Head over to ITANA.ORG and sign up for the email notices, pick up the RSS and request an account. Have an idea for a post? Send me an email.

Thanks for everyone’s help, support and enthusiasm.

- Jim

Microsoft Published an Architecture journal that was focused on Workflow.

Approval processes in privilege management systems

Persona A can have role B with approval of person C. Tom Barton states that a good privilege management system alleviates the needs for the workflow for approval.

Other areas: Shibboleth approval processes. Virtual Organizations (VO). If VOs have the same need for workflow as real organizations, how do you deploy a workflow solution across a Virtual Organization?

WS-BPEL as presented by Joe Sharp, Architect, Microsoft. Connected Systems Division.

Orchestration vs. Choreography :

Orchestration: Execution order of web services interactions, describes process flow, includes internal and external webservices, process is always controlled by one party.

Choreography: Between different parties. Peer to Peer. Tracks the sequence of messages involving multiple parties and sources. Public message exhanges, not executable process.

BPEL standard does not yet support the definition of industry standard BPEL languages.

BPEL is Web services specific. It is WSDL only. The efforts today is focused on the execution language. The choreography portion is not in focus at this point in time. New efforts are spinning up to deal with the choreography portion. BPEL 2.0 should be out later this year.

Open source BPEL products: Twister, bexee

BPEL “Opportunities” – Compensation Patterns – the ability to roll back transactions based on a failure at a future point in time. Some portions should be rolled back, others may not. Compensation means doing another business transaction to compensate for a business traction that really occurred. Since in workflow, the business transactions occur and the events really occur. You cannot “undo” the cutting of check or the digging of a trench. You have to trigger a second business process to request a refund or fill the trench.

Karl Frank – Borland and OMG

Specialized in modeling business process – contributor to UML 2 and 2.1, BPDM, etc.

UML2.X – State Transition Diagram and Activity Diagram are related to workflow business process modeling.

Model Driven Architecture – capture the required business functionality without contamination of implementation specifics.

Merger with BPMI (Business Process Management Institute) – Business Process Definition Metamodel, Business Process Modeling Notation (BPMN). These do not separate out Orchestration from Choreography.

UML Behavior Diagrams – Statemachines for Workflow artifacts. What state is the loan application in?

BPMN model does not generate BPEL out of the box. You need to know which parts of BPMN are implemented in the BPEL specification.

Scott Thorne, Architect MIT and OKI

Reasons for doing workflow: the business process will probably outlive the technical implementation therefore having a generic model is important. Allows developers to focus on application specific technologies not rewriting infrastructure functions.

When you are designing you Web services, spend the time to be sure that you have vetted the designs with a wide variety of consumers to plan for changes in the future.

OKI Project Site

Education Commons dot Org

James Dalziel, Director, Macquarie ELearning Centre of Excellence(MELCOE), Macquarie University

MAMS – Identity and access management – leading Shibboleth rollout 500K+ identities. Developing Sharpe and Autograph

LAMS – eLearning workflow system

ASK-OOS

RAMP (Research Activityflow and Middleware Priorities)

1. Part 1 – Authorization – generalized library using XACML
2. Part 2 – Activityflow – “People-based workflow” for eResearch. Especially concurrent multi-actor multi-step workflows. Demonstrator of re-usable activityflows (builds on LAMS 2 core). Theoretical review of workflow standards and concepts
3. Part 3 – Authorization/Activityflow fusion exploration.

LAMS – based on new field of “Learning Design” based on IMS Learning Design specification. Goes beyond that. Web app (J2EE+Flash) Open source (GPL). Any teacher could create and run. Core concepts of LAMS are not e-learning specific. Concurrent multi-actor, multi-step workflow systems. LAMS community site with about 1300 community developed flows.

I’m very intrigued with the LAMS project. Could we use this for Architecture requirements gathering? Here is our standard workflow(s). Here are the steps that we follow.

LAMS v2 – provides a modular architecture for building different kinds of people-based worklfow systems. Separation of workflow core engine from workflow object definitions.

Starting up RAMS – Research Activity Management System. A new suite of activity tools appropriate for research based activities. Currently vaporware.

Brian McGough, UITS – Kuali Enterprise workflow (KEW)

Started out as OneStart Workflow. Worked with Cornell and changed name to Kuali Enterprise Workflow.

