• DocumentCode
    2696098
  • Title

    Identity Attribute-Based Role Provisioning for Human WS-BPEL Processes

  • Author

    Paci, Federica ; Ferrini, Rodolfo ; Bertino, Elisa

  • Author_Institution
    CS Dept., Purdue Univ., West Lafayette, IN, USA
  • fYear
    2009
  • fDate
    6-10 July 2009
  • Firstpage
    535
  • Lastpage
    542
  • Abstract
    The WS-BPEL specification focuses on business processes whose activities are assumed to be interactions with Web services. However, WS-BPEL processes go beyond the orchestration of activities exposed as Web services. There are cases in which people must be considered as additional participants in the execution of a process. The inclusion of humans, in turn, requires solutions to support the specification and enforcement of authorizations to users for the execution of human activities while enforcing authorization constraints. In this paper, we extend RBAC-WS-BPEL, a role-based authorization framework for WS-BPEL processes, with an identity attribute-based role provisioning approach that preserves the privacy of the users who claim the execution of human activities. Such an approach is based on the notion of identity records and role provisioning policies, and uses Pedersen commitments, aggregated zero-knowledge proof of knowledge, and Oblivious Commitment-Based Envelope protocols to achieve privacy of user identity information.
  • Keywords
    Web services; authorisation; business process re-engineering; data privacy; Oblivious Commitment-Based Envelope protocols; Pedersen commitments; RBAC-WS-BPEL; WS-BPEL specification; Web services; aggregated zero knowledge proof of knowledge; business processes; human WS-BPEL processes; identity attribute-based role provisioning; role-based authorization; user identity information privacy; Access control; Authorization; Employment; Humans; Privacy; Protection; Protocols; Security; Web services; access control; identity attributes; privacy; role
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Web Services, 2009. ICWS 2009. IEEE International Conference on
  • Conference_Location
    Los Angeles, CA
  • Print_ISBN
    978-0-7695-3709-2
  • Type

    conf

  • DOI
    10.1109/ICWS.2009.84
  • Filename
    5175866