Abstract: In one embodiment the present invention includes a method of performing a secure transaction in a software system, such as a software service system, for example. Embodiments of the invention include encoding symmetric keys for securing transactions between a service consumer and service provider. Asymmetric keys are also used for providing additional security during transactions. In one embodiment, license tokens and capability tokens are encoded and passed between a service consumer and service provider for allowing a consumer secure access to authorized services.

Abstract: An embodiment includes a computer-implemented method of managing access control policies on a computer system having two high-level programming language environments. The method includes managing, by the computer system, a structured language environment. The method further includes managing, by the computer system, a dynamic language environment within the structured language environment. The method further includes receiving a policy. The policy is written in a dynamic language. The method further includes storing the policy in the dynamic language environment. The method further includes converting the policy from the dynamic language environment to the structured language environment. The method further includes generating a runtime in the structured language environment that includes the policy.

Abstract: A method and system to automatically monitor business collaborations. Collaboration participants can formally express obligations about their expected behavior during the collaboration in business terms, then automatically monitor processes carrying out the collaboration using the formulated obligations. The method and system extends existing service oriented monitoring standards and architecture, specifically, with additional business oriented metrics and plug-in components that allow the monitoring system to calculate business parameters from measurements of multiple services.

Abstract: A method and system to delegate an authority to access collaborative resources are provided. The system enables a participant to re-delegate the authority to another participant by an authorization certificate. A chain of the authorization certificate is established along with the re-delegation of the authority from one participant to another. The participant requesting access to the collaborative resources is requested to provide the owner with the chain of authorization certificate for verification. Therefore, the re-delegation process may be performed without the need to notify the owner and yet without comprising the security of the collaborative resources. In addition, the system provides for restricting the participant from accessing the collaborative resources. Consequently, though the participant may not have access to the collaborative resources, he is still able to re-delegate the authority to another participant.

Abstract: In one embodiment the present invention includes a security manager for managing security in a dynamic programming environment. The security manager interfaces between the dynamic programming environment and a non-dynamic programming environment. In this manner, the dynamic programming environment is unable to compromise the non-dynamic programming environment, yet still provide features desirable in a dynamic programming environment. An example using Ruby in a robust business programming environment is detailed.

Abstract: A system and method to collaborate participants of different administrative domains in a workflow process is provided. The system includes a membership module for managing the participants, an event module for correlating activities of the workflow process, the membership module and the event module exchanging information relating to changes in the participants and the activities of the workflow process. The membership module for managing the participants includes registering, identifying, adding, querying and modifying the participants. On the other hand, the event module for correlating activities of the workflow process further includes specifying, executing and terminating the activities.

Abstract: An embodiment includes a computer-implemented method of managing access control policies on a computer system having two high-level programming language environments. The method includes managing, by the computer system, a structured language environment. The method further includes managing, by the computer system, a dynamic language environment within the structured language environment. The method further includes receiving a policy. The policy is written in a dynamic language. The method further includes storing the policy in the dynamic language environment. The method further includes converting the policy from the dynamic language environment to the structured language environment. The method further includes generating a runtime in the structured language environment that includes the policy.

Abstract: A method and system for a source participant assessing trustworthiness of a destination participant through one or more neighboring participants in a collaborative environment. The method comprises modeling all of the participants as network nodes and relationships between the participants as network paths and identifying a set of the network nodes and the network paths representing the neighboring participants that connects the network node of the source participant to the network node of the destination participant. Each of the network nodes of the neighboring participants as identified has a trust rating with best result, the trust rating is a relative measurement of feedback ratings. The trust rating of a first one of the network nodes of the neighboring participants as identified is computed with the feedback ratings between the first one of the network nodes and others of the network nodes directly connected to the first one of the network nodes.

Abstract: In one embodiment the present invention includes a method of performing a secure transaction in a software system, such as a software service system, for example. Embodiments of the invention include encoding symmetric keys for securing transactions between a service consumer and service provider. Asymmetric keys are also used for providing additional security during transactions. In one embodiment, license tokens and capability tokens are encoded and passed between a service consumer and service provider for allowing a consumer secure access to authorized services.

