OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: [UseCase:] Workflow

Title: [UseCase:] Workflow

Hi,

I suppose this is the electronic equivalent of "the dog ate my homework", but just as I was about to send this use case write-up late yesterday, our Exchange server stopped responding (i.e., crashed).  Not only was I unable to send the message to the list, but I lost the message altogether (due to killing the process in order to un-freeze my screen) and had to reconstruct it from (vague) memory this morning.

Anyway, apologies for the lateness of this submission.  It's not quite complete (some of the template fields are not yet filled in), but there's enough there to kick-start some discussion.

Carlisle.


8<----------------------------------------------------

Security Policies for Workflow

Workflow is a multi-step electronic transaction in which several security policies may participate at each stage.

1.0

Carlisle Adams

September 5, 2001


In an e-business environment, some transactions may take place over multiple steps, involving several processes, several platforms, and one or more interactions with human entities (although typically the goal is to automate as much of the transaction as possible).  Each step in the transaction may be envisioned as one or more input values (data, request, etc.), a data processing or data transformation stage, and an output result sent to one or more next steps.  Each of these three sub-steps may be governed by an appropriate security policy.  XACML may encompass all such relevant security policies in its language, but at the very least needs to acknowledge their potential existence in its model.

1) Input data at a step in the transaction needs to be of the "proper" form, with respect to security operations.  [Has it been signed by the appropriate entities or roles?  Has it been encrypted for the appropriate entities or roles?  Has it been time-stamped?  Is it accompanied by a receipt from an archive service?  Is the sender authenticated and authorized to have sent this data?  Are the required SAML assertions or other relevant data available?]  This is analogous to checking an input XML document against a schema for that document type, but the focus is on the security properties of the document, rather than merely its syntax.

2) The data needs to be processed or transformed in some way.  [Does it (all of it, or selected elements) need to be signed or encrypted?  By whom or for whom?  Does it need to be time-stamped or archived?  Do SAML assertions or artifacts need to be generated and sent with the output data?  How does the data need to be transformed (e.g., is any filtering of the elements necessary)?  Are there conditions or conditional actions that need to be checked or performed?]  This is similar to some of the access control rules already under consideration in other use cases, but is somewhat richer and more general because it needs to embrace a greater set of security operations and needs to account for the fact that the "requester" and the "recipient" are different entities (with their own policies).

3) The resulting data needs to be sent to the next step(s) in the transaction.  [Does the potential receiver need to be authenticated?  Does the receiver's authorization to receive the data need to be checked?  Has the requester stipulated any constraints on the audience or use of this data, and does this match the potential receiver and the uses to which it claims received data will be put?  If any of the conditions or conditional actions fail, does this process need to be "rolled back" to some previous step in the transaction (how far, and how is this done)?]  Again, this is similar to some of the relevant considerations in other use cases, but is richer and more general.

The main point is that several security policies may participate at each step in the workflow transaction:
 - requester policy describing who can receive the data and what they can do with it;
 - receiver policy describing what data sent to them should look like and what they intend to do with it;
 - policy describing "proper" input data (with respect to security properties);
 - policy describing the required security processing or transformations of data at that step; and
 - policy describing what checks need to be made prior to sending data out (including conditional actions and roll-back procedures).

XACML may consider developing a language rich enough to support all these types of policies, or may decide that some of this work is being done elsewhere (e.g., W3C P3P).  In any case, however, XACML needs to be aware of these concepts and acknowledge them in its overall policy model.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC