Patents by Inventor Maarten E. Rits

Maarten E. Rits has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9021550
    Abstract: A computer-implemented method for executing a workflow is described, wherein the workflow comprises a set of individual activities, the method comprising the operations of deriving a global workflow access type and receiving a request to execute a workflow. Execution of access control based on the global workflow access type is performed. If access is allowable, the user is authorized to execute all activities belonging to the workflow. If access is not allowable, the user is rejected before executing the workflow.
    Type: Grant
    Filed: April 16, 2007
    Date of Patent: April 28, 2015
    Assignee: SAP SE
    Inventor: Maarten E. Rits
  • Patent number: 8744892
    Abstract: A method and system to control an interaction of a plurality of participants in a workflow process. The method classifies the plurality of activities as (1) first activity of the workflow process, (2) first activity of a participant in an on-going workflow process, and (3) interaction activity. A set of access control policies is generated for each type of activity. The policies include workflow initialization policy, participation policy and interaction policies. The policies determine if a requesting participant is permitted to interact with a responding participant. In addition, the system includes a policy enforcement point for receiving a request from a requesting participant, wherein the request is for activating an activity of a responding participant. The policy enforcement point forwards the request to a policy decision point where the request is evaluated based on the set of access control policies.
    Type: Grant
    Filed: February 17, 2006
    Date of Patent: June 3, 2014
    Assignee: SAP AG
    Inventors: Yevgen Reznichenko, Maarten E. Rits, Jochen Haller, Pascal T. C. Spadone, Cedric R. J. Hebert
  • Patent number: 8453199
    Abstract: There is provided a computer-implemented method, computer-program product, system and security index structure for a security enforcement strategy for a composite application. The method comprises providing a workflow for the composite application, wherein the composite application is constructed from a set of sub-applications and wherein at least a plurality of the sub-applications has a policy. A consolidated workflow policy is generated for the workflow by combining the policies of the sub-applications and by taking into account a control flow of the workflow, wherein the control flow provides an order in which the set of sub-applications are performed. The consolidated workflow policy is enforced by providing a security index structure for the consolidated workflow policy adapted for checking authorization in the workflow.
    Type: Grant
    Filed: March 19, 2008
    Date of Patent: May 28, 2013
    Assignee: SAP AG
    Inventor: Maarten E. Rits
  • Patent number: 8001378
    Abstract: The present description refers to a method for protecting data of a mobile agent (MA) from a first server (A) which are intended for at least one second server (B) within a network system against an attack and an unauthorized access, wherein the first server (A) as well as the at least one second server (B) have a pair of a public key (KA, KB) and a private key (PKA, PKB) associated therewith, respectively, the method comprising, starting from the first server, at least the steps of choosing a unique number (r0) and assigning it to the mobile agent (MA), choosing a secret symmetric key (SKo) and assigning it to the data (mB) to be protected, encoding the secret key (SKo) with the public key (KB) of the second server (B), encrypting the secret key (SKo) and the public key (KA) of the first server via a cryptographic wrapping function (h), thus forming a data authentication code (h(KA, SKo)), encoding the data (mB) with the secret key (SKo), and combining the unique number (r0), the encoded data ({mB}SKo) and
    Type: Grant
    Filed: May 18, 2007
    Date of Patent: August 16, 2011
    Assignee: SAP AG
    Inventor: Maarten E. Rits
  • Patent number: 7827606
    Abstract: Systems and methods for reverse engineering access control include determining a set of potential access control target methods, functions and/or subroutines that may be used in software applications. A software application is then analyzed to determine if the access control targets are present in the software application. If an access control target is used by the software application, then the access control policy for the target is analyzed to determine the roles, privileges, or rights that are necessary to successfully execute the access control target. A report is then generated that provides information about the access control policy elements actually used by the software application.
    Type: Grant
    Filed: November 21, 2005
    Date of Patent: November 2, 2010
    Assignee: SAP AG
    Inventors: Maarten E. Rits, Benjamin De Boe
  • Patent number: 7797534
    Abstract: There is proposed a method for executing a workflow, comprising providing the workflow comprising process level activities, at least one process level activity being able to access system resources, the access to the system resources being mediated by a plurality of backend modules. A backend module of the plurality of backend modules carries out the steps of receiving a hierarchical attribute certificate, validating the attribute certificate, checking whether the attribute certificate grants a right to execute the backend module, checking whether a predefined execution path from the process level activity to the backend module has been traversed, and if both checking steps are successful, executing the backend module. Moreover, there is proposed a respective device, computer program medium and computer program product.
