`
JackyCheng2007
  • 浏览: 253856 次
  • 性别: Icon_minigender_1
  • 来自: 上海
社区版块
存档分类
最新评论

Authorization and staff resolution in BPC

阅读更多
Business Process Choreographer - Human Task Manager & Business Flow Manager

four eyes principle

Business Process Choreographer provides instance- and rule-based authorization for business processes and tasks enabling you to model sophisticated authorization scenarios based on process context, or the four-eyes principle: people are authenticated by WebSphere Application Server and then also authorized by Human Task Manager based on their user IDs. Be aware that authentication and authorization relies on WebSphere Application Server global security.

Architecture overview

   1. Business Flow Manager navigates business processes. - WS-BPEL
   2. Human Task Manager coordinates human interaction. - Web service

Authorization and staff resolution concepts

Staff Verbs - The authorization rules are defined using so-called staff verbs (also known as people assignment criteria), which are authorization rule templates. Staff verbs are abstract authorization rules for a human task role that can be parameterized and bound to a specific staff repository during business process and human task modeling.

Staff Queries - During deployment, the parameterized staff verbs are transformed into concrete staff queries (also known as people queries) that are specific to the staff repository used to perform the query.

Staff Resolution - Querying a staff repository at run time for people, groups, and their attributes, to evaluate an authorization rule is called staff resolution (also known as people resolution).

Staff Repository - A staff repository (also known as an enterprise, staff, or people directory) is the data store that actually contains the user and group information. The most popular staff repository is the LDAP directory, which is based on the standardized Lightweight Directory Access Protocol.

Context Variables - Context variables are enclosed in percent signs.When staff query parameters contain context variables that are resolved at run time, authorization is then based on process and task instance data; therefore, even though authorization is based on the same rule, the data that determines authorization can be different for each instance of the business process or human task. Be aware that only inline human tasks have access to the process context.

Work Items - Everybody, User, Group






http://www.ibm.com/developerworks/websphere/techjournal/0710_lind/0710_lind.html

分享到:
评论

相关推荐

Global site tag (gtag.js) - Google Analytics