AN INTEGRATED IDENTITY AND ACCESS MANAGEMENT SOLUTION FOR BUSINESS PROCESSES

Federica Paci, Department of Engineering and Information Science, University of Trento. June 22 2009.


Page 1

Title slide: An Integrated Identity and Access Management Solution for Business Processes. Federica Paci, Department of Engineering and Information Science, University of Trento, June 22 2009.

Page 2

Outline

• Motivation
• IAM for WS-BPEL processes
  • How to handle human interactions
  • How to evaluate process resiliency to absence of users
  • How to verify users' digital identities
  • How to enforce authorizations and authorization constraints
• Prototype and experimental results
• Conclusions and future work

Page 3

Issues: WS-BPEL processes

  <process>
    <sequence>
      <receive … />
      <invoke … />
    </sequence>
  </process>

[Figure: a WS-BPEL process is published to a BPEL engine, which orchestrates Web service1, Web service2 and Web service3.]

Page 4

Issues

• How to involve humans in a business process?
• How to verify business process users' identity?
• How to prevent potential misuse of users' confidential information?
• Does a user have the permission to perform a business process's activity?
• Can the execution of a business process complete?

Page 5

Existing solutions

• Humans inclusion in WS-BPEL processes: BPEL4People (2007)
• Authorization: Koshutanski et al. (2003), Xianpeng et al. (2006)
• Resiliency to user absence: Wang et al. (2007)

Page 6

Why existing solutions are unsatisfactory

• Each solution tackles one specific problem; no comprehensive and feasible solution has been proposed.
• Important aspects that have not been considered:
  • users' digital identities management
  • resiliency of a WS-BPEL process to users' absence

Page 7

The solution

Integrated approach to digital identity and access management:
• Include human user interactions in WS-BPEL processes
• Determine if a business process can complete even if some users become unavailable (resiliency)
• Check if a user has the permission to execute a business process's activity (authorization)
• Flexible way to verify the identity of users who claim the execution of a business process's activity (identity attribute-based role provisioning)

Page 8

The focus of this talk

RBAC-WS-BPEL: innovative IAM framework for WS-BPEL processes
• New type of WS-BPEL activity to handle human interactions: <Human Activity>
• Verification of WS-BPEL process resiliency to user absence
• Specification and enforcement of authorizations and authorization constraints
• Identity attribute-based role provisioning
• RBAC-WS-BPEL prototype

Page 9

RBAC-WS-BPEL overview

[Figure: components of the model: WS-BPEL business process, human activities, automatic activities, actions, permissions, roles, users, authorization constraints, resiliency constraints, identity record, identity attributes, identity tuples, role provisioning policies.]

Page 10

Handling human interactions

[Figure: grant-approval example process. Activities: <receive> submit, <invoke> review1 and <invoke> review2 (parallel), <invoke> approve1, <invoke> approve2, <invoke> determine_status with outcomes Rejected or Funded, <invoke> assign funds, <reply> submit. Partner services: Submission Service, Review Service, Approval Service, FundsAssignment Service. The review, approve and assign-funds invokes are marked as human activities.]

Page 11

Role Provisioning Policies

A policy associates a role identifier with a list of attribute conditions:

  Role_i: Cond_1, …, Cond_n

An attribute condition has the form AttrName op l, or is a bare AttrName.

Example: Post Doctorate: PhdCertificate, Affiliation = Purdue, SSN

Page 12

Example of Role Hierarchy

[Figure: roles Dean, Full Professor, Associate Professor, Assistant Professor, Post Doctorate, PhD Student, Business Office Manager, Business Office Clerk, with the users assigned to them: John; Tammy; Robynne, Leslie; Ellen, Doug, Ashish, Melanie, Kara; Anna, Dan; Chris, Irini; Mary, Jane (as read from the figure).]

Page 13

Authorizations Definition

An authorization is a pair <Role, (Activity, Action)>: a role identifier together with a permission, where a permission is an activity identifier and the type of action performed on it.

Page 14

Example of Authorizations

[Figure: the grant-approval process of page 10, with the human activities highlighted.]

• Assistant professor, <invoke> review1, execute
• Associate professor, <invoke> review1, execute
• Full professor, <invoke> approve1, execute
• Business Office Clerk, <invoke> approve2, execute
• Dean, <invoke> approve2, execute

Page 15

Authorization constraints

An authorization constraint is a triple <D, (Activity_i, Activity_j), relation>:
• D: the set of roles/users who have performed Activity_i
• Activity_i: the antecedent activity; Activity_j: the consequent activity
• relation: a binary relation on the set of roles/users

Alternative specification in an XML-based language called BPCL.

Page 16

Example of Authorization Constraints

[Figure: the grant-approval process of page 10 with the two constraints drawn on it.]

• SoD: <U, (<invoke> review1, <invoke> review2), ≠>
• BoD: <U, (<invoke> approve2, <invoke> assign funds), =>

Page 17

Resiliency constraints

A resiliency constraint is a pair <Activity, n>: an activity identifier and the minimum number n of users who must have the authorization to perform Activity_i.

A user has the authorization to execute an activity A_i if he/she is assigned to a role which has the permission to perform A_i.

Page 18

Example of Resiliency Constraints

[Figure: the grant-approval process of page 10 with the human activities highlighted.]

• <invoke> approve1, 2
• <invoke> approve2, 2
• <invoke> review1, 3
• <invoke> review2, 3

Page 19

IAM lifecycle

[Figure: IAM steps laid over the business process lifecycle. Users enrollment; process deployment → process resiliency evaluation; process instance execution, where each activity request goes through user identity verification → access control enforcement → activity execution; process instance termination.]

Page 20

User enrollment

Users register Pedersen commitments of their identity attributes, to be used later as proofs of identity.

[Figure: Enrollment → Identity Manager → Create Identity Record, made of identity tuples.]

Page 21

Identity Record (IdR)

An identity record is made of identity tuples

  <tag, M, signature, validity-assurance, ownership-assurance>

• tag: identity attribute identifier
• M = g^m h^r: Pedersen commitment of the identity attribute; m and r are known only by the user
• signature: signature of the IdM on M
• validity-assurance: confidence about the validity of the identity attribute
• ownership-assurance: confidence about the claim that the user presenting the identity attribute is its true owner

Page 22

Business process resiliency

[Figure: the grant-approval process of page 10 annotated with each resiliency constraint and the users authorized to perform the activity.]

• <invoke> review1, 3: Chris, Irini, Anna, Dan
• <invoke> review2, 3: Chris, Irini, Anna, Dan
• <invoke> approve1, 2: Mary, Jane, John
• <invoke> approve2, 2: Robynne, Leslie, Tammy, John

MaxRes is equal to 3

Page 23

Configurations

[Figure: the grant-approval process of page 10 with one configuration of users assigned to its human activities: Irini, Mary, Anna, Jane, John, John (as read from the figure).]

Page 24

How to evaluate resiliency

[Figure: flowchart. Compute all configurations → evaluate resiliency constraints → satisfied? Yes: the business process IS resilient, EXECUTE. No: the business process IS NOT resilient.]

Computing all configurations is NP-complete.

Page 25

Our approach

[Figure: flowchart. Compute a subset Conf of configurations → |Conf| == MaxRes? Yes: the business process IS resilient, EXECUTE. No: the business process IS NOT resilient.]

Page 26

How to compute the set Conf

• Group business process's activities based on authorization constraints
• Compute a sub-configuration for each activity group
• Merge sub-configurations

Page 27

How to compute sub-configurations

[Figure: Activity1, Activity2 and Activity3 are linked by BoD constraints and form one group; Activity4 and Activity5 are shown alongside. Users authorized to perform Activity1: John, Allison; Activity2: Peter, John, Heather; Activity3: Iva, John, Heather, Allison (as read from the figure). The set of users that can be selected to perform Activity1, Activity2 and Activity3 is the intersection of these sets: John.]

Page 28

How to compute sub-configurations

[Figure: Activity1 to Activity5 with SoD constraints between groups; a first, second and third sub-configuration are computed. When a user assignment fails because of an SoD constraint, the user is re-assigned.]

Page 29

Enforcement

The authorization to perform an activity A_i is granted to a user u if:
• u is assigned to a role R_k which has the permission to execute A_i
• no authorization constraint where A_i is the consequent activity is violated

Page 30

Role Provisioning

[Figure: message flow between the User and the Enforcement Point.]

1. The user requests Activity_i.
2. The enforcement point selects the roles authorized to perform Activity_i and the policies Pol_1, …, Pol_k for those roles.
3. For each policy Pol: R_i: Cond_1, …, Cond_n it computes the sets
   Conditions = {Attr_i | Cond_i ∈ Pol, Cond_i = Name_A op l, Attr_i = Name_A}
   NoConditions = {Attr_i | Cond_i ∈ Pol, Cond_i = Name_A, Attr_i = Name_A}
4. For the attributes in NoConditions the user carries out the AgZKPK protocol; for each attribute in Conditions the OCBE protocol.
5. Each policy Pol_i is verified if it is satisfied by carrying out the AgZKPK/OCBE protocols. Verified? No: Denied. Yes: the user is assigned to the role and receives a Role Provisioning Certificate.

Page 31

Aggregate ZKPK protocol

It allows a user to prove the possession of multiple identity attributes without revealing them.

Pedersen commitment scheme, Param = (G, p, g, h):
• p is a prime number
• G is a finite cyclic group of order p such that the Diffie-Hellman problem is hard in G
• g is a generator of G
• h is a generator of G such that it is hard to find a number x such that h = g^x

Page 32

AgZKPK protocol steps

Proof of possession of m1 and m2, committed as M1 = g^m1 h^r1 and M2 = g^m2 h^r2.

User:
1. Computes M = M1 · M2 = g^(m1 + m2) h^(r1 + r2)
2. Chooses y, s in [1, …, p]
3. Computes d = g^y h^s
4. Sends M, d to the Enforcement Point

Enforcement Point:
5. Verifies M against the user's registered commitments (M = M1 · M2). Verified? No: Denied. Yes: chooses a challenge c in [1, …, p] and sends c

User:
6. Computes u = y + c · (m1 + m2), v = s + c · (r1 + r2) and sends u, v

Enforcement Point:
7. Verifies g^u h^v == d · M^c. Verified? Yes: Grant. No: Denied.
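The exchange of pages 31 and 32 as an added, runnable example (not the authors' code): toy Pedersen parameters (p = 2039, q = 1019, g = 4, constructed for this example), a User holding the openings of two committed attributes, and an Enforcement Point holding the commitments from the identity record. Class and function names are this example's own.

```python
import secrets

# Toy Pedersen parameters (constructed for this example): p = 2039 is a safe prime,
# q = 1019 = (p - 1) / 2 is the prime order of the subgroup generated by g = 4.
# Real deployments use groups of 2048 bits or more; the algebra below is unchanged.
P, Q, G = 2039, 1019, 4

def setup_h():
    """Second generator h = g^t with t discarded, so nobody knows log_g(h)."""
    return pow(G, secrets.randbelow(Q - 1) + 1, P)

def commit(m, r, h):
    """Pedersen commitment M = g^m h^r mod p, as stored in the identity record."""
    return pow(G, m, P) * pow(h, r, P) % P

class User:
    """Prover: knows the openings (m_i, r_i) of its committed identity attributes."""
    def __init__(self, openings, h):
        self.openings, self.h = openings, h

    def first_message(self):
        # M = M1 * M2 * ... = g^(sum m_i) h^(sum r_i); d = g^y h^s with fresh y, s
        self.y = secrets.randbelow(Q - 1) + 1
        self.s = secrets.randbelow(Q - 1) + 1
        M = 1
        for m, r in self.openings:
            M = M * commit(m, r, self.h) % P
        return M, commit(self.y, self.s, self.h)

    def respond(self, c):
        # u = y + c * sum(m_i), v = s + c * sum(r_i), reduced modulo the group order q
        u = (self.y + c * sum(m for m, _ in self.openings)) % Q
        v = (self.s + c * sum(r for _, r in self.openings)) % Q
        return u, v

class EnforcementPoint:
    """Verifier: holds the commitments M_i registered in the user's identity record."""
    def __init__(self, registered, h):
        self.registered, self.h = registered, h

    def challenge(self, M, d):
        # First check: the aggregate must equal the product of the registered commitments
        expected = 1
        for Mi in self.registered:
            expected = expected * Mi % P
        if M != expected:
            return None
        self.M, self.d, self.c = M, d, secrets.randbelow(Q - 1) + 1
        return self.c

    def verify(self, u, v):
        # Second check: g^u h^v == d * M^c (mod p)
        return commit(u, v, self.h) == self.d * pow(self.M, self.c, P) % P

def run_agzkpk(user, ep):
    """Full interactive run; True when the enforcement point grants the role."""
    M, d = user.first_message()
    c = ep.challenge(M, d)
    if c is None:
        return False
    return ep.verify(*user.respond(c))
```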

Page 33

OCBE protocols

• A user can open an encrypted message sent by a service provider if and only if the committed value of a specified identity attribute satisfies a predicate in the policy.
• The service provider does not learn anything about the user's committed value.
• The service provider does not know if the user's identity attribute value satisfies its policy.

Page 34

GE-OCBE protocol

It allows the enforcement point to verify that a committed value satisfies a condition with a ≥ predicate.

Three main cryptographic primitives:
• Pedersen commitment scheme, Param = (G, p, g, h), with an additional parameter l such that 2^l < p/2
• a symmetric-key encryption algorithm
• a cryptographic hash function H(·): {0, 1}* → {0, 1}^k

Page 35

GE-OCBE protocol steps

Prover (proving m ≥ m0) and Enforcement Point:
1. The prover selects the commitment M = g^m h^r, computes l commitments c_0, …, c_(l-1) and sends M, c_0, …, c_(l-1).
2. The enforcement point verifies them. Verified? No: Denied. Yes: it chooses a random number N, computes the envelope and encrypts N, and sends Env, k[N].
3. The prover opens the envelope, decrypts C, obtains N' and sends N'.
4. The enforcement point checks N' == N. Yes: Grant. No: Denied.

Page 36

Role provisioning certificate

• Issuer
• Owner
• Attributes
• Roles
• Issuance Date
• Signature of the Verifier

Released to a user to avoid performing multiple times the proof of possession of the same set of identity attributes.

Page 37

Enforcement steps

1. Set user u as the user authorized to perform A_i
2. For each activity A_j compute the set of roles and of users authorized to perform the activity
3. For each activity A_j compute the set of roles and of users which satisfy authorization constraints
4. For each activity A_j compute the intersection of the sets computed at step 2 and step 3
5. If for some activity A_j the intersection set is empty, the execution of A_i is not granted to u
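The enforcement rule of page 29 with the look-ahead steps of page 37, plus the resiliency check of page 17, as an added Python example (not the prototype's code). The role, permission and constraint tables are constructed from the grant-approval example on pages 12 to 22; the assign-funds authorization is an assumption the deck leaves open, and the function names are this example's own.

```python
# Constructed data following the grant-approval example on the slides: users per role
# are read from pages 12 and 22, authorizations from page 14 (review2 mirrors review1,
# as page 22 shows), constraints from page 16 and resiliency constraints from page 18.
ROLE_USERS = {
    "Assistant Professor": {"Chris", "Irini"},
    "Associate Professor": {"Anna", "Dan"},
    "Full Professor": {"Mary", "Jane"},
    "Dean": {"John"},
    "Business Office Manager": {"Tammy"},
    "Business Office Clerk": {"Robynne", "Leslie"},
}
# Senior role -> junior roles whose permissions it inherits (the part of the page 12
# hierarchy needed to reproduce the authorized sets of page 22).
JUNIORS = {"Dean": {"Full Professor"}, "Business Office Manager": {"Business Office Clerk"}}
# <Role, (Activity, execute)>; the assign-funds row is an assumption, not from the deck.
PERMISSIONS = {
    "review1": {"Assistant Professor", "Associate Professor"},
    "review2": {"Assistant Professor", "Associate Professor"},
    "approve1": {"Full Professor"},
    "approve2": {"Business Office Clerk", "Dean"},
    "assign funds": {"Business Office Clerk"},
}
# <D, (antecedent, consequent), relation>: SoD on the reviews, BoD on approve2/assign funds.
CONSTRAINTS = [("U", ("review1", "review2"), "!="), ("U", ("approve2", "assign funds"), "==")]
# <Activity, n>: minimum number of users who must be authorized to perform the activity.
RESILIENCY = {"approve1": 2, "approve2": 2, "review1": 3, "review2": 3}

def authorized_users(activity):
    """Users assigned, directly or through the hierarchy, to a role permitted to execute it."""
    users = set()
    for role, members in ROLE_USERS.items():
        if ({role} | JUNIORS.get(role, set())) & PERMISSIONS[activity]:
            users |= members
    return users

def check_resiliency(absent=frozenset()):
    """Deployment-time check (page 17): each activity keeps at least n authorized users."""
    return {a: len(authorized_users(a) - set(absent)) >= n for a, n in RESILIENCY.items()}

def constraint_ok(user, activity, history):
    """No constraint with `activity` as consequent is violated; history maps activity -> performer."""
    for _, (antecedent, consequent), relation in CONSTRAINTS:
        if consequent == activity and antecedent in history:
            if (relation == "==") != (history[antecedent] == user):
                return False
    return True

def grant(user, activity, history):
    """Enforcement decision of pages 29 and 37 for `user` requesting `activity`."""
    if user not in authorized_users(activity) or not constraint_ok(user, activity, history):
        return False
    # Look-ahead (page 37): with u tentatively assigned to A_i, every remaining activity
    # must still have a user who is both authorized and constraint-compliant.
    tentative = {**history, activity: user}
    for other in PERMISSIONS:
        if other not in tentative and not any(
            constraint_ok(u, other, tentative) for u in authorized_users(other)
        ):
            return False
    return True
```

With these tables the Dean is authorized for approve2 but is refused it, because the BoD constraint would then require him to assign the funds, which no role of his permits.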

Page 38

RBAC-WS-BPEL framework

[Figure: architecture, as drawn. The BPEL Engine runs the BPEL Process and talks to the RBAC-WS-BPEL Enforcement Service through a WSDL interface (initiateActivity, OnActivityResult). The Enforcement Service contains a planning component and four stores: Constraints Store, XACML Policy Store, History Store, Planning Store. The Client Module uses the Enforcement Service's WSDL interface (listActivity, claimActivity) and the Identity Manager Service, which holds the Identity Records and issues Proof-of-Identity Certificates.]

Page 39

RBAC-WS-BPEL prototype

• Enforcement Web service: Java Web service (WSDL interface for users under development)
• Identity Manager: Java Servlet
• Application server: Apache Tomcat 6
• Client application: Java
• ODE BPEL engine 1.5
• Oracle database 10g

Page 40

Configuration tool interface

[Figure: screenshot of the configuration tool.]

Page 41

Experimental evaluation

• Complexity of evaluating process resiliency: varying the number of SoD constraints; varying the number of BoD constraints
• Complexity of verifying user identity: AgZKPK varying the number of identity attributes; OCBE varying the parameter l
• Complexity of the enforcement process: enforcement varying the number of users

Page 42

Test on resiliency

Two versions of the algorithm to compute configurations of users: Algorithm Not Optimized and Algorithm Optimized.

Business process: 21 activities; No. SoD constraints: 6; No. BoD constraints: 6; Role hierarchy: 7 roles; No. potential users: 50

Page 43

Tests on resiliency

[Figure: time (ms, log scale from 10 to 100000) versus number of BoD constraints (0 to 5), for the Non Optimized Algorithm and Algorithm 1.]

Page 44

Tests on resiliency

[Figure: time (ms, log scale from 10 to 1000000) versus number of SoD constraints (3 to 9), for the Non Optimized Algorithm and Algorithm 1.]

Page 45

Test on role provisioning

Business process: 21 activities; No. SoD constraints: 6; No. BoD constraints: 6; Role hierarchy: 7 roles; No. potential users: 50; No. of simple conditions: [1, 50]; Value of parameter l: [5, 20]

Page 46

AgZKPK

[Figure: time (secs, 0 to 0.1) versus number of simple conditions (1 to 50), for "Create AgZKP" and "Verification".]

Page 47

Tests on OCBE protocols

[Figure: time (ms, 0 to 2000) versus parameter l (5 to 20), for "Commitments Creation" and "Opening Envelope".]

Page 48

Test on Enforcement

Business process: 30 activities; Role hierarchy: 20 roles; Number of potential users: [500, 2500]; Number of users per role: Num users / Num roles; Number of SoD constraints: 435

Page 49

Test on Enforcement

[Figure: enforcement execution time (sec, 0 to 160) versus number of users (0 to 2500); the values 0.25, 138.86 and 298.25 are labelled on the plot.]

Page 50

Conclusions and Future Works

• Innovative authorization framework for WS-BPEL processes
• Evaluation of the resiliency of a business process
• Specification and enforcement of authorizations and authorization constraints

Future work:
• Extend RBAC-WS-BPEL to cross-organizational business processes
• Resiliency of a business process to change

Page 51

References

1. Federica Paci, Rodolfo Ferrini, Elisa Bertino. Identity Attribute-based Role Provisioning for Human WS-BPEL Processes. In Proceedings of the IEEE International Conference on Web Services (ICWS), Los Angeles, USA, July 2009.
2. Elisa Bertino, Rodolfo Ferrini, Andrea Musci, Federica Paci, Kevin J. Steuer. A Federated Digital Identity Management Approach for Business Processes. Invited paper. In Proceedings of the 4th International Conference on Collaborative Computing: Networking, Applications and Worksharing (CollaborateCom), Orlando, Florida, November 2008.
3. Federica Paci, Rodolfo Ferrini, Yuqing Sun, Elisa Bertino. Authorization and User Failure Resiliency for WS-BPEL Business Processes. In Proceedings of the International Conference on Service Oriented Computing (ICSOC), Sydney, Australia, December 2008.
4. Federica Paci, Elisa Bertino, Jason Crampton. An Access Control Framework for WS-BPEL. International Journal of Web Services Research, 5(3): 20-43, 2008.
5. Jacques Thomas, Federica Paci, Elisa Bertino, Patrick Eugster. User Tasks and Access Control over Web Services. In Proceedings of the IEEE International Conference on Web Services (ICWS), Salt Lake City, USA, July 2007.
6. Elisa Bertino, Jason Crampton, Federica Paci. Access Control and Authorization Constraints for WS-BPEL. In Proceedings of the IEEE International Conference on Web Services (ICWS), Chicago, USA, September 2006.

Page 52

Thank you! Any questions?

Contact information: [email protected]

Page 53

Back up

Page 54

Form for Review Activity

The HTML form presented to the reviewer; the comment field belongs inside the form, next to its label, and the hidden fields carry the process instance id and the requested action:

  <form name="input" action="UserSide" method="post">
    Reviewer: <input type="text" name="reviewer"/><br/>
    Comment: <input type="text" name="content"/><br/>
    <input type="hidden" name="instanceid" value="#?instid?#"/>
    <input type="hidden" name="action" value="execute"/>
    <input type="submit" value="Submit"/>
  </form>