AN INTEGRATED IDENTITY AND ACCESS MANAGEMENT SOLUTION FOR BUSINESS PROCESSES
Federica Paci, Department of Engineering and Information Science, University of Trento, June 22 2009
Outline
• Motivation
• IAM for WS-BPEL processes
• How to handle human interactions
• How to evaluate process resiliency to absence of users
• How to verify users' digital identities
• How to enforce authorizations and authorization constraints
• Prototype and experimental results
• Conclusions and future works
Issues
WS-BPEL processes
<process> <sequence> <receive … /> <invoke … /> </sequence> </process>
[Figure: a WS-BPEL process is published to a BPEL Engine, which orchestrates Web service1, Web service2 and Web service3]
Issues
• How to involve humans in a business process?
• How to verify business process users' identity?
• How to prevent potential misuse of users' confidential information?
• Does a user have the permission to perform a business process's activity?
• Can the execution of a business process complete?
Existing solutions
• Humans inclusion in WS-BPEL processes: BPEL4People 2007
• Authorization: Koshutanski et al. 2003, Xianpeng et al. 2006
• Resiliency to user absence: Wang et al. 2007
Why existing solutions are unsatisfactory
• Each solution tackles one specific problem; no comprehensive and feasible solution has been proposed.
• Important aspects that have not been considered: management of users' digital identities, and resiliency of a WS-BPEL process to users' absence.
The solution
Integrated approach to digital identity and access management:
• Include human user interactions in WS-BPEL processes
• Determine if a business process can complete even if some users become unavailable (resiliency)
• Check if a user has the permission to execute a business process's activity (authorization)
• Flexible way to verify the identity of users who claim the execution of a business process's activity (identity attribute-based role provisioning)
The focus of this talk
RBAC-WS-BPEL: innovative IAM framework for WS-BPEL processes
• New type of WS-BPEL activity to handle human interactions: <Human Activity>
• Verification of WS-BPEL process resiliency to user absence
• Specification and enforcement of authorizations and authorization constraints
• Identity attribute-based role provisioning
• RBAC-WS-BPEL prototype
Overview
[Figure: RBAC-WS-BPEL overview, relating the WS-BPEL business process (automatic activities and human activities, each human activity with its action), permissions, roles, users, authorization constraints, resiliency constraints, role provisioning policies and identity records (identity tuples of identity attributes)]
Handling human interactions
[Figure: example process with activities <receive> submit, <invoke> review1 and <invoke> review2 (parallel), <invoke> approve1, <invoke> approve2, <invoke> determine_status (outcomes Rejected / Funded), <invoke> assign funds and <reply> submit; partner services: Submission Service, Review Service, Approval Service, FundsAssignment Service; the activities performed by people are marked as human activities]
Role Provisioning Policies
A policy binds a role identifier to a list of attribute conditions: Rolei : Cond1, ..., Condn. Each attribute condition is either an attribute name alone (AttrName) or an attribute name compared with a value (AttrName op l).
Example: Post Doctorate : PhdCertificate, Affiliation = Purdue, SSN
Example of Role Hierarchy
[Figure: role hierarchy with the roles Dean, Full Professor, Associate Professor, Assistant Professor, Post Doctorate, PhD Student, Business Office Manager and Business Office Clerk, and the users assigned to them: John, Tammy, Robynne, Leslie, Ellen, Doug, Ashish, Melanie, Kara, Anna, Dan, Chris, Irini, Mary, Jane]
Authorizations Definition
An authorization is a triple <Role, (Activity, Action)> made of a role identifier, an activity identifier (which carries the type of the activity, e.g. <invoke>) and an action; the pair (Activity, Action) is a permission.
Example of Authorizations
[Figure: the example process above, with human activities marked]
• <Assistant Professor, (<invoke> review1, execute)>
• <Associate Professor, (<invoke> review1, execute)>
• <Full Professor, (<invoke> approve1, execute)>
• <Business Office Clerk, (<invoke> approve2, execute)>
• <Dean, (<invoke> approve2, execute)>
Authorization constraints
An authorization constraint is written <D, (Activityi, Activityj), relation>, where D is the set of roles or users who have performed the antecedent activity Activityi, Activityj is the consequent activity, and the third component is a binary relation on the set of roles/users. An alternative specification is given in an XML-based language called BPCL.
Example of Authorization Constraints
[Figure: the example process above, with human activities marked]
• SoD: <U, (<invoke> review1, <invoke> review2), ≠>
• BoD: <U, (<invoke> approve2, <invoke> assign funds), =>
Resiliency constraints
A resiliency constraint <Activity, n> gives the minimum number n of users who must have the authorization to perform Activityi. A user has the authorization to execute an activity Ai if he/she is assigned to a role which has the permission to perform Ai.
Example of Resiliency Constraints
[Figure: the example process above, with human activities marked]
• <<invoke> review1, 3>
• <<invoke> review2, 3>
• <<invoke> approve1, 2>
• <<invoke> approve2, 2>
IAM lifecycle
[Figure: business process lifecycle with the IAM steps: process deployment, process resiliency evaluation, process instance execution, activity request, user identity verification, access control enforcement, activity execution, process instance termination; users enrollment takes place beforehand]
User enrollment
Users register Pedersen commitments of their identity attributes with the Identity Manager, to be used later as proofs of identity.
[Figure: enrollment flow: the user enrolls with the Identity Manager, which creates an Identity Record made of identity tuples]
Identity Record (IdR)
Each identity tuple in an IdR is <tag, M, sig, validity-assurance, ownership-assurance>, where:
• tag is the identity attribute identifier
• M = g^m h^r is the Pedersen commitment of the identity attribute; m and r are known only by the user
• sig is the signature of the IdM on M
• validity-assurance is the confidence about the validity of the identity attribute
• ownership-assurance is the confidence about the claim that the user presenting the identity attribute is its true owner
Business process resiliency
[Figure: the example process above, annotated with the resiliency constraints <<invoke> review1, 3>, <<invoke> review2, 3>, <<invoke> approve1, 2>, <<invoke> approve2, 2> and with the users authorized for each constrained activity, e.g. Chris, Irini, Anna and Dan for <invoke> review2 (the other groups shown are Mary, Jane, John and Robynne, Leslie, Tammy, John). MaxRes is equal to 3. A second copy of the process lists the configurations found, with Irini, Mary, Anna, Jane, John and John selected for the human activities.]
How to evaluate resiliency
Naive approach: compute all configurations and evaluate the resiliency constraints; if they are satisfied the business process is resilient and can be executed, otherwise it is not resilient. Computing all configurations is NP-complete.
Our approach: compute a subset Conf of configurations; if |Conf| == MaxRes the business process is resilient and can be executed, otherwise it is not resilient.
How to compute the set Conf
• Group business process's activities based on authorization constraints
• Compute a sub-configuration for each activity group
• Merge sub-configurations
[Figure: the sets of users authorized to perform Activity1, Activity2 and Activity3 (drawn from John, Allison, Peter, Heather and Iva) are intersected to obtain the set of users that can be selected to perform Activity1, Activity2 and Activity3: John]
How to compute sub-configurations
[Figure: Activity1 to Activity5 are grouped by their BoD and SoD constraints into a first, a second and a third sub-configuration; when a user assignment fails a SoD check, the user is re-assigned]
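The resiliency check described above, worked on a small constructed instance (an added example, not the presentation's or the prototype's code). It brute-forces all valid configurations, the NP-complete path of the slide, which is fine at toy size, and reads <Ai, n> as "at least n distinct users can take Ai in some configuration that honours the SoD/BoD constraints" (an assumption); the contrast with counting authorized users alone is the point.

```python
from itertools import product

# Constructed toy instance loosely modelled on the slides' review/approve
# process; names and assignments are illustrative, not the presentation's data.
USER_ROLES = {
    "Ellen": {"Assistant Professor"}, "Doug": {"Assistant Professor"},
    "Robynne": {"Associate Professor"}, "Leslie": {"Associate Professor"},
    "Tammy": {"Full Professor"}, "John": {"Dean"},
    "Chris": {"Business Office Manager"},
    "Mary": {"Business Office Clerk"}, "Jane": {"Business Office Clerk"},
}
ROLE_PERMS = {  # <Role, (Activity, execute)> authorizations, keyed by role
    "Assistant Professor": {"review1", "review2"},
    "Associate Professor": {"review1", "review2"},
    "Full Professor": {"approve1"}, "Dean": {"approve1", "approve2"},
    "Business Office Clerk": {"approve2"},
    "Business Office Manager": {"approve2", "assign_funds"},
}
SOD = [("review1", "review2")]        # relation "!=": different users
BOD = [("approve2", "assign_funds")]  # relation "=": the same user
RESILIENCY = {"review1": 3, "review2": 3, "approve1": 2, "approve2": 2}
ACTIVITIES = ["review1", "review2", "approve1", "approve2", "assign_funds"]

def authorized(activity):
    """Users assigned to at least one role holding a permission on the activity."""
    return sorted(u for u, roles in USER_ROLES.items()
                  if any(activity in ROLE_PERMS[r] for r in roles))

def valid_configurations():
    """Brute force: every assignment of an authorized user to each activity
    that satisfies all SoD and BoD constraints."""
    confs = []
    for choice in product(*(authorized(a) for a in ACTIVITIES)):
        conf = dict(zip(ACTIVITIES, choice))
        if (all(conf[a] != conf[b] for a, b in SOD)
                and all(conf[a] == conf[b] for a, b in BOD)):
            confs.append(conf)
    return confs

def naive_check():
    """Counting authorized users only: <Ai, n> holds if n users are authorized."""
    return {a: len(authorized(a)) >= n for a, n in RESILIENCY.items()}

def configuration_check(confs):
    """Assumed reading of <Ai, n>: at least n distinct users take Ai across the
    valid configurations, so the constraints are taken into account."""
    return {a: len({c[a] for c in confs}) >= n for a, n in RESILIENCY.items()}

def is_resilient():
    return all(configuration_check(valid_configurations()).values())
```

Here approve2 has four authorized users, but the BoD with assign_funds (only Chris) leaves a single user able to take it, so the naive count says resilient while the configuration-based check does not.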
Enforcement
The authorization to perform an activity Ai is granted to a user u if:
• u is assigned to a role Rk which has the permission to execute Ai
• no authorization constraint where Ai is the consequent activity is violated
[Figure: enforcement flow. The user requests Activityi at the Enforcement Point, which selects the roles authorized to perform Activityi and the role provisioning policies Pol1, ..., Polk for those roles. Role provisioning: for each policy Pol, Ri : Cond1, ..., Condn, the Enforcement Point computes the sets Conditions = {Attri | Condi ∈ Pol, Condi = NameA op l, Attri = NameA} and NoConditions = {Attri | Condi ∈ Pol, Condi = NameA, Attri = NameA}; for the attributes in NoConditions it carries out the AgZKPK protocol and for each attribute in Conditions the OCBE protocol, so that each policy Poli is verified by running AgZKPK/OCBE. If a policy is verified, the user is assigned to the role, receives a role provisioning certificate and the request for Activityi proceeds; otherwise the request is denied.]
Aggregate ZKPK protocol
It allows proving the possession of multiple identity attributes without revealing them.
Pedersen commitment scheme, Param = (G, p, g, h): p is a prime number; G is a finite cyclic group of order p such that the Diffie-Hellman problem is hard in G; g is a generator of G; h is a generator of G such that it is hard to find the number x with h = g^x.
AgZKPK protocol steps
Proof of possession of m1 and m2, committed in M1 = g^m1 h^r1 and M2 = g^m2 h^r2:
1. User: computes M = M1 M2 (= g^(m1+m2) h^(r1+r2)), chooses y, s in [1, ..., p], computes d = g^y h^s and sends M, d to the Enforcement Point.
2. Enforcement Point: chooses a challenge c in [1, ..., p] and sends c.
3. User: computes u = y + c*(m1 + m2) and v = s + c*(r1 + r2), and sends u, v.
4. Enforcement Point: verifies g^u h^v == d M^c; if verified the request is granted, otherwise it is denied.
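The four AgZKPK steps above as a working exchange (an added example, not code from the presentation or its prototype). It assumes a constructed toy group (safe prime 2039, order-1019 subgroup generated by 4 and 9) and a non-zero challenge; the Enforcement Point also checks that the M it receives is the product of the commitments registered in the IdR, which is what makes the aggregate proof bind to the enrolled attributes.

```python
from secrets import randbelow

# Toy Pedersen parameters, constructed for illustration only: P = 2Q + 1 is a
# safe prime, G and H generate the order-Q subgroup and log_G(H) is unknown to
# the user. A real deployment uses cryptographic-size parameters.
P, Q, G, H = 2039, 1019, 4, 9

def commit(m, r):
    """Pedersen commitment M = g^m h^r (mod P); m and r are known only to the user."""
    return pow(G, m, P) * pow(H, r, P) % P

def user_commit(attrs):
    """User, step 1: M = M1 * M2 * ... (= g^(sum m) h^(sum r)) from the openings
    (m_i, r_i), fresh y, s and d = g^y h^s; sends (M, d), keeps the state."""
    m_sum = sum(m for m, _ in attrs) % Q
    r_sum = sum(r for _, r in attrs) % Q
    y, s = randbelow(Q), randbelow(Q)
    return (commit(m_sum, r_sum), commit(y, s)), (y, s, m_sum, r_sum)

def ep_challenge():
    """Enforcement Point, step 2: a non-zero random challenge c."""
    return 1 + randbelow(Q - 1)

def user_respond(state, c):
    """User, step 3: u = y + c*(m1 + m2 + ...), v = s + c*(r1 + r2 + ...) mod Q."""
    y, s, m_sum, r_sum = state
    return (y + c * m_sum) % Q, (s + c * r_sum) % Q

def ep_verify(registered, M, d, c, u, v):
    """Enforcement Point, step 4: M must equal the product of the IdR commitments,
    and g^u h^v == d * M^c must hold."""
    expected = 1
    for Mi in registered:
        expected = expected * Mi % P
    if M != expected:
        return False
    return pow(G, u, P) * pow(H, v, P) % P == d * pow(M, c, P) % P

def run_agzkpk(attrs, registered):
    """Whole exchange; True only if the user knows every opening of `registered`."""
    (M, d), state = user_commit(attrs)
    c = ep_challenge()
    u, v = user_respond(state, c)
    return ep_verify(registered, M, d, c, u, v)
```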
OCBE protocols
• A user can open an encrypted message sent by a service provider if and only if the committed value of a specified identity attribute satisfies a predicate in the policy
• The service provider does not learn anything about the user's committed value
• The service provider does not know whether the user's identity attribute value satisfies its policy
GE-OCBE protocol
It allows verifying that a committed value satisfies a condition with a ≥ predicate.
Three main cryptographic primitives: the Pedersen commitment scheme, Param = (G, p, g, h), with an additional parameter l such that 2^l < p/2; a symmetric-key encryption algorithm; a cryptographic hash function H(.) : {0, 1}* → {0, 1}^k
GE-OCBE protocol steps
[Figure: Prover (user) and Enforcement Point. To prove m ≥ m0 for the committed value M = g^m h^r, the prover computes l bit commitments c0, ..., c(l-1) and sends M together with them. The Enforcement Point chooses a random number N, computes the envelope and encrypts N, sending Env, k[N]. The prover opens the envelope, decrypts C, obtains N' and returns it; the Enforcement Point verifies N' == N: if verified the request is granted, otherwise it is denied.]
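The envelope mechanism behind the OCBE protocols, shown with EQ-OCBE, the equality member of the same family (the slides detail GE-OCBE; its bit-commitment machinery is omitted here). This is an added example, not the presentation's or the prototype's code; it assumes the same constructed toy group as the AgZKPK example, SHA-256 as H(.), XOR with the hashed key as the symmetric cipher, and integer-coded attribute values.

```python
import hashlib
from secrets import randbelow, token_bytes

# Constructed toy Pedersen parameters (safe prime P = 2Q + 1, generators of the
# order-Q subgroup); a real deployment uses cryptographic-size parameters.
P, Q, G, H = 2039, 1019, 4, 9

def commit(m, r):
    """Pedersen commitment M = g^m h^r (mod P) of an integer-coded attribute m."""
    return pow(G, m, P) * pow(H, r, P) % P

def key_from(sigma):
    """Hash function H(.) turning a group element into a symmetric key."""
    return hashlib.sha256(sigma.to_bytes(4, "big")).digest()

def xor_cipher(key, data):
    """Toy stand-in for the symmetric-key encryption algorithm (key is fresh per run)."""
    return bytes(b ^ k for b, k in zip(data, key))

def ep_envelope(M, a0, nonce):
    """Enforcement Point: sigma = (M / g^a0)^y equals h^(r*y) exactly when m == a0.
    It sends eta = h^y and the nonce encrypted under H(sigma); it learns nothing
    about m and cannot tell whether the condition holds."""
    y = 1 + randbelow(Q - 1)
    sigma = pow(M * pow(G, -a0, P) % P, y, P)
    return pow(H, y, P), xor_cipher(key_from(sigma), nonce)

def user_open(eta, envelope, r):
    """User: sigma' = eta^r = h^(y*r) needs only the opening r, so nothing about
    m is revealed; the envelope opens correctly only if m == a0."""
    return xor_cipher(key_from(pow(eta, r, P)), envelope)

def run_eq_ocbe(m, r, a0):
    """Whole exchange for the condition 'attribute = a0' (e.g. Affiliation = Purdue
    with values integer-coded): True if the user returns the EP's nonce N."""
    M = commit(m, r)                      # registered in the IdR at enrollment
    nonce = token_bytes(16)               # random number N chosen by the EP
    eta, envelope = ep_envelope(M, a0, nonce)
    return user_open(eta, envelope, r) == nonce
```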
Role provisioning certificate
• Issuer
• Owner
• Attributes
• Roles
• Issuance Date
• Signature of the Verifier
Released to a user so that the proof of possession of the same set of identity attributes does not have to be performed multiple times.
Enforcement steps
1. Set user u as the user authorized to perform Ai
2. For each activity Aj compute the set of roles and of users authorized to perform the activity
3. For each activity Aj compute the set of roles and of users which satisfy authorization constraints
4. For each activity Aj compute the intersection of the sets computed at step 2 and step 3
5. If for some activity Aj the intersection set is empty, the execution of Ai is not granted to u
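The five enforcement steps above as a decision function over a constructed instance (an added example, not the prototype's code). The authorized-user sets are assumed to be the result of the user → role → permission resolution, and a constraint whose antecedent has not been performed yet is treated as not yet restrictive; the look-ahead is what lets the Enforcement Point refuse a request that would later leave an activity with nobody able to perform it.

```python
# Constructed toy instance (illustrative names, not the presentation's data).
# AUTHORIZED is the outcome of resolving users -> roles -> permissions.
AUTHORIZED = {
    "review1": {"Ellen", "Doug", "Robynne", "Leslie"},
    "review2": {"Ellen", "Doug", "Robynne", "Leslie"},
    "approve1": {"Tammy", "John"},
    "approve2": {"Mary", "Jane", "Chris", "John"},
    "assign_funds": {"Chris", "John"},
}
# Authorization constraints <D, (antecedent, consequent), relation>, D = U (users):
# SoD between the two reviews, BoD between approval and funds assignment.
CONSTRAINTS = [
    ("U", ("review1", "review2"), "!="),
    ("U", ("approve2", "assign_funds"), "="),
]

def candidates(activity, assigned):
    """Users authorized for `activity` that also satisfy every constraint having
    `activity` as consequent, given `assigned` (history plus tentative choices).
    Constraints whose antecedent is still unassigned cannot be violated yet."""
    users = set(AUTHORIZED[activity])
    for _, (antecedent, consequent), relation in CONSTRAINTS:
        if consequent == activity and antecedent in assigned:
            performer = assigned[antecedent]
            users = {u for u in users if (u == performer) == (relation == "=")}
    return users

def grant(user, activity, history):
    """Steps 1-5: tentatively set `user` as performer of `activity`, then require
    that every not-yet-performed activity keeps a non-empty set of users that
    are both authorized (step 2) and constraint-compliant (step 3)."""
    if user not in candidates(activity, history):
        return False                      # no permission, or a constraint violated
    tentative = dict(history, **{activity: user})
    remaining = [a for a in AUTHORIZED if a not in tentative]
    return all(candidates(a, tentative) for a in remaining)
```

Mary is authorized for approve2, yet granting her the activity would leave assign_funds with no compliant user under the BoD constraint, so the request is denied; Chris is granted.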
RBAC-WS-BPEL framework
[Figure: architecture. The BPEL Engine runs the BPEL Process and talks to the RBAC-WS-BPEL Enforcement Service over a WSDL interface (initiateActivity, OnActivityResult); the Enforcement Service keeps a Constraints Store, an XACML Policy Store, a History Store and a Planning Store (planning) and exposes a WSDL interface (listActivity, claimActivity) to the Client Module; the Identity Manager Service keeps the Identity Records and issues Proof-of-Identity Certs used by the client]
• Enforcement Web service: Java Web service (WSDL interface for users under development)
• Identity Manager: Java Servlet
• Application server: Apache Tomcat 6
• Client application: Java
• ODE BPEL engine 1.5
• Oracle database 10g
[Figure: configuration tool interface]
Experimental evaluation
• Complexity of evaluating process resiliency: varying the number of SoD constraints; varying the number of BoD constraints
• Complexity of verifying user identity: AgZKPK varying the number of identity attributes; OCBE varying the parameter l
• Complexity of the enforcement process: enforcement varying the number of users
Tests on resiliency
Two versions of the algorithm to compute configurations of users: non-optimized algorithm and optimized algorithm.
Business process: 21 activities; No. SoD constraints: 6; No. BoD constraints: 6; Role hierarchy: 7 roles; No. potential users: 50
[Plot: time (ms, log scale from 10 to 100000) vs number of BoD constraints (0 to 5), series "Algorithm 1" and "Non Optimized Algorithm"]
[Plot: time (ms, log scale from 10 to 1000000) vs number of SoD constraints (3 to 9), series "Non Optimized Algorithm" and "Algorithm 1"]
Test on role provisioning
Business process: 21 activities; No. SoD constraints: 6; No. BoD constraints: 6; Role hierarchy: 7 roles; No. potential users: 50; No. of simple conditions: [1, 50]; Value of parameter l: [5, 20]
[Plot: AgZKPK, time (secs, 0 to 0.1) vs number of simple conditions (1 to 50), series "Create AgZKP" and "Verification"]
Tests on OCBE protocols
[Plot: time (ms, 0 to 2000) vs parameter l (5 to 20), series "Commitments Creation" and "Opening Envelope"]
Test on Enforcement
Business process: 30; Role hierarchy: 20; Number of potential users: [500, 2500]; Number of users per role: Num users / Num roles; Number of SoD constraints: 435
[Plot: enforcement execution time (sec, 0 to 160) vs number of users (0 to 2500), with data labels 0.25, 138.86 and 298.25]
Conclusions and Future Works
• Innovative authorization framework for WS-BPEL processes: evaluation of the resiliency of a business process; specification and enforcement of authorizations and authorization constraints
• Future work: extend RBAC-WS-BPEL to cross-organizational business processes; resiliency of a business process to change
Back up
Form for Review Activity
<form name="input" action="UserSide" method="post">
Reviewer: <input type="text" name="reviewer"/><br/>
Comment: <input type="text" name="content"/><br/>
<input type="hidden" name="instanceid" value="#?instid?#"/>
<input type="hidden" name="action" value="execute"/>
<input type="submit" value="Submit"/>
</form>