Andreas,
> From: andreas <[EMAIL PROTECTED]>
> Reply-To: <[email protected]>
> Date: Thu, 6 Dec 2007 08:47:25 -0800 (PST)
> To: OpenWFEru dev <[email protected]>
> Subject: [openwferu-dev] Re: RESTful API, User Authentication and Delegated Authorization for workflows
>
> Hi John, Hi Pat,
>
>> No need to develop anything new!!!!! The OpenID and Oauth teams have done
>> some remarkable work. I have already implemented it in GeoBPMS (a
>> simplified version of it using pre-approved transactions)
>
> It would be nice to use the work of the OpenID and Oauth teams.
> Especially the decentralized and federated approach is very interesting.
> But I also have some problems seeing how this approach works in a
> business application scope.
>
> User-centric identity management is easy to understand in the
> discussed examples (multiple accounts for different web sites). In this
> scenario the identity is the most important aspect to access my own
> resources.

Sure. OpenID is not a requirement. You would pass the user id in a way that is recognizable by the other party.

> In a business process, as a user I'm not the only one who has access
> to a special resource, like a document or a process instance. It is a
> normal case that other users can have some access rights to the same
> resource instances (all users which have the same (process) role).
>
> I'm interested in, but not very familiar with, OpenID and Oauth, and so I
> don't know in which way the role aspect will be resolved using a
> user-centric identity management approach.
> Somewhere it should be defined which set of OpenIDs (representing users)
> have which access rights to process instances or to other
> resources.
>
> For me a role describes the following:
>
> - a role is related to one or more specific activities in a business
>   (or communication) process, independent of whether it is
>   implemented on a BPM base.
>
> - a role describes the behavior of a process participant
>
> - the behavior is related to the performed activities which are
>   related to specific resources
>
> - the access to, the creation of or the modification of resources
>   depends on the permissions which a user with a defined role (or roles)
>   has
>
> Is there a way to transform this to a plain user-centric approach ???

My caution here is that the role is the role of the user and not the process participant (PP). That PP has to derive its access level from the user it is impersonating. And the user has to grant authorization for that process to impersonate him or her.

Users will have roles within their groups (typical role-based access control). This is way out of scope for Kisha, Densha and OpenWFE and is very much application specific. A workflow could allow a user to task a NASA satellite or UAV, access the data from USGS, process it at JPL and store the results on another website, for instance. This is very user specific...

I am pointing out protocols that can support a wide range of use-cases whether or not you want a centralized or federated identity management. The goal is not to re-invent a new security protocol on top of Kisha/Densha at the risk of getting it wrong while we have new protocols that have been in the works for a while now. BTW, OpenID 2.0 just got finalized as well as Oauth 1.0.

Again, this is not a requirement for Kisha/Densha/OpenWfe but we need to make sure that we leave the hooks for applications to leverage delegated authority and user identification.

Pat.

--
You received this message because you are subscribed to the Google Groups "OpenWFEru dev" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/openwferu-dev?hl=en
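The two ideas the message above turns on, Andreas's role model (several users sharing one process role) and Pat's point that a process participant derives its access level from the user it impersonates and only after that user has granted it authorization, as an added example that is not part of this thread nor code from the OpenWFEru, Kisha or Densha projects. It is a small Ruby model: users carry roles, roles carry permissions, and a process instance acting for a user gets the intersection of that user's permissions and the scope the user delegated to it, so a missing, expired or revoked grant yields nothing even when the user could act directly. The user names, role names, permission strings, the scope-intersection rule and the grant expiry are all assumptions made for illustration.

```ruby
# Added example (not from the OpenWFEru project or this thread): a minimal model of
# delegated authorization for a workflow process participant. Access is derived from
# the impersonated user's roles, limited to the scope that user granted the process.
require 'set'

# Constructed sample RBAC data: each role carries permissions on resource types.
ROLE_PERMISSIONS = {
  'reviewer' => Set['document:read', 'document:comment'],
  'approver' => Set['document:read', 'document:approve', 'process:advance'],
}.freeze

# Constructed users (hypothetical names) and the roles they hold. Two users sharing
# the 'reviewer' role models Andreas's "all users which have the same role" case.
USERS = {
  'alice' => Set['reviewer', 'approver'],
  'bob'   => Set['reviewer'],
}.freeze

# Permissions a user holds directly, through all of his or her roles.
def user_permissions(user)
  USERS.fetch(user, Set.new).inject(Set.new) do |acc, role|
    acc | ROLE_PERMISSIONS.fetch(role, Set.new)
  end
end

# A delegation grant: the user authorizes one process instance to act on his or her
# behalf for a limited scope until a given time. The expiry is an assumption modeled
# on OAuth-style grants; the thread itself does not specify one.
Grant = Struct.new(:user, :process_id, :scope, :expires_at)

# Stores grants keyed by (user, process instance); revocation simply deletes the key.
class DelegationStore
  def initialize
    @grants = {}
  end

  def authorize(user, process_id, scope, expires_at)
    @grants[[user, process_id]] = Grant.new(user, process_id, Set.new(scope), expires_at)
  end

  def grant_for(user, process_id)
    @grants[[user, process_id]]
  end

  def revoke(user, process_id)
    @grants.delete([user, process_id])
  end
end

# Effective permissions of a process participant impersonating +user+: the
# intersection of what the user may do and what the user delegated to this process.
# No grant, or an expired one, means no access at all, regardless of the user's roles.
def effective_permissions(store, user, process_id, now)
  grant = store.grant_for(user, process_id)
  return Set.new if grant.nil? || grant.expires_at <= now
  user_permissions(user) & grant.scope
end

def participant_allowed?(store, user, process_id, permission, now)
  effective_permissions(store, user, process_id, now).include?(permission)
end

if __FILE__ == $PROGRAM_NAME
  store = DelegationStore.new
  now = Time.now
  # alice delegates only read and approve to process 'proc-1', not process:advance.
  store.authorize('alice', 'proc-1', %w[document:read document:approve], now + 3600)
  puts "alice/proc-1 approve: #{participant_allowed?(store, 'alice', 'proc-1', 'document:approve', now)}"
  puts "alice/proc-1 advance: #{participant_allowed?(store, 'alice', 'proc-1', 'process:advance', now)}"
  puts "bob/proc-1 read (no grant): #{participant_allowed?(store, 'bob', 'proc-1', 'document:read', now)}"
end
```

The check a reviewer would look for is that scope never widens access: a grant for `document:approve` given by bob, who only holds `reviewer`, still yields nothing, because the intersection is taken with the user's own role permissions rather than with the grant alone.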
