1,267 research outputs found
CRiBAC: Community-centric role interaction based access control model
As one of the most efficient solutions to complex and large-scale problems, multi-agent cooperation has been in the limelight for the past few decades. Recently, many research projects have focused on context-aware cooperation to dynamically provide complex services. As cooperation in the multi-agent systems (MASs) becomes more common, guaranteeing the security of such cooperation takes on even greater importance. However, existing security models do not reflect the agents' unique features, including cooperation and context-awareness. In this paper, we propose a Community-based Role interaction-based Access Control model (CRiBAC) to allow secure cooperation in MASs. To do this, we refine and extend our preliminary RiBAC model, which was proposed earlier to support secure interactions among agents, by introducing a new concept of interaction permission, and then extend it to CRiBAC to support community-based cooperation among agents. We analyze potential problems related to interaction permissions and propose two approaches to address them. We also propose an administration model to facilitate administration of CRiBAC policies. Finally, we present the implementation of a prototype system based on a sample scenario to assess the proposed work and show its feasibility. © 2012 Elsevier Ltd. All rights reserved
Towards Object-aware Process Support in Healthcare Information Systems
The processes to be supported by healthcare information systems are highly complex, and they produce and consume a large amount of data. Besides, they require a high degree of flexibility. Despite their widespread adoption in industry, however, traditional process management systems (PrMS) have not been broadly used in healthcare environments so far. One major reason for this is the missing integration of processes with business data; i.e., business objects (e.g., medical orders or reports) are usually outside the control of a PrMS. By contrast, our PHILharmonicFlows framework offers an object-aware process management approach, which tightly integrates business objects and processes. In this paper, we use this framework to support a breast cancer diagnosis scenario. We discuss the lessons learned from this case study as well as requirements from the healthcare domain that can be effectively met by an object-aware process management system
Optimizing performance of workflow executions under authorization control
âBusiness processes or workflows are often used to
model enterprise or scientific applications. It has
received considerable attention to automate workflow
executions on computing resources. However, many
workflow scenarios still involve human activities and
consist of a mixture of human tasks and computing
tasks.
Human involvement introduces security and
authorization concerns, requiring restrictions on who
is allowed to perform which tasks at what time. Role-
Based Access Control (RBAC) is a popular authorization
mechanism. In RBAC, the authorization concepts such as
roles and permissions are defined, and various
authorization constraints are supported, including
separation of duty, temporal constraints, etc. Under
RBAC, users are assigned to certain roles, while the
roles are associated with prescribed permissions.
When we assess resource capacities, or evaluate the
performance of workflow executions on supporting
platforms, it is often assumed that when a task is
allocated to a resource, the resource will accept the
task and start the execution once a processor becomes available. However, when the authorization policies
are taken into account,â this assumption may not be
true and the situation becomes more complex. For
example, when a task arrives, a valid and activated
role has to be assigned to a task before the task can
start execution. The deployed authorization
constraints may delay the workflow execution due to
the rolesâ availability, or other restrictions on the
role assignments, which will consequently have
negative impact on application performance.
When the authorization constraints are present to
restrict the workflow executions, it entails new
research issues that have not been studied yet in
conventional workflow management. This thesis aims to
investigate these new research issues.
First, it is important to know whether a feasible
authorization solution can be found to enable the
executions of all tasks in a workflow, i.e., check the
feasibility of the deployed authorization constraints.
This thesis studies the issue of the feasibility
checking and models the feasibility checking problem
as a constraints satisfaction problem.
Second, it is useful to know when the performance of
workflow executions will not be affected by the given
authorization constraints. This thesis proposes the
methods to determine the time durations when the given
authorization constraints do not have impact.
Third, when the authorization constraints do have
the performance impact, how can we quantitatively
analyse and determine the impact? When there are multiple choices to assign the roles to the tasks,
will different choices lead to the different
performance impact? If so, can we find an optimal way
to conduct the task-role assignments so that the
performance impact is minimized? This thesis proposes
the method to analyze the delay caused by the
authorization constraints if the workflow arrives
beyond the non-impact time duration calculated above.
Through the analysis of the delay, we realize that the
authorization method, i.e., the method to select the
roles to assign to the tasks affects the length of the
delay caused by the authorization constraints. Based
on this finding, we propose an optimal authorization
method, called the Global Authorization Aware (GAA)
method.
Fourth, a key reason why authorization constraints
may have impact on performance is because the
authorization control directs the tasks to some
particular roles. Then how to determine the level of
workload directed to each role given a set of
authorization constraints? This thesis conducts the
theoretical analysis about how the authorization
constraints direct the workload to the roles, and
proposes the methods to calculate the arriving rate of
the requests directed to each role under the role,
temporal and cardinality constraints.
