Distributed Workflows: A Framework for Electronic Commerce

JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 19, 15-38 (2003)

Distributed Workflows: A Framework for Electronic Commerce*

VLAD INGAR WIETRZYK AND MAKOTO TAKIZAWA+

School of Computing & Information Technology
University of Western Sydney
Penrith South DC NSW 1797, Australia
E-mail: [email protected]
+ Department of Computers and Systems Engineering
Tokyo Denki University
Saitama, 3500394, Japan

E-Business requires that corporate information systems be available twenty-four hours a day, seven days a week (24 × 7 operation). This strategic operational significance poses a major technical challenge for architects of such highly available systems; in particular, it is critical to devise and implement on-line utilities for continuous maintenance of the system at the highest available performance level. In this paper, we consider the problem of on-line reorganization in object databases supporting a workflow engine. We also develop a formal framework for a secure, highly available distributed workflow architecture, since interworkflow is anticipated as a major supporting mechanism for Business-to-Business Electronic Commerce. The contributions of this paper are both theoretical and experimental in nature. We complement our algorithms with encouraging experimental results.

Keywords: distributed architecture, multilevel secure distributed workflow, on-line workflow database reorganization, electronic commerce, system model

1. INTRODUCTION

In this paper, we consider the problem of on-line reorganization in object databases supporting a workflow engine. Many technical and nontechnical issues hinder enterprise-wide workflow management. Because workflow types cannot always be fully predefined, they often need to be adjusted or extended during operation. Distributed workflow execution across functional domains is necessary, but distribution transparency is currently impossible because different types of Workflow Management Systems (WFMSs) implement different WFMS metamodels. For smooth cooperation among organizations, the most important question is how the hierarchy of the cooperation process among organizations is realized. We call the interoperation of workflows interworkflow, and the total set of supporting technologies necessary for its realization the interworkflow management mechanism. Interworkflow is anticipated as a supporting mechanism for Business-to-Business Electronic Commerce.

Received September 22, 2001; accepted April 15, 2002. Communicated by Jang-Ping Sheu, Makoto Takizawa and Myongsoon Park.
* Research supported by the UWS, Versant Technology Corporation and Intel Corporation.


Generally, we will refer to such applications as multi-system transactional workflows. The new aspects of our approach to distributed workflow database management systems supporting Electronic Commerce include the following research contribution: a novel approach to the notions of correctness for transaction processing. The definitions of correctness usually proposed for multiuser databases are not necessarily suitable when these databases are parts of multilevel secure workflow systems. We believe that the best approach will depend upon the characteristics of the multilevel workflow database and the applications.

The new aspects of our approach to on-line reorganization of the workflow database include the following research contribution: a novel approach to incremental on-line maintenance of good clustering, which maintains the minimum spanning tree of a dynamic object graph in the presence of concurrent additions and deletions of data objects. We designed and implemented the Large Complex Object Manager (LCOM) on top of the VERSANT disk manager for managing variable-size storage clusters. During operation, our system incrementally saves all work already done while maintaining consistency after system crashes.

1.1 Outline of the Paper

The presentation of the current research is organized as follows. In the remainder of this section we give a brief introduction to work on workflow transaction models and discuss extended and relaxed approaches to handling workflow transactions. Section 2 reviews related work. Section 3 covers workflow distribution and heterogeneity, including a discussion of the interworkflow management mechanism. Section 4 presents a formal approach to supporting workflow security; inference control theorems for the MLS workflow database are also presented there. Section 5 presents the system model and security policy. An architecture for multilevel secure workflow interoperability is discussed in section 6. The implementation of the secure distributed workflows is presented in section 7. In section 8 we discuss algorithms designed for automatic workflow database reorganization. Section 9 evaluates the quantitative effects of the workflow system. Section 10 concludes the paper with a summary and a short discussion of future research.

2. RELATED WORK

Some known examples of extended transaction models include nested and multilevel transactions. A number of relaxed transaction models have been defined over the last several years that permit a controlled relaxation of transaction isolation and atomicity to better match the requirements of various advanced applications. Some examples of extended and relaxed transaction models are reported in [1, 2].

In the WIDE project [3], a workflow is supported at two transaction levels: global and local. At the global level, the SAGA-based model offers relaxed atomicity through compensation and relaxed isolation by limiting the isolation to the SAGA steps. At this level of granularity the workflow activities are defined, and the grouped workflow activities therefore follow the strict ACID properties. However, the flexibility in assigning transaction properties to workflow activities is limited to the extended SAGA or nested transaction model.

Support for long-duration applications has been independently extended by practitioners and researchers focusing on workflow systems and transaction systems. Extended transaction systems structure a large transaction into separate sub-transactions and execute them with additional constraints on the individual sub-transactions. Some researchers in workflow systems have proposed the notion of transactional workflow [4]. In a transactional workflow environment, additional correctness requirements can be specified on top of traditional workflow specifications. The Workflow Management Coalition has specified a standard interface to facilitate interoperability between different WFMSs [5]. However, it does not address transactional issues, with the exception of writing an audit log. The transaction model used in the Exotica project [6] is based on the SAGA model, but relies on statically computed compensation patterns. As a result, its functionality is limited compared to the work presented in this research paper. Finally, most commercial products are designed around a centralized database. This database and the workflow engine attached to it (in most cases there is a single workflow engine) form a single point of failure, quickly become a bottleneck, and cannot provide a sufficient degree of fault tolerance.

To summarize, databases and workflow management systems are complementary tools within the corporate computing resources. Databases address the problem of storing and accessing data efficiently. Workflow management systems address the problem of monitoring and coordinating the flow of control among heterogeneous activities. Very often, a WFMS processes data for which high standards must be set with respect to privacy and data security. Most of the workflow transaction management theory for multilevel secure database systems has been developed for workflow transactions that act within a single security class. In our research work, we look at workflow transactions that act across security classes; that is, the workflow transaction is a multilevel sequence of database commands, which more closely resembles user expectations. We propose a formal model and semantics for interpreting security issues in a workflow architecture which can incorporate a multilevel deductive database.

3. WORKFLOW DISTRIBUTION AND HETEROGENEITY

Management of the workflow operations of each organization in the interworkflow must be done in a distributed environment. Because the interworkflow defines the process of linking different workflows, the operations management naturally takes place across different workflows. The interworkflow for international procurement, for example, includes the procurement workflow and also the ordering/delivery management workflow of each supplier company; these workflows are likely to be distributed across the procuring company's system and the systems of each of the supplier companies.

Workflow distribution introduces an additional level of requirements. Because distributed workflow execution across heterogeneous WFMSs is currently not possible in a transparent way, we must consider the problem of workflow functionality isolation.


To efficiently define a work breakdown structure, a functional decomposition by means of subworkflows is required. An often-cited situation is subworkflow distribution, where subworkflows are subject to execution on remote WFMSs. Some variants are possible, such as executing a subworkflow synchronously or asynchronously with respect to the invoking workflow.

3.1 Interworkflow Management Mechanism

Composing an MLS workflow from multiple single-level workflows is the only practical way to construct a high-assurance MLS WFMS today. In this approach, the multilevel security of our MLS workflow does not depend on any single-level WFMS, but rather on the underlying MLS distributed architecture. On our platform, an MLS workflow becomes multiple single-level workflows that run on the MLS architecture. These independent workflows should work together to achieve the intended operation. Therefore, workflow interoperability is an important issue. We should consider two aspects of workflow interoperability:

− The interoperability protocol between independent WFMSs.
− The ability to model the interoperability in a workflow process definition tool (workflow builder).

The first issue can be defined and handled by a standards body such as the OMG. However, the second aspect must be handled by each WFMS. The OMG introduces two models of interoperability: nested sub-processes and chained processes, as shown in Figs. 1 and 2.

Fig. 1. Nested sub-process.

Fig. 2. Chained processes.


We would like to extend the above two models to support a richer interoperability model: cooperative processes. Very often two independent, autonomous workflows need to cooperate across two different organizations. Let us assume that organization A is in control of workflow A and organization B is in charge of workflow B. Then, tasks in workflow A and workflow B can communicate and synchronize with each other as shown in Fig. 3.

Fig. 3. Cooperative processes.

Generally, two or more cooperating workflows may have independent starting and ending points. Let us state a minimal set of information that is required for communication and synchronization among tasks in cooperating autonomous workflows. It should include:

− a protocol to establish the location and invocation method of tasks;
− a protocol to coordinate the receiving of replies.

In order to ensure the proper generation of the runtime code, the above specification has to appear in the workflow design; a sketch of such a protocol is given below. Such an environment will guarantee that execution proceeds according to the workflow control protocol.
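To make the minimal protocol concrete, the following Python sketch models the two required elements: a way to locate and invoke a remote task, and a way to coordinate the receiving of replies. All names, message shapes and the in-memory queues are illustrative assumptions, not part of any standard.

```python
# Hypothetical sketch of the minimal coordination protocol between tasks of
# two cooperating autonomous workflows; names and message shapes are invented.
from dataclasses import dataclass, field
from queue import Queue

@dataclass
class TaskEndpoint:
    """Location and invocation method of a task (first protocol element)."""
    organization: str
    task_id: str
    inbox: Queue = field(default_factory=Queue)

    def invoke(self, sender: "TaskEndpoint", payload: dict) -> None:
        # Deliver a request to this task; replies are correlated by task_id.
        self.inbox.put({"from": sender.task_id, "payload": payload})

    def await_reply(self, expected_from: str) -> dict:
        # Coordinate the receiving of replies (second protocol element):
        # block until the expected peer task has answered.
        while True:
            msg = self.inbox.get()
            if msg["from"] == expected_from:
                return msg["payload"]

# A task in workflow A invokes a task in workflow B and waits for its reply.
task_a = TaskEndpoint("A", "check-stock")
task_b = TaskEndpoint("B", "confirm-order")
task_b.invoke(task_a, {"order": 42})            # A -> B request
request = task_b.inbox.get()                    # B receives it
task_a.invoke(task_b, {"status": "confirmed"})  # B -> A reply
print(task_a.await_reply("confirm-order"))      # {'status': 'confirmed'}
```

In a real deployment the queues would be replaced by the inter-organization messaging supported by the workflow engines; the point is only that both the invocation path and the reply correlation must be fixed at workflow design time.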

4. A FORMAL APPROACH TO SUPPORT WORKFLOW SECURITY

An MLS distributed workflow management system should support functionality equivalent to that of a single-level workflow management system from the perspective of the MLS distributed workflow users who design, implement and utilize multilevel secure distributed workflows. A number of models for secure workflow have been proposed. These models differ in many respects. Despite heavy interest in building a model of secure workflow management systems, there is no clear understanding of what exactly a multilevel secure data model is.

4.1 A Logic-Based Semantics for Multilevel Secure Workflow

In a multilevel secure workflow management system, users cleared to different security levels access and share a database consisting of data items at different sensitivity levels.


As part of our research work, we introduce a belief-based semantics for multilevel secure workflow that supports the notion of declarative belief and belief reasoning in a multilevel security (MLS) scheme in a meaningful way. We strive to develop a practical logical characterization of MLS workflow, for the first time using the inherently difficult concept of non-monotonic reasoning. Recent research shows that users in the MLS workflow model have an ambiguous view and confused beliefs about data [7]. Multilevel security implements the policy of mandatory protection defined in [8] and interpreted for computerized systems by Bell and LaPadula [9]. In this research paper we assume that the representation and execution of MLS rules obey the Bell-LaPadula "no read up, no write down" principles.

4.2 Inference Control Theorems of the MLS Workflow Database

We argue that any proposed model of an MLS workflow database, under either discretionary or mandatory security, should incorporate at least the following elements:

− A formally defined model of the MLS, including all the security properties that databases under this model will possess.
− Classification of any piece of information at any given classification level, enforced by powerful inference control rules.
− A formal definition (semantics) for databases under the proposed model, which can represent the beliefs about the state of the world held by the users at a chosen security level.

The axiomatics of the language L which we consider is based on the classical axiom schemas of first order logic with equality, augmented with appropriate axioms of our theory related to the multilevel workflow object-relational database. The subset of our language L is universally consistent with any language based on first order logic with equality [10]. What follows is a set of axioms relevant to the integrity constraints to be enforced by the multilevel workflow object-relational database (a toy checker for several of them is sketched after the list):

(A) If a is an attribute of the object o then o is an object. ∀a∀o, OA(o, a) → Object(o)
(B) If m is a method of the class c then c is a class. ∀m∀c, Method(c, m) → Class(c)
(C) If a is an attribute of the class c then c is a class. ∀a∀c, CA(c, a) → Class(c)
(D) Any object attribute has a value. ∀a∀o, OA(o, a) ↔ ∃v, Val(o, a, v)
(E) The value of an object attribute is unique. ∀a∀o∀v∀v′, Val(o, a, v) ∧ Val(o, a, v′) → (v = v′)
(F) Any object is an instance of at least one class. ∀o, Object(o) → ∃c, Instance(o, c)
(G) If o is an instance of c then o is an object and c is a class. ∀o∀c, Instance(o, c) → Object(o) ∧ Class(c)
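The following minimal Python sketch evaluates a subset of these axioms, (A), (D), (E), (F) and (G), over a toy extensional store. The relation names mirror the predicates above; the sample facts are purely illustrative.

```python
# Toy extensional store; relation names mirror the predicates used above.
objects, classes = {"o1"}, {"Invoice"}
OA = {("o1", "amount")}             # OA(o, a): a is an attribute of object o
Val = {("o1", "amount", 100)}       # Val(o, a, v): v is the value of o.a
Instance = {("o1", "Invoice")}      # Instance(o, c): o is an instance of c

def violations() -> list[str]:
    found = []
    for (o, a) in OA:
        if o not in objects:                                   # axiom (A)
            found.append(f"(A): {o} is not an object")
        vals = [v for (o2, a2, v) in Val if (o2, a2) == (o, a)]
        if not vals:                                           # axiom (D)
            found.append(f"(D): {o}.{a} has no value")
        if len(vals) > 1:                                      # axiom (E)
            found.append(f"(E): {o}.{a} has several values")
    for o in objects:                                          # axiom (F)
        if not any(o2 == o for (o2, _c) in Instance):
            found.append(f"(F): {o} is an instance of no class")
    for (o, c) in Instance:                                    # axiom (G)
        if o not in objects or c not in classes:
            found.append(f"(G): Instance({o}, {c}) is ill-typed")
    return found

print(violations())   # [] for the consistent store above
```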


In this section we also present the general constraints that should be enforced when classifying the workflow database content. Those constraints must be satisfied when classifying the facts about a class c (its objects o and attributes a) at level l and the fact Class(c) at level l′. It is generally acknowledged that when classifying any piece of information at a given level, the following inference control rule must be active:

Definition 1 (Rule 1) Let x1, …, xn be tuples of variables respectively compatible with the arities of the predicates P1, …, Pn. Let y be another tuple of variables compatible with the arity of Q. For simplicity we assume that each variable in tuple y appears in at least one of the tuples x1, …, xn. Therefore, if

∀x1 … ∀xn, P1(x1) ∧ … ∧ Pn(xn) → Q(y)

is an axiom of the non-secure object-oriented database, then, following a similar approach as in [10], we can derive the following theorem in relation to the multilevel workflow object-oriented database:

∀x1 … ∀xn ∀l1 … ∀ln ∀l, P̂1(x1, l1) ∧ … ∧ P̂n(xn, ln) ∧ Q̂(y, l) → l ≤ lub(l1, l2, …, ln)

If Rule 1 is not complied with, then a subject cleared at level lub(l1, …, ln) can access every Pi(xi) and use the above axiom to derive Q(y). Hence, if the classification of Q(y) is not lower than or equal to lub(l1, …, ln), an inference channel enabling prohibited information to be disclosed is opened. By combining Rule 1 with further axioms of our language, we can derive more useful theorems; a detailed demonstration of how such theorems are established can be found in [11]. For example, by combining Rule 1 with axiom (D), we can derive the following theorem:

∀a∀o∀v∀l∀l′, Val′(o, a, v, l) ∧ OA′(o, a, l′) → (l′ ≤ l)   (H)

This can be described as follows: the sensitivity of "v is a value of the attribute a in object o" dominates the sensitivity of "a is an attribute of object o". This model includes the possibility of hiding some parts of the multilevel workflow database schema and of dealing with rules in the database. Therefore, it may also be used as a formal semantics for multilevel workflow deductive databases. When classifying any item of information at a given sensitivity level, the following control rule must be operational if one wants to protect the existence of secure information:

Definition 2 (Rule 2) Let x1, …, xn and y1, …, yp be tuples of variables respectively compatible with the arities of the predicates P1, …, Pn and Q1, …, Qp, and let y be another tuple of variables. For simplicity we assume that each variable in tuple y appears in at least one of the tuples y1, …, yp, and each variable in tuples y1, …, yp appears in at least one of the tuples x1, …, xn, y. If:


∀x1 … ∀xn, P1(x1) ∧ … ∧ Pn(xn) → ∃y, Q1(y1) ∧ … ∧ Qp(yp)   (L)

is an axiom of the non-protected workflow object-relational database, then the following theorem can be derived for the workflow multilevel object-relational database:

∀x1 … ∀xn ∀l1 … ∀ln, P′1(x1, l1) ∧ … ∧ P′n(xn, ln) → ∃y ∃l′1 … ∃l′p, Q′1(y1, l′1) ∧ … ∧ Q′p(yp, l′p) ∧ lub(l′1, …, l′p) ≤ lub(l1, …, ln)   (M)

When Rule 2 is not satisfied, a subject cleared at level lub(l1, …, ln) can access every Pi(xi) and use axiom (L) to derive the existence of the secure data (facts) Q(y1), …, Q(yp), some of them being classified higher than lub(l1, …, ln). As a result, a signaling channel is effectively created, which enables the existence of prohibited information within the workflow repository to be disclosed. A toy lub-based check for both rules is sketched below.
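The following Python sketch makes Rules 1 and 2 concrete, assuming a totally ordered lattice U < C < S so that lub is simply max; the level names and example facts are illustrative.

```python
# Toy lub-based compliance checks for Rules 1 and 2 over a linear lattice.
LEVELS = {"U": 0, "C": 1, "S": 2}

def lub(levels: list[str]) -> str:
    return max(levels, key=LEVELS.get)

def dominates(l1: str, l2: str) -> bool:
    return LEVELS[l1] >= LEVELS[l2]

def rule1_ok(premise_levels: list[str], conclusion_level: str) -> bool:
    # Rule 1: the derived fact must not be classified above lub(l1, ..., ln),
    # otherwise a subject cleared at that lub opens an inference channel.
    return dominates(lub(premise_levels), conclusion_level)

def rule2_ok(premise_levels: list[str], derived_levels: list[str]) -> bool:
    # Rule 2: lub(l'1, ..., l'p) <= lub(l1, ..., ln), otherwise the mere
    # existence of higher-classified facts is signaled to a lower subject.
    return dominates(lub(premise_levels), lub(derived_levels))

print(rule1_ok(["C", "S"], "S"))         # True:  S <= lub(C, S)
print(rule1_ok(["C", "C"], "S"))         # False: inference channel opened
print(rule2_ok(["C", "S"], ["C", "C"]))  # True:  lub(C, C) <= lub(C, S)
```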

5. THE SYSTEM MODEL − SECURITY POLICY

We will very concisely review the fundamental concepts of multilevel security and multiversion serialisability theory. We refer the reader to [13, 14] for more details on the security model and to [12] for additional details relevant to multiversion serialisability.

A different approach to the problem of devising secure concurrency control techniques is to adopt less restrictive correctness criteria than the commonly accepted one-copy serialisability [15]. It has been recognized for some time that traditional models of concurrency and transactions are too restrictive for many applications. In particular, difficulties arise for integrity constraints involving data at different security levels [16]. As a direct result, correctness criteria weaker than one-copy serialisability can be used for many transactions. The concurrency control algorithm in Trusted Oracle uses a combination of two-phase locking and timestamping for secure concurrency control, generating histories which are not one-copy serialisable.

Following [17], we consider any multilevel secure system as consisting of a set D of data items, a set T of transactions (streams) which manipulate these data items, and a lattice S of security levels, called the security lattice, whose elements are ordered by the dominance relation ⪯. If two security levels si and sj are ordered in the lattice such that si ⪯ sj, then sj dominates si. A security level si is said to be strictly dominated by a security level sj, designated si ≺ sj, if si ⪯ sj and i ≠ j. Each data item in D and every transaction in T is assigned a fixed security level. The following two conditions are necessary for a system to be secure:

− Transaction Ti is not allowed to read a data element x unless L(x) ⪯ L(Ti).
− Transaction Ti is not allowed to write a data element x unless L(x) = L(Ti).

These two restrictions must be augmented with guards against illegal information flows through signaling and covert channels for the system to be secure. As stated before, our approach to security policy is generally based on the Bell-LaPadula model; the two access conditions are restated compactly below.
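The following compact Python restatement of the two access conditions assumes the same toy linear lattice as before; L_tx and L_data stand for L(Ti) and L(x).

```python
# Compact restatement of the two access conditions over a toy linear lattice.
LEVELS = {"U": 0, "C": 1, "S": 2}

def may_read(L_tx: str, L_data: str) -> bool:
    # "no read up": Ti may read x only if L(x) is dominated by L(Ti)
    return LEVELS[L_data] <= LEVELS[L_tx]

def may_write(L_tx: str, L_data: str) -> bool:
    # strict write rule used here: Ti writes only at its own level, L(x) = L(Ti)
    return LEVELS[L_data] == LEVELS[L_tx]

assert may_read("S", "U") and not may_read("U", "S")
assert may_write("C", "C") and not may_write("S", "U")
```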


We now present our relaxed form of correctness criterion, called level-wise serialisability. We refer the reader to [13, 17] for additional details on the security model and on multiversion serialisability. Level-wise serialisability can be used under circumstances where integrity constraints are independent among data at the various access classes.

Definition 3 (Level-wise serialisability) We say a multiversion history H over T is level-wise serialisable if:

− For each level s ∈ S, the subhistory Hs of H is one-copy serialisable.
− Let Ti be a transaction with L(Ti) = s, and let s′ ≺ s. Then the subhistory HT′, where T′ = {Tj ∈ T : L(Tj) = s′} ∪ Rs′(Ti), is one-copy serialisable.

The idea of level-wise serialisability is related to the notion of fragmentwise serialisability introduced by Garcia-Molina and Kogan [15]. The first requirement of level-wise serialisability states that if we consider only those transactions executing at a single level, then their concurrent execution is one-copy serialisable. The second requirement promises that whenever a high transaction reads data at a lower level, it only sees a consistent copy of the low data.

The concurrency control algorithm that has been implemented in Trusted Oracle guarantees level-wise serialisability. It is secure and does not require a trusted scheduler. It is composed of the following steps:

1. There is a separate scheduler at each security level s.
2. There is a shared, monotonically increasing hardware clock at system low that is guaranteed to return a new value every time it is read. This clock is used to assign a unique timestamp to each transaction Ti, denoted ts(Ti). Each Ti is also assigned a commit timestamp, cts(Ti), when Ti reaches its commit point.
3. If Ti is a read-only transaction at level s and wishes to read an item x at level s′ such that s′ ⪯ s, then step 7 is executed.
4. If Ti is a read-write transaction at level s, the following steps are performed.
5. At each security level s, strict two-phase locking is used for concurrency control. However, when Ti writes an item x, it creates a new version xi. A write timestamp wt(xi), equal to the commit timestamp of Ti, is assigned to xi.
6. When a transaction Ti at level s wishes to read an item x at level s′ such that s ≻ s′, step 7 is executed.
7. The timestamp ts(Ti) is used to select the appropriate version of x. The version selected is xk with the largest wt(xk) such that wt(xk) < ts(Ti).

Thus, the Trusted Oracle DBMS fully supports transactional workflow security requirements; a sketch of the version-selection rule is given below.
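The following Python sketch illustrates steps 5-7: versions carry write timestamps, and a reader at a higher level selects the latest version committed before its own start timestamp. The class and field names are our own, illustrative choices.

```python
# Illustrative multiversion item following steps 5-7 above.
from dataclasses import dataclass

@dataclass
class Version:
    value: object
    wt: int            # write timestamp = commit timestamp of the writer

class MultiversionItem:
    def __init__(self):
        self.versions: list[Version] = []

    def write(self, value, commit_ts: int) -> None:
        # Step 5: each write creates a new version stamped with cts(T_i).
        self.versions.append(Version(value, commit_ts))

    def read(self, ts: int):
        # Step 7: select the version x_k with the largest wt(x_k) < ts(T_i).
        older = [v for v in self.versions if v.wt < ts]
        return max(older, key=lambda v: v.wt).value if older else None

x = MultiversionItem()
x.write("v1", commit_ts=10)
x.write("v2", commit_ts=20)
print(x.read(ts=15))   # "v1": the high reader never blocks low writers
```

Because reads select committed versions by timestamp rather than acquiring locks across levels, a high transaction cannot delay a low one, which is exactly why no trusted scheduler is needed.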

6. AN ARCHITECTURE FOR MULTILEVEL SECURE WORKFLOW INTEROPERABILITY

Global information management strategies based on a sound distributed architecture are the foundation for effective distribution of the complex applications that are needed to support ever-changing operational conditions across security boundaries. What we need is a new MLS distributed computing paradigm that can assist users at different locations and at different security levels to cooperate. We present a fully distributed architecture for implementing a Workflow Management System (WFMS). A distributed workflow database consists of a set 𝒩 of sites, where each site N ∈ 𝒩 is an MLS database. The sites in the workflow system are interconnected via communication links over which they can communicate. The WFMS architecture operates on top of a Common Object Request Broker Architecture (CORBA) implementation. CORBA's Interface Definition Language (IDL) is used to provide a means of specifying workflows. We also assume that communication links are secure, possibly using encryption.

This distributed workflow transaction processing model mainly describes the components necessary for the distribution of a transaction across different domains. A domain is a unit of autonomy that owns a collection of flow procedures and their instances. If a transaction is distributed over several domains (a global transaction), every domain must contain the following components (see Fig. 4):

− TM (Transaction Manager). The transaction manager plays the role of the coordinator in its domain. If a transaction is initiated in this domain, the TM assigns a globally unique identifier to it. The TM monitors all actions from applications and resource managers in its domain. In every domain involved in the distributed workflow transaction environment there exists exactly one TM.
− CRM (Communication Resource Manager). Multiple applications in the same domain talk with each other via the CRM. This module is used by applications, but also by other management components, for inter-domain communication. The CRM is the most important module with respect to transactional support for distributed workflow executions. Our model specifies T*RPC as the communication model, which supports remote procedure calls (RPC) in the transactional environment.
− RM (Resource Manager). An accountable performer of work. A resource can be a person, a computer process, or a machine that plays a role in the workflow system. This module controls access to one or more resources such as files, printers or databases. The RM is responsible for the ACID properties of its data records. A resource has a name and various attributes defining its characteristics. Typical examples of these attributes are job code, skill set, organization unit, and availability.
− AMS (Administration Monitoring Service). The monitoring manager is used to control the workflow execution. In our approach, there is no centralized scheduler. As shown in the figure, each Task Manager (designated TSM) is equipped with a conditional fragment of code which determines if and when a given task is due to start execution, as sketched below. The scheduler communicates with task managers using CORBA's asynchronous Interface Definition Language (IDL) interfaces. Task managers communicate with tasks using synchronous IDL interfaces as well. The AMS module is also responsible for coordinating the different sites in case of an abort that involves multiple sites. Individual task managers communicate their internal states, as well as data object references, to the monitoring manager for possible recovery.
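The following Python sketch illustrates the kind of conditional fragment a TSM could evaluate locally; task names, states and the shape of the state map are our own illustrative assumptions.

```python
# Hypothetical sketch of a TSM's local start condition; no central scheduler.
COMPLETED, RUNNING, PENDING = "completed", "running", "pending"

class TaskManager:
    def __init__(self, task_id: str, predecessors: list[str]):
        self.task_id = task_id
        self.predecessors = predecessors   # tasks this task depends on
        self.state = PENDING

    def ready_to_start(self, peer_states: dict[str, str]) -> bool:
        # The task is due to start once every predecessor has reported
        # completion; states arrive as asynchronous messages from peer TSMs.
        return all(peer_states.get(p) == COMPLETED for p in self.predecessors)

states = {"ship-goods": COMPLETED, "issue-invoice": RUNNING}
tsm = TaskManager("archive-order", ["ship-goods", "issue-invoice"])
print(tsm.ready_to_start(states))   # False until issue-invoice completes
```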


Fig. 4. The MLS distributed workflow architecture.

The distributed architecture naturally suits the inherently distributed character of workflow. This approach also eliminates the bottleneck of task managers having to communicate with a remote centralized scheduler during workflow execution. The architecture is also highly resilient to failures: if any one node crashes, only a part of the workflow is affected.


7. IMPLEMENTATION OF THE SECURE DISTRIBUTED WORKFLOWS

The architecture of our multilevel secure workflow transaction processing system can be divided into a trusted, an untrusted, and a receptive module, as shown in Fig. 4. The trusted component consists of two functioning modules: the Trusted Lock Manager and the Trusted File Manager. The untrusted component is a collection of Transaction Managers (TMs), one for each security level. The receptive component is the Workflow Database (its File Store component), which may be physically partitioned according to the security levels.

Fig. 4 shows the interfaces between the different components of our implementation. Except for the native interface between the RMs and the Workflow Database, all interfaces are defined as APIs in the X/Open standard:

− TX interface (WD ⇔ TM): With this interface an application can demarcate the begin and the end of a transaction to the TM [18]; a conceptual sketch is given at the end of this subsection.
− XA interface (TM ⇔ RM): The TM coordinates the begin, the suspension and the commit protocol of a transaction with the RMs registered in its domain (computer node) [19].
− XA+ interface (TM ⇔ CRM): With these functions the TMs can communicate via the CRMs in a distributed transaction spanning different domains [20].
− TxRPC IDL (AP ⇔ CRM): TxRPC [21] is based on the DCE RPC [22], which can use other DCE services, such as the name service, for the localization of servers. The DCE interface definition language (IDL) is able to support TxRPC.

The CRMs communicate with each other via the OSI TP protocol. The major advantage of this implementation is the standardization of the interfaces. All APIs are available in C as the cross-platform base, providing maximum flexibility for a variety of other programming languages. One can start with a standard client with sample activity implementations, then refine the activity implementations with real-life applications and develop custom clients. Due to the modular concept, all components and applications can be easily extended and replaced, so cooperation between components of different vendors is possible. In our sample environment, the transaction monitors TUXEDO (Novell) and Encina (Transarc) can be involved in a single transaction and can even talk to each other via a CRM of a different vendor. The model supports changes in the configuration at runtime, because the RM and CRM can also register dynamically with the TM.

Multiple transactions initiated by different workflow applications are distinguished by the thread of control (ToC). This is a structure defined in the X/Open model and must be distinguished by the thread ID or process ID in the sense of POSIX. The TM manages the sequence of transactions by suspending them and resuming them at a later time.
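The X/Open TX interface defines tx_begin(), tx_commit() and tx_rollback() as C calls; the following Python sketch only illustrates, conceptually, how an application brackets a workflow step with this demarcation style. It is not the actual API, and the class and print statements are invented stand-ins for the TM's behavior.

```python
# Conceptual sketch of TX-style transaction demarcation (not the real C API).
from contextlib import contextmanager

class TransactionManager:
    def tx_begin(self):    print("TM: transaction started, global id assigned")
    def tx_commit(self):   print("TM: commit driven via XA to the registered RMs")
    def tx_rollback(self): print("TM: rollback propagated via XA")

@contextmanager
def transaction(tm: TransactionManager):
    tm.tx_begin()
    try:
        yield
        tm.tx_commit()
    except Exception:
        tm.tx_rollback()
        raise

tm = TransactionManager()
with transaction(tm):
    pass   # workflow activity work against the registered RMs goes here
```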


Note that, in order to accommodate relevant commercially available DBMSs in our approach, the assumption of a trusted Lock Manager can be relaxed by providing one Lock Manager for each security level. If that option is taken, a Trojan horse inside some untrusted Lock Manager can compromise the correct execution of concurrent workflow transactions, but cannot violate security. Additionally, as the whole body of a standard Lock Manager, written with all the requisite defensive programming, exception handlers, optimizations, deadlock detectors, etc., comes to about a thousand lines of actual code, it is easily verifiable. Thus our assumption of a Trusted Lock Manager, which jeopardizes neither security nor integrity, is justified.

Composing an MLS workflow from multiple single-level workflows is the only practical way to construct a high-assurance MLS WFMS today. In this approach, the multilevel security of our MLS workflow does not depend on the single-level WFMSs but rather on the underlying MLS distributed architecture. A transaction Tk at security level si can read information stored at level sj only if sj ⪯ si, and can write information only at level si [17]. The corresponding TMi at level si controls the concurrent execution and recovery of those, and only those, transactions that are at level si; therefore TMi can be an untrusted component of the architecture.

In a multilevel secure workflow, tasks may belong to different security levels. Enforcing all the task dependencies, especially those from a task at a higher security level to one at a lower security level, may therefore compromise security. In particular, in a multilevel environment it is not possible to force the abort of a lower-level task upon the abort of a higher-level task. The workflow Static Integrator and Dispatcher module examines the structure of workflow dependencies, which also includes the security levels of tasks, and alters the workflows accordingly; a sketch of such a check is given at the end of this section. Integration is done statically, therefore the Integrator and Dispatcher need not be trusted.

As supported by our architecture, the WFMS layer enforces all the dependencies existing among the various tasks in a workflow by submitting the tasks to the appropriate DBMSs in a coordinated manner, while the corresponding DBMSs simply execute their respective tasks and send the responses back to the WFMS. Similar implementations can be found in the context of extended transaction models, for example the reflective transaction framework in [23].

The prototype system is client-server oriented. The backend server features a set of transactional activity management primitives and is built on Transarc's transaction processing (TP) monitor Encina. The frontend features several web-friendly graphical user interfaces for activity control and administration at both the specification and instance levels, and is built with a mixed use of Java applets, JavaScript, and HTML for portability and reusability. Our WFMS utilises a simple model DBMS from which workflows may be selected for execution. Workflows or components of workflows may be added to the model repository by specifying them in a workflow language. WFSL/TSL may be used to specify workflows [24]. The WorkFlow Specification Language (WFSL) is a declarative rule-based language for describing the conceptual workflow specification, while the Task Specification Language (TSL) [24] is a language for specifying the simple tasks that run in our workflow systems environment. Once a workflow is selected from the repository, several steps are carried out to instantiate a workflow instance that is able to run within our execution environment.
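Returning to the Static Integrator and Dispatcher, the following illustrative Python sketch shows the kind of check it could apply when examining dependency structures: an abort dependency from a higher-level task to a lower-level one cannot be enforced without a downward signal, so it is flagged. All names are invented for illustration.

```python
# Hypothetical check for abort dependencies that cross security levels downward.
LEVELS = {"U": 0, "C": 1, "S": 2}

def unenforceable_abort_deps(task_levels: dict[str, str],
                             abort_deps: list[tuple[str, str]]):
    """abort_deps holds pairs (t1, t2) meaning: if t1 aborts, abort t2."""
    return [(t1, t2) for (t1, t2) in abort_deps
            if LEVELS[task_levels[t1]] > LEVELS[task_levels[t2]]]  # high -> low

tasks = {"approve-budget": "S", "print-receipt": "U"}
deps = [("approve-budget", "print-receipt")]
print(unenforceable_abort_deps(tasks, deps))
# [('approve-budget', 'print-receipt')]: must be rewritten by the Integrator
```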

8. DYNAMIC REORGANIZATION OF A WORKFLOW DATABASE

The goal of dynamic reorganization is to arrive at an optimal data layout based on observed access patterns. In this section we present the algorithm without the details of logging and recovery. Dynamic hierarchical clustering, where records remain clustered in hierarchical order after numerous insertions and deletions, has received very little attention and remains an unsolved problem [26].


8.1 Monitoring Objects

In our model, the objects in the database form a directed graph called the object graph. The nodes of the graph are the objects in the database, and an edge O1 → O2 exists in the graph if and only if O1 contains a reference to O2. The database is divided into units called partitions. Given an object identifier, we can inexpensively find the partition to which the object belongs by applying a hash function to the object identifier. In particular, our objective is to traverse only the objects in a partition, yet find all parents of objects that are to be migrated. To assist with that task, each partition N contains an External Reference Table (ERT), which stores all references O1 → O2 such that O2 belongs to N and O1 does not belong to N. Traversal starts from all the objects that are referenced by objects external to the partition; these are exactly the objects referenced in the ERT of that partition.

Our approach to reorganization allows transactions to execute on the partition at all times during reorganization. While the references out of an object are being examined, the parents of the object keep changing, since other transactions execute concurrently. As a result, the traversal obtains only an approximation of the set of parents of an object. The Reference Counters (RC) of a partition N are a transient data structure in which reference counts to objects O2 in N are accumulated. Although they functionally play a role similar to the structure used in [25], they are implemented in a novel way: we use randomized wait-free implementations of long-lived concurrent objects (the Reference Counters), which guarantee that every operation completes in a finite expected number of steps, even against a powerful adversary.

One approach to maintaining the Reference Counters and the External Reference Table as pointers are updated is to have a separate process, the log analyzer, scan the system log records as soon as they are handed over to the logging subsystem. However, for all practical purposes the logging overheads are perceived to be excessive, especially under heavy system load. The sketch below illustrates the partition lookup and the ERT bookkeeping.
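The following Python sketch illustrates the partition lookup and the ERT bookkeeping described above; the number of partitions, OID representation and table layout are illustrative assumptions.

```python
# Illustrative partition lookup and External Reference Table maintenance.
NUM_PARTITIONS = 64

def partition_of(oid: int) -> int:
    # Inexpensive lookup: hash the object identifier to its partition.
    return hash(oid) % NUM_PARTITIONS

class Partition:
    def __init__(self, pid: int):
        self.pid = pid
        # ERT: references o1 -> o2 where o2 lives here but o1 does not.
        self.ert: set[tuple[int, int]] = set()

    def record_reference(self, o1: int, o2: int) -> None:
        if partition_of(o2) == self.pid and partition_of(o1) != self.pid:
            self.ert.add((o1, o2))

    def traversal_roots(self) -> set[int]:
        # Reorganization traverses only this partition, starting from objects
        # referenced from outside, i.e. exactly the targets in the ERT.
        return {o2 for (_, o2) in self.ert}
```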


8.2 The Algorithm for Maintaining Minimum Spanning Trees in Dynamic Graphs

The basic idea of our dynamic clustering method is to maintain a minimum spanning tree derived from a weighted object graph subjected to object insertions, deletions and updates. For object instances of nodes shared by several edges, the edge with the highest weight is selected. The object subgraph is kept in primary memory. Once a minimum spanning tree is built, objects can be clustered dynamically and automatically according to the frequency of references between them. The object collection need not already exist, but can grow from any number of insertions.

Automatic clustering algorithms, which are scarcely found in the research literature, usually focus on reorganizing an existing database to match the most common access patterns. Those algorithms allow object database clustering to degrade over time and then employ frequent reclustering to improve performance. In contrast, the research reported here focuses on ensuring good initial placement followed by dynamic maintenance of clusters, in the hope of making static reorganization unnecessary. In case of frequent changes in users' access patterns, our technique, based on reachability index values, continuously reflects those changes in the augmented object graph.

The application of combinatorial structures to the theory of databases motivated us to study the node-capacitated graph partitioning problem. Formally, given a graph G = (V, E), an integer L ∈ N, edge weights de for e ∈ E, node weights ci for i ∈ V and a capacity F, the problem is to find a partition (V1, V2, …, Vm) of V with m ≤ L and Σi∈Vj ci ≤ F for j = 1, …, m, such that

Σe∈δ(V1, V2, …, Vm) de

is minimized, where δ(V1, V2, …, Vm) denotes the set of edges whose end nodes belong to different elements of the partition, typically called a multicut. When m = 2, we also use the notation δ(V1, V2) = {e = (i, j) : i ∈ V1, j ∈ V2}, even if V1 ∪ V2 ⊂ V. For convenience, we introduce the term cluster. A cluster is a subset of V (possibly empty). A cluster partition (V1, V2, …, VL) into L disjoint clusters (Vi ∩ Vj = ∅ for all i ≠ j, ∪i=1..L Vi = V, Vi ⊆ V for all i) corresponds to a partition (V1, V2, …, Vm) of V, 1 ≤ m ≤ L, where V1, V2, …, Vm are the nonempty clusters of the cluster partition.

Now we consider the problem of dynamically maintaining a minimum spanning tree T of a connected object graph G = (V, E), n = |V|. If some tree edge e is deleted from T, we get two sub-trees T1 and T2. Let R be the set of non-tree edges with end-points in both T1 and T2. Then R is exactly the set of edges f that can replace e, in the sense that (T ∪ {f}) \ {e} is a minimum spanning tree of G. Our general goal is to find such a replacement edge f ∈ R. Alternatively, it is acceptable to discover that R is sparse in the following sense: let S be the set of non-tree edges incident to T1. Then R ⊆ S, and we say that R is sparse if θ|R| < |S|, where θ = Θ(log n); otherwise R is said to be dense. Given an algorithm that either:

(α) provides a replacement edge at expected cost t(n), or
(β) discovers that R is sparse at cost O(t(n) + |S|),

the amortized expected operation cost of our dynamic algorithm is O(t(n) + log²n). Using the data structures from our implementation, edges from S can be sampled and tested for membership in R in time O(log n). Also, in time O(|S|), we can scan all of S, identifying all the edges in R. That approach achieves t(n) = O(log³n) as follows. First, 2θ ln n random edges from S are sampled. If the sampling successfully finds an edge from R, this edge is returned, as in (α). Otherwise, hoping for (β), a complete scan of S is performed in time O(|S|), identifying all edges of R. If it turns out, however, that R is dense, an edge from R is returned as in (α). The probability of this "fault" is the probability of not finding a replacement edge in 2θ ln n samples despite R being dense, which is

≤ (1 − 1/θ)^(2θ ln n) < 1/n² = O(1/|S|).

Thus, the expected cost of a "fault" is O((log³n + |S|)/|S|). Adding up, we get t(n) = O(log³n), which is hence the expected amortized operation cost of the algorithm. However, we can achieve t(n) = log²n by applying our sampling theorem (Theorem 1) stated below. In this section, we will repeatedly use the following Chernoff bounds: let B(n, p) be a random variable with a binomial distribution with parameters n and p. Then for δ ≤ 1,


Pr(B(n, p) ≥ (1 + δ)E(B(n, p))) ≤ e^(−δ²E(B(n, p))/3)   (1)

Pr(B(n, p) ≤ (1 − δ)E(B(n, p))) ≤ e^(−δ²E(B(n, p))/2)   (2)

Theorem 1 Let θ, c ∈ IR with θ, c > 1, and let R be a subset of a nonempty set S of size s. Given that we can uniformly sample from S and test membership in R, there is an algorithm which either returns an element from R, or reports that |R|/|S| ≤ 1/θ holds with high probability. The expected number of samples associated with either outcome of the algorithm is O(θ).

Proof: The construction works in a sequence of rounds i = 0, 1, …, Θ(log* s). In round i, we pick ri·ni random elements from S, and if at least ni elements from R are found, one of them is returned. For the initial round 0, n0 = 1; that is, any element from R is returned. In the subsequent confirming rounds, the numbers ni of required elements of R increase in order to increase our confidence. At the same time, the thresholds 1/ri are increased, in order to minimize the probability that the threshold is passed in a later round. The exact values of ni and ri are fine-tuned relative to the Chernoff bounds that we use to calculate our probabilities. Let the increasing sequence n0, n1, … be defined such that n0 = 1 and, for i > 0, ni = a·4^i·(i + 3), where a = 64 ln 16 < 178. Let the decreasing sequence r0, r1, … be defined such that r0 = ln(2n1)·2eθ ≈ 47θ and, for i > 0, ri = 2eθ / Π(j=1..i) (1 + 1/2^j). Since e > Π(j=1..∞) (1 + 1/2^j),

ri = 2eθ / Π(j=1..i) (1 + 1/2^j) > 2θ · Π(j=i+1..∞) (1 + 1/2^j) > 2θ.

The algorithm below satisfies the conditions of Theorem 1.

Algorithm Random Sampling
RS.1. i := 0; S−1 := ∅;
RS.2. While ri·ni < 8s/c:
RS.2.1.   Let Si ⊆ S, |Si| = ni·ri, be a random extension of Si−1, i.e. Si is obtained by adding ni·ri − |Si−1| random elements from S to Si−1.
RS.2.2.   Ri := Si ∩ R.
RS.2.3.   If |Ri| ≥ ni, then return x ∈ Si ∩ R.
RS.2.4.   i := i + 1;
RS.3. Let Si be a random subset of S of size 8s/c.
RS.4. Ri := Si ∩ R.
RS.5. If |Ri| ≥ 4s/(cθ), then return x ∈ Si ∩ R.
RS.6. Report "|R|/|S| ≤ 1/θ" (this holds with probability Pr > 1 − exp(−s/(θc))).
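The following Python sketch is a direct, unoptimized transcription of steps RS.1-RS.6, assuming sampling with replacement and the ni, ri sequences defined above; function names and default constants are our own choices.

```python
import math
import random

def sample_replacement(S: list, R: set, theta: float, c: float = 2.0):
    """Either return an element of R, or return None to report that
    |R|/|S| <= 1/theta is likely (steps RS.1-RS.6 above)."""
    s = len(S)
    a = 64 * math.log(16)
    n = lambda i: 1 if i == 0 else a * 4**i * (i + 3)
    def r(i):
        if i == 0:
            return math.log(2 * n(1)) * 2 * math.e * theta
        prod = math.prod(1 + 1 / 2**j for j in range(1, i + 1))
        return 2 * math.e * theta / prod

    i, seen, hits = 0, [], []
    while r(i) * n(i) < 8 * s / c:                   # RS.2
        target = int(n(i) * r(i))
        while len(seen) < target:                    # RS.2.1: extend S_i
            x = random.choice(S)
            seen.append(x)
            if x in R:
                hits.append(x)
        if len(hits) >= n(i):                        # RS.2.3
            return hits[0]
        i += 1                                       # RS.2.4
    final = [random.choice(S) for _ in range(int(8 * s / c))]   # RS.3
    final_hits = [x for x in final if x in R]        # RS.4
    if len(final_hits) >= 4 * s / (c * theta):       # RS.5
        return final_hits[0]
    return None    # RS.6: R is probably sparse, i.e. |R|/|S| <= 1/theta
```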

For i > 0, let pi be the probability that the algorithm returns an element from R in cycle i. Here a cycle refers to the value of i in step RS.2.3 or RS.5.

Lemma 1 For all i ≥ 1, the probability pi that the algorithm returns an element from R in cycle i is at most 1/(ni·2^i).


Proof: We note that

1/(ni·2^i) = 1/(a·4^i·(i + 3)·2^i) = 1/(a·8^i·(i + 3)) > 1/(178·8^i·(i + 3)).

Suppose that |R|/|S| > (1 + 1/2^(i+1)) / ((1 + 1/2^i)·ri). We analyze two cases.

Case (i = 1): Then |R|/|S| > (1 + 1/2²)/((1 + 1/2)·r1) = (1 + 1/4)/(2eθ) > 1/(2eθ). Let b = ln(2n1). We did not find any element from R in any of the 2beθ samples of cycle 0, so

p1 ≤ (1 − |R|/|S|)^(2beθ) < (1 − 1/(2eθ))^(2beθ) < e^(−b) = