Today I would like to share the idea of stateful sequence policies for business process (BPM) orchestrated applications. This was published back in 2007, and was also implemented in OpenPMF's model-driven security feature a while back.
For example, the generic process sequence policy "only allow each step in the workflow if the previous interaction also happened" means that interactions are only allowed to be executed in the order of the workflow. Simple, generic, intuitive and useful.
But how do you translate this into technical access control rules for your specific interconnected application without having to rewrite the policy each time you change the application? Model-driven security (as implemented in OpenPMF) can turn such generic security policies into specific technical application security policies by analyzing the application (in this case the BPM model). To make this work, we had to slightly extend our rule language and add a few things to the runtime infrastructure. If you want to see how this works in the real world (within a BPM software development tool), go to www.objectsecurity.com and get your free trial.
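
To make the idea concrete, here is an added sketch in Python. It is not OpenPMF's rule language or implementation, and the workflow, step names, and the `generate_rules` and `SequenceEnforcer` helpers are hypothetical. It derives per-step rules from a small constructed workflow model, enforces them with per-instance state, and regenerates the rules when the model changes.

```python
# Constructed BPM model (assumption): step -> steps that may directly precede it.
WORKFLOW = {
    "submit_order": [],
    "check_credit": ["submit_order"],
    "approve_order": ["check_credit"],
    "ship_goods": ["approve_order"],
}

def generate_rules(model):
    """Expand the generic sequence policy into one concrete rule per step."""
    return {step: frozenset(preds) for step, preds in model.items()}

class SequenceEnforcer:
    """Stateful decision point: remembers which steps ran in each process instance."""

    def __init__(self, rules):
        self.rules = rules
        self.history = {}  # process instance id -> set of steps already allowed

    def authorize(self, instance_id, step):
        required = self.rules.get(step)
        if required is None:
            return False  # step not in the model: default deny
        done = self.history.get(instance_id, set())
        # Assumption: with several possible predecessors, any one of them suffices.
        if required and not (required & done):
            return False  # previous interaction has not happened in this instance
        self.history.setdefault(instance_id, set()).add(step)
        return True

def demo():
    pep = SequenceEnforcer(generate_rules(WORKFLOW))
    decisions = [
        pep.authorize("order-1", "ship_goods"),    # out of order
        pep.authorize("order-1", "submit_order"),  # start step
        pep.authorize("order-1", "check_credit"),  # predecessor happened
        pep.authorize("order-2", "check_credit"),  # other instance, no history
        pep.authorize("order-1", "delete_audit"),  # not in the model
    ]
    # The application changes: a fraud check now sits before approval. The generic
    # policy is untouched; the concrete rules are simply regenerated from the model.
    changed = dict(WORKFLOW, fraud_check=["check_credit"], approve_order=["fraud_check"])
    pep2 = SequenceEnforcer(generate_rules(changed))
    for step in ("submit_order", "check_credit"):
        pep2.authorize("order-3", step)
    decisions.append(pep2.authorize("order-3", "approve_order"))  # fraud_check skipped
    decisions.append(pep2.authorize("order-3", "fraud_check"))
    decisions.append(pep2.authorize("order-3", "approve_order"))
    return decisions

if __name__ == "__main__":
    print(demo())
```

State is kept per process instance, so a step completed in one order never authorizes the next step in another.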