They have a Java API and a Web Services API. Java is most used client. There is an Edoc Lite (for non-programmers) – easy to use, XML document definition, for form based workflow.

KEW is a general-purpose electronic routing infrastructure (workflow engine) designed to facility the automation of mediated business processes.

Routing is based on E-Docs.

In order to make workflow decisions based on payload content (content based routing), you need to map the content within your payload in a semantically neutral way.

Rules – application routing data stored in workflow. Prevents client application from writing screens and logic to maintain their routing data. Routing data for multiple apps housing in a single location, can be managed from a single place. Rule functions driven by java/xml components.

KEW 3.0 is moving towards industry standards: BPEL and ESB.

George: Opening comment about presentation “Identity 2.0″ at OSCON 2005

### Shift in Identity discusion

Students provide a lot of personal information on Facebook but they also turn on the FERPA flags to protect their information from “the institution”. Steve asked about Linked In.

Movement towards people being responsible for their own attributes and expression of their attributes.

### Agenda:

1. Review the notes from I2FMM on Jim’s blog.
2. Follow up from the I2FMM – what are the next steps.
3. Using the I2FMM and Internet2 tags.
4. Spring Member Meeting – a set of tags.

### Next Steps and Collaboration Discussion

Request for an itinerary building – more of a My Member Meeting view
Having a simple tag or set of tags would be a simple

This group could identify collaboration tools – a few tools – that would be useful in this area.

* File Sharing
* CMS
* Blog
* Wiki

Basic idea is to have a common toolset that is available to a Working Group.

* Jim pushes back on the idea that Internet2 should provide all of the tools (wiki, blog, cms, IPTV sharing system)
* Internet2 could provide a couple of aggregators – a Technorati like directory and a del.icio.us like aggregators

Steve – issues with Intellectual Property and Participation is based on Membership. You can only be on a working group if you are a paying member.

It is an interesting example of the basic Authentication / Authorization flow:

1. The Authentication is based on the “something you have” and “something you know” schemes. They have a phone with a phone number and they know my phone number (or they have misdialed).
2. The caller presents an Identifier – their phone number.
3. My phone checks the Identifier against the “known and trusted user” directory – my Address book.
— If the Identifier matches a user the directory, Bio/Demo data is expressed and I grant access or deny based on criteria for service access (if I’m in a meeting, I may not answer a call from my Wife but may answer a call from the CIO). Another way to think of this is that different users have different access levels – the CIO has a high access level during work hours, my nephew has a lower access level during work hours.
— If the Identifier doesn’t match a user in the directory, I may grant access or I may request further Identifiers (e.g. the user’s voice and message of intent in my voice mail)

This example highlights some interesting challenges in Authentication / Authorization schemes: Access based on time (user X can get access services during normal business hours but not after hours), Exertion of further Identifiers (user X is not in our Directory but is in another trusted Directory or can present further credentials to gain access), Requiring additional credentials prior to granting access (user X has successfully logged in with NetID and Password but needs another credential to gain further access).

=== Signet is starting Phase 6: Proxy and bootstrapping roles. ===

Phase 7 includes rules for applying prereqs and conditions.

Release 1.0 will be a UI, XML release without a finalized API.

* next steps could include the API
* other things might take priority
* if you want to write a connector, you could use the API or the XML

SPML privilege engine would be a cool fit into Signet. Service Provisioning Markup Language

What is the correct progression or flow for all of the work that is in front of the group? Connecting Signet to other infrastructure is important in the early days – to PeopleSoft or Nexus.

Signet Subject API – Subject Java API Specification

The Signet web site on Internet2

Signet Demo

XACML markup language for expressing access control via web services call against Signet.

=== Group v0.6 – Released 16 September 05 ===

Added a GUI that fully exposes the API
Basic group and namespace management, subgroups, complete security model.

Mid- November – mostly refactoring internal functions.
Additional search capabilities

Version 1.0 due in mid-January 2006 will include Group Math

- Support for Union, Intersection and Compliment group math
- Group math will be simple

Version 1.1 due in mid-March 2006 group and membership aging and expanded configuration.

Serge Olivier discussing the Domain Keys Identified Mail (DKIM) anti-spam systems.

Craig Hancock discussing RPM packages for Linux installs.

