<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: BPM, ECM, ESB, and Security</title>
	<atom:link href="http://itredux.com/2007/01/26/bpm-ecm-esb-and-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://itredux.com/2007/01/26/bpm-ecm-esb-and-security/</link>
	<description>New Rules for a New IT World</description>
	<pubDate>Tue, 14 Oct 2008 11:55:40 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.5</generator>
		<item>
		<title>By: Francis Ip</title>
		<link>http://itredux.com/2007/01/26/bpm-ecm-esb-and-security/#comment-50775</link>
		<dc:creator>Francis Ip</dc:creator>
		<pubDate>Sun, 25 Feb 2007 19:00:03 +0000</pubDate>
		<guid isPermaLink="false">http://itredux.com/blog/2007/01/26/bpm-ecm-esb-and-security/#comment-50775</guid>
		<description>Steve,

What you wrote is nothing new. It has been addressed by the DoD (Department of Defense) in the Orange Book (Trusted Computing) back in the 60's. Have you visited the C2 site (ISO standard)?

Best regards
-Francis</description>
		<content:encoded><![CDATA[<p>Steve,</p>
<p>What you wrote is nothing new. It has been addressed by the DoD (Department of Defense) in the Orange Book (Trusted Computing) back in the 60&#8217;s. Have you visited the C2 site (<span class="caps">ISO</span>&nbsp;standard)?</p>
<p>Best regards<br />&nbsp;-Francis</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Steve</title>
		<link>http://itredux.com/2007/01/26/bpm-ecm-esb-and-security/#comment-50768</link>
		<dc:creator>Steve</dc:creator>
		<pubDate>Sun, 25 Feb 2007 18:35:34 +0000</pubDate>
		<guid isPermaLink="false">http://itredux.com/blog/2007/01/26/bpm-ecm-esb-and-security/#comment-50768</guid>
		<description>Francis,

Part 2 in this &lt;a href="http://www.scanguru.com/page.php?9"&gt;article&lt;/a&gt;: some expansion beyond basic tenets as areas of focus.</description>
		<content:encoded><![CDATA[<p>Francis,</p>
<p>Part 2 in this <a href="http://www.scanguru.com/page.php?9">article</a>: some expansion beyond basic tenets as areas of&nbsp;focus.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Francis Ip</title>
		<link>http://itredux.com/2007/01/26/bpm-ecm-esb-and-security/#comment-50683</link>
		<dc:creator>Francis Ip</dc:creator>
		<pubDate>Sun, 25 Feb 2007 12:56:41 +0000</pubDate>
		<guid isPermaLink="false">http://itredux.com/blog/2007/01/26/bpm-ecm-esb-and-security/#comment-50683</guid>
		<description>Steve,

It is very simple, when choosing a product. It depends on what platform the product was developed and implemented. If it is .Net, I know that it can capitalize on Windows' security model, because it has been C2 certified. If the product is Java based, I would ask for a Critical Criteria—C2 (ISO standard) certification before I would touch it. Java runs in its own world! Many open-source products never had security in mind! It is an all or nothing proposition.

Best regards
-Francis</description>
		<content:encoded><![CDATA[<p>Steve,</p>
<p>It is very simple, when choosing a product. It depends on what platform the product was developed and implemented. If it is .Net, I know that it can capitalize on Windows&#8217; security model, because it has been C2 certified. If the product is Java based, I would ask for a Critical Criteria—C2 (<span class="caps">ISO</span> standard) certification before I would touch it. Java runs in its own world! Many open-source products never had security in mind! It is an all or nothing&nbsp;proposition.</p>
<p>Best regards<br />&nbsp;-Francis</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Steve</title>
		<link>http://itredux.com/2007/01/26/bpm-ecm-esb-and-security/#comment-49517</link>
		<dc:creator>Steve</dc:creator>
		<pubDate>Thu, 22 Feb 2007 04:54:52 +0000</pubDate>
		<guid isPermaLink="false">http://itredux.com/blog/2007/01/26/bpm-ecm-esb-and-security/#comment-49517</guid>
		<description>I have written a basic security &lt;a href="http://www.scanguru.com/download.php?view.7"&gt;article&lt;/a&gt; on ECM security planning, and will write follow on articles as well. Please post some thoughts.</description>
		<content:encoded><![CDATA[<p>I have written a basic security <a href="http://www.scanguru.com/download.php?view.7">article</a> on <span class="caps">ECM</span> security planning, and will write follow on articles as well. Please post some&nbsp;thoughts.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Bob Urry</title>
		<link>http://itredux.com/2007/01/26/bpm-ecm-esb-and-security/#comment-42761</link>
		<dc:creator>Bob Urry</dc:creator>
		<pubDate>Mon, 05 Feb 2007 21:38:31 +0000</pubDate>
		<guid isPermaLink="false">http://itredux.com/blog/2007/01/26/bpm-ecm-esb-and-security/#comment-42761</guid>
		<description>Hi Francis,

I understand your frustration on repetition, but I've not had the advantage of seeing your other writings, sorry. I never intended to contradict you about vendors and security. I'm just not so surprised that it happens. History repeats itself.

Please believe that I take everything that you say very seriously, and comment only after considerable reflection of my own perspectives. I certainly cannot match your extensive experience in this field, though our work experience would seem to have similar spans.

All the very best
-Bob</description>
		<content:encoded><![CDATA[<p>Hi&nbsp;Francis,</p>
<p>I understand your frustration on repetition, but I&#8217;ve not had the advantage of seeing your other writings, sorry. I never intended to contradict you about vendors and security. I&#8217;m just not so surprised that it happens. History repeats&nbsp;itself.</p>
<p>Please believe that I take everything that you say very seriously, and comment only after considerable reflection of my own perspectives. I certainly cannot match your extensive experience in this field, though our work experience would seem to have similar&nbsp;spans.</p>
<p>All the very best<br />&nbsp;-Bob</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Francis Ip</title>
		<link>http://itredux.com/2007/01/26/bpm-ecm-esb-and-security/#comment-41185</link>
		<dc:creator>Francis Ip</dc:creator>
		<pubDate>Fri, 02 Feb 2007 19:52:35 +0000</pubDate>
		<guid isPermaLink="false">http://itredux.com/blog/2007/01/26/bpm-ecm-esb-and-security/#comment-41185</guid>
		<description>Jacques-Alexandre &#38; Bob,

Process management has been around for about a century, influenced mostly by Frederick Winslow Taylor, the father of scientific management. Structured methodologies (SADT, IDEF, and DFD) in the 70's aimed at improving all enterprise processes, not just one or two sets of functional processes. Business processes are one set of functional processes. CAD/CAM were already in force in those days with real-time process control (SCADA) in manufacturing (or production) processes. Read my article posted in this blog almost a year ago, Business User Perspective on UML, BPMN, and BPMS.

