Images

Classifications

• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY?PURPOSES, NOT OTHERWISE PROVIDED FOR
  • G06Q10/00—Administration; Management
  • G06Q10/06—Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
  • G06F16/30—Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
  • G06F16/36—Creation of semantic tools, e.g. ontology or thesauri
  • G06F16/367—Ontology
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F9/00—Arrangements for program control, e.g. control units
  • G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
  • G06F9/44—Arrangements for executing specific programs
  • G06F9/448—Execution paradigms, e.g. implementations of programming paradigms
  • G06F9/4488—Object-oriented
  • G06F9/4492—Inheritance
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F9/00—Arrangements for program control, e.g. control units
  • G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
  • G06F9/46—Multiprogramming arrangements
  • G06F9/50—Allocation of resources, e.g. of the central processing unit [CPU]
  • G06F9/5005—Allocation of resources, e.g. of the central processing unit [CPU] to service a request
  • G06F9/5027—Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resource being a machine, e.g. CPUs, Servers, Terminals
  • G06F9/5055—Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resource being a machine, e.g. CPUs, Servers, Terminals considering software capabilities, i.e. software resources associated or available to the machine
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY?PURPOSES, NOT OTHERWISE PROVIDED FOR
  • G06Q10/00—Administration; Management
  • G06Q10/06—Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
  • G06Q10/063—Operations research, analysis or management
  • G06Q10/0631—Resource planning, allocation, distributing or scheduling for enterprises or organisations
  • G06Q10/06311—Scheduling, planning or task assignment for a person or group
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY?PURPOSES, NOT OTHERWISE PROVIDED FOR
  • G06Q10/00—Administration; Management
  • G06Q10/06—Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
  • G06Q10/063—Operations research, analysis or management
  • G06Q10/0631—Resource planning, allocation, distributing or scheduling for enterprises or organisations
  • G06Q10/06311—Scheduling, planning or task assignment for a person or group
  • G06Q10/063118—Staff planning in a project environment
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY?PURPOSES, NOT OTHERWISE PROVIDED FOR
  • G06Q10/00—Administration; Management
  • G06Q10/06—Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
  • G06Q10/067—Enterprise or organisation modelling
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY?PURPOSES, NOT OTHERWISE PROVIDED FOR
  • G06Q10/00—Administration; Management
  • G06Q10/10—Office automation; Time management
  • G06Q10/103—Workflow collaboration or project management

