Exposé
Short overview
Process-Aware Information Systems (PAIS) support groups of users in organizing or coordinating sequences of tasks. These sequences are referred to as processes; in a business environment they typically represent business logic. This business logic is typically driven by two types of actors:
- Users that deal with the execution of individual tasks: they collect data or accomplish activities that lead to the successful finalization of a task.
- Services that deliver data without human interaction.
Tasks involving humans are typically supported by a worklist handler. The purpose of a worklist handler is to distribute the work to one or more human actors that may be entitled to work on a particular task.
As the processes are a manifestation of the business logic, they are very important for a company, and are typically constrained by a set of rules. These rules either stem from internal necessity (e.g. a diverse workforce, internal security rules), or from external sources (e.g. laws). The creation of these rules is driven by the following basic security facts:
- Not every employee or service is able or allowed to do every task.
- Not every employee or service is allowed to see every piece of data that is generated or used during the execution of a process.
- Employees or services with special abilities are sometimes required to work together according to well defined rules to complete a sequence of tasks (separation / binding of duty).
On a technical level, processes are executed by a process engine (PE), which together with the worklist (WL) is responsible for an efficient and secure (with regard to the above-mentioned facts) execution of processes. To do so, not only the business logic but also the accompanying security facts have to be well formalized and available in machine-readable and interpretable form. While the creation of processes is supported by a wide range of process editors [REF jBPM Signavio], tool support for security rules often covers only certain security aspects and is not formalized or standardized. Security support is also often tightly integrated with the processes and their syntax, allowing no independent management of security aspects.
Goals, Contributions
The goal of this work is to create an editor that supports the efficient management of security rules for PAIS, based on the formalization developed by Leitner, Mangler and Rinderle-Ma. The purpose of this editor is to allow for independent management and audit of process-related security concepts. The contributions will include:
- An editor for describing how tasks may interact with each other, and which data may be used while working on these tasks.
- An editor for describing permissions, including when, how and under which circumstances it is allowed to work on certain tasks.
- An editor for describing how permissions are connected to particular users or organizational structures inside a company.
Furthermore, a backend system will be provided that manages the data created by the editors as a RESTful service.
Finally, this thesis will also provide a well-defined test set (including security rules and example processes) as well as a test program to find out which rules apply to certain tasks.
This thesis will not provide a language or library to match process patterns: for this case either LTL (Linear Temporal Logic), or alternatively the ppmex (Process Pattern Matching Expressions) formalism developed by the WST group, will be used.
Table of Contents
- Introduction: Long version of abstract, explain all concepts in detail
- Motivation (2 pages)
- Structure of Thesis (1 page with a graphic)
- Glossary of Terms (2-3 pages)
- Security In Workflow Systems / Related Work (10-15 pages)
- NIST RBAC, W-RBAC
- ARBAC
- Bertino et al: "The specification and enforcement of authorization constraints in workflow management systems", Casati et al: "Managing workflow authorization constraints through active database technology"
- Ribeiro et al: "Verifying workflow processes against organization security policies"
- Neumann et al: "An approach to engineer and enforce context constraints in an RBAC environment"
- … (further)
- The Sprint Approach (summary of Paper) (5 pages)
- Structural Security
- Operational Security: Relation of Permissions to Processes
- Operational Security: Relation of Permissions to Users
- Implementation (40-50)
- Use Cases
- Implementation & User Interface
- Backend
- Conclusion & Summary (10 pages)
Last modified: 03.09.2013, 16:07 | 695 words