C2 in the Orange Book (by DoD) has been the baseline for computing security since the 60's. Now C2 is also called Common Criteria (ISO 15408). In addition to Operating Systems such as IBM's AIX or Windows 2000, Oracle's products are also C2 certified, as they circumvent OS security by taking direct control of physical hard disks, and do their own clustering of computers. Broadly speaking, there are general group policies, and explicit allocation of computing resources to individuals. Meaning, every person has a unique token in using computing resources when authenticated. For instance, Jacques, Bob, and I may belong to the same security class, but there may be resources that I can access, but Jacques and Bob cannot until I grant them the right on each one. W3C has had WS-Security for a long time, but I am not sure how it stacks up against ISO 15408 though! The swimlane or pool in BPMN would work for group policies. When it gets down to an individual, you need the layering capability. Ismael said in a comment of another article that Intalio's Process Designer did provide such a capability.

Jacques and Bob, I don't know how many years of experience you have in terms of real-time process control and security. My first real-time process control project was QEW Freeway Surveillance in Ontario back in 1974! My first encounter of stringent requirements for security was a suite of turnkey Patient Registration and A/D/T Systems that I delivered to a world famous teaching hospital back in 1980 in Hamilton, Canada. That was my first management consulting assignment!

Jacques, you are a pretty good marketing man. I, however, cannot afford to pay for a training course. If I had the money, I would go for the PDUs first, as required by the PMP certificate exam. Getting a PMP designation is more profitable to me than knowing how to use a particular software package.

I tend to adhere to de jure standards, ISO in particular, as they are more universal than consortium standards! For instance, PL/1 in North America and Algol in Europe were the de facto standard programming languages in the 60's and 70's. Where are they now? Another example, IBM had EBCDIC and SDLC for character encoding and packet switching respectively. Moving to UNIX and Java, IBM had to abandon both of them. Moreover, IBM doesn't talk about SNA anymore, but Internet! IBM had a grand vision of offering integrated Computer, Telecom, and Satellite products and services in the early 80's. It bought a telephone manufacturing company (I forgot the name now) that competed against Northern Telecom (now Nortel) and AT&#38;T (now Lucent). There was no way that IBM could integrate its proprietary schemes with CCITT (now ITU) standards-based products and services. In those days, I worked with IBM Canada's national support SEs to configure underlying IT infrastructures for clients. I always asked tough questions on behalf of clients. One time, one of the 3 consulting SEs came to visit me and told me the roadmap of OS/2. In general, the job for a consulting SE is to advise the President of IBM Canada what businesses IBM Canada should get into. They don't go out to visit customers. I was the exception. It was a coincidence that the consulting SE who visited me was the CE at the Ministry that I used to work for before I got into the management consulting arena. We never met each other in those days, but we did know the same group of people who worked in the data center at the time. In one of my consulting assignments, I had national support SEs from IBM, DEC, and Tandem to work for a client at the same time! On several occasions, I also worked with the CEOs of software (e.g. Sentry at Chicago) and computer (e.g. Stratus of Canada) vendors! I always challenged a vendor's overhyped product capabilities. In one of my consulting assignments, I sent an RFP to several vendors—IBM, DEC, Tandem, and Wang. In that RFP, each vendor had to deliver a working prototype, and demonstrate that the products submitted in the proposal could meet the requirements as stipulated in the prototype specification of the RFP. In other words, I go by real-life working products, not claims, even if you are as large as IBM or HP!