Definitions

• the present invention relates generally to an improved data processing system, and in particular, to dynamically binding business process activities to human entities at deployment time.
• Business processes define a set of coordinated tasks and activities that lead to accomplishing specific goals of an organization.
• Business processes may be implemented in a proprietary software language or may be implemented using an industry standard language, such as the Business Process Execution Language (BPEL).
• BPEL Business Process Execution Language
• a business process may include activities which comprise automated tasks, which are performed by computers or other machines, as well as manual activities, which require some form of human intervention.
• activities requiring human intervention is a process in which a request for a change is received, and a human entity must assess the impact and give approval of the requested change prior to the change being implemented. Activities requiring human intervention are often called “staff activities”.
• a particular administrator may be responsible for maintaining a particular subnet of devices with a range of IP addresses between X.Y.Z.0 and X.Y.Z.255.
• the administrator may log into the management system and attempt to manage a device at address X.Y.Z.5.
• the network management system uses the security policy to determine whether to allow the administrator to perform the management function on that particular device. The process of deciding which users are allowed to perform specific activities in a business process is called “staff resolution”.
• the illustrative embodiments provide a computer implemented method, data processing system, and computer program product for dynamically binding business process activities to human entities at deployment time.
• Identification information about a staff activity in a business process is received from a process server at an access control system external to the process server. Responsive to initiation of the business process, the staff activity is resolved at the access control system at runtime by assigning the staff activity to a user based on an access policy of the access control system to form a staff activity assignment. The staff activity assignment is communicated from the access control system to the process server.
• the process in the illustrative embodiments allows the development of the business process to be entirely decoupled from staff activity resolution at runtime.
• FIG. 1 depicts a pictorial representation of a distributed data processing system in which the illustrative embodiments may be implemented
• FIG. 2 is a block diagram of a data processing system in which the illustrative embodiments may be implemented
• FIG. 3 is a block diagram of exemplary components for implementing the policy-based access control of business process activities in accordance with the illustrative embodiments.
• FIG. 4 is a flowchart of a process for dynamically binding business process activities to human entities in accordance with the illustrative embodiments.
• FIGS. 1-2 exemplary diagrams of data processing environments are provided in which illustrative embodiments may be implemented. It should be appreciated that FIGS. 1-2 are only exemplary and are not intended to assert or imply any limitation with regard to the environments in which different embodiments may be implemented. Many modifications to the depicted environments may be made.
• FIG. 1 depicts a pictorial representation of a network of data processing systems in which illustrative embodiments may be implemented.
• Network data processing system 100 is a network of computers in which the illustrative embodiments may be implemented.
• Network data processing system 100 contains network 102 , which is the medium used to provide communications links between various devices and computers connected together within network data processing system 100 .
• Network 102 may include connections, such as wire, wireless communication links, or fiber optic cables.
• network data processing system 100 is the Internet with network 102 representing a worldwide collection of networks and gateways that use the Transmission Control Protocol/Internet Protocol (TCP/IP) suite of protocols to communicate with one another.
• TCP/IP Transmission Control Protocol/Internet Protocol
• At the heart of the Internet is a backbone of high-speed data communication lines between major nodes or host computers, consisting of thousands of commercial, governmental, educational and other computer systems that route data and messages.
• network data processing system 100 also may be implemented as a number of different types of networks, such as for example, an intranet, a local area network (LAN), or a wide area network (WAN).
• FIG. 1 is intended as an example, and not as an architectural limitation for the different illustrative embodiments.
• Data processing system 200 is an example of a computer, such as server 104 or client 110 in FIG. 1 , in which computer usable program code or instructions implementing the processes may be located for the illustrative embodiments.
• data processing system 200 employs a hub architecture including a north bridge and memory controller hub (NB/MCH) 202 and a south bridge and input/output (I/O) controller hub (SB/ICH) 204 .
• NB/MCH north bridge and memory controller hub
• SB/ICH south bridge and input/output controller hub
• Processing unit 206 , main memory 208 , and graphics processor 210 are coupled to north bridge and memory controller hub 202 .
• Processing unit 206 may contain one or more processors and even may be implemented using one or more heterogeneous processor systems.
• Graphics processor 210 may be coupled to the NB/MCH through an accelerated graphics port (AGP), for example.
• AGP accelerated graphics port
• local area network (LAN) adapter 212 is coupled to south bridge and I/O controller hub 204 and audio adapter 216 , keyboard and mouse adapter 220 , modem 222 , read only memory (ROM) 224 , universal serial bus (USB) and other ports 232 , and PCI/PCIe devices 234 are coupled to south bridge and I/O controller hub 204 through bus 238 , and hard disk drive (HDD) 226 and CD-ROM 230 are coupled to south bridge and I/O controller hub 204 through bus 240 .
• PCI/PCIe devices may include, for example, Ethernet adapters, add-in cards, and PC cards for notebook computers. PCI uses a card bus controller, while PCIe does not.
• ROM 224 may be, for example, a flash binary input/output system (BIOS).
• Hard disk drive 226 and CD-ROM 230 may use, for example, an integrated drive electronics (IDE) or serial advanced technology attachment (SATA) interface.
• IDE integrated drive electronics
• SATA serial advanced technology attachment
• a super I/O (SIO) device 236 may be coupled to south bridge and I/O controller hub 204 .
• An operating system runs on processing unit 206 and coordinates and provides control of various components within data processing system 200 in FIG. 2 .
• the operating system may be a commercially available operating system such as Microsoft? Windows? XP (Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both).
• An object oriented programming system such as the JavaTM programming system, may run in conjunction with the operating system and provides calls to the operating system from JavaTM programs or applications executing on data processing system 200 .
• JavaTM and all JavaTTM-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
