Policy-based access control approach to staff activities of a business process

US 8,904,391 B2
Filed: 04/23/2007
Issued: 12/02/2014
Est. Priority Date: 04/23/2007
Status: Expired due to Fees

First Claim

Patent Images

1. A computer implemented method for dynamically assigning a staff activity to a human entity or organizational role, the computer implemented method comprising:

receiving, from a process server, identification information defined by an output from a process development tool at development time, about a particular staff activity in a business process at an access control system external to the process server, wherein the identification information is a tuple comprising an identifier of the business process, an identifier of the particular staff activity in the business process, and business objects affected by actions of the particular staff activity and wherein the identification information is absent identification of an identified user;

storing the tuple in an access policy store of the access control system, wherein the access policy store comprises role-based access control lists to form bindings between the staff activities and human entities or organizational roles using the identification information in the tuple and wherein the human entities, the organizational roles and deciding rules are able to be updated at deployment time;

responsive to initiation of the business process, running the business process until the business process reaches a point in a workflow for the particular staff activity and dynamically resolving the particular staff activity at the access control system at runtime by assigning the particular staff activity to the identified user by an authorization policy engine in the access control system using an access policy of the access control system and the tuple stored to form a staff activity assignment, wherein resolving the particular staff activity at the access control system further includes;

examining membership of the identified user in an organizational group or role;

assigning the particular staff activity to the identified user based on a membership of the identified user; and

communicating the staff activity assignment from the access control system to the process server, wherein the staff activity assignment includes a process name, activity name pair of each activity awaiting intervention by the identified user;

wherein the receiving, resolving, and communicating steps enable development of the business process to be decoupled from staff activity resolution at runtime.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer implemented method, data processing system, and computer program product for dynamically binding business process activities to human entities at deployment time. Identification information about a staff activity in a business process is received from a process server at an access control system external to the process server. Responsive to initiation of the business process, the staff activity is resolved at the access control system at runtime by assigning the staff activity to a user based on an access policy of the access control system to form a staff activity assignment. The staff activity assignment is communicated from the access control system to the process server. The process allows the development of the business process to be entirely decoupled from staff activity resolution at runtime.

71 Citations

12 Claims

1. A computer implemented method for dynamically assigning a staff activity to a human entity or organizational role, the computer implemented method comprising:
- receiving, from a process server, identification information defined by an output from a process development tool at development time, about a particular staff activity in a business process at an access control system external to the process server, wherein the identification information is a tuple comprising an identifier of the business process, an identifier of the particular staff activity in the business process, and business objects affected by actions of the particular staff activity and wherein the identification information is absent identification of an identified user;
  
  storing the tuple in an access policy store of the access control system, wherein the access policy store comprises role-based access control lists to form bindings between the staff activities and human entities or organizational roles using the identification information in the tuple and wherein the human entities, the organizational roles and deciding rules are able to be updated at deployment time;
  
  responsive to initiation of the business process, running the business process until the business process reaches a point in a workflow for the particular staff activity and dynamically resolving the particular staff activity at the access control system at runtime by assigning the particular staff activity to the identified user by an authorization policy engine in the access control system using an access policy of the access control system and the tuple stored to form a staff activity assignment, wherein resolving the particular staff activity at the access control system further includes;
  
  examining membership of the identified user in an organizational group or role;
  
  assigning the particular staff activity to the identified user based on a membership of the identified user; and
  
  communicating the staff activity assignment from the access control system to the process server, wherein the staff activity assignment includes a process name, activity name pair of each activity awaiting intervention by the identified user;
  
  wherein the receiving, resolving, and communicating steps enable development of the business process to be decoupled from staff activity resolution at runtime.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The computer implemented method of claim 1, wherein the process server provides the staff activity assignment to the identified user.
  - 3. The computer implemented method of claim 1, wherein the staff activity assignment is provided to the identified user in response to the identified user logging onto the process server.
  - 4. The computer implemented method of claim 1, wherein the identified user is one of a human entity, organizational group, or organizational role.
  - 5. The computer implemented method of claim 1, wherein an authorization policy engine in the access control system receives the identification information from the process server.