Best regards
-Francis

P.S. I am getting tired of repeating myself many times over in different articles! In essence, retrofitting security into a software product is a very expensive undertaking. Moreover, if security is not incorporated in the first general release of a software product, it only means that the vendor is inexperienced!</description>
		<content:encoded><![CDATA[<p>Jacques-Alexandre <span class="amp">&amp;</span>&nbsp;Bob,</p>
<p>Process management has been around for about a century, influenced mostly by Frederick Winslow Taylor, the father of scientific management. Structured methodologies (<span class="caps">SADT</span>, <span class="caps">IDEF</span>, and <span class="caps">DFD</span>) in the 70&#8217;s aimed at improving all enterprise processes, not just one or two sets of functional processes. Business processes are one set of functional processes. <span class="caps">CAD</span>/<span class="caps">CAM</span> were already in force in those days with real-time process control (<span class="caps">SCADA</span>) in manufacturing (or production) processes. Read my article posted in this blog almost a year ago, Business User Perspective on <span class="caps">UML</span>, <span class="caps">BPMN</span>, and&nbsp;<span class="caps">BPMS</span>.</p>
<p>C2 in the Orange Book (by DoD) has been the baseline for computing security since the 60&#8217;s. Now C2 is also called Common Criteria (<span class="caps">ISO</span> 15408). In addition to Operating Systems such as <span class="caps">IBM</span>&#8217;s <span class="caps">AIX</span> or Windows 2000, Oracle&#8217;s products are also C2 certified, as they circumvent <span class="caps">OS</span> security by taking direct control of physical hard disks, and do their own clustering of computers. Broadly speaking, there are general group policies, and explicit allocation of computing resources to individuals. Meaning, every person has a unique token in using computing resources when authenticated. For instance, Jacques, Bob, and I may belong to the same security class, but there may be resources that I can access, but Jacques and Bob cannot until I grant them the right on each one. <span class="caps">W3C</span> has had <span class="caps">WS</span>-Security for a long time, but I am not sure how it stacks up against <span class="caps">ISO</span> 15408 though! The swimlane or pool in <span class="caps">BPMN</span> would work for group policies. When it gets down to an individual, you need the layering capability. Ismael said in a comment of another article that Intalio&#8217;s Process Designer did provide such a&nbsp;capability.</p>
<p>Jacques and Bob, I don&#8217;t know how many years of experience you have in terms of real-time process control and security. My first real-time process control project was <span class="caps">QEW</span> Freeway Surveillance in Ontario back in 1974! My first encounter of stringent requirements for security was a suite of turnkey Patient Registration and A/D/T Systems that I delivered to a world famous teaching hospital back in 1980 in Hamilton, Canada. That was my first management consulting&nbsp;assignment!</p>
<p>Jacques, you are a pretty good marketing man. I, however, cannot afford to pay for a training course. If I had the money, I would go for the PDUs first, as required by the <span class="caps">PMP</span> certificate exam. Getting a <span class="caps">PMP</span> designation is more profitable to me than knowing how to use a particular software&nbsp;package.</p>
<p>I tend to adhere to de jure standards, <span class="caps">ISO</span> in particular, as they are more universal than consortium standards! For instance, <span class="caps">PL</span>/1 in North America and Algol in Europe were the de facto standard programming languages in the 60&#8217;s and 70&#8217;s. Where are they now? Another example, <span class="caps">IBM</span> had <span class="caps">EBCDIC</span> and <span class="caps">SDLC</span> for character encoding and packet switching respectively. Moving to <span class="caps">UNIX</span> and Java, <span class="caps">IBM</span> had to abandon both of them. Moreover, <span class="caps">IBM</span> doesn&#8217;t talk about <span class="caps">SNA</span> anymore, but Internet! <span class="caps">IBM</span> had a grand vision of offering integrated Computer, Telecom, and Satellite products and services in the early 80&#8217;s. It bought a telephone manufacturing company (I forgot the name now) that competed against Northern Telecom (now Nortel) and <span class="caps">AT</span>&amp;T (now Lucent). There was no way that <span class="caps">IBM</span> could integrate its proprietary schemes with <span class="caps">CCITT</span> (now <span class="caps">ITU</span>) standards-based products and services. In those days, I worked with <span class="caps">IBM</span> Canada&#8217;s national support SEs to configure underlying <span class="caps">IT</span> infrastructures for clients. I always asked tough questions on behalf of clients. One time, one of the 3 consulting SEs came to visit me and told me the roadmap of <span class="caps">OS</span>/2. In general, the job for a consulting <span class="caps">SE</span> is to advise the President of <span class="caps">IBM</span> Canada what businesses <span class="caps">IBM</span> Canada should get into. They don&#8217;t go out to visit customers. I was the exception. It was a coincidence that the consulting <span class="caps">SE</span> who visited me was the <span class="caps">CE</span> at the Ministry that I used to work for before I got into the management consulting arena. We never met each other in those days, but we did know the same group of people who worked in the data center at the time. In one of my consulting assignments, I had national support SEs from <span class="caps">IBM</span>, <span class="caps">DEC</span>, and Tandem to work for a client at the same time! On several occasions, I also worked with the CEOs of software (e.g. Sentry at Chicago) and computer (e.g. Stratus of Canada) vendors! I always challenged a vendor&#8217;s overhyped product capabilities. In one of my consulting assignments, I sent an <span class="caps">RFP</span> to several vendors—<span class="caps">IBM</span>, <span class="caps">DEC</span>, Tandem, and Wang. In that <span class="caps">RFP</span>, each vendor had to deliver a working prototype, and demonstrate that the products submitted in the proposal could meet the requirements as stipulated in the prototype specification of the <span class="caps">RFP</span>. In other words, I go by real-life working products, not claims, even if you are as large as <span class="caps">IBM</span> or&nbsp;<span class="caps">HP</span>!</p>
<p>Best regards<br />&nbsp;-Francis</p>
<p><span class="caps">P.S.</span> I am getting tired of repeating myself many times over in different articles! In essence, retrofitting security into a software product is a very expensive undertaking. Moreover, if security is not incorporated in the first general release of a software product, it only means that the vendor is&nbsp;inexperienced!</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Bob Urry</title>
		<link>http://itredux.com/2007/01/26/bpm-ecm-esb-and-security/#comment-40495</link>
		<dc:creator>Bob Urry</dc:creator>
		<pubDate>Thu, 01 Feb 2007 08:29:04 +0000</pubDate>
		<guid isPermaLink="false">http://itredux.com/blog/2007/01/26/bpm-ecm-esb-and-security/#comment-40495</guid>
		<description>Jacques-Alexandre,

It is an interesting point that you make about secure, fail-safe transactional calls to back end systems. This is exactly what I'm involved with at the moment. Providing such sub-processes provides a nice, clean interface that business folks can use without any concern about underlying IT requirements.

What is interesting is that not many people talk about patterns when it comes to processes and yet, I notice that they exist everywhere. In fact I tend to use Facade and Proxy patterns quite a lot in my thinking and design work.

Do you know of anyone who discusses process in these terms? I'm sure that if people did for process that which has been done for general programming, it would be quite fruitful. You might even manage to make a few converts on the way.

Cheers
-Bob</description>
		<content:encoded><![CDATA[<p>Jacques-Alexandre,</p>
<p>It is an interesting point that you make about secure, fail-safe transactional calls to back end systems. This is exactly what I&#8217;m involved with at the moment. Providing such sub-processes provides a nice, clean interface that business folks can use without any concern about underlying <span class="caps">IT</span>&nbsp;requirements.</p>
<p>What is interesting is that not many people talk about patterns when it comes to processes and yet, I notice that they exist everywhere. In fact I tend to use Facade and Proxy patterns quite a lot in my thinking and design&nbsp;work.</p>
<p>Do you know of anyone who discusses process in these terms? I&#8217;m sure that if people did for process that which has been done for general programming, it would be quite fruitful. You might even manage to make a few converts on the&nbsp;way.</p>
<p>Cheers<br />&nbsp;-Bob</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Jacques-Alexandre Gerber</title>
		<link>http://itredux.com/2007/01/26/bpm-ecm-esb-and-security/#comment-40427</link>
		<dc:creator>Jacques-Alexandre Gerber</dc:creator>
		<pubDate>Thu, 01 Feb 2007 04:47:43 +0000</pubDate>
		<guid isPermaLink="false">http://itredux.com/blog/2007/01/26/bpm-ecm-esb-and-security/#comment-40427</guid>
		<description>Francis,

It does not take BPMN to find security holes in database management systems. Security is a serious issue for all systems and organizations, and it's been so for a long time, and will probably remain so for many more years to come. I don't understand how BPMN or the BPMS could create new security issues that did not exist at all before, nor why they could not be overcome.

I certainly understand that BPM is a paradigm shift, and it's a challenge for most of us to undertake it. Every paradigm shift brings its share of fear. How many people were concerned about the Internet, or Java, or even relational databases at a time when hierarchical database systems were the standard? It does not mean that Internet killed newspapers or TV, nor that Java killed C++, and BPMN does not mean the death of other older notations. But at the end of the day, either people will adopt it and overcome the difficulties, or they will stay where they feel more comfortable, or they will move on to something else.</description>
		<content:encoded><![CDATA[<p>Francis,</p>
<p>It does not take <span class="caps">BPMN</span> to find security holes in database management systems. Security is a serious issue for all systems and organizations, and it&#8217;s been so for a long time, and will probably remain so for many more years to come. I don&#8217;t understand how <span class="caps">BPMN</span> or the <span class="caps">BPMS</span> could create new security issues that did not exist at all before, nor why they could not be&nbsp;overcome.</p>
<p>I certainly understand that <span class="caps">BPM</span> is a paradigm shift, and it&#8217;s a challenge for most of us to undertake it. Every paradigm shift brings its share of fear. How many people were concerned about the Internet, or Java, or even relational databases at a time when hierarchical database systems were the standard? It does not mean that Internet killed newspapers or <span class="caps">TV</span>, nor that Java killed C++, and <span class="caps">BPMN</span> does not mean the death of other older notations. But at the end of the day, either people will adopt it and overcome the difficulties, or they will stay where they feel more comfortable, or they will move on to something&nbsp;else.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Jacques-Alexandre Gerber</title>
		<link>http://itredux.com/2007/01/26/bpm-ecm-esb-and-security/#comment-40419</link>
		<dc:creator>Jacques-Alexandre Gerber</dc:creator>
		<pubDate>Thu, 01 Feb 2007 04:33:33 +0000</pubDate>
		<guid isPermaLink="false">http://itredux.com/blog/2007/01/26/bpm-ecm-esb-and-security/#comment-40419</guid>
		<description>Francis,

