with a process engine. Our proof-of-concept implementation demonstrates the feasibility of the approach. It provides tooling to define building blocks, to compose them to method models consistently, and to execute them with standard process engines.Masud Fazal-BaqaieTag der Verteidigung: 15.09.2016UniversitĂ€t Paderborn, FakultĂ€t fĂŒr Elektrotechnik, Informatik und Mathematik, Univ., Dissertation, 201
Specification and Automated Design-Time Analysis of the Business Process Human Resource Perspective
The human resource perspective of a business process is concerned with the relation between the activities of a process and the actors who take part in them. Unlike other process perspectives, such as control flow, for which many different types of analyses have been proposed, such as finding deadlocks, there is an important gap regarding the human resource perspective. Resource analysis in business processes has not been defined, and only a few analysis operations can be glimpsed in previous approaches. In this paper, we identify and formally define seven design-time analysis operations related to how resources are involved in process activities. Furthermore, we demonstrate that for a wide variety of resource-aware BP models, those analysis operations can be automated by leveraging Description Logic (DL) off-the-shelf reasoners. To this end, we rely on Resource Assignment Language (RAL), a domain-specific language that enables the definition of conditions to select the candidates to participate in a process activity. We provide a complete formal semantics for RAL based on DLs and extend it to address the operations, for which the control flow of the process must also be taken into consideration. A proof-of-concept implementation has been developed and integrated in a system called CRISTAL. As a result, we can give an automatic answer to different questions related to the management of resources in business processes at design time
HUC-HISF: A Hybrid Intelligent Security Framework for Human-centric Ubiquitous Computing
ć¶ćșŠ:æ° ; ć ±ćçȘć·:äč2336ć· ; ćŠäœăźçšźéĄ:ć棫(äșșéç§ćŠ) ; æäžćčŽææ„:2012/1/18 ; æ©ć€§ćŠäœèšçȘć·:æ°584
Model-Driven Management of Internal Controls for Business Process Compliance
The thesis tackles the problem of high effort for achieving business process compliance to regulations in the area of Enterprise Risk Management. Common to these regulations are requirements on the presence of effective internal controls in companies. The level of automation with regard to translating compliance requirements into a set of internal controls and assuring the effectiveness of these controls during execution of business processes is raised thorugh a novel model-driven approach
Context Sensitive Access Control Model TI for Business Processes
Kontrola pristupa odnosno autorizacija, u ĆĄirem smislu, razmatra na koji naÄin korisnici mogu pristupiti resursima raÄunarskog sistema i na koji naÄin ih koristiti. Ova disertacija se bavi problemima kontrole pristupa u poslovnim sistemima. Tema disertacije je formalna specifkacija modela kontekstno zavisne kontrole pristupa u poslovnim sistemima koji je baziran na RBAC modelu kontrole pristupa. UvoÄenjem kontekstno zavisne kontrole pristupa omoguÄeno je defnisanje sloĆŸenijih prava pristupa koje u postojeÄim modelima kontrole pristupa za poslovne sisteme nije bilo moguÄe realizovati ili bi njihova realizacija bila komplikovana. Dati model primenljiv je u razliÄitim poslovnim sistemima, a podrĆŸava defnisanje prava pristupa kako za jednostavne tako i za slo·zene poslovne tokove. Sistem je verifkovan na dva realna poslovna procesa pomoÄu razvijenog prototipa. Prikazana prototipska implementacija koja ispunjava ciljeve u pogledu funkcionalnosti postavljene pred sistem predstavlja potvrdu praktiÄne vrednosti predloĆŸenog modela.Access control is concerned with the way in which users can access to resources in the computer system. This dissertation focuses on problems of access control for business processes. The subject of the dissertation is a formal specification of the RBAC-based context sensitive access control model for business processes. By using a context-sensitive access control it is possible to define more complex access control policies whose implementation in existing access control models for business processes is not possible or is very complicated. The given model is applicable in diferent business systems, and supports the definition of access control policies for both simple and complex business processes. The model's prototype is verified by two case studies on real business processes. The presented prototype implementation represents a proof of the proposed model's practical value