• Instructions for the operating system, the object-oriented programming system, and applications or programs are located on storage devices, such as hard disk drive 226 , and may be loaded into main memory 208 for execution by processing unit 206 .
• the processes of the illustrative embodiments may be performed by processing unit 206 using computer implemented instructions, which may be located in a memory such as, for example, main memory 208 , read only memory 224 , or in one or more peripheral devices.
• FIGS. 1-2 may vary depending on the implementation.
• Other internal hardware or peripheral devices such as flash memory, equivalent non-volatile memory, or optical disk drives and the like, may be used in addition to or in place of the hardware depicted in FIGS. 1-2 .
• the processes of the illustrative embodiments may be applied to a multiprocessor data processing system.
• data processing system 200 may be a personal digital assistant (PDA), which is generally configured with flash memory to provide non-volatile memory for storing operating system files and/or user-generated data.
• PDA personal digital assistant
• a bus system may be comprised of one or more buses, such as a system bus, an I/O bus and a PCI bus. Of course the bus system may be implemented using any type of communications fabric or architecture that provides for a transfer of data between different components or devices attached to the fabric or architecture.
• a communications unit may include one or more devices used to transmit and receive data, such as a modem or a network adapter.
• a memory may be, for example, main memory 208 or a cache such as found in north bridge and memory controller hub 202 .
• a processing unit may include one or more processors or CPUs.
• processors or CPUs may include one or more processors or CPUs.
• FIGS. 1-2 and above-described examples are not meant to imply architectural limitations.
• data processing system 200 also may be a tablet computer, laptop computer, or telephone device in addition to taking the form of a PDA.
• business processes are computer processes which are often customized to a particular company's needs and typically involve some amount of human interaction. Since most organizations classify their personnel into different organizational roles based on the tasks performed by each individual, the actions of any particular individual may be restricted to those operations that are appropriate for the individual's role in the organization based on policy rules.
• the process of binding a task to an individual or organizational role (“staff resolution”) comprises deciding which user in the organization is allowed to perform the activity in a business process.
• the illustrative embodiments provide a dynamic method and system for binding a business process activity to a corresponding human entity or organizational role.
• the illustrative embodiments decouple the policy-based authorization from the process engine and externalize this authorization in a policy-based access control system.
• binding is implemented at deployment time through the policy-based access control system.
• the dynamic process in the illustrative embodiments does not need to rely on definitions created at development time to implement the binding process, and thus the process avoids the static nature of existing staff resolution techniques.
• implementing the binding process at deployment time in the access control system shields a user from having to re-build and re-deploy a business process when a change occurs in the underlying definitions which enable staff resolution.
• the dynamic staff resolution process described in the illustrative embodiments provides several advantages over existing staff resolution techniques. For instance, with the illustrative embodiments, the binding of human entities to staff activities of a process is completely dynamic and is process-independent. Existing staff resolution techniques implement this binding as part of the process logic. Thus, a business process developer using the illustrative embodiments may focus solely on the business process logic at development time, rather than having to be concerned over binding of staff activities to human entities.
• human intervention during business process activities may be subject to various rules. For instance, a particular approval process may require the approval of an entire set of persons exercising a particular role or a subset thereof. Similarly, another policy may render the tasks to an automatic approval based on the satisfaction of pre-set conditions.
• the binding in the illustrative embodiments is delegated to an access control system, roles, users and deciding rules may be updated at deployment time to accommodate the needs of the organization.
• the staff service component in products such as Websphere Process Choreographer becomes a very light-weight component of the process engine, as the staff service component simply acts as an interface to the underlying access control system.
• FIG. 3 is a block diagram of exemplary components for implementing the policy-based access control of business process activities in accordance with the illustrative embodiments.
• FIG. 3 illustrates how the binding of human entities to business process activities is implemented within an access control system.
• Data processing system 300 in this illustrative example comprises business process engine 302 , access control interface 304 , and access control system 306 .
• Business process engine 302 is a process server, which may be implemented as server 104 or 106 in FIG. 1 .
• Business process engine 302 contains the runtime components necessary to execute a business process, and interprets the business processes defined by a business process developer in order to execute and manage business transactions.
• Business process engine 302 oversees the business transactions in the data processing system by reminding an individual or group participant of their assigned staff activities, such as via a calendar or email program.
• Business process engine 302 also may act as a client device to access control system 306 .
• Access control interface 304 allows business process engine 302 to interface with external systems.
• a JavaTM Authorization Contract for Container (JACC) interface is used as the access control interface 304 , although other appropriate interfaces may also be used.
• JACC provides the ability to delegate access decisions to an external provider, such as access control system 306 .
• Business process engine 302 is interfaced via JACC to access control system 306 .
• Access control system 306 is an authorization provider external to business process engine 302 which receives information about a user security context and determines whether any activities are assigned to the user. Access control system 306 may be located on any server 104 or 106 in FIG. 1 . Access control system 306 protects resources (business process activities) in the system by making them available to users who are identified as assigned to those resources. Access control system 306 may include a user registry, such as a corporate LDAP server or a database, comprising user and group/role information. Resources may be defined and mapped to particular users and roles within the organization to constrain resource access based on these mappings. This mapping may be to one or more individual users by name, to one or more defined groups of users, or any combination of these. These mappings may be stored as role-based access control lists (ACLs) within access control system 306 .
• An example of an access control system is Tivoli? Access Manager, a product of International Business Machines Corporation.