There's no such thing in BPMN as one pool per user. Pools are used to define participants, which can represent a system, a service, an application, a user, a role, an organization, another process. In short, a pool represents any entity that is involved in performing tasks in an end-to-end process.

A BPMN diagram can represent a "myCompany" pool that has one task that could be "GenerateProfit". This would be a valid BPMN diagram, although I'm not sure it would help much. A pool can as well represent "Francis Ip", who is requested to give a call to his boss as soon as possible.

In an end-to-end business process, there are different levels of granularity, from the high level view that business decision makers can work on when defining business strategy and organisational structures, down to defining robust, secure, fail-safe transactional calls to the ERP. Sub-processes, and what we call reusable processes at Intalio, provide the capability to work at these different layers, and link them to each other in a very natural way, so that business analysts and process analysts can cover processes end-to-end.

In addition, even when considering a specific layer where dozens of pools could be used, it is still possible to hide some of them, or look at the process from one specific perspective, filtering information as necessary. This is where the tool can provide interesting functionality to help scaling business models beyond the typical flow charts that you can see on many organizations' walls.

When you combine all of this, BPMN can definitely be used to model real, large, and complex business processes used in many industries, including defense, healthcare, and manufacturing, to name a few, where you seem to have doubts it can be used. If you're still not convinced, please come attend one of our &lt;a href="http://www.intalio.com/services/training/"&gt;training sessions&lt;/a&gt;, and we'll show you this in more detail.</description>
		<content:encoded><![CDATA[<p>Francis,</p>
<p>There&#8217;s no such thing in <span class="caps">BPMN</span> as one pool per user. Pools are used to define participants, which can represent a system, a service, an application, a user, a role, an organization, another process. In short, a pool represents any entity that is involved in performing tasks in an end-to-end&nbsp;process.</p>
<p>A <span class="caps">BPMN</span> diagram can represent a &#8220;myCompany&#8221; pool that has one task that could be &#8220;GenerateProfit&#8221;. This would be a valid <span class="caps">BPMN</span> diagram, although I&#8217;m not sure it would help much. A pool can as well represent &#8220;Francis Ip&#8221;, who is requested to give a call to his boss as soon as&nbsp;possible.</p>
<p>In an end-to-end business process, there are different levels of granularity, from the high level view that business decision makers can work on when defining business strategy and organisational structures, down to defining robust, secure, fail-safe transactional calls to the <span class="caps">ERP</span>. Sub-processes, and what we call reusable processes at Intalio, provide the capability to work at these different layers, and link them to each other in a very natural way, so that business analysts and process analysts can cover processes&nbsp;end-to-end.</p>
<p>In addition, even when considering a specific layer where dozens of pools could be used, it is still possible to hide some of them, or look at the process from one specific perspective, filtering information as necessary. This is where the tool can provide interesting functionality to help scaling business models beyond the typical flow charts that you can see on many organizations&#8217;&nbsp;walls.</p>
<p>When you combine all of this, <span class="caps">BPMN</span> can definitely be used to model real, large, and complex business processes used in many industries, including defense, healthcare, and manufacturing, to name a few, where you seem to have doubts it can be used. If you&#8217;re still not convinced, please come attend one of our <a href="http://www.intalio.com/services/training/">training sessions</a>, and we&#8217;ll show you this in more&nbsp;detail.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Ismael Ghalimi</title>
		<link>http://itredux.com/2007/01/26/bpm-ecm-esb-and-security/#comment-40314</link>
		<dc:creator>Ismael Ghalimi</dc:creator>
		<pubDate>Thu, 01 Feb 2007 00:07:24 +0000</pubDate>
		<guid isPermaLink="false">http://itredux.com/blog/2007/01/26/bpm-ecm-esb-and-security/#comment-40314</guid>
		<description>Bob,

We're on the same page.

Best regards
-Ismael</description>
		<content:encoded><![CDATA[<p>Bob,</p>
<p>We&#8217;re on the same&nbsp;page.</p>
<p>Best regards<br />&nbsp;-Ismael</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Ismael Ghalimi</title>
		<link>http://itredux.com/2007/01/26/bpm-ecm-esb-and-security/#comment-40309</link>
		<dc:creator>Ismael Ghalimi</dc:creator>
		<pubDate>Thu, 01 Feb 2007 00:00:33 +0000</pubDate>
		<guid isPermaLink="false">http://itredux.com/blog/2007/01/26/bpm-ecm-esb-and-security/#comment-40309</guid>
		<description>Claude,

You're bringing a very important question, which is the data dimension in business processes. To a large extent, it is ignored by BPEL, which only cares about the outer shell of data, incarnated by the XML schemas used for any given WSDL interface. Beyond such a shell, a proper system would need a way to express rules on data, especially for security purposes. One could argue that such a thing should be handled by some Master Data Management (MDM) system (using SAP's terminology), and that all data manipulations handled by the BPMS should actually be deferred to the MDM layer. I discussed this with the executive in charge of MDM at SAP, but I do not believe that SAP is going down this path yet, for it would require deep integration between components that are managed by totally separate teams. Nevertheless, I believe that to be the best way of handling the kind of scenarios you're describing. How about we work on this together through a &lt;a href="http://itredux.com/blog/2006/02/13/demand-driven-development/"&gt;D3&lt;/a&gt; project?