DKIM – PKI is not required since the public keys are published via DNS. You don’t have to distribute private keys to end users. Keys are added by the first MTA. It does require SMTP/AUTH inside the domain.

With DKIM – some headers are part of the digital signature. There could be transformation of the message somewhere along the way. Canonization algorithm is used so that some changes will not break the signature: removal of white space, empty lines etc.

Antispam filters want to use reputation services. These services are only useful if you are sure that sender hasn’t been spoofed.

DKIM doesn’t specify how Mailing List Management software should handle the signing and forwarding of the email. The MLM could be a thin as possible, the MLM could remove the first signature and resign the email or the MLM could add a second signature.

Hopes for approval by IETF.

Craig Hancock – University of Notre Dam

RPM Packages for Sympa under Linux.

My opening comments are included in my PDF.

George Brett’s opening comments:

1. The recent Wizards Meeting used wiki’s for real-time posting of notes and documents. This was a shift from the usual – mailing list and weekly phone call.
1. Ineternet2 has many communities of interest. Those communities can aggregate to form larger communities. You can imagine a vin diagram of nested and overlapping circles that represents these groups.
1. He will be listening to see what these people think about these topics and to look for direction for Internet2′s collaboration and communication.

JPR’s Demo of MyVOCS.

Discussion Portion of the Meeting

Internet2 currently has about 15,000 Sympa email users. Internet2′s 15,000 email addresses may not represent 15,000 users. It represents 15K identities. Shibboleth could push us all to one identity but not necessarily so. You could have one identity for each IdP that you belong to.

Balance the political need to control and organize information vs. personal desire and choices for how to handle information. Pushing information out for the use of the masses vs. controlling information because of privacy fears.

What is the learning curve for new users using these tools? For the Folksonomy stuff it is pretty low and simple. For MyVOCS, people get hung up on the shibboleth portion.

Jill – hoping to learn what other open source collaboration tools people are interested in using. John-Paul – this is much like our desktop analogy. You find new tools you like. By having this common identity management framework, you can easily add new tools.

What about delegated administration? The goal is push the administration out. The MyVOCS space is pretty wide open. Anyone can create a new VO and become the new administrator for that VO. They have all of the capabilities as an administrator.

Can the average user do that or do the tools need to be simplified? Depends on what tools they have used before. Jump in and start using these tools.

Internet2 is a big user of Sympa. If we wanted to delegate this out to chair of a working group. Can these chairs handle the delegation of rights (read/write by group, readable by everyone, etc)? What you need to know is how to handle administration of Sympa. All of the rights flow from Sympa out to the other tools.

Sympa developers are active in the MList project. The MList follows this meeting. We can take is GUI and functional issues back to the developers if we need to.

Part of this is a training issue also. These chairs need to understand the space and the best use of these tools.

There is an issue of how to mailing list attributes (members can post but everyone can read archives) translate to other tools (what happens in the wiki)? That is where the tool provider/configurer must make intelligent decision. They chose Drupal because it understands assertions but the wiki doesn’t.

Issue of email address as an identifier. In MyVOCS it is NetID@IdentityProvider. Sympa is moving towards netid@idp also.

#### Triple-A – Authentication, Authorization, Accounts ####

* Authentication – has to do with you identity provided by identity provider
* Authorization – has to do with your attributes. How do you combine those attributes especially when they come from different systems and they apply to selected areas.
* Accounts – has to do with provisioning system-specific resources.

#### Attribute Storage ####

* Grouper and Signet let you define attributes and entitlements but where do you store the attributes when you are working across organizations.

#### John-Paul Design ####

* Want a VO Collaboration Environment for UABgrid
* * Communcaiton — email
* * Data Organiztion — CMS
* * Collaborative Editing — WIKI
* * Document Sharing — File Manager.
* Demonstrate utility of Middleware
* * Leverage existing open source applications
* * Use middleware

* Design Principles
* * Use Shibboleth for inter-application, cross-organizational., attribute transfer
* * use mailing list management software as the foundation of the VO environment.
* * use existing open source tools.

* Why Mailing List
* * Mailing lists are common
* * Users can self-register
* * List owner has privileges to manage own list.
* * Supports moderation
* * Single suite supports multiple communities.

* Why Sympa?
* * Established, Supports Shibboleth, Complete UI, Integration with MTA, SQL backend

Sympa site for the VO demo