6. A data processing system for dynamically assigning a staff activity to a human entity or organizational role, the data processing system comprising:
- a bus;
  
  a storage device connected to the bus, wherein the storage device contains computer usable code;
  
  at least one managed device connected to the bus;
  
  a communications unit connected to the bus; and
  
  a processing unit connected to the bus, wherein the processing unit executes the computer usable code to receive, from a process server, identification information defined by an output from a process development tool, at development time, about a particular staff activity in a business process at an access control system external to the process server, wherein the identification information is a tuple comprising an identifier of the business process, an identifier of the particular staff activity in the business process, and business objects affected by actions of the particular staff activity and wherein the identification information is absent identification of an identified user;
  
  store the tuple in an access policy store of the access control system, wherein the access policy store comprises role-based access control lists to form bindings between the staff activities and human entities or organizational roles using the identification information in the tuple and wherein the human entities, the organizational roles and deciding rules are able to be updated at deployment time;
  
  dynamically resolve the particular staff activity at the access control system at runtime by running the business process until the business process reaches a point in a workflow for the particular staff activity and assigning the particular staff activity to the identified user by an authorization policy engine in the access control system using an access policy of the access control system and the tuple stored to form a staff activity assignment in response to initiation of the business process, wherein resolving the particular staff activity at the access control system further includes;
  
  examining membership of the identified user in an organizational group or role and assigning the particular staff activity to the user based on a membership of the identified user, and communicate the staff activity assignment from the access control system to the process server, wherein the staff activity assignment includes a process name, activity name pair of each activity awaiting intervention by the identified user, wherein the computer usable code to receive, resolve, and communicate enable development of the business process to be decoupled from staff activity resolution at runtime.
- View Dependent Claims (7)
- - 7. The data processing system of claim 6, wherein the processing unit further executes the computer usable code to provide the staff activity assignment to the identified user.

8. A computer program product for dynamically assigning a staff activity to a human entity or organizational role, the computer program product comprising:
- a non-transitory computer usable medium having computer usable program code stored thereon, which when executed by a computer directs the computer to;
  
  receive, from a process server, identification information, defined by an output from a process development tool at development time, about a particular staff activity in a business process at an access control system external to the process server, wherein the identification information is a tuple comprising an identifier of the business process, an identifier of the particular staff activity in the business process, and business objects affected by actions of the particular staff activity and wherein the identification information is absent identification of a user;
  
  store the tuple in an access policy store of the access control system, wherein the access policy store comprises role-based access control lists to form bindings between the staff activities and human entities or organizational roles using the identification information in the tuple and wherein the human entities, the organizational roles and deciding rules are able to be updated at deployment time;
  
  dynamically resolve the particular staff activity at the access control system at runtime by running the business process until the business process reaches a point in a workflow for the particular staff activity and assigning the particular staff activity to the identified user by an authorization policy engine in the access control system using an access policy of the access control system and the tuple stored to form a staff activity assignment in response to initiation of the business process, wherein executing computer usable program code for resolving the particular staff activity at the access control system further directs the computer to;
  
  examine membership of the identified user in an organizational group or role and computer usable program code for assigning the particular staff activity to the identified user based on a membership of the identified user; and
  
  communicate the staff activity assignment from the access control system to the process server, wherein the staff activity assignment includes a process name, activity name pair of each activity awaiting intervention by the identified user;
  
  wherein the directing the computer to receive, resolve, and communicate enable development of the business process to be decoupled from staff activity resolution at runtime.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The computer program product of claim 8, further comprising:
    - computer usable program code for providing the staff activity assignment to the identified user.
  - 10. The computer program product of claim 8, wherein the staff activity assignment is provided to the identified user in response to the identified user logging onto the process server.
  - 11. The computer program product of claim 8, wherein the identified user is one of a human entity, organizational group, or organizational role.
  - 12. The computer program product of claim 8, wherein an authorization policy engine in the access control system receives the identification information from the process server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Benantar, Messaoud B., Madduri, Hari Haranath
Primary Examiner(s)
FEENEY, BRETT A

Application Number

US11/738,794
Publication Number

US 20080263060A1
Time in Patent Office

2,780 Days
Field of Search
US Class Current

718/100
CPC Class Codes

G06F 16/367   Ontology

G06F 9/4492   Inheritance

G06F 9/5055   considering software capabi...

G06Q 10/06   Resources, workflows, human...

G06Q 10/06311   Scheduling, planning or tas...

G06Q 10/063118   Staff planning in a project...

G06Q 10/067   Enterprise or organisation ...

G06Q 10/103   Workflow collaboration or p...

Policy-based access control approach to staff activities of a business process

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

71 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Policy-based access control approach to staff activities of a business process

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

71 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links