Best regards
-Ismael</description>
		<content:encoded><![CDATA[<p>Claude,</p>
<p>You&#8217;re bringing a very important question, which is the data dimension in business processes. To a large extent, it is ignored by <span class="caps">BPEL</span>, which only cares about the outer shell of data, incarnated by the <span class="caps">XML</span> schemas used for any given <span class="caps">WSDL</span> interface. Beyond such a shell, a proper system would need a way to express rules on data, especially for security purposes. One could argue that such a thing should be handled by some Master Data Management (<span class="caps">MDM</span>) system (using <span class="caps">SAP</span>&#8217;s terminology), and that all data manipulations handled by the <span class="caps">BPMS</span> should actually be deferred to the <span class="caps">MDM</span> layer. I discussed this with the executive in charge of <span class="caps">MDM</span> at <span class="caps">SAP</span>, but I do not believe that <span class="caps">SAP</span> is going down this path yet, for it would require deep integration between components that are managed by totally separate teams. Nevertheless, I believe that to be the best way of handling the kind of scenarios you&#8217;re describing. How about we work on this together through a <a href="http://itredux.com/blog/2006/02/13/demand-driven-development/">D3</a>&nbsp;project?</p>
<p>Best regards<br />&nbsp;-Ismael</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Bob Urry</title>
		<link>http://itredux.com/2007/01/26/bpm-ecm-esb-and-security/#comment-40260</link>
		<dc:creator>Bob Urry</dc:creator>
		<pubDate>Wed, 31 Jan 2007 21:17:09 +0000</pubDate>
		<guid isPermaLink="false">http://itredux.com/blog/2007/01/26/bpm-ecm-esb-and-security/#comment-40260</guid>
		<description>Hi Francis,

I’m not sure why you have such a lack of faith in what Ismael describes here. I would agree in principle with everything he has to say. The description is simple because at this granularity, it is. However, I do have my own spin on where the application of security should be located within a BPMS. My take is that it should reside in the process engine and the rules set through administration. I will not go into details, but I have a white paper on the subject.

By the way Ismael, I would suggest a third dimension to your view of authentication and entitlement; that being behaviour. A role only indicates what your job is, not what you can do for that role. You don’t want a manager to approve their own expenses, but he will need to for his employees.

Francis: I notice that you’re a bit hung up on the notion of one person per swimlane, when in actual fact it is one role per swimlane, moderated by information on behaviour that could preclude someone with that role from a particular process instance. Now, while BPEL does not directly support this, it can be constructed with processes.

You feel that Ismael is over promoting BPMN and BPMS; you might be near the mark for the former, but not for the latter. Don’t forget that BPMN is based on mathematical principles. I cannot agree with your suggestion that security should have been incorporated in its first release. Did that happen with Microsoft Windows or with Web Services?

How do you use process hierarchy? Is that your starting point? Is this going to be the one and only way to design processes? Hierarchy is very top down, a functional decomposition. Far better is to understand the end-to-end process and use sub-processing, just as Ismael describes (comment 4 above).

Regarding your comments on the previous posting, the approach of using process owners is a long standing one (Michael Hammer &#38; James Champy). The point (1) that you made is close to the truth; a process owner is the business organisation unit. The problem is that a process can cross multiple business units. Who is the process owner then? You have to appoint someone with authority to take on that responsibility.

2 &#38; 3. I agree that software should be easy to use. However, I would suggest that it be fit for purpose first. I concur that a BPMS is not necessarily user friendly (Intalio excepted...), but who is building the system? Once it is in place, the business owners (business analysts) can readily maintain and improve the business process with the process tools. If the system is poorly designed, it is not the fault of the BPMS. A BPMS is not just the processes and the process engine, but a collection of components, including BAM and portal. Lose one, and that particular BPMS is broken.

4. You're absolutely correct, software can be built any way you like. BPM is just one way, but also one of the best ways of doing it, and is standards based. It also gives you the potential to share processes between different systems.

I still am of the opinion that BPEL is best used to interface to systems like manufacturing processes. I don't see that manufacturing processes are business processes, despite the similarity. I am sure that some minor extensions to BPEL would allow this however. A BPMS is designed to integrate with other systems, so use it that way. Otherwise it's a bit like suggesting using BPEL rather than PL/SQL!

All the best
-Bob</description>
		<content:encoded><![CDATA[<p>Hi&nbsp;Francis,</p>
<p>I’m not sure why you have such a lack of faith in what Ismael describes here. I would agree in principle with everything he has to say. The description is simple because at this granularity, it is. However, I do have my own spin on where the application of security should be located within a <span class="caps">BPMS</span>. My take is that it should reside in the process engine and the rules set through administration. I will not go into details, but I have a white paper on the&nbsp;subject.</p>
<p>By the way Ismael, I would suggest a third dimension to your view of authentication and entitlement; that being behaviour. A role only indicates what your job is, not what you can do for that role. You don’t want a manager to approve their own expenses, but he will need to for his&nbsp;employees.</p>
<p>Francis: I notice that you’re a bit hung up on the notion of one person per swimlane, when in actual fact it is one role per swimlane, moderated by information on behaviour that could preclude someone with that role from a particular process instance. Now, while <span class="caps">BPEL</span> does not directly support this, it can be constructed with&nbsp;processes.</p>
<p>You feel that Ismael is over promoting <span class="caps">BPMN</span> and <span class="caps">BPMS</span>; you might be near the mark for the former, but not for the latter. Don’t forget that <span class="caps">BPMN</span> is based on mathematical principles. I cannot agree with your suggestion that security should have been incorporated in its first release. Did that happen with Microsoft Windows or with Web&nbsp;Services?</p>
<p>How do you use process hierarchy? Is that your starting point? Is this going to be the one and only way to design processes? Hierarchy is very top down, a functional decomposition. Far better is to understand the end-to-end process and use sub-processing, just as Ismael describes (comment 4&nbsp;above).</p>
<p>Regarding your comments on the previous posting, the approach of using process owners is a long standing one (Michael Hammer <span class="amp">&amp;</span> James Champy). The point (1) that you made is close to the truth; a process owner is the business organisation unit. The problem is that a process can cross multiple business units. Who is the process owner then? You have to appoint someone with authority to take on that&nbsp;responsibility.</p>
<p>2 <span class="amp">&amp;</span> 3. I agree that software should be easy to use. However, I would suggest that it be fit for purpose first. I concur that a <span class="caps">BPMS</span> is not necessarily user friendly (Intalio excepted&#8230;), but who is building the system? Once it is in place, the business owners (business analysts) can readily maintain and improve the business process with the process tools. If the system is poorly designed, it is not the fault of the <span class="caps">BPMS</span>. A <span class="caps">BPMS</span> is not just the processes and the process engine, but a collection of components, including <span class="caps">BAM</span> and portal. Lose one, and that particular <span class="caps">BPMS</span> is&nbsp;broken.</p>
<p>4. You&#8217;re absolutely correct, software can be built any way you like. <span class="caps">BPM</span> is just one way, but also one of the best ways of doing it, and is standards based. It also gives you the potential to share processes between different&nbsp;systems.</p>
<p>I still am of the opinion that <span class="caps">BPEL</span> is best used to interface to systems like manufacturing processes. I don&#8217;t see that manufacturing processes are business processes, despite the similarity. I am sure that some minor extensions to <span class="caps">BPEL</span> would allow this however. A <span class="caps">BPMS</span> is designed to integrate with other systems, so use it that way. Otherwise it&#8217;s a bit like suggesting using <span class="caps">BPEL</span> rather than&nbsp;<span class="caps">PL</span>/<span class="caps">SQL</span>!</p>
<p>All the best<br />&nbsp;-Bob</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Kiran Garimella</title>
		<link>http://itredux.com/2007/01/26/bpm-ecm-esb-and-security/#comment-39720</link>
		<dc:creator>Kiran Garimella</dc:creator>
		<pubDate>Tue, 30 Jan 2007 15:02:44 +0000</pubDate>
		<guid isPermaLink="false">http://itredux.com/blog/2007/01/26/bpm-ecm-esb-and-security/#comment-39720</guid>
		<description>[...] Most companies worry about what competitors are doing [...]</description>
		<content:encoded><![CDATA[<p>[&#8230;] Most companies worry about what competitors are doing&nbsp;[&#8230;]</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Claude Vedovini</title>
		<link>http://itredux.com/2007/01/26/bpm-ecm-esb-and-security/#comment-39606</link>
		<dc:creator>Claude Vedovini</dc:creator>
		<pubDate>Tue, 30 Jan 2007 10:52:07 +0000</pubDate>
		<guid isPermaLink="false">http://itredux.com/blog/2007/01/26/bpm-ecm-esb-and-security/#comment-39606</guid>
		<description>Ismael,

