
AN INTEGRATED IDENTITY AND ACCESS MANAGEMENT SOLUTION FOR BUSINESS PROCESSES

Federica Paci
Department of Engineering and Information Science
University of Trento

June 22 2009

Outline

- Motivation
- IAM for WS-BPEL processes
- How to handle human interactions
- How to evaluate process resiliency to absence of users
- How to verify users' digital identities
- How to enforce authorizations and authorization constraints
- Prototype and Experimental results
- Conclusions and Future Works

Issues

WS-BPEL processes

<process>
  <sequence>
    <receive … />
    <invoke … />
  </sequence>
</process>

(Figure: a WS-BPEL process is published to a BPEL Engine, which orchestrates Web service 1, Web service 2 and Web service 3.)

Issues

- How to involve humans in a business process?
- How to verify business process users' identity?
- How to prevent potential misuse of users' confidential information?
- Does a user have the permission to perform a business process's activity?
- Can the execution of a business process complete?

Existing solutions

- Human inclusion in WS-BPEL processes: BPEL4People 2007
- Authorization: Koshutanski et al. 2003; Xianpeng et al. 2006
- Resiliency to user absence: Wang et al. 2007

Why existing solutions are unsatisfactory

- Each solution tackles one specific problem.
- No comprehensive and feasible solution has been proposed.
- Important aspects that have not been considered:
  - Users' digital identity management
  - Resiliency of a WS-BPEL process to users' absence

The solution

Integrated approach to digital identity and access management:

- Include human user interactions in WS-BPEL processes
- Determine if a business process can complete even if some users become unavailable (resiliency)
- Check if a user has the permission to execute a business process's activity (authorization)
- Flexible way to verify the identity of users who claim the execution of a business process's activity (identity attribute-based role provisioning)









The focus of this talk

RBAC-WS-BPEL: an innovative IAM framework for WS-BPEL processes

- New type of WS-BPEL activity to handle human interactions: <Human Activity>
- Verification of WS-BPEL process resiliency to user absence
- Specification and enforcement of authorizations and authorization constraints
- Identity Attribute Based Role Provisioning
- RBAC-WS-BPEL prototype

RBAC-WS-BPEL overview

(Figure: the framework's concepts and their relations: Users, Roles, Permissions (an Action on a Human Activity), the WS-BPEL Business Process with its Human Activities and Automatic Activities, Authorization Constraints, Resiliency Constraints, Identity Records made of Identity Tuples over Identity Attributes, and Role Provisioning Policies.)

Handling human interactions

(Figure: example WS-BPEL process for reviewing and funding a submission. <receive> submit (Submission Service); in parallel, <invoke> review 1 and <invoke> review 2 (Review Service); <invoke> approve 1 and <invoke> approve 2 (Approval Service); <invoke> determine_status; <invoke> assign funds (Funds Assignment Service); <reply> submit with outcome Funded or Rejected. Human activities are marked in the figure; the authorization and constraint examples that follow refer to the review, approve and assign funds invocations.)

Role Provisioning Policies

A role provisioning policy is a tuple <Role_i, Cond_1, ..., Cond_n>, where Role_i is a role identifier and each Cond_k is an attribute condition, either of the form AttrName op l (a predicate on an identity attribute) or simply AttrName (the attribute must be possessed).

Example: <Post Doctorate, PhdCertificate, Affiliation = Purdue, SSN>

Example of Role Hierarchy

(Figure: role hierarchy with the users assigned to each role.)

Dean: John
Full Professor: Tammy
Associate Professor: Robynne, Leslie
Assistant Professor: Ellen, Doug
Post Doctorate: Ashish, Melanie, Kara
PhD Student: Anna, Dan
Business Office Manager: Chris, Irini
Business Office Clerk: Mary, Jane

Authorizations Definition

An authorization (permission) is a tuple <Role, (Activity, Action)>, where Role is a role identifier, Activity an activity identifier and Action the type of action on the activity.

Example of Authorizations

(Same example process as in "Handling human interactions".)

- Assistant professor, <invoke> review 1, execute
- Associate professor, <invoke> review 1, execute
- Full professor, <invoke> approve 1, execute
- Business Office Clerk, <invoke> approve 2, execute
- Dean, <invoke> approve 2, execute



Authorization constraints

An authorization constraint is a tuple < D, (Activity_i, Activity_j), binary relation >, where D is the set of roles/users who have performed Activity_i (the antecedent activity), Activity_j is the consequent activity, and the last component is a binary relation on the set of roles/users.

Alternative specification in an XML-based language called BPCL.

Example of Authorization Constraints (SoD)

(Same example process as in "Handling human interactions".)

- U, (<invoke> review 1, <invoke> review 2), ≠
- U, (<invoke> approve 2, <invoke> assign funds), =


Resiliency constraints

A resiliency constraint is a tuple <Activity, n>, where Activity is an activity identifier and n is the minimum number of users who must have the authorization to perform Activity_i.

A user has the authorization to execute an activity A_i if he/she is assigned to a role which has the permission to perform A_i.

Example of Resiliency Constraints

(Same example process as in "Handling human interactions".)

- <invoke> approve 1, 2
- <invoke> approve 2, 2
- <invoke> review 1, 3
- <invoke> review 2, 3


IAM lifecycle

(Figure: identity and access management steps mapped onto the business process lifecycle.)

Business process lifecycle: Process Deployment -> Process Resiliency Evaluation -> Process Instance Execution -> Activity Request -> User Identity Verification -> Access control Enforcement -> Activity Execution -> Process Instance Termination. Users Enrollment takes place before the process lifecycle.

User enrollment

Registration of Pedersen commitments of the users' identity attributes, to be used later as proofs of identity.

(Figure: the user creates an Identity Record with the Identity Manager; each attribute is stored as an Identity Tuple.)

Identity Record (IdR): a set of identity tuples of the form

<tag, M, signature of IdM on M, validity-assurance, ownership-assurance>

- tag: identity attribute identifier
- M = g^m h^r: Pedersen commitment of the identity attribute; m and r are known only by the user
- validity-assurance: confidence about the validity of the identity attribute
- ownership-assurance: confidence about the claim that the user presenting the identity attribute is its true owner

Business process resiliency

(Same example process as in "Handling human interactions", annotated with the resiliency constraints and the users authorized for each activity.)

<invoke> review 2, 3: Chris, Irini, Anna, Dan

<invoke> approve 1, 2
<invoke> review 1, 3
<invoke> approve 2, 2

Authorized users shown beside the remaining activities: Chris, Irini, Anna, Dan; Mary, Jane, John; Robynne, Leslie, Tammy, John.

MaxRes is equal to 3

Configurations

(Same example process as in "Handling human interactions", with the selected users shown beside the activities: Irini, Mary, Anna, Jane, John, John.)

How to evaluate resiliency

Naive approach: compute all configurations and evaluate the resiliency constraints. If they are satisfied the business process IS resilient and can be executed; otherwise it IS NOT resilient. Computing all configurations is NP-complete.

Our approach: compute a subset Conf of configurations. If |Conf| == MaxRes the business process IS resilient and can be executed; otherwise it IS NOT resilient.

Our approach

How to compute the set Conf:

1. Group the business process's activities based on authorization constraints
2. Compute a sub-configuration for each activity group
3. Merge the sub-configurations

(Figure: merging example. Users authorized to perform Activity 1: John, Allison, Peter; Activity 2: John, Heather, Iva; Activity 3: John, Heather, Allison. Set of users that can be selected to perform Activity 1, Activity 2 and Activity 3: John.)

How to compute sub-configurations

(Figure: Activity 1 to Activity 5 grouped by BoD and SoD constraints; a first, a second and a third sub-configuration are computed. When a user assignment fails, a re-assignment is performed.)
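Worked example of the resiliency check sketched above, added here and not taken from the talk or the RBAC-WS-BPEL prototype: it enumerates the valid configurations of the review/approval process and then searches for MaxRes of them that give every activity a different user, which is the reading of "resilient" assumed by this example. The per-activity user sets follow the resiliency slides (the assign funds set is assumed to equal approve 2's), and the SoD/BoD relations are the ones from the authorization-constraint example.

```python
from itertools import product

# Constructed from the talk's example process: authorised users per human
# activity (assign funds is assumed to share approve 2's users).
AUTHORIZED = {
    "review 1": {"Chris", "Irini", "Anna", "Dan"},
    "review 2": {"Chris", "Irini", "Anna", "Dan"},
    "approve 1": {"Mary", "Jane", "John"},
    "approve 2": {"Robynne", "Leslie", "Tammy", "John"},
    "assign funds": {"Robynne", "Leslie", "Tammy", "John"},
}
# <U, (antecedent, consequent), relation>: "!=" is SoD, "=" is BoD
CONSTRAINTS = [("review 1", "review 2", "!="), ("approve 2", "assign funds", "=")]
# <Activity, n>: minimum number of users who must be authorised for Activity
RESILIENCY = {"review 1": 3, "review 2": 3, "approve 1": 2, "approve 2": 2}


def satisfies(cfg, constraints):
    """A configuration (activity -> user) is valid if every constraint holds."""
    for ante, cons, rel in constraints:
        same = cfg[ante] == cfg[cons]
        if (rel == "!=" and same) or (rel == "=" and not same):
            return False
    return True


def configurations(authorized, constraints):
    """Enumerate all valid configurations (the exponential step)."""
    acts = list(authorized)
    for users in product(*(sorted(authorized[a]) for a in acts)):
        cfg = dict(zip(acts, users))
        if satisfies(cfg, constraints):
            yield cfg


def resilient_configurations(authorized, constraints, resiliency):
    """Return MaxRes configurations that give every activity MaxRes distinct
    users, or None when no such set exists (process is NOT resilient)."""
    max_res = max(resiliency.values())
    confs = list(configurations(authorized, constraints))
    chosen = []

    def search(start):
        if len(chosen) == max_res:
            return True
        for i in range(start, len(confs)):
            cfg = confs[i]
            if all(cfg[a] != c[a] for c in chosen for a in cfg):
                chosen.append(cfg)
                if search(i + 1):
                    return True
                chosen.pop()
        return False

    return list(chosen) if search(0) else None
```

With the sets above the search finds three configurations, so the process is resilient for MaxRes = 3; shrinking any pool below the required number makes the function return None.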

Enforcement

The authorization to perform an activity A_i is granted to a user u if:

- u is assigned to a role R_k which has the permission to execute A_i
- No authorization constraint where A_i is the consequent activity is violated

Role Provisioning

(Figure: the user requests Activity_i from the Enforcement Point, which selects the roles authorized to perform Activity_i and their policies, verifies each policy with the user and then assigns the user to the role, or denies the request.)

For each policy Pol = <R_i, Cond_1, ..., Cond_n>, the Enforcement Point computes the sets Conditions and NoConditions:

Conditions = { Attr_i | Cond_i in Pol, Cond_i = Name_A op l, Attr_i = Name_A }
NoConditions = { Attr_i | Cond_i in Pol, Cond_i = Name_A, Attr_i = Name_A }

For Attr in NoConditions: carry out AgZKPK.
For each Attr in Conditions: carry out the OCBE protocol.

Each policy Pol_i is verified if it is satisfied by carrying out the AgZKPK / OCBE protocol. If verified, the user is assigned to the role and receives a Role Provisioning Certificate; otherwise the request for Activity_i is denied.

Aggregate ZKPK protocol

It allows a user to prove the possession of multiple identity attributes without revealing them.

Pedersen commitment scheme, Param = (G, p, g, h):

- p is a prime number
- G is a finite cyclic group of order p such that the Diffie-Hellman problem is hard in G
- g is a generator of G
- h is a generator of G such that it is hard to find a number x such that h = g^x







AgZKPK protocol steps

Proof of possession of m_1 and m_2, committed as M_1 = g^m1 h^r1 and M_2 = g^m2 h^r2.

User:
1. Computes M = M_1 * M_2
2. Chooses y, s in [1, ..., p]
3. Computes d = g^y h^s and sends M, d to the Enforcement Point

Enforcement Point:
4. Chooses a challenge c in [1, ..., p] and sends c to the user

User:
5. Computes u = y + c * (m_1 + m_2) and v = s + c * (r_1 + r_2), and sends u, v

Enforcement Point:
6. Verifies g^u h^v == d M^c; if verified, access is granted, otherwise it is denied
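Added example (mine, not the talk's or the RBAC-WS-BPEL prototype's) covering two passages: the split of a role provisioning policy into Conditions and NoConditions, and the AgZKPK exchange above, run over the Post Doctorate policy. The user enrolls committed attributes, the Enforcement Point partitions the policy, and the commit / challenge / response steps end with the verifier's check g^u h^v == d M^c. The group parameters, the SHA-256 attribute encoding and the sample attribute values are constructed assumptions.

```python
import hashlib
import secrets

# Toy Pedersen parameters constructed for this example (far too small for real
# use): G is the order-P subgroup of quadratic residues mod Q, with Q = 2P + 1.
Q, P = 2039, 1019
g, h = 4, 9          # 2^2 and 3^2; in practice log_g(h) must be unknown to all


def commit(m, r):
    """Pedersen commitment M = g^m h^r in G (exponents live in Z_P)."""
    return pow(g, m, Q) * pow(h, r, Q) % Q


def attr_to_int(value):
    """Encode an attribute value as an exponent (assumed: SHA-256 mod P)."""
    return int.from_bytes(hashlib.sha256(value.encode()).digest(), "big") % P


def enroll(attributes):
    """User enrollment: each attribute gets (m, r); the user keeps both, the
    Identity Manager stores only M = commit(m, r) in the identity tuple."""
    return {tag: (attr_to_int(v), secrets.randbelow(P - 1) + 1)
            for tag, v in attributes.items()}


def split_policy(conditions):
    """Conditions (Name op l -> OCBE) vs NoConditions (bare Name -> AgZKPK)."""
    with_pred = [c for c in conditions if isinstance(c, tuple)]
    names_only = [c for c in conditions if isinstance(c, str)]
    return with_pred, names_only


def agzkpk(record, tags, cheat=False):
    """AgZKPK: prove possession of the attributes `tags` in one aggregated
    proof. Returns the Enforcement Point's verdict (True = grant)."""
    ms = [record[t][0] for t in tags]
    rs = [record[t][1] for t in tags]
    M = 1
    for m, r in zip(ms, rs):              # M = M_1 * M_2 * ... from the record
        M = M * commit(m, r) % Q
    y, s = secrets.randbelow(P - 1) + 1, secrets.randbelow(P - 1) + 1
    d = commit(y, s)                      # user sends M, d
    c = secrets.randbelow(P - 1) + 1      # Enforcement Point's challenge
    m_sum = sum(ms) + (1 if cheat else 0) # a cheater lacks the real openings
    u = (y + c * m_sum) % P
    v = (s + c * sum(rs)) % P             # user sends u, v
    return commit(u, v) == d * pow(M, c, Q) % Q   # g^u h^v == d * M^c


POST_DOC_POLICY = ["PhdCertificate", ("Affiliation", "=", "Purdue"), "SSN"]
```

The Affiliation condition carries a predicate and is routed to OCBE, while PhdCertificate and SSN are proven together in a single AgZKPK run; the cheat flag shows that a prover without the real openings fails the check for every challenge.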



OCBE protocols

- A user can open an encrypted message sent by a service provider if and only if the committed value of a specified identity attribute satisfies a predicate in the policy
- The service provider does not learn anything about the user's committed value
- The service provider does not know if the user's identity attribute value satisfies its policy

GE-OCBE protocol

It allows to verify that a committed value satisfies a condition with a ≥ predicate.

Three main cryptographic primitives:

- Pedersen commitment scheme, Param = (G, p, g, h), with an additional parameter l such that 2^l < p/2
- symmetric-key encryption algorithm
- cryptographic hash function H(.) : {0,1}* -> {0,1}^k

GE-OCBE protocol steps

Prover (proves m ≥ m_0 for the committed value m):
1. Selects M = g^m h^r
2. Computes l commitments c_0, ..., c_(l-1) and sends M, c_0, ..., c_(l-1) to the Enforcement Point

Enforcement Point:
3. Chooses a random number N
4. Computes the envelope, encrypts N and sends the ciphertext C

Prover:
5. Opens the envelope, decrypts C, obtains N' and sends N' to the Enforcement Point

Enforcement Point:
6. Verifies N' == N; if verified, access is granted, otherwise it is denied

Role provisioning certificate

<Issuer, Owner, Attributes, Roles, Issuance Date, Signature of the Verifier>

Released to a user to avoid performing multiple times the proof of possession of the same set of identity attributes.

Enforcement steps

1. Set user u as the user authorized to perform A_i
2. For each activity A_j compute the set of roles and of users authorized to perform the activity
3. For each activity A_j compute the set of roles and of users which satisfy the authorization constraints
4. For each activity A_j compute the intersection of the sets computed at step 2 and step 3
5. If for some activity A_j the intersection set is empty, the execution of A_i is not granted to u
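The five enforcement steps as a runtime decision function, added here as an example that is not the talk's or the prototype's code. Roles, users and authorizations are constructed from the role-hierarchy and authorization slides (role inheritance is ignored; the review 2 and assign funds authorizations are assumptions), and the constraints are the SoD/BoD pair from the constraint example. The look-ahead in steps 2 to 5 is what denies Mary's approve 2 request: granting it would leave nobody able to perform assign funds under the BoD constraint.

```python
# Constructed from the talk's example: users per role (inheritance ignored)
# and authorisations <Role, (Activity, execute)>.
ROLE_USERS = {
    "Assistant Professor": {"Ellen", "Doug"},
    "Associate Professor": {"Robynne", "Leslie"},
    "Full Professor": {"Tammy"},
    "Dean": {"John"},
    "Business Office Clerk": {"Mary", "Jane"},
}
AUTHORIZATIONS = [
    ("Assistant Professor", "review 1"), ("Associate Professor", "review 1"),
    ("Assistant Professor", "review 2"), ("Associate Professor", "review 2"),  # assumed
    ("Full Professor", "approve 1"),
    ("Business Office Clerk", "approve 2"), ("Dean", "approve 2"),
    ("Dean", "assign funds"),  # assumed: only the Dean may assign funds
]
ACTIVITIES = ["review 1", "review 2", "approve 1", "approve 2", "assign funds"]
# <U, (antecedent, consequent), relation>: "!=" is SoD, "=" is BoD
CONSTRAINTS = [("review 1", "review 2", "!="), ("approve 2", "assign funds", "=")]
ALL_USERS = set().union(*ROLE_USERS.values())


def authorized_users(activity):
    """Step 2: users assigned to a role holding a permission on `activity`."""
    return {u for role, act in AUTHORIZATIONS if act == activity for u in ROLE_USERS[role]}


def constraint_users(activity, assigned):
    """Step 3: users allowed by every constraint whose consequent is `activity`,
    given who already holds the antecedent activities (`assigned`)."""
    allowed = set(ALL_USERS)
    for ante, cons, rel in CONSTRAINTS:
        if cons != activity or ante not in assigned:
            continue
        if rel == "!=":
            allowed.discard(assigned[ante])
        elif rel == "=":
            allowed &= {assigned[ante]}
    return allowed


def grant(user, activity, history):
    """Decide whether `user` may execute `activity` in a process instance whose
    completed human activities are in `history` (activity -> performer)."""
    # Enforcement conditions: role permission and no violated constraint on A_i
    if user not in authorized_users(activity) & constraint_users(activity, history):
        return False
    assigned = dict(history, **{activity: user})                 # step 1
    for other in ACTIVITIES:                                      # steps 2-5
        if other not in assigned:
            if not authorized_users(other) & constraint_users(other, assigned):
                return False                                      # empty intersection
    return True
```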

RBAC-WS-BPEL framework

(Figure: architecture. The BPEL Engine runs the BPEL Process; the RBAC-WS-BPEL Enforcement Service exposes WSDL interfaces with the operations initiateActivity, OnActivityResult, listActivity and claimActivity, uses a planning component, and relies on a Constraints Store, an XACML Policy Store, a History Store and a Planning Store; the Identity Manager Service holds the Identity Records; the Client Module presents Proof-of-Identity Certs.)

RBAC-WS-BPEL prototype

- Enforcement Web service: Java Web service (WSDL interface for users under development)
- Identity Manager: Java Servlet
- Application Service: Apache Tomcat 6
- Client application: Java
- ODE BPEL engine 1.5
- Oracle database 10g

(Figure: configuration tool interface.)

Experimental evaluation

- Complexity of evaluating process resiliency: varying the number of SoD constraints; varying the number of BoD constraints
- Complexity of verifying user identity: AgZKPK varying the number of identity attributes; OCBE varying the parameter l
- Complexity of the enforcement process: enforcement varying the number of users

Test on resiliency

Two versions of the algorithm to compute configurations of users: Algorithm Not Optimized and Algorithm Optimized.

Setup:
- Business process: 21 activities
- No. SoD constraints: 6
- No. BoD constraints: 6
- Role hierarchy: 7 roles
- No. potential users: 50

Tests on resiliency

(Figure: Time (ms), log scale from 1 to 100000, vs Number of BoD Constraints from 0 to 5; series: Algorithm 1, Non-Optimized Algorithm.)

(Figure: Time (ms), log scale from 1 to 1000000, vs Number of SoD Constraints from 3 to 9; series: Non-Optimized Algorithm, Algorithm 1.)
Test on role provisioning

Setup:
- Business process: 21 activities
- No. SoD constraints: 6
- No. BoD constraints: 6
- Role hierarchy: 7 roles
- No. potential users: 50
- No. of simple conditions: [1, 50]
- Value of parameter l: [5, 20]

AgZKPK

(Figure: Time (secs), 0 to 0.1, vs Number of simple conditions from 1 to 49; series: Create AgZKP, Verification.)

Tests on OCBE protocols

(Figure: Time (ms), 0 to 2000, vs Parameter l from 5 to 20; series: Commitments Creation, Opening Envelope, TotalUserTime, CreateEnvelope.)
Test on Enforcement

Setup:
- Business process: 30
- Role hierarchy: 20
- Number of potential users: [500, 2500]
- Number of users per role: Num users / Num roles
- Number of SoD constraints: 435

(Figure: Enforcement Execution Time. Time (sec), 0 to 160, vs Number of Users from 0 to 2500; data labels 0.25, 8.25, 29 and 138.86.)

Conclusions and Future Works

- Innovative authorization framework for WS-BPEL processes
  - Evaluation of the resiliency of a business process
  - Specification and enforcement of authorizations and authorization constraints
- Extend RBAC-WS-BPEL to cross-organizational business processes
- Resiliency of a business process to change


Thank you! Any questions?

Contact information: paci@disi.unitn.it

Back up

Form for Review Activity

<form name="input" action="UserSide" method="post">
  Reviewer: <input type="text" name="reviewer"/>
  <br/>
  Comment: <input type="text" name="content"/>
  <br/>
  <input type="hidden" name="instanceid" value="#?instid?#"/>
  <input type="hidden" name="action" value="execute"/>
  <input type="submit" value="Submit"/>
</form>