[jbpm-dev] Security information request on jBPM

Mauricio Salatino salaboy at gmail.com
Thu Jun 20 14:30:12 EDT 2013


Hi Boer,
This is a developer list, and usually we redirect the question here to the
jBPM User Forum.
Your questions in this case are targeted to the development team, so I think
that is ok.
jBPM is a lightweight framework that you can embed in your applications, so
most of the time all the security aspects are delegated to the application
that is embedding jBPM. All the users and roles will be coming from the
application, so the application is the one that should check authorizations
and authentications of the users and their actions.

The process engine itself makes sure that the data is kept in a consistent
state at all times, so you don't need to worry about that.

Cheers


On Tue, Apr 23, 2013 at 3:05 PM, Boer (J31), Jan de <
jan.de.boer at capgemini.com> wrote:

> Hello jBPM community,
>
> Capgemini is planning to implement jBPM for a large customer.
> My role in this project is security advisor, but unfortunately I’m not
> familiar with jBPM.
> Could someone from the community please inform me (or send documents)
> about the security aspects of jBPM. Anything will help.
>
> Security aspects more in detail:
>
> - Confidentiality
>   o Access control mechanism
>   o Administrator’s roles
>   o Access to storage
> - Integrity
>   o Ensure data not to be changed without permission by “owners” of
>     data or process
>   o Ensure data not to be changed due to system problems
>   o Change of data will be detected
> - Availability
>   o Ensure access to data when needed
>   o Features to ensure no data loss
>   o Features to prevent data loss
> - Non Repudiation
>   o Proof of access to documents and processes
>   o Secure logging (tamper free)
>   o Tampering of logfiles should be detected
>
> Please feel free to inform me about other aspects of security.
> Please contact me on jan.de.boer at capgemini.com
>
> Best regards and lots of thanks in advance.
>
> Jan
> _____________________________________________________________
> Jan de Boer MSIT
> Capgemini / NL-Utrecht
>
> Master of Security in the Information Technology
> Managing Consultant Information Security
> T. +31 30 689 02 76 / Mob. +31 6 15 03 02 76
> www.nl.capgemini.com
>
> *Don’t think network security and firewalls will protect your information.
> The vulnerability lies in your employees.*
> _____________________________________________________________



-- 
 - MyJourney @ http://salaboy.com <http://salaboy.wordpress.com>
 - Co-Founder @ http://www.jugargentina.org
 - Co-Founder @ http://www.jbug.com.ar

 - Salatino "Salaboy" Mauricio -