Policy-based access control approach to staff activities of a business process
First Claim
1. A computer implemented method for dynamically assigning a staff activity to a human entity or organizational role, the computer implemented method comprising:
- receiving, from a process server, identification information defined by an output from a process development tool at development time, about a particular staff activity in a business process at an access control system external to the process server, wherein the identification information is a tuple comprising an identifier of the business process, an identifier of the particular staff activity in the business process, and business objects affected by actions of the particular staff activity, and wherein the identification information is absent identification of an identified user;
- storing the tuple in an access policy store of the access control system, wherein the access policy store comprises role-based access control lists to form bindings between the staff activities and human entities or organizational roles using the identification information in the tuple, and wherein the human entities, the organizational roles and deciding rules are able to be updated at deployment time;
- responsive to initiation of the business process, running the business process until the business process reaches a point in a workflow for the particular staff activity and dynamically resolving the particular staff activity at the access control system at runtime by assigning the particular staff activity to the identified user by an authorization policy engine in the access control system using an access policy of the access control system and the tuple stored to form a staff activity assignment, wherein resolving the particular staff activity at the access control system further includes:
  - examining membership of the identified user in an organizational group or role;
  - assigning the particular staff activity to the identified user based on a membership of the identified user; and
- communicating the staff activity assignment from the access control system to the process server, wherein the staff activity assignment includes a process name, activity name pair of each activity awaiting intervention by the identified user;
- wherein the receiving, resolving, and communicating steps enable development of the business process to be decoupled from staff activity resolution at runtime.
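The claim above describes a small protocol between three parties: a process server that emits user-free activity tuples at development time, an access policy store whose role bindings and memberships are deployment-time data, and an authorization policy engine that resolves an activity to a user at runtime and returns the (process name, activity name) pairs awaiting that user. The following Python model is an added illustration, not code from the patent or from any product it covers; the class names, the loan-approval process, the role names and the users are all constructed for the example. It shows the decoupling the claim is after: the registered tuple never changes, yet a redeployment that widens a role binding changes who is resolved at runtime.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

ActivityKey = Tuple[str, str]  # (process identifier, staff activity identifier)


@dataclass(frozen=True)
class StaffActivityTuple:
    """Identification information as produced by the process development tool:
    the process, the activity and the affected business objects. It deliberately
    carries no user identity, matching the claim's 'absent identification of a user'."""
    process_id: str
    activity_id: str
    business_objects: FrozenSet[str]

    @property
    def key(self) -> ActivityKey:
        return (self.process_id, self.activity_id)


class AccessPolicyStore:
    """Hypothetical access policy store inside the access control system.
    Role bindings and group memberships are deployment-time data and can change
    without touching the registered tuples."""

    def __init__(self) -> None:
        self.tuples: Dict[ActivityKey, StaffActivityTuple] = {}
        self.role_bindings: Dict[ActivityKey, Set[str]] = {}
        self.memberships: Dict[str, Set[str]] = {}

    def register(self, activity: StaffActivityTuple) -> None:
        # Receiving and storing the tuple: no user is involved at this point.
        self.tuples[activity.key] = activity
        self.role_bindings.setdefault(activity.key, set())

    def bind_role(self, key: ActivityKey, role: str) -> None:
        # Bindings may only reference activities the process server registered.
        if key not in self.tuples:
            raise KeyError(f"unknown staff activity {key}")
        self.role_bindings[key].add(role)

    def add_member(self, user: str, role: str) -> None:
        self.memberships.setdefault(user, set()).add(role)


class AuthorizationPolicyEngine:
    """Hypothetical engine that resolves a registered activity to a user at runtime."""

    def __init__(self, store: AccessPolicyStore) -> None:
        self.store = store

    def may_perform(self, user: str, key: ActivityKey) -> bool:
        # Examine membership; deny by default for unknown activities or unbound roles.
        bound = self.store.role_bindings.get(key, set())
        return bool(bound & self.store.memberships.get(user, set()))

    def assignment_for(self, user: str, pending: List[ActivityKey]) -> List[ActivityKey]:
        """The staff activity assignment sent back to the process server: the
        (process name, activity name) pairs awaiting this user's intervention."""
        return [key for key in pending if self.may_perform(user, key)]


def run_scenario() -> Dict[str, List[ActivityKey]]:
    """Constructed scenario: one process with two staff activities, a deployment-time
    rebinding, and runtime resolution for three users before and after it."""
    store = AccessPolicyStore()
    engine = AuthorizationPolicyEngine(store)

    # Development time: the process server hands over tuples only.
    review = StaffActivityTuple("loan_approval", "review_application",
                                frozenset({"LoanApplication"}))
    sign_off = StaffActivityTuple("loan_approval", "sign_off",
                                  frozenset({"LoanApplication", "ApprovalRecord"}))
    store.register(review)
    store.register(sign_off)

    # Deployment time: bindings and memberships live in the access control system.
    store.bind_role(review.key, "loan_officer")
    store.bind_role(sign_off.key, "branch_manager")
    store.add_member("alice", "loan_officer")
    store.add_member("bob", "branch_manager")

    # Runtime: the process has reached both activities and asks who may act on them.
    pending = [review.key, sign_off.key]
    users = ("alice", "bob", "carol")
    before = {"before_" + u: engine.assignment_for(u, pending) for u in users}

    # Redeployment: widen the review binding; the registered tuple is untouched.
    store.bind_role(review.key, "senior_clerk")
    store.add_member("carol", "senior_clerk")
    after = {"after_" + u: engine.assignment_for(u, pending) for u in users}

    return {**before, **after}
```

Two properties worth checking in any real implementation of this pattern are visible in the model: the process server side only ever sees activity keys, so a compromised process definition cannot name a user, and resolution is deny-by-default, so an activity registered without any binding is never assigned to anyone.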
Abstract
A computer implemented method, data processing system, and computer program product for dynamically binding business process activities to human entities at deployment time. Identification information about a staff activity in a business process is received from a process server at an access control system external to the process server. Responsive to initiation of the business process, the staff activity is resolved at the access control system at runtime by assigning the staff activity to a user based on an access policy of the access control system to form a staff activity assignment. The staff activity assignment is communicated from the access control system to the process server. The process allows the development of the business process to be entirely decoupled from staff activity resolution at runtime.
12 Claims
6. A data processing system for dynamically assigning a staff activity to a human entity or organizational role, the data processing system comprising:
- a bus;
- a storage device connected to the bus, wherein the storage device contains computer usable code;
- at least one managed device connected to the bus;
- a communications unit connected to the bus; and
- a processing unit connected to the bus, wherein the processing unit executes the computer usable code to:
  - receive, from a process server, identification information defined by an output from a process development tool, at development time, about a particular staff activity in a business process at an access control system external to the process server, wherein the identification information is a tuple comprising an identifier of the business process, an identifier of the particular staff activity in the business process, and business objects affected by actions of the particular staff activity, and wherein the identification information is absent identification of an identified user;
  - store the tuple in an access policy store of the access control system, wherein the access policy store comprises role-based access control lists to form bindings between the staff activities and human entities or organizational roles using the identification information in the tuple, and wherein the human entities, the organizational roles and deciding rules are able to be updated at deployment time;
  - dynamically resolve the particular staff activity at the access control system at runtime by running the business process until the business process reaches a point in a workflow for the particular staff activity and assigning the particular staff activity to the identified user by an authorization policy engine in the access control system using an access policy of the access control system and the tuple stored to form a staff activity assignment in response to initiation of the business process, wherein resolving the particular staff activity at the access control system further includes: examining membership of the identified user in an organizational group or role and assigning the particular staff activity to the user based on a membership of the identified user; and
  - communicate the staff activity assignment from the access control system to the process server, wherein the staff activity assignment includes a process name, activity name pair of each activity awaiting intervention by the identified user;
- wherein the computer usable code to receive, resolve, and communicate enable development of the business process to be decoupled from staff activity resolution at runtime.
8. A computer program product for dynamically assigning a staff activity to a human entity or organizational role, the computer program product comprising:
- a non-transitory computer usable medium having computer usable program code stored thereon, which when executed by a computer directs the computer to:
  - receive, from a process server, identification information, defined by an output from a process development tool at development time, about a particular staff activity in a business process at an access control system external to the process server, wherein the identification information is a tuple comprising an identifier of the business process, an identifier of the particular staff activity in the business process, and business objects affected by actions of the particular staff activity, and wherein the identification information is absent identification of a user;
  - store the tuple in an access policy store of the access control system, wherein the access policy store comprises role-based access control lists to form bindings between the staff activities and human entities or organizational roles using the identification information in the tuple, and wherein the human entities, the organizational roles and deciding rules are able to be updated at deployment time;
  - dynamically resolve the particular staff activity at the access control system at runtime by running the business process until the business process reaches a point in a workflow for the particular staff activity and assigning the particular staff activity to the identified user by an authorization policy engine in the access control system using an access policy of the access control system and the tuple stored to form a staff activity assignment in response to initiation of the business process, wherein executing computer usable program code for resolving the particular staff activity at the access control system further directs the computer to: examine membership of the identified user in an organizational group or role, and computer usable program code for assigning the particular staff activity to the identified user based on a membership of the identified user; and
  - communicate the staff activity assignment from the access control system to the process server, wherein the staff activity assignment includes a process name, activity name pair of each activity awaiting intervention by the identified user;
- wherein the directing the computer to receive, resolve, and communicate enable development of the business process to be decoupled from staff activity resolution at runtime.
Specification