BPMN Security Extension: Modeling security rules into BPMN


#1

Hi all

I have been working on a BPMN security rule system as I have found we write many of the same types of restrictions in scripts, delegates and listeners throughout a BPMN, and I wanted to bring this to a modeling capability.

I noticed we write many of the same rules in a Unit Test, so some of the logic is pulled from the same style of writing assertions.

The goal here is to write “security rules” that can be used as permission layers. These are similar to assertions that we typically write in unit tests, scripts, and delegates.

My prototype has these implemented using the Camunda Extensions attributes and using a BPMN Parse Listener that adds the specific rules to their relevant activities.

Examples of rules:


// current task cannot be claimed by the same user that claimed/completed Task_13d9vmo
@Security:claim
getAssignee() != task('Task_13d9vmo').getAssignee()

// Task can only be completed on a weekday and between the hours of 9am and 5:30pm
@Security:completion
getCurrentDate().getDayOfWeek().is().weekday() && getCurrentDate().is().between('09:00','17:30')

// Once a task is claimed, it must be completed by that user
@Security:unclaim
cannotUnClaim() //equivalent to returning false

// If an assignee/claimer is part of a specific group then they cannot claim / do this task
@Security:claim
!getAssignee().getGroups().contains('group11')

// If a user is part of someBadGroup then they cannot start this process
@Security:startableby
!getCurrentUser().getGroups().contains('someBadGroup')

// This process cannot be started if an existing process for the same definition id is currently active
@Security:startableby
processInstanceQuery().processDefinitionId(execution.getProcessDefinitionId()).active().startedBy(getCurrentUser()).count() == 0

Where the extension property name is @Security:startableby and the value would be an EL / SPEL expression such as: processInstanceQuery().processDefinitionId(execution.getProcessDefinitionId()).active().startedBy(getCurrentUser()).count() == 0

Any thoughts?

Anyone have further types of rules?

My current list was:

  1. Claim
  2. unclaim
  3. complete
  4. Cannot be completed by the user who did X task
  5. Cannot be member of group
  6. cannot be member of same group as user who completed X task
  7. must be specific date/time
  8. must be within a range
  9. cannot have other active processes of X Ids
  10. Variable value must exist or have specific value
  11. Some service must be online

Additionally I was looking at using BPMN “groups” element to create more complex rule assignment so you can create a group element that had 3 tasks inside of it, and apply a rule on the group such as:

@Security:tpi
getAssignee() != task(groupRule().firstTask().getAssignee()), which would place this rule on each task in the group, except for first task.

And I'm sure you can imagine the various layers that can be built around this.

Note that it is designed to be able to place multiple rules on a single activity: so that you can stack security rules.

Note the current design is set up to always expect the expression to resolve to True.
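
An added sketch of the parse-listener approach described in the post (not the poster's prototype): it reads `@Security:*` extension properties from a user task and attaches one fail-closed task listener per rule. It assumes a Camunda 7 engine; the class name and the property-to-event mapping are hypothetical, and rule values must be plain JUEL over the engine's built-in `task` and `execution` variables, since the post's helper functions such as `getAssignee()` or `task(...)` are not implemented here.

```java
import java.util.Map;
import org.camunda.bpm.engine.ProcessEngineException;
import org.camunda.bpm.engine.delegate.Expression;
import org.camunda.bpm.engine.delegate.TaskListener;
import org.camunda.bpm.engine.impl.bpmn.behavior.UserTaskActivityBehavior;
import org.camunda.bpm.engine.impl.bpmn.parser.AbstractBpmnParseListener;
import org.camunda.bpm.engine.impl.bpmn.parser.BpmnParse;
import org.camunda.bpm.engine.impl.context.Context;
import org.camunda.bpm.engine.impl.pvm.process.ActivityImpl;
import org.camunda.bpm.engine.impl.pvm.process.ScopeImpl;
import org.camunda.bpm.engine.impl.task.TaskDefinition;
import org.camunda.bpm.engine.impl.util.xml.Element;

// Hypothetical class; register it as a custom pre-BPMN-parse listener on the engine configuration.
public class SecurityRuleParseListener extends AbstractBpmnParseListener {

  // Assumed mapping from the post's property names to the task event that enforces them.
  private static final Map<String, String> EVENT_FOR_RULE = Map.of(
      "@Security:claim", TaskListener.EVENTNAME_ASSIGNMENT,
      "@Security:completion", TaskListener.EVENTNAME_COMPLETE);

  @Override
  public void parseUserTask(Element userTask, ScopeImpl scope, ActivityImpl activity) {
    Element ext = userTask.element("extensionElements");
    Element props = ext == null ? null
        : ext.elementNS(BpmnParse.CAMUNDA_BPMN_EXTENSIONS_NS, "properties");
    if (props == null) {
      return;
    }
    TaskDefinition definition =
        ((UserTaskActivityBehavior) activity.getActivityBehavior()).getTaskDefinition();
    // Each matching property adds its own listener, so several rules stack on one task.
    for (Element p : props.elementsNS(BpmnParse.CAMUNDA_BPMN_EXTENSIONS_NS, "property")) {
      String event = EVENT_FOR_RULE.get(String.valueOf(p.attribute("name")));
      if (event == null) {
        continue;
      }
      String rule = p.attribute("value");
      // Parsed at deployment, so a malformed rule rejects the deployment instead of a later claim.
      Expression expr = Context.getProcessEngineConfiguration().getExpressionManager()
          .createExpression("${" + rule + "}");
      definition.addTaskListener(event, task -> {
        // Fail closed: anything other than Boolean TRUE aborts the command and rolls it back.
        if (!Boolean.TRUE.equals(expr.getValue(task))) {
          throw new ProcessEngineException("Security rule denied " + event + ": " + rule);
        }
      });
    }
  }
}
```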