Policy based auditing of workflows

US 9,444,786 B2
Filed: 05/23/2012
Issued: 09/13/2016
Est. Priority Date: 04/19/2005
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

a computer receiving from a workflow engine a workflow representation of a workflow, the workflow representation including a first numerical value that was calculated using a formula prior to a transmission of the workflow representation to the computer, the workflow representation being a format to which the workflow was converted prior to the transmission;

the computer performing a post-transmission checksum calculation on the workflow representation, the performing comprising using the formula to determine a second numerical value for the workflow representation; and

the computer, using the post-transmission checksum, determining a snapshot of what the workflow represents;

wherein a difference between the first numerical value and the second numerical value is indicative of a policy change to the workflow representation during the transmission;

the method further comprising;

the computer transmitting a failure response in response to the difference indicating a policy change; and

the computer transmitting a success response in response to the difference indicating no policy change.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An auditing system is disclosed comprising a Policy Validation Mechanism Program (PVMP) that operates in conjunction with a Workflow Engine (WE), and a Policy Validation Server Program (PVSP) that operates on a Policy Validation Server (PVS) connected to the WE by a secure communication link. The PVMP converts a workflow to a workflow representation (WR) and sends the WR to the PVS. The PVSP compares the steps in the WR to a security policy identified for that WR and determines whether the WR is in compliance. In addition, the PVSP validates a checksum for the WR and logs the checksum for subsequent comparisons. The PVSP uses the checksum to determine whether a policy has changed during execution of the workflow.

58 Citations

View as Search Results

11 Claims

1. A method, comprising:
- a computer receiving from a workflow engine a workflow representation of a workflow, the workflow representation including a first numerical value that was calculated using a formula prior to a transmission of the workflow representation to the computer, the workflow representation being a format to which the workflow was converted prior to the transmission;
  
  the computer performing a post-transmission checksum calculation on the workflow representation, the performing comprising using the formula to determine a second numerical value for the workflow representation; and
  
  the computer, using the post-transmission checksum, determining a snapshot of what the workflow represents;
  
  wherein a difference between the first numerical value and the second numerical value is indicative of a policy change to the workflow representation during the transmission;
  
  the method further comprising;
  
  the computer transmitting a failure response in response to the difference indicating a policy change; and
  
  the computer transmitting a success response in response to the difference indicating no policy change.
- View Dependent Claims (2, 3, 10, 11)
- - 2. The method of claim 1, further comprising:
    - before the computer, using the post-transmission checksum, determining the snapshot of what the workflow represents, the computer determining, using the post-transmission checksum, what operation is being executed with the workflow representation.
  - 3. The method of claim 1, further comprising:
    - the computer identifying the workflow representation;
      
      the computer interrogating the workflow representation;
      
      the computer determining a plurality of steps being performed by the workflow representation;
      
      the computer comparing the plurality of steps to a security policy for the workflow representation;
      
      before the computer performing the post-transmission checksum on the workflow representation, the computer determining a compliance of the workflow representation with the security policy;
      
      after the computer performing the post-transmission checksum on the workflow representation, the computer using the post-transmission checksum to determine what operation is being executed with the workflow representation;
      
      the computer validating the post-transmission checksum;
      
      the computer logging the post-transmission checksum;
      
      the computer comparing the post-transmission checksum to a plurality of previously logged checksums; and
      
      after the computer comparing the post-transmission checksum to the plurality of previously logged checksums, the computer determining whether a policy changed during execution of the workflow.
  - 10. A computer system comprising one or more processors, one or more computer-readable memories, one or more computer-readable tangible storage devices and program instructions which are stored on at least one of the one or more computer-readable storage devices for execution by at least one of the one or more processors via at least one of the one or more memories and when executed by at least one of the one or more processors perform the method of claim 1.
  - 11. A computer program product comprising one or more computer-readable tangible storage devices and computer-readable program instructions which are stored on at least one of the one or more storage devices and when executed by at least one of one or more processors, perform the method of claim 1.