Finally, the amount of resources allocated to
support each individual role may have impact on the
execution performance of the workflows. Therefore, it
is desired to develop the strategies to determine the
adequate amount of resources when the authorization
control is present in the system. This thesis presents the methods to allocate the appropriate quantity for
resources, including both human resources and
computing resources. Different features of human
resources and computing resources are taken into
account. For human resources, the objective is to
maximize the performance subject to the budgets to
hire the human resources, while for computing
resources, the strategy aims to allocate adequate
amount of computing resources to meet the QoS
requirements
Object-aware Process Support in Healthcare Information Systems: Requirements, Conceptual Framework and Examples
The business processes to be supported by healthcare information systems are highly complex, producing and consuming a large amount of data. Besides, the execution of
these processes requires a high degree of flexibility. Despite their widespread adoption in industry, however, traditional process management systems (PrMS) have not been broadly used in healthcare environments so far. One major reason for this drawback is the missing integration of business processes and business data in existing PrMS; i.e., business objects (e.g., medical orders, medical reports) are usually maintained in specific application systems, and are hence outside the control of the PrMS. As a consequence, most existing PrMS are unable to provide integrated access to business processes and business objects in case of unexpected events, which is crucial in the healthcare domain. In this context, the PHILharmonicFlows framework offers an innovative object-aware process management approach, which tightly integrates business objects, functions, and processes. In this paper, we apply this framework to model and control the processes in the context of a breast cancer diagnosis scenario. First, we present the modeling components of PHILharmonicFlows framework applied to this scenario. Second, we give insights into the operational semantics that governs the process execution in PHILharmonicFlows. Third, we discuss the lessons learned in this case study as well as requirements from the healthcare domain that can be effectively handled when using an object-aware process management system like PHILharmonicFlows. Overall, object-aware process support will allow for a new
generation of healthcare information systems treating both data and processes as first class citizens
Using Ontologies for the Design of Data Warehouses
Obtaining an implementation of a data warehouse is a complex task that forces
designers to acquire wide knowledge of the domain, thus requiring a high level
of expertise and becoming it a prone-to-fail task. Based on our experience, we
have detected a set of situations we have faced up with in real-world projects
in which we believe that the use of ontologies will improve several aspects of
the design of data warehouses. The aim of this article is to describe several
shortcomings of current data warehouse design approaches and discuss the
benefit of using ontologies to overcome them. This work is a starting point for
discussing the convenience of using ontologies in data warehouse design.Comment: 15 pages, 2 figure
Knowledge-Intensive Processes: Characteristics, Requirements and Analysis of Contemporary Approaches
Engineering of knowledge-intensive processes (KiPs) is far from being mastered, since they are genuinely knowledge- and data-centric, and require substantial flexibility, at both design- and run-time. In this work, starting from a scientific literature analysis in the area of KiPs and from three real-world domains and application scenarios, we provide a precise characterization of KiPs. Furthermore, we devise some general requirements related to KiPs management and execution. Such requirements contribute to the definition of an evaluation framework to assess current system support for KiPs. To this end, we present a critical analysis on a number of existing process-oriented approaches by discussing their efficacy against the requirements
Implementing Advanced RBAC Administration Functionality with USE
Role-based access control (RBAC) is a powerful means for laying out and developing higher-level organizational policies such as separation of duty, and for simplifying the security management process. One of the important aspects of RBAC is authorization constraints that express such organizational policies. While RBAC has generated a great interest in the security community, organizations still seek a flexible and effective approach to impose role-based authorization constraints in their security-critical applications. In particular, today often only basic RBAC concepts have found their way into commercial RBAC products; specifically, authorization constraints are not widely supported. In this paper, we present an RBAC administration tool that can enforce certain kinds of role-based authorization constraints such as separation of duty constraints. The authorization constraint functionality is based upon the OCL validation tool USE. We also describe our practical experience that we gained on integrating OCL functionality into a prototype of an RBAC administration tool that shall be extended to a product in the future
Unified patterns to transform business rules into an event coordination mechanism.
Business rules define and constrain various aspects of the business, such as vocabulary, behavior and organizational issues. Enforcing the rules of the business in information systems is however not straightforward, because different mechanisms exist for the (semi-)automatic transformation of various business constraints and rules. In this paper, we examine if and how business rules, not only data rules, but also process rules, timing rules, authorization rules, etc., can be expressed in SBVR and translated using patterns into a more uniform event mechanism, such that the event handling could provide an integrated enforcement of business rules of many kinds.Business rules; Event coordination; Business processes; SBVR; Declarative process modeling;
- âŠ