Policy based auditing of workflows
Abstract
An auditing system is disclosed comprising a Policy Validation Mechanism Program (PVMP) that operates in conjunction with a Workflow Engine (WE), and a Policy Validation Server Program (PVSP) that operates on a Policy Validation Server (PVS) connected to the WE by a secure communication link. The PVMP converts a workflow to a workflow representation (WR) and sends the WR to the PVS. The PVSP compares the steps in the WR to a security policy identified for that WR and determines whether the WR is in compliance. In addition, the PVSP validates a checksum for the WR and logs the checksum for subsequent comparisons. The PVSP uses the checksum to determine whether a policy has changed during execution of the workflow.
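As an added illustration of the exchange the abstract describes (this is not code from the patent or its assignee), the following Python block plays both sides: the WE side converts a constructed workflow to a canonical-JSON workflow representation and computes the first numerical value, and a PVS-side class recomputes the second value after transmission, compares it with the checksum it logged for that workflow on an earlier submission, and checks each step's action against a constructed policy table before returning a success or failure response. The checksum formula (SHA-256), the JSON format, the policy table, the sample workflow and every name are assumptions. One caveat a practitioner would add: an unkeyed checksum only detects that the WR changed, so the block optionally keys the formula (HMAC-SHA-256 with a key shared over the secure link), which keeps a party that alters the WR in transit from recomputing a matching first value.

```python
import copy
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample workflow (hypothetical); the WE side converts it to a WR.
SAMPLE_WORKFLOW = {
    "id": "wf-42",
    "policy": "payments",
    "steps": [
        {"name": "validate-order", "action": "read"},
        {"name": "charge-card", "action": "charge"},
        {"name": "send-receipt", "action": "notify"},
    ],
}

# Constructed policy table: policy id -> actions a compliant workflow may perform.
POLICIES = {"payments": {"read", "charge", "notify"}}


def to_wr(workflow: dict) -> bytes:
    """WE side: convert the workflow to its workflow representation (canonical JSON)."""
    return json.dumps(workflow, sort_keys=True, separators=(",", ":")).encode()


def checksum(wr: bytes, key: Optional[bytes] = None) -> str:
    """The checksum formula shared by WE and PVS (assumption: SHA-256).
    With a key shared over the secure link it becomes HMAC-SHA-256, so a party
    that alters the WR in transit cannot recompute a matching first value."""
    if key is None:
        return hashlib.sha256(wr).hexdigest()
    return hmac.new(key, wr, hashlib.sha256).hexdigest()


@dataclass
class PolicyValidationServer:
    """PVS side: holds the policy table and the log of accepted checksums."""
    policies: dict
    key: Optional[bytes] = None
    log: dict = field(default_factory=dict)  # workflow id -> last accepted checksum

    def validate(self, wr: bytes, first_value: str) -> dict:
        """PVSP: recompute the checksum, compare with the logged value, check steps."""
        second_value = checksum(wr, self.key)
        # A difference between first and second value: the WR changed in transit.
        if not hmac.compare_digest(first_value, second_value):
            return {"status": "failure", "reason": "checksum mismatch"}
        workflow = json.loads(wr)
        wid = workflow["id"]
        # A logged checksum from an earlier submission of the same workflow that
        # differs from the current one: the workflow changed during execution.
        previous = self.log.get(wid)
        if previous is not None and previous != second_value:
            return {"status": "failure", "reason": "workflow changed during execution"}
        allowed = self.policies.get(workflow["policy"])
        if allowed is None:
            return {"status": "failure", "reason": "no policy for WR"}
        violations = [s["name"] for s in workflow["steps"] if s["action"] not in allowed]
        if violations:
            return {"status": "failure", "reason": "non-compliant steps", "steps": violations}
        self.log[wid] = second_value
        return {"status": "success", "checksum": second_value}


def demo() -> list:
    """Five submissions; returns the response status or failure reason of each."""
    key = b"constructed-shared-key"
    pvs = PolicyValidationServer(POLICIES, key=key)
    wr = to_wr(SAMPLE_WORKFLOW)
    first = checksum(wr, key)
    outcomes = []
    # 1. Clean transmission: both values agree and every step is allowed.
    outcomes.append(pvs.validate(wr, first))
    # 2. WR altered in transit while the original first value is still sent.
    outcomes.append(pvs.validate(wr.replace(b'"charge"', b'"refund"'), first))
    # 3. Same WR resubmitted later in execution: matches the logged checksum.
    outcomes.append(pvs.validate(wr, first))
    # 4. WE legitimately re-checksums a changed workflow with the same id:
    #    checksum agrees, but the logged value shows it changed during execution.
    changed = copy.deepcopy(SAMPLE_WORKFLOW)
    changed["steps"][1]["action"] = "refund"
    changed_wr = to_wr(changed)
    outcomes.append(pvs.validate(changed_wr, checksum(changed_wr, key)))
    # 5. A new workflow whose step is not permitted by its policy.
    changed["id"] = "wf-43"
    new_wr = to_wr(changed)
    outcomes.append(pvs.validate(new_wr, checksum(new_wr, key)))
    return [r.get("reason", r["status"]) for r in outcomes]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running the block prints one line per submission: the clean and resubmitted WRs succeed, the WR altered in transit fails the checksum comparison, the re-checksummed change fails against the logged value, and the new workflow fails the step-to-policy comparison.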
11 Claims
1. A method, comprising:
a computer receiving from a workflow engine a workflow representation of a workflow, the workflow representation including a first numerical value that was calculated using a formula prior to a transmission of the workflow representation to the computer, the workflow representation being a format to which the workflow was converted prior to the transmission;
the computer performing a post-transmission checksum calculation on the workflow representation, the performing comprising using the formula to determine a second numerical value for the workflow representation; and
the computer, using the post-transmission checksum, determining a snapshot of what the workflow represents;
wherein a difference between the first numerical value and the second numerical value is indicative of a policy change to the workflow representation during the transmission;
the method further comprising:
the computer transmitting a failure response in response to the difference indicating a policy change; and
the computer transmitting a success response in response to the difference indicating no policy change.
Dependent claims: 2, 3, 10, 11.

4. A computer system, comprising:
one or more processors, one or more computer-readable memories and one or more computer-readable tangible storage devices;
program instructions, stored on at least one of the one or more computer-readable tangible storage devices for execution by at least one of the one or more processors via at least one of the one or more memories, to receive a workflow representation of a workflow from a workflow engine, the workflow representation including a first numerical value that was calculated using a formula prior to a transmission of the workflow representation to the computer system, the workflow representation being a format to which the workflow was converted prior to the transmission;
program instructions, stored on at least one of the one or more computer-readable tangible storage devices for execution by at least one of the one or more processors via at least one of the one or more memories, to perform a post-transmission checksum on the workflow representation, wherein the program instructions to perform the post-transmission checksum use the formula to determine a second numerical value for the workflow representation; and
program instructions, stored on at least one of the one or more computer-readable tangible storage devices for execution by at least one of the one or more processors via at least one of the one or more memories, to determine, using the post-transmission checksum, a snapshot of what the workflow represents;
wherein a difference between the first numerical value and the second numerical value is indicative of a policy change to the workflow representation during the transmission;
the computer system further comprising:
program instructions, stored on at least one of the one or more computer-readable tangible storage devices for execution by at least one of the one or more processors via at least one of the one or more memories, to:
transmit a failure response in response to the difference indicating a policy change; and
transmit a success response in response to the difference indicating no policy change.
Dependent claims: 5, 6.

7. A computer program product, comprising:
one or more computer-readable tangible storage devices;
program instructions, stored on at least one of the one or more computer-readable tangible storage devices, to receive, at a computer and from a workflow engine, a workflow representation of a workflow, the workflow representation including a first numerical value that was calculated using a formula prior to a transmission of the workflow representation to the computer, the workflow representation being a format to which the workflow was converted prior to the transmission;
program instructions, stored on at least one of the one or more computer-readable tangible storage devices, to perform a post-transmission checksum on the workflow representation, wherein the program instructions to perform the post-transmission checksum use the formula to determine a second numerical value for the workflow representation; and
program instructions, stored on at least one of the one or more computer-readable tangible storage devices, to determine, using the post-transmission checksum, a snapshot of what the workflow represents;
wherein a difference between the first numerical value and the second numerical value is indicative of a policy change to the workflow representation during the transmission;
the computer program product further comprising:
program instructions, stored on at least one of the one or more computer-readable tangible storage devices for execution by at least one of the one or more processors via at least one of the one or more memories, to:
transmit a failure response in response to the difference indicating a policy change; and
transmit a success response in response to the difference indicating no policy change.
Dependent claims: 8, 9.