Abstract: In one embodiment the present invention includes a security manager for managing security in a dynamic programming environment. The security manager interfaces between the dynamic programming environment and a non-dynamic programming environment. In this manner, the dynamic programming environment is unable to compromise the non-dynamic programming environment, yet still provide features desirable in a dynamic programming environment. An example using Ruby in a robust business programming environment is detailed.

Abstract: A method and system to delegate an authority to access collaborative resources are provided. The system enables a participant to re-delegate the authority to another participant by an authorization certificate. A chain of authorization certificates is established along with the re-delegation of the authority from one participant to another. The participant requesting access to the collaborative resources is requested to provide the owner with the chain of authorization certificates for verification. Therefore, the re-delegation process may be performed without the need to notify the owner and yet without comprising the security of the collaborative resources.

Abstract: A computer system, method and computer program for controlling a workflow process. A process modeling unit is configured to define a process model with at least a first task and a second task, wherein the second task needs to comply with a control aspect and depends on the first task, and is further configured to insert into the process model a control task between the first and the second task, wherein the control task is configured to enforce the control aspect on the second task by using a control service of a subsystem. A process execution unit of the system is configured to generate a process instance from the process model and to instantiate a control context to capture the current state of the process instance, the control context being used by an instance of the control task to invoke the control service according to the control aspect.

Abstract: Automatic secure application composition, in which a specification for a business process is accessed, the specification including a security annotation that defines a security intention, and a task that defines at least a portion of the business process, and that calls an external service. A security pattern associated with the security annotation is invoked, and a service provider associated with the external service that satisfies the security intention is identified based on the invoked security pattern. The business process is invoked using the identified service provider.

Abstract: Automatic secure application composition, in applying a security framework is applied to a business process. An external policy negotiation is conducted to specify a common policy between the composite application and an external service based on applying the security framework, the common policy is enforced for each interaction between the composite application and the external service, and access by the external service to local services and objects is regulated based on the security objectives.

Abstract: A system, to establish a trustworthy supplier in an online commerce environment, includes an aggregated service provider represents a buyer to source and evaluate a seller. The aggregated service provider collects the requirements from the buyer, whereby the requirements include product specification and qualifications of the seller. The aggregated service provider presents the requirements to a trusted service provider. At the same time, the aggregated service provider grants the trusted service provider a permit to issue bound property. A bound property is an award given to a seller in recognition for his qualifications. The trusted service provider first provides the seller with a Request For Invitation and requests the seller to submit a property certificate. The property certificate contains qualifications of the seller which are affirmed by a trusted agent. The trusted service provider evaluates the qualifications of the sellers based on the submitted property certificate and awards a bound property.

Abstract: A method and system to automatically monitor business collaborations. Collaboration participants can formally express obligations about their expected behavior during the collaboration in business terms, then automatically monitor processes carrying out the collaboration using the formulated obligations. The method and system extends existing service oriented monitoring standards and architecture, specifically, with additional business oriented metrics and plug-in components that allow the monitoring system to calculate business parameters from measurements of multiple services.

Abstract: A method and system for a source participant assessing trustworthiness of a destination participant through one or more neighboring participants in a collaborative environment. The method comprises modeling all of the participants as network nodes and relationships between the participants as network paths and identifying a set of the network nodes and the network paths representing the neighboring participants that connects the network node of the source participant to the network node of the destination participant. Each of the network nodes of the neighboring participants as identified has a trust rating with best result, the trust rating is a relative measurement of feedback ratings. The trust rating of a first one of the network nodes of the neighboring participants as identified is computed with the feedback ratings between the first one of the network nodes and others of the network nodes directly connected to the first one of the network nodes.

Abstract: A computer system, method and computer program for controlling a workflow process. A process modelling unit is configured to define a process model with at least a first task and a second task, wherein the second task needs to comply with a control aspect and depends on the first task, and is further configured to insert into the process model a control task between the first and the second task, wherein the control task is configured to enforce the control aspect on the second task by using a control service of a subsystem. A process execution unit of the system is configured to generate a process instance from the process model and to instantiate a control context to capture the current state of the process instance, the control context being used by an instance of the control task to invoke the control service according to the control aspect.