What you describe is comparable to the trust relationship we (usually) have between a database and an enterprise application. Nevertheless, DBAs are complaining that they cannot use their audit tools anymore. Is this the future for all of us, application developers? And what about data security? To me, there is something that is often missed when talking about security: the data axis. 

Even if in most cases people consider this an applicative issue (I do, most of the time), what about the fact that if authorizations are centrally managed it can apply as well to the fact that a particular user may or may not be able to see such data in this application, based on rules shared with another application, or depending on data in another application. It's a little bit like this guy can see data A only if he has this role, and can see data B as well, and data A and B are managed by two different applications.
 
Besides the fact that integrating a centrally managed authorization system is an applicative issue, I have a hard time figuring out how this is going to work in a pure BPEL environment like the one you describe. And I am not only talking about technical stuff, I am talking about having a clear, concise, and standard way of defining this kind of interaction using BPMN. 

McGovern is right in saying that something needs to be done, otherwise BPMS vendors will start defining their own way, thus breaking the compatibility/interoperability promise of BPMN/BPEL.

Regards
-Claude</description>
		<content:encoded><![CDATA[<p>Ismael,</p>
<p>What you describe is comparable to the trust relationship we (usually) have between a database and an enterprise application. Nevertheless, DBAs are complaining that they cannot use their audit tools anymore. Is this the future for all of us, application developers? And what about data security? To me, there is something that is often missed when talking about security: the data&nbsp;axis. </p>
<p>Even if in most cases people consider this an applicative issue (I do, most of the time), what about the fact that if authorizations are centrally managed it can apply as well to the fact that a particular user may or may not be able to see such data in this application, based on rules shared with another application, or depending on data in another application. It&#8217;s a little bit like this guy can see data A only if he has this role, and can see data B as well, and data A and B are managed by two different&nbsp;applications.</p>
<p>Besides the fact that integrating a centrally managed authorization system is an applicative issue, I have a hard time figuring out how this is going to work in a pure <span class="caps">BPEL</span> environment like the one you describe. And I am not only talking about technical stuff, I am talking about having a clear, concise, and standard way of defining this kind of interaction using&nbsp;<span class="caps">BPMN</span>. </p>
<p>McGovern is right in saying that something needs to be done, otherwise <span class="caps">BPMS</span> vendors will start defining their own way, thus breaking the compatibility/interoperability promise of&nbsp;<span class="caps">BPMN</span>/<span class="caps">BPEL</span>.</p>
<p>Regards<br />&nbsp;-Claude</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Ismael Ghalimi</title>
		<link>http://itredux.com/2007/01/26/bpm-ecm-esb-and-security/#comment-39056</link>
		<dc:creator>Ismael Ghalimi</dc:creator>
		<pubDate>Mon, 29 Jan 2007 00:56:45 +0000</pubDate>
		<guid isPermaLink="false">http://itredux.com/blog/2007/01/26/bpm-ecm-esb-and-security/#comment-39056</guid>
		<description>Francis,

Please see my answers &lt;a href="http://itredux.com/blog/2007/01/25/man-vs-machine/#comments" rel="nofollow"&gt;there&lt;/a&gt; too.

Best regards
-Ismael</description>
		<content:encoded><![CDATA[<p>Francis,</p>
<p>Please see my answers <a href="http://itredux.com/blog/2007/01/25/man-vs-machine/#comments" rel="nofollow">there</a>&nbsp;too.</p>
<p>Best regards<br />&nbsp;-Ismael</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Francis Ip</title>
		<link>http://itredux.com/2007/01/26/bpm-ecm-esb-and-security/#comment-39054</link>
		<dc:creator>Francis Ip</dc:creator>
		<pubDate>Mon, 29 Jan 2007 00:51:08 +0000</pubDate>
		<guid isPermaLink="false">http://itredux.com/blog/2007/01/26/bpm-ecm-esb-and-security/#comment-39054</guid>
		<description>Ismael,

In response to your reply, please refer to comment #11 of this &lt;a href="http://itredux.com/blog/2007/01/25/man-vs-machine/#comments"&gt;article&lt;/a&gt;.  I do not want to repeat myself many times over in different articles.

Best regards
-Francis</description>
		<content:encoded><![CDATA[<p>Ismael,</p>
<p>In response to your reply, please refer to comment #11 of this <a href="http://itredux.com/blog/2007/01/25/man-vs-machine/#comments">article</a>.  I do not want to repeat myself many times over in different&nbsp;articles.</p>
<p>Best regards<br />&nbsp;-Francis</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Ismael Ghalimi</title>
		<link>http://itredux.com/2007/01/26/bpm-ecm-esb-and-security/#comment-38974</link>
		<dc:creator>Ismael Ghalimi</dc:creator>
		<pubDate>Sun, 28 Jan 2007 16:54:17 +0000</pubDate>
		<guid isPermaLink="false">http://itredux.com/blog/2007/01/26/bpm-ecm-esb-and-security/#comment-38974</guid>
		<description>Francis,

What I said is you use one swimlane for each abstract participant in the process (ERP system, account manager). Then you can have multiple actual actors (SAP R/3 instance in Germany, John Doe) bound to each participant at runtime. This is no different than what is done with UML activity diagrams by the way. And BPMN does actually support the process, activity, task hierarchy you mentioned. An end-to-end process is designed as a collection of independent processes modeled through swimlanes, and each process contains activities. In turn, each activity can contain multiple activities through recursive nesting, and some of these activities can be tasks assigned to roles, usually held by human beings.

