integration with identity management systems, applications, and enterprise
resource planning systems is still rather ad-hoc. Workflow management
systems separate business process control from applications, making it easier
to reuse applications for various business processes. Similarly, it is desirable
to separate workflow management from overall business policy management
and identity management. However, interactions between security constraints
and business rules need to be considered when user-task assignments are
performed. Moreover, control of authorizations and permissions can be set across
the organization, and the workflow management system would only need to be
concerned with constraints that apply specifically to the workflow and could
consult the policy management system for general authorization questions.
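
The division of responsibility described above, as an added example that is not from the chapter: the workflow engine keeps only workflow-specific constraints (here a separation-of-duty pair, declared as data) and asks a policy service for general authorization. All class, role, task and user names are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass, field


class PolicyService:
    """Stand-in for the organization-wide policy and identity management system."""

    def __init__(self, role_members, role_permissions):
        self._members = role_members      # role -> set of users
        self._perms = role_permissions    # role -> set of permitted tasks

    def is_authorized(self, user, permission):
        # General authorization question: does any role of this user grant it?
        return any(user in self._members.get(role, set()) and permission in perms
                   for role, perms in self._perms.items())


@dataclass
class WorkflowInstance:
    # Workflow-specific constraints only: task pairs that need different users.
    sod_pairs: set
    assigned: dict = field(default_factory=dict)   # task -> user

    def assign(self, task, user, policy):
        # Step 1: general authorization is delegated to the policy system.
        if not policy.is_authorized(user, task):
            return False, "denied by organizational policy"
        # Step 2: constraints that apply specifically to this workflow.
        for a, b in self.sod_pairs:
            other = b if task == a else a if task == b else None
            if other is not None and self.assigned.get(other) == user:
                return False, f"separation of duty with task '{other}'"
        self.assigned[task] = user
        return True, "assigned"


def demo():
    # Constructed sample data: bob holds both roles, so only the SoD check stops him.
    policy = PolicyService(
        role_members={"clerk": {"alice", "bob"}, "manager": {"bob", "carol"}},
        role_permissions={"clerk": {"prepare_check"}, "manager": {"approve_check"}},
    )
    wf = WorkflowInstance(sod_pairs={("prepare_check", "approve_check")})
    return [
        wf.assign("prepare_check", "bob", policy),
        wf.assign("approve_check", "alice", policy),   # not a manager
        wf.assign("approve_check", "bob", policy),     # authorized, but prepared it
        wf.assign("approve_check", "carol", policy),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```
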
Even less mature is work on inter-organizational workflows. Existing
workflow systems do not easily integrate to allow formation of a single
business process. Instead, inter-organizational workflows are cobbled together
from separate, disparate business processes within each organization.
Transaction-oriented interfaces exist that use the XML-based ebXML business
process interface for support of transactions between organizations. This supports
inter-organizational interactions by standardizing interfaces. From a security
perspective, constraints can currently only be applied at the organizational
level. No standard way exists for external organizations to specify constraints
on assignment of individuals. Moreover, adhering to the individual
organization's business rules and security constraints is essential while composing
inter-organizational workflows. A more challenging issue would be to
accomplish the composition when individual organizational policies (security as well
as business) are sensitive and therefore cannot be revealed.
When processes are created in an ad-hoc manner, participating
organizations need also to be concerned with evaluating the risk of working with
other participating organizations for the successful completion of the
workflow. Trust management issues include being able to assess the credibility of
the participants as well as the results of their portion of the process.
Contractual obligations must be established, monitored and assessed, and audit trails
must be available to all participants. Secure, available and reliable
information on business process execution has not been deeply addressed in terms of
inter-organizational business processes or workflows.
Finally, many of the research ideas presented in this chapter have not been
implemented and the problems they solve are still not addressed in existing
systems. Specifically, while role-based access control and enforcement of the
SOD constraints to a limited extent have been implemented in some
commercial systems, much of that has been done as application code. As a result,
their safety is not tractable.