• a process development tool outputs only identification information of the staff activities 310 contained in a business process.
• identification information of each staff activity 310 may be output in a tuple, such as:
• Business process engine 302 then exports the identification information of a staff activity 310 in tuple form, and imported to an authorization policy engine in access control system 306 .
• the authorization policy engine in access control system 306 comprises policy information required to determine the binding of each staff activity to a corresponding human entity or an organizational role, or to a rule based policy statement when access control system 306 supports such rules.
• Access control system 306 then stores the tuple in access policy store 312 . It should be noted that storing staff activity information within access control system 306 is a departure from existing staff resolution mechanisms which persist this staff activity information in their own control structures, rather than in a control system external to access control system 306 .
• Access policy store 312 also comprises role-based access control lists (ACLs), which access control system 306 uses to form the bindings between the staff activities and the human entities or organizational roles based on the information in the tuple.
• ACLs role-based access control lists
• business process engine 302 may invoke access control system 306 by passing the user security context (e.g. an authenticated identity and its group/role information) to access control system 306 .
• user security context e.g. an authenticated identity and its group/role information
• Access control system 306 queries the access control lists (ACLs) in access policy store 312 against the user information and returns ? Process Name, Activity Name> of each activity that is awaiting the user's intervention.
• Business process engine 302 provides this user information to access control system 306 and allows access control system 306 to make an access decision (i.e., a determination whether the user has any pending staff activities assigned).
• Access control system 306 provides the pending staff activity information to business process engine 302 , which in turn provides the activity information to the user.
• Access control system 306 may also determine whether or not access to a resource may be given to an entity by first determining whether the entity has access to the process activity template. For example, a change requester may instantiate a change management process only if the requester is allowed access to the underlying change management process template.
• a process template is a generic process definition that has not yet been customized to a particular environment, such as a change management process template in which staff activities have not yet been defined.
• FIG. 4 is a flowchart of a process for dynamically binding business process activities to human entities in accordance with the illustrative embodiments.
• the process described in FIG. 4 may be implemented in a data processing system, such as data processing system 300 in FIG. 3 .
• the process begins at development time, where a process development tool used to define a process outputs information about all of the tool's staff activities (step 402 ).
• This information may comprise identification information about the staff activities in tuple form, which includes an identifier of a business process, an identifier of a particular staff activity in the process, and the business objects which will be affected by the actions of the staff activity.
• the process server then exports the identification information containing information about the staff activity in tuple form to an authorization policy engine in an external access control system (step 404 ).
• the access control system comprises policy information required to determine the binding of each business activity to a corresponding human entity or an organizational role.
• the external access control system then imports and stores the identification information in an access policy store within the access control system (step 406 ).
• the business process instructs the external access control system to resolve the staff activities in the business process which have no dependency on other staff activities (step 408 ).
• resolution means assigning staff activities to the entitled human entities based on the access policy of the access control system.
• the resolved staff activities are communicated back from the access control system to the process server (step 410 ).
• the process server When a user authenticates (logs on) to the process server and checks if the user has a pending staff activity, the process server provides the user with those staff activities which were assigned to the user by the access control system based on the access policy (step 412 ). For example, the process server may provide the business process name and the business activity name to the user which are pending the user's intervention. The user may then perform the business activities dynamically assigned to the user by the access control system (step 414 ).
• step 416 A determination is then made as to whether there are any other staff activities in the business process which should be resolved (step 416 ). If there are more staff activities to be resolved (‘yes’ output of step 416 ), the process loops back to step 408 . If there are no more staff activities to be resolved (‘no’ output of step 416 ), the process terminates thereafter.
• the invention can take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment containing both hardware and software elements.
• the invention is implemented in software, which includes but is not limited to firmware, resident software, microcode, etc.
• the invention can take the form of a computer program product accessible from a computer-usable or computer-readable medium providing program code for use by or in connection with a computer or any instruction execution system.
• a computer-usable or computer readable medium can be any tangible apparatus that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
• the medium can be an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system (or apparatus or device) or a propagation medium.
• Examples of a computer-readable medium include a semiconductor or solid state memory, magnetic tape, a removable computer diskette, a random access memory (RAM), a read-only memory (ROM), a rigid magnetic disk and an optical disk.
• Current examples of optical disks include compact disk—read only memory (CD-ROM), compact disk—read/write (CD-R/W) and DVD.
• a data processing system suitable for storing and/or executing program code will include at least one processor coupled directly or indirectly to memory elements through a system bus.
• the memory elements can include local memory employed during actual execution of the program code, bulk storage, and cache memories which provide temporary storage of at least some program code in order to reduce the number of times code must be retrieved from bulk storage during execution.
• I/O devices including but not limited to keyboards, displays, pointing devices, etc.
• I/O controllers can be coupled to the system either directly or through intervening I/O controllers.
• Network adapters may also be coupled to the system to enable the data processing system to become coupled to other data processing systems or remote printers or storage devices through intervening private or public networks.
• Modems, cable modem and Ethernet cards are just a few of the currently available types of network adapters.