Best regards
-Ismael</description>
		<content:encoded><![CDATA[<p>Francis,</p>
<p>What I said is you use one swimlane for each abstract participant in the process (<span class="caps">ERP</span> system, account manager). Then you can have multiple actual actors (<span class="caps">SAP</span> R/3 instance in Germany, John Doe) bound to each participant at runtime. This is no different than what is done with <span class="caps">UML</span> activity diagrams by the way. And <span class="caps">BPMN</span> does actually support the process, activity, task hierarchy you mentioned. An end-to-end process is designed as a collection of independent processes modeled through swimlanes, and each process contains activities. In turn, each activity can contain multiple activities through recursive nesting, and some of these activities can be tasks assigned to roles, usually held by human&nbsp;beings.</p>
<p>Best regards<br />&nbsp;-Ismael</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Francis Ip</title>
		<link>http://itredux.com/2007/01/26/bpm-ecm-esb-and-security/#comment-38781</link>
		<dc:creator>Francis Ip</dc:creator>
		<pubDate>Sun, 28 Jan 2007 01:20:21 +0000</pubDate>
		<guid isPermaLink="false">http://itredux.com/blog/2007/01/26/bpm-ecm-esb-and-security/#comment-38781</guid>
		<description>Ismael,

I couldn't agree with you more that there is life after the Mainframe. The Mainframe was designed and optimized to do batch processing that automated book-keeping tasks in the 60's. It was amazing that when I visited IBM's birthplace, Endicott, back in 1988, the research engineer in the lab came out and said that the 360, 370, and 390 architectures were designed and optimized for batch or sequential processing. For online real-time processing, one should choose something else. Examples were IBM System 88 (Stratus with IBM's label), or even DEC! At that time, I was on contract with Rogers AT&#38;T cellular phone services provider in Canada as Chief Architect. The problem that needed to be solved was how to handle the call's detailed records (or toll tickets) sent from a telephone switch. The IBM 3745, the largest communication controller at the time, couldn't handle the speed and volume of data sent from a telephone switch! A viable solution at that time was to get either a Tandem or a Stratus to handle the volume of data off-loaded by a telephone switch via asynchronous transmission mode. Although a telephone switch could transmit data in HDLC mode, IBM's communication controller could only handle SDLC mode at 2,400 bits per second. The asynchronous transmission software never worked on the communication controller!

I am not convinced that BPMN can handle the type of real-time modelling as you believe it could. If it does, activities on SysML and PSL should be terminated. DoD, MOD, NIST, OMG, NATO, etc. are wasting their time in evolving those standards.

Didn't you say to use one swimlane per person to model the process? That is impractical. As I mentioned elsewhere in this blog, BPMN is rich in symbology but poor on supporting the time-honored hierarchy of process, activity, and task! When you can demonstrate to me how you can model the process hierarchy, then I will be convinced that BPMN can handle real-life process control such as SCADA (Supervisory Control and Data Acquisition)!

When a standard is really good, a large organization can always fast track it. Examples are: Microsoft on C# with ECMA and DoD on EVM with ANSI/EIA!

Best regards
-Francis</description>
		<content:encoded><![CDATA[<p>Ismael,</p>
<p>I couldn&#8217;t agree with you more that there is life after the Mainframe. The Mainframe was designed and optimized to do batch processing that automated book-keeping tasks in the 60&#8217;s. It was amazing that when I visited <span class="caps">IBM</span>&#8217;s birthplace, Endicott, back in 1988, the research engineer in the lab came out and said that the 360, 370, and 390 architectures were designed and optimized for batch or sequential processing. For online real-time processing, one should choose something else. Examples were <span class="caps">IBM</span> System 88 (Stratus with <span class="caps">IBM</span>&#8217;s label), or even <span class="caps">DEC</span>! At that time, I was on contract with Rogers <span class="caps">AT</span>&amp;T cellular phone services provider in Canada as Chief Architect. The problem that needed to be solved was how to handle the call&#8217;s detailed records (or toll tickets) sent from a telephone switch. The <span class="caps">IBM</span> 3745, the largest communication controller at the time, couldn&#8217;t handle the speed and volume of data sent from a telephone switch! A viable solution at that time was to get either a Tandem or a Stratus to handle the volume of data off-loaded by a telephone switch via asynchronous transmission mode. Although a telephone switch could transmit data in <span class="caps">HDLC</span> mode, <span class="caps">IBM</span>&#8217;s communication controller could only handle <span class="caps">SDLC</span> mode at 2,400 bits per second. The asynchronous transmission software never worked on the communication&nbsp;controller!</p>
<p>I am not convinced that <span class="caps">BPMN</span> can handle the type of real-time modelling as you believe it could. If it does, activities on SysML and <span class="caps">PSL</span> should be terminated. DoD, <span class="caps">MOD</span>, <span class="caps">NIST</span>, <span class="caps">OMG</span>, <span class="caps">NATO</span>, etc. are wasting their time in evolving those&nbsp;standards.</p>
<p>Didn&#8217;t you say to use one swimlane per person to model the process? That is impractical. As I mentioned elsewhere in this blog, <span class="caps">BPMN</span> is rich in symbology but poor on supporting the time-honored hierarchy of process, activity, and task! When you can demonstrate to me how you can model the process hierarchy, then I will be convinced that <span class="caps">BPMN</span> can handle real-life process control such as <span class="caps">SCADA</span> (Supervisory Control and Data&nbsp;Acquisition)!</p>
<p>When a standard is really good, a large organization can always fast track it. Examples are: Microsoft on C# with <span class="caps">ECMA</span> and DoD on <span class="caps">EVM</span> with&nbsp;<span class="caps">ANSI</span>/<span class="caps">EIA</span>!</p>
<p>Best regards<br />&nbsp;-Francis</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Ismael Ghalimi</title>
		<link>http://itredux.com/2007/01/26/bpm-ecm-esb-and-security/#comment-38672</link>
		<dc:creator>Ismael Ghalimi</dc:creator>
		<pubDate>Sat, 27 Jan 2007 16:58:25 +0000</pubDate>
		<guid isPermaLink="false">http://itredux.com/blog/2007/01/26/bpm-ecm-esb-and-security/#comment-38672</guid>
		<description>Francis,

I did not suggest that all existing systems should be replaced by Web-based alternatives. On the contrary, I am promoting a model that can let both play side by side.

