Originator usage control with business process slicing

TL;DR

This paper introduces a business process slicing method and Service Call Graphs to enable dynamic originator usage control in enterprise collaborations, maintaining policies throughout asset lifecycles.

Contribution

It presents a novel process slicing approach and SCG extension for real-time, fine-grained downstream usage control in collaborative enterprise environments.

Findings

Effective asset derivation pattern capture in business processes.

Successful implementation of context-aware security policy enforcement.

Feasibility demonstrated through experiments with WS-BPEL processes.

Abstract

Originator Control allows information providers to define the information re-dissemination condition. Combined with usage control policy, fine-grained 'downstream usage control' can be achieved, which specifies what attributes the downstream consumers should have and how data is used. This paper discusses originator usage control, paying particular attention to enterprise-level dynamic business federations. Rather than 'pre-defining' the information re-dissemination paths, our business process slicing method 'capture' the asset derivation pattern, allowing to maintain originators' policies during the full lifecycle of assets in a collaborative context. First, we propose Service Call Graph (SCG), based on extending the System Dependency Graph, to describe dependencies among partners. When SCG (and corresponding 'service call tuple' list) is built for a business process, it is analyzed to group partners into sub-contexts, according to their dependency relations. Originator usage control can be achieved focusing on each sub-context, by examining downstream consumers' security profiles with upstream asset providers' policies. Second, for analyzing SCG, we propose two 'slicing' strategies, namely 'asset-based' and 'request-based' slicing, to deal with the scenarios of both 'pre-processing' a business process scripts and 'on-the-fly' analyzing service compositions. Last, our implementation work involves a 'context manager' service for processing business processes defined in WS-BPEL. It can be composed with our former proposed policy negotiation and aggregation services to provide policy-based end-to-end security management. We also make experiments based on processing the sample processes that come with 'WS-BPEL2.0' specification.