Landscapes

• Engineering & Computer Science (AREA)
• Theoretical Computer Science (AREA)
• Software Systems (AREA)
• Physics & Mathematics (AREA)
• General Physics & Mathematics (AREA)
• Business, Economics & Management (AREA)
• General Engineering & Computer Science (AREA)
• Economics (AREA)
• Entrepreneurship & Innovation (AREA)
• Human Resources & Organizations (AREA)
• Strategic Management (AREA)
• Game Theory and Decision Science (AREA)
• Development Economics (AREA)
• Quality & Reliability (AREA)
• General Business, Economics & Management (AREA)
• Operations Research (AREA)
• Marketing (AREA)
• Educational Administration (AREA)
• Tourism & Hospitality (AREA)
• Life Sciences & Earth Sciences (AREA)
• Animal Behavior & Ethology (AREA)
• Computational Linguistics (AREA)
• Data Mining & Analysis (AREA)
• Databases & Information Systems (AREA)
• Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

Description

Claims (20)

Priority Applications (1)

Applications Claiming Priority (1)

Publications (2)

Family

ID=39873282

Family Applications (1)

Country Status (1)

Cited By (8)

Citations (62)

Family Cites Families (1)

• 2007
  • 2025-08-05 US US11/738,794 patent/US8904391B2/en not_active Expired - Fee Related

Patent Citations (71)

Also Published As

Similar Documents

Legal Events