User Tasks and Access Control overWeb Services

Web services are a successful technology for enterprise information management, where they are used to expose legacy applications on the corporate intranet or in business-to-business scenarios. The technologies used to expose applications as Web services have matured, stabilized, and are defined as W3C standards. Now, the technology used to build applications based on Web services, a process known as orchestration, is also maturing around the Web Services Business Process Execution Language (WS-BPEL). WS-BPEL falls short on one feature though: as it is focused on orchestration of fully automatic Web-services, WS- BPEL does not provide means for specifying human interactions, even less their access-control requirements. Human interactions are nonetheless needed for flexible business processes. This lacking feature of WS-BPEL has been highlighted in a white paper issued jointly by IBM and SAP, which "describes scenarios where users are involved in business processes, and defines appropriate extensions to WS-BPEL to address these." These extensions, called BPEL4People, are well explained, but their implementation isn\´t. In this paper, we propose a language for specifying these extensions, as well as an architecture to support them. The salient advantage of our architecture is that it allows for the reuse of existing BPEL engines. In addition, our language allows for specifying these extensions within the main BPEL script, hence preserving a global view of the process. We illustrate our extensions by revisiting the classic loan approval BPEL example.