190 likes | 322 Views
Secure Access to Service-based Collaborative Workflow for DAME. Duncan Russell Informatics Institute University of Leeds, UK. DAME (Distributed Aircraft Maintenance Environment). EPSRC Funded, 3 years. Ended Dec 2004 4 Universities:
E N D
Secure Access to Service-based Collaborative Workflow for DAME Duncan Russell Informatics Institute University of Leeds, UK CoLaB 22nd December 2005
DAME (Distributed Aircraft Maintenance Environment) • EPSRC Funded, 3 years. Ended Dec 2004 • 4 Universities: • University of Leeds - School of Computing and School of Mechanical Engineering • University of Oxford - Dept of Engineering Science • University of Sheffield - Dept of Automatic Control and Systems Engineering • University of York - Dept of Computer Science • Industrial Partners: • Rolls-Royce • Data Systems and Solutions
Secure Access to Service-based Collaborative Workflow for DAME • Access control within a Service Architecture • Users collaborating in workflows • Across multiple organisations • Dynamic policy to define access to workflow and services • Illustrated using a Case Study
Outline • Workflow background • Workflow-team Policy • DAME Case Study • DAME Portal • Summary
Business Requirements to Workflow Definition • Business requirements creates: • Workflow definition • Workflow based access policy • Collaborating users are defined as roles
Collaborative Workflow and Access Control • Workflow and Policy definitions used in the instances • User take on roles within the workflow • A Workflow-team policy records users in roles1 (1) Thomas, R. K. (1997) Team-based access control (TMAC): a primitive for applying role-based access controls in collaborative environments. In: Proc. 2nd ACM workshop on Role-based access control, 1997. pp.13-19
Collaborative Access to Service Instances • Workflows create and invoke service instances • Each workflow instance controls access to service instances with its own policy instance2 • The Workflow-team includes service instances and user permissions (2) Liu, P. and Chen, Z. (2004) An Access Control Model for Web Services in Business Process. In: IEEE/WIC/ACM Int. Conf. on Web Intelligence, 2004. pp. 292-298
Access Control to Collaborative Workflow • The workflow creates the context • Users involved in the workflow are: • Not known before creation • Change during execution • Service instances created during the process • May be shared between users • Become temporary assets during the workflow lifetime • Role-based access control (RBAC) simplifies administration • Policy can be generalised by role • An active workflow creates a context that requires fine grained access control
Secure Workflow-team • Static Workflow & Service Policies • Restrictions to actions on Workflow & Services • By Subject Attribute (role, organisation) • Dynamic Workflow-team Policy • Defines team members • As users with role permissions • Access permission to service instance • Temporary policy for active workflow (instance)
DAME System • Aircraft Engine Diagnostics • Expert system & decision support • Predictive maintenance scheduling • Distributed Resources • Data sources e.g. aircraft engines • Signal & Case data processing services • Distributed Users • Maintenance staff at airport (for Airline) • Engine experts at Rolls Royce and DS&S • On-demand Requirements • Diagnostics response within turn-around time • Virtual Organisation (VO)
DAME Architecture Controlled access to workflow instances Team instances Browser Presentation Tier Role database Case database Portal Team templates Business Tier Workflow Credential Workflow Manager Service Tier Pattern Matching Engine Data Store Workflow Advisor Feature Detection Feature Visualization Engine Model CBR Resource Tier Broker White Rose Grid
Future Workflow-team Architecture • Investigate issues with standardization • WS-BPEL, SAML, XACML3 • Automating the definition of access policies from business requirements • Compare with recent developments • CAS, VOMS, Shibboleth, PERMIS • Applications in BROADEN • (Business Resource Optimisation for After-market and design On Engineering Networks) • Follow-on project • Industrial implementation of DAME (3) Mendling, J., et al.(2004) An Approach to Extract RBAC Models from BPEL4WS Processes. In: Proc. of the 13th IEEE Int. WET ICE 2004
Questions? Secure Access to Service-based Collaborative Workflow for DAME Duncan Russell duncanr@comp.leeds.ac.uk This research is funded by the Engineering and Physical Science Research Council (EPSRC), e–Science Programme, Contract No. GR/R67668/01