CERIAS - Center for Education and Research in Information Assurance and Security

Skip Navigation
CERIAS Logo
Purdue University - Discovery Park
Center for Education and Research in Information Assurance and Security

Access Control and Resiliency for WS-BPEL

Federica Paci - Purdue University

Oct 22, 2008

Size: 362.7MB

Download: Video Icon MP4 Video  
Watch in your Browser   Watch on Youtube Watch on YouTube

Abstract

Business processes –the next generation workflows- have attracted considerable research interest in the last fifteen years. More recently, several XML-based languages have been proposed for specifying and orchestrating business processes, resulting in the WS-BPEL language. Even if WS-BPEL has been developed to specify automated business processes that orchestrate activities of multiple Web services, there are many applications and situations requiring that people be considered as additional participants that can influence the execution of a process. Significant omissions from WS-BPEL are the specification of activities that require interactions with humans to be completed, called human activities, and the specification of authorization information associating users with human activities in a WS-BPEL business process and authorization constraints, such as separation of duty, on the execution of human activities. This talk investigates the problem of access control and resiliency for WS-BPEL processes. Access control in the context of business process means checking whether a user claiming the execution of an activity is authorized and the execution does not violate authorization constraints. Resiliency means that even if some users become unavailable, the remaining users can still complete the execution of the process according to the stated authorizations and authorization constraints. We present RBAC-WS-BPEL, an RBAC model for WS-BPEL business processes that supports the specification of resiliency constraints, authorizations and authorization constraints on business process activities. Resiliency constraints are evaluated when a WS-BPEL process is deployed, to check if there is a sufficient number of authorized users to perform the process so that authorization constraints are satisfied and the process terminates even if some users become unavailable. Authorizations and authorization constraints are evaluated whenever a user claims the execution of a business process’s activity to determine if the execution of the activity by the user does not violate any authorization constraints and does not prevent some other subsequent activities from completing.

About the Speaker

From Febraury 2008, Dr. Federica Paci is a post-doctoral research associate at Purdue University.

Paci’s main research interests include access control for web services and business process, digital identity management and trust negotiations. Currently, she working on digital identity management for business process and mobile devices.

Paci earned her Ph.D. in Computer Science from the University of Milan, Italy, in Febraury 2008. In Febraury 2004, she received the equivalent of a combined bachelor’s/master’s degree in Computer Science, also from the University of Milan.

During Spring Semester of 2005 and 2006, Paci was a visiting research scholar at CS Department of Purdue University, West Lafayette, IN.

Paci is the author or co-author of more than 10 conference papers and journal articles. Currently, she is co-authoring a book on Web services security.

She serves as a program committee member for APWeb 2008 , IEEE Collaborative-Com 2008 and WWW 2009.

Unless otherwise noted, the security seminar is held on Wednesdays at 4:30P.M. STEW G52, West Lafayette Campus. More information...

Disclaimer

The views, opinions and assumptions expressed in these videos are those of the presenter and do not necessarily reflect the official policy or position of CERIAS or Purdue University. All content included in these videos, are the property of Purdue University, the presenter and/or the presenter’s organization, and protected by U.S. and international copyright laws. The collection, arrangement and assembly of all content in these videos and on the hosting website exclusive property of Purdue University. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works, transmit, or in any other way exploit any part of copyrighted material without permission from CERIAS, Purdue University.