As far as processes are concerned, I believe that you should re-read the BPMN specification, and actually try to implement some processes with &lt;a href="http://www.intalio.com/" rel="nofollow"&gt;Intalio&lt;/a&gt;. This would give you a better appreciation for what is possible. Our model certainly does not assign one process per person, therefore the comments you made in your second paragraph do not really apply.

Regarding standards, we all agree that having BPMN and BPEL become de jure standards would be better for everyone. But guess what? This takes time, and it needs support from many parties that are using the technology in order to make it mature to the level where it can become a de jure standard. It seems to me that you're saying: it's not ready, so I won't use it. That's perfectly fine, but it does not mean that the approach does not have value. It just means that it needs more work, and the sooner we start, the sooner we'll be done with it.

There is a life after the mainframe!

Best regards
-Ismael</description>
		<content:encoded><![CDATA[<p>Francis,</p>
<p>I did not suggest that all existing systems should be replaced by Web-based alternatives. On the contrary, I am promoting a model that can let both play side by&nbsp;side.</p>
<p>As far as processes are concerned, I believe that you should re-read the <span class="caps">BPMN</span> specification, and actually try to implement some processes with <a href="http://www.intalio.com/" rel="nofollow">Intalio</a>. This would give you a better appreciation for what is possible. Our model certainly does not assign one process per person, therefore the comments you made in your second paragraph do not really&nbsp;apply.</p>
<p>Regarding standards, we all agree that having <span class="caps">BPMN</span> and <span class="caps">BPEL</span> become de jure standards would be better for everyone. But guess what? This takes time, and it needs support from many parties that are using the technology in order to make it mature to the level where it can become a de jure standard. It seems to me that you&#8217;re saying: it&#8217;s not ready, so I won&#8217;t use it. That&#8217;s perfectly fine, but it does not mean that the approach does not have value. It just means that it needs more work, and the sooner we start, the sooner we&#8217;ll be done with&nbsp;it.</p>
<p>There is a life after the&nbsp;mainframe!</p>
<p>Best regards<br />&nbsp;-Ismael</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Francis Ip</title>
		<link>http://itredux.com/2007/01/26/bpm-ecm-esb-and-security/#comment-38526</link>
		<dc:creator>Francis Ip</dc:creator>
		<pubDate>Sat, 27 Jan 2007 10:20:46 +0000</pubDate>
		<guid isPermaLink="false">http://itredux.com/blog/2007/01/26/bpm-ecm-esb-and-security/#comment-38526</guid>
		<description>Ismael,

I believe that you have oversimplified things a lot. In the real world, not every enterprise can do a wholesale migration from current systems to Web-based systems. Some systems will never get migrated anytime soon, if ever. The death of COBOL was predicted more than 20 years ago, but it is still going strong and got objectified. Many banking transactions are conducted behind the scenes through CICS and IMS databases for their optimized performance on IBM System 390 architecture (batch machine).

Your method of assigning one person to a business per process is impractical. Remember that a process consists of activities and an activity entails tasks. With a high volume of transactions and specialization of work, a group of individuals would perform similar, but not always identical, tasks concurrently. Moreover, senior staff and supervisors, in general, have more authority and can do more than junior staff members. For example, a supervisor can write off certain amounts on the spot with a customer, but not a junior staff member.

You seem to over promote the capabilities of BPMN and BPMS with theoretical but impossible practices. Most of the current BPMSes with BPMN cannot even handle EDI, let alone other enterprise activities such as production (or manufacturing), strategic management, innovation, etc. If BPMN and BPMS are that powerful and can handle everything under the sun, DoD and ISO would have abandoned SysML and PSL a long time ago! Don't forget OMG, OASIS, and the like are not de jure standard bodies such as ISO, IEEE, ANSI, EIA, BSI, EMAC, CSA, etc.

I believe that I have repeated myself many times over throughout this blog under different articles. This is my last time to suggest to you not to over promote the capabilities of BPMN and BPMS. They are still in their infancy. If they were mature enough, security would have been incorporated in their first release! Leaving out security in a software product is a sign of inexperience!

Best regards
-Francis</description>
		<content:encoded><![CDATA[<p>Ismael,</p>
<p>I believe that you have oversimplified things a lot. In the real world, not every enterprise can do a wholesale migration from current systems to Web-based systems. Some systems will never get migrated anytime soon, if ever. The death of <span class="caps">COBOL</span> was predicted more than 20 years ago, but it is still going strong and got objectified. Many banking transactions are conducted behind the scenes through <span class="caps">CICS</span> and <span class="caps">IMS</span> databases for their optimized performance on <span class="caps">IBM</span> System 390 architecture (batch&nbsp;machine).</p>
<p>Your method of assigning one person to a business per process is impractical. Remember that a process consists of activities and an activity entails tasks. With a high volume of transactions and specialization of work, a group of individuals would perform similar, but not always identical, tasks concurrently. Moreover, senior staff and supervisors, in general, have more authority and can do more than junior staff members. For example, a supervisor can write off certain amounts on the spot with a customer, but not a junior staff&nbsp;member.</p>
<p>You seem to over promote the capabilities of <span class="caps">BPMN</span> and <span class="caps">BPMS</span> with theoretical but impossible practices. Most of the current BPMSes with <span class="caps">BPMN</span> cannot even handle <span class="caps">EDI</span>, let alone other enterprise activities such as production (or manufacturing), strategic management, innovation, etc. If <span class="caps">BPMN</span> and <span class="caps">BPMS</span> are that powerful and can handle everything under the sun, DoD and <span class="caps">ISO</span> would have abandoned SysML and <span class="caps">PSL</span> a long time ago! Don&#8217;t forget <span class="caps">OMG</span>, <span class="caps">OASIS</span>, and the like are not de jure standard bodies such as <span class="caps">ISO</span>, <span class="caps">IEEE</span>, <span class="caps">ANSI</span>, <span class="caps">EIA</span>, <span class="caps">BSI</span>, <span class="caps">EMAC</span>, <span class="caps">CSA</span>,&nbsp;etc.</p>
<p>I believe that I have repeated myself many times over throughout this blog under different articles. This is my last time to suggest to you not to over promote the capabilities of <span class="caps">BPMN</span> and <span class="caps">BPMS</span>. They are still in their infancy. If they were mature enough, security would have been incorporated in their first release! Leaving out security in a software product is a sign of&nbsp;inexperience!</p>
<p>Best regards<br />&nbsp;-Francis</p>
]]></content:encoded>
	</item>
</channel>
</rss>