4. A computer system, comprising:
- one or more processors, one or more computer-readable memories and one or more computer-readable tangible storage devices;
  
  program instructions, stored on at least one of the one or more computer-readable tangible storage devices for execution by at least one of the one or more processors via at least one of the one or more memories, to receive a workflow representation of a workflow from a workflow engine, the workflow representation including a first numerical value that was calculated using a formula prior to a transmission of the workflow representation to the computer system, the workflow representation being a format to which the workflow was converted prior to the transmission;
  
  program instructions, stored on at least one of the one or more computer-readable tangible storage devices for execution by at least one of the one or more processors via at least one of the one or more memories, to perform a post-transmission checksum on the workflow representation, wherein the program instructions to perform the post-transmission checksum use the formula to determine a second numerical value for the workflow representation; and
  
  program instructions, stored on at least one of the one or more computer-readable tangible storage devices for execution by at least one of the one or more processors via at least one of the one or more memories, to determine, using the post-transmission checksum, a snapshot of what the workflow represent;
  
  wherein a difference between the first numerical value and the second numerical value is indicative of a policy change to the workflow representation during the transmission;
  
  the computer system further comprising;
  
  program instructions, stored on at least one of the one or more computer-readable tangible storage devices for execution by at least one of the one or more processors via at least one of the one or more memories, to;
  
  transmit a failure response in response to the difference indicating a policy change; and
  
  transmit a success response in response to the difference indicating no policy change.
- View Dependent Claims (5, 6)
- - 5. The computer system of claim 4, further comprising:
    - program instructions, stored on at least one of the one or more computer-readable tangible storage devices for execution by at least one of the one or more processors via at least one of the one or more memories, before determining, using the post-transmission checksum, the snapshot of what the workflow represents, to;
      
      determine, using the post-transmission checksum, what operation is being executed with the workflow representation.
  - 6. The computer system of claim 4, further comprising:
    - program instructions, stored on at least one of the one or more computer-readable tangible storage devices for execution by at least one of the one or more processors via at least one of the one or more memories, to identify the workflow representation;
      
      program instructions, stored on at least one of the one or more computer-readable tangible storage devices for execution by at least one of the one or more processors via at least one of the one or more memories, to interrogate the workflow representation;
      
      program instructions, stored on at least one of the one or more computer-readable tangible storage devices for execution by at least one of the one or more processors via at least one of the one or more memories, to determine a plurality of steps being performed by the workflow representation;
      
      program instructions, stored on at least one of the one or more computer-readable tangible storage devices for execution by at least one of the one or more processors via at least one of the one or more memories, to compare the plurality of steps to a security policy for the workflow representation;
      
      program instructions, stored on at least one of the one or more computer-readable tangible storage devices for execution by at least one of the one or more processors via at least one of the one or more memories, before performing the post-transmission checksum on the workflow representation, to determine a compliance of the workflow representation with the security policy;
      
      program instructions, stored on at least one of the one or more computer-readable tangible storage devices for execution by at least one of the one or more processors via at least one of the one or more memories, after performing the post-transmission checksum on the workflow representation, to determine, using the post-transmission checksum, what operation is being executed with the workflow representation;
      
      program instructions, stored on at least one of the one or more computer-readable tangible storage devices for execution by at least one of the one or more processors via at least one of the one or more memories, to validate the post-transmission checksum;
      
      program instructions, stored on at least one of the one or more computer-readable tangible storage devices for execution by at least one of the one or more processors via at least one of the one or more memories, to log the post-transmission checksum;
      
      program instructions, stored on at least one of the one or more computer-readable tangible storage devices for execution by at least one of the one or more processors via at least one of the one or more memories, to compare the post-transmission checksum to a plurality of previously logged checksums; and
      
      program instructions, stored on at least one of the one or more computer-readable tangible storage devices for execution by at least one of the one or more processors via at least one of the one or more memories, after comparing the post-transmission checksum to the plurality of previously logged checksums, to determine whether a policy changed during execution of the workflow.