    Type: Grant
    Filed: October 19, 2006
    Date of Patent: September 14, 2010
    Assignee: SAP AG
    Inventor: Maarten E. Rits
  • Patent number: 7778931
    Abstract: The present description refers to a method for securing processing of an order by a mobile agent from a first server (S0) within a network system with a plurality of servers (S0, S1, . . . ,Sn), at least a number of which the mobile agent has to pass according to an appropriate succession, wherein each of the plurality of servers has a pair of a public key (KS0, . . . ,KSi, . . . , KSn) and a private key (PKS0, . . . ,PKSi, . . . , PKSn) associated therewith, respectively, the method comprising, starting from any one of the number of servers the mobile agent has to pass, called herein the i'th server at least the steps of receiving the mobile agent which has been prepared by the first server by choosing a unique number (r0) and assigning it to the mobile agent, encoding the chosen unique number (r0) with the private key (PKS0) of the first server (S0), thus forming an agent specific initialisation number (C0) as basis for a sequence of checksums (C0, . . . ,Ci, . . .
    Type: Grant
    Filed: May 18, 2007
    Date of Patent: August 17, 2010
    Assignee: SAP AG
    Inventor: Maarten E. Rits
  • Publication number: 20080282318
    Abstract: There is provided a computer-implemented method, computer-program product, system and security index structure for a security enforcement strategy for a composite application. The method comprises providing a workflow for the composite application, wherein the composite application is constructed from a set of sub-applications and wherein at least a plurality of the sub-applications has a policy. A consolidated workflow policy is generated for the workflow by combining the policies of the sub-applications and by taking into account a control flow of the workflow, wherein the control flow provides an order in which the set of sub-applications are performed. The consolidated workflow policy is enforced by providing a security index structure for the consolidated workflow policy adapted for checking authorization in the workflow.
    Type: Application
    Filed: March 19, 2008
    Publication date: November 13, 2008
    Applicant: SAP AG, Dietmar-Hopp-Allee
    Inventor: Maarten E. Rits
  • Patent number: 7386785
    Abstract: A method for automatically filling an electronic timesheet includes extracting one or more calendar entries from an electronic calendar and matching each calendar entry of the one or more calendar entries to a corresponding project of a list of projects. An electronic timesheet is then filled based on each calendar entry matched with the corresponding project.
    Type: Grant
    Filed: August 30, 2004
    Date of Patent: June 10, 2008
    Assignee: SAP AG
    Inventors: Cédric S. P. Ulmer, Pascal T. C. Spadone, Cédric R. J. Hébert, Laurent Y. Gomez, Maarten E. Rits
  • Publication number: 20080016554
    Abstract: A computer-implemented method for executing a workflow is described, wherein the workflow comprises a set of individual activities, the method comprising the operations of deriving a global workflow access type and receiving a request to execute a workflow. Execution of access control based on the global workflow access type is performed. If access is allowable, the user is authorised to execute all activities belonging to the workflow. If access is not allowable, the user is rejected before executing the workflow.
    Type: Application
    Filed: April 16, 2007
    Publication date: January 17, 2008
    Inventor: Maarten E. Rits
  • Publication number: 20070286424
    Abstract: The present description refers to a method for securing processing of an order by a mobile agent from a first server (S0) within a network system with a plurality of servers (S0, S1, . . . ,Sn), at least a number of which the mobile agent has to pass according to an appropriate succession, wherein each of the plurality of servers has a pair of a public key (KS0, . . . ,KSi, . . . , KSn) and a private key (PKS0, . . . ,PKSi, . . . , PKSn) associated therewith, respectively, the method comprising, starting from any one of the number of servers the mobile agent has to pass, called herein the i'th server at least the steps of receiving the mobile agent which has been prepared by the first server by choosing a unique number (r0) and assigning it to the mobile agent, encoding the chosen unique number (r0) with the private key (PKS0) of the first server (S0), thus forming an agent specific initialisation number (C0) as basis for a sequence of checksums (C0, . . . ,Ci, . . .
    Type: Application
    Filed: May 18, 2007
    Publication date: December 13, 2007
    Inventor: Maarten E. Rits
  • Publication number: 20070288751
    Abstract: The present description refers to a method for protecting data of a mobile agent (MA) from a first server (A) which are intended for at least one second server (B) within a network system against an attack and an unauthorized access, wherein the first server (A) as well as the at least one second server (B) have a pair of a public key (KA, KB) and a private key (PKA, PKB) associated therewith, respectively, the method comprising, starting from the first server, at least the steps of choosing a unique number (r0) and assigning it to the mobile agent (MA), choosing a secret symmetric key (SKo) and assigning it to the data (mB) to be protected, encoding the secret key (SKo) with the public key (KB) of the second server (B), encrypting the secret key (SKo) and the public key (KA) of the first server via a cryptographic wrapping function (h), thus forming a data authentication code (h(KA, SKo)), encoding the data (mB) with the secret key (SKo), and combining the unique number (r0), the encoded data ({mB}SKo) and
    Type: Application
    Filed: May 18, 2007
    Publication date: December 13, 2007
    Inventor: Maarten E. Rits