Automated generation of access control policies in cross-organizational workflow

US 20060253314A1
Filed: 02/17/2006
Published: 11/09/2006
Est. Priority Date: 05/03/2005
Status: Active Grant

First Claim

Patent Images

1. A method for controlling an interaction of a plurality of participants in a workflow process of a network system, the method comprising:

classifying a plurality of activities as a first type, a second type or a third type;

generating a control policy based on the type of activity; and

applying the control policy to determine whether a requesting participant is permitted to interact with a responding participant, wherein the activity of the requesting participant precedes the activity of the responding participant in the workflow process.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system to control an interaction of a plurality of participants in a workflow process. The method classifies the plurality of activities as (1) first activity of the workflow process, (2) first activity of a participant in an on-going workflow process, and (3) interaction activity. A set of access control policies is generated for each type of activity. The policies include workflow initialization policy, participation policy and interaction policies. The policies determine if a requesting participant is permitted to interact with a responding participant. In addition, the system includes a policy enforcement point for receiving a request from a requesting participant, wherein the request is for activating an activity of a responding participant. The policy enforcement point forwards the request to a policy decision point where the request is evaluated based on the set of access control policies.

Citations

28 Claims

1. A method for controlling an interaction of a plurality of participants in a workflow process of a network system, the method comprising:
- classifying a plurality of activities as a first type, a second type or a third type;
  
  generating a control policy based on the type of activity; and
  
  applying the control policy to determine whether a requesting participant is permitted to interact with a responding participant, wherein the activity of the requesting participant precedes the activity of the responding participant in the workflow process.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the first type of activity is a first activity of the workflow process.
  - 3. The method of claim 2, further comprising:
    - determining an identity of the requesting participant;
      
      determining a role of the requesting participant; and
      
      evaluating a permission to activate the first type of activity based on the identity and the role of the requesting participant.
  - 4. The method of claim 1, wherein the second type of activity is a first activity of the responding participant in the workflow process.
  - 5. The method of claim 4, further comprising:
    - determining a role of the requesting participant;
      
      determining a trust level of the requesting participant; and
      
      evaluating a permission to activate the second type of activity based on the role and the trust level of the requesting participant.
  - 6. The method of claim 5, wherein the trust level of the requesting participant is a qualification of the requesting participant as specified by the responding participant.
  - 7. The method of claim 1, wherein the third type of activity is an interaction activity between the requesting and the responding participants.
  - 8. The method of claim 7, further comprising:
    - receiving a request from the requesting participant to activate the third type of activity of the responding participant;
      
      verifying a identity certificate of the requesting participant; and
      
      evaluating a permission to activate the third type of activity based on an identity of the requesting participant from the identity certificate.
  - 9. The method of claim 1, further comprising:
    - receiving at a policy enforcement point of the responding participant, a request to interact from the requesting participant;
      
      forwarding the request from the policy enforcement point to a policy decision point of the responding participant;
      
      evaluating the request with the control policy at the policy decision point; and
      
      providing the requesting participant with a decision to interact.

10. A network system for controlling an interaction of a plurality of participants in a workflow process, the system comprising:
- means for classifying a plurality of activities as a first type, a second type or a third type;
  
  means for generating a control policy based on the type of activity; and
  
  means for applying the control policy to determine whether a requesting participant is permitted to interact with a responding participant, wherein the activity of the requesting participant precedes the activity of the responding participant in the workflow process.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein the first type of activity is a first activity of the workflow process.
  - 12. The system of claim 11, further comprising:
    - means for determining an identity of the requesting participant;
      
      means for determining a role of the requesting participant; and
      
      means for evaluating a permission to activate the first type of activity based on the identity and the role of the requesting participant.
  - 13. The system of claim 10, wherein the second type of activity is a first activity of the responding participant in the workflow process.
  - 14. The system of claim 13, further comprising:
    - means for determining a role of the requesting participant;
      
      means for determining a trust level of the requesting participant; and
      
      means for evaluating a permission to activate the second type of activity based on the role and the trust level of the requesting participant.
  - 15. The system of claim 14, wherein the trust level of the requesting participant is a qualification of the requesting participant as specified by the responding participant.
  - 16. The system of claim 10, wherein the third type of activity is an interaction activity between the requesting and the responding participants.
  - 17. The system of claim 16, further comprising:
    - means for receiving a request from the requesting participant to activate the third type of activity of the responding participant;
      
      means for verifying a identity certificate of the requesting participant; and
      
      means for evaluating a permission to activate the third type of activity based on an identity of the requesting participant from the identity certificate.
  - 18. The system of claim 10, further comprising:
    - means for receiving at a policy enforcement point of the responding participant, a request to interact from the requesting participant;
      
      means for forwarding the request from the policy enforcement point to a policy decision point of the responding participant;
      
      means for evaluating the request with the control policy at the policy decision point; and
      
      means for providing the requesting participant with a decision to interact.

19. A machine-readable medium comprising instructions, which when executed by a machine, cause the machine to perform a system to delegate an access authority for accessing a protected resources, the method comprising:
- classifying a plurality of activities as a first type, a second type or a third type;
  
  generating a control policy based on the type of activity; and
  
  applying the control policy to determine whether a requesting participant is permitted to interact with a responding participant, wherein the activity of the requesting participant precedes the activity of the responding participant in the workflow process.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The machine-readable medium of claim 19, wherein the first type of activity is a first activity of the workflow process.
  - 21. The machine-readable medium of claim 20, further comprising:
    - determining an identity of the requesting participant;
      
      determining a role of the requesting participant; and
      
      evaluating a permission to activate the first type of activity based on the identity and the role of the requesting participant.
  - 22. The machine-readable medium of claim 19, wherein the second type of activity is a first activity of the responding participant in the workflow process.
  - 23. The machine-readable medium of claim 22, further comprising:
    - determining a role of the requesting participant;
      
      determining a trust level of the requesting participant; and
      
      evaluating a permission to activate the second type of activity based on the role and the trust level of the requesting participant.
  - 24. The machine-readable medium of claim 23, wherein the trust level of the requesting participant is a qualification of the requesting participant as specified by the responding participant.
  - 25. The machine-readable medium of claim 19, wherein the third type of activity is an interaction activity between the requesting and the responding participants.
  - 26. The machine-readable medium of claim 25, further comprising:
    - receiving a request from the requesting participant to activate the third type of activity of the responding participant;
      
      verifying a identity certificate of the requesting participant; and
      
      evaluating a permission to activate the third type of activity based on an identity of the requesting participant from the identity certificate.
  - 27. The machine-readable medium of claim 19, further comprising:
    - receiving at a policy enforcement point of the responding participant, a request to interact from the requesting participant;
      
      forwarding the request from the policy enforcement point to a policy decision point of the responding participant;
      
      evaluating the request with the control policy at the policy decision point; and
      
      providing the requesting participant with a decision to interact.

28. A workflow management system for controlling an interaction of a plurality of participants in a workflow process, the system comprising a policy enforcement point to accept a request for activating an activity of a responding participant;
- and a policy decision point to evaluates the request based on a set of access control policies.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP SE
Inventors
Reznichenko, Yevgen, Haller, Jochen, Rits, Maarten E., Hebert, Cedric R.J., Spadone, Pascal T.C.

Granted Patent

US 8,744,892 B2
Time in Patent Office

Days
Field of Search
US Class Current

705/9
CPC Class Codes

G06Q 10/06   Resources, workflows, human...

G06Q 10/0633   Workflow analysis

G06Q 10/10   Office automation; Time man...

Automated generation of access control policies in cross-organizational workflow

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Automated generation of access control policies in cross-organizational workflow

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links