7. A computer program product, comprising:
- one or more computer-readable tangible storage devices;
  
  program instructions, stored on at least one of the one or more computer-readable tangible storage devices, to receive, at a computer and from a workflow engine, a workflow representation of a workflow, the workflow representation including a first numerical value that was calculated using a formula prior to a transmission of the workflow representation to the computer, the workflow representation being a format to which the workflow was converted prior to the transmission;
  
  program instructions, stored on at least one of the one or more computer-readable tangible storage devices, to perform a post-transmission checksum on the workflow representation, wherein the program instructions to perform the post-transmission checksum use the formula to determine a second numerical value for the workflow representation; and
  
  program instructions, stored on at least one of the one or more computer-readable tangible storage devices, to determine, using the post-transmission checksum, a snapshot of what the workflow represents;
  
  wherein a difference between the first numerical value and the second numerical value is indicative of a policy change to the workflow representation during the transmission;
  
  the compute program product further comprising;
  
  program instructions, stored on at least one of the one or more computer-readable tangible storage devices for execution by at least one of the one or more processors via at least one of the one or more memories, to;
  
  transmit a failure response in response to the difference indicating a policy change; and
  
  transmit a success response in response to the difference indicating no policy change.
- View Dependent Claims (8, 9)
- - 8. The computer program product of claim 7, further comprising:
    - program instructions, stored on at least one of the one or more computer-readable tangible storage devices, before determining, using the post-transmission checksum, the snapshot of what the workflow represents, to;
      
      determine, using the post-transmission checksum, what operation is being executed with the workflow representation.
  - 9. The computer program product of claim 7, further comprising:
    - program instructions, stored on at least one of the one or more computer-readable tangible storage devices, to identify the workflow representation;
      
      program instructions, stored on at least one of the one or more computer-readable tangible storage devices, to interrogate the workflow representation;
      
      program instructions, stored on at least one of the one or more computer-readable tangible storage devices, to determine a plurality of steps being performed by the workflow representation;
      
      program instructions, stored on at least one of the one or more computer-readable tangible storage devices, to compare the plurality of steps to a security policy for the workflow representation;
      
      program instructions, stored on at least one of the one or more computer-readable tangible storage devices, before performing the post-transmission checksum on the workflow representation, to determine a compliance of the workflow representation with the security policy;
      
      program instructions, stored on at least one of the one or more computer-readable tangible storage devices, after performing the post-transmission checksum on the workflow representation, to determine, using the post-transmission checksum, what operation is being executed with the workflow representation;
      
      program instructions, stored on at least one of the one or more computer-readable tangible storage devices, to validate the post-transmission checksum;
      
      program instructions, stored on at least one of the one or more computer-readable tangible storage devices, to log the post-transmission checksum;
      
      program instructions, stored on at least one of the one or more computer-readable tangible storage devices, to compare the post-transmission checksum to a plurality of previously logged checksums; and
      
      program instructions, stored on at least one of the one or more computer-readable tangible storage devices, after comparing the post-transmission checksum to the plurality of previously logged checksums, to determine whether a policy changed during execution of the workflow.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ServiceNow Incorporated
Original Assignee
ServiceNow Incorporated
Inventors
Childress, Rhonda L., Chow, Edmond, Kumhyr, David Bruce, Watt, Stephen James
Primary Examiner(s)
Tran, Jimmy H

Application Number

US13/478,951
Publication Number

US 20120240187A1
Time in Patent Office

1,574 Days
Field of Search

709/219, 709/217, 709/223
US Class Current

1/1
CPC Class Codes

G06Q 10/0633   Workflow analysis

H04L 63/0263   Rule management

H04L 63/123   received data contents, e.g...

Policy based auditing of workflows

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

58 Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Policy based auditing of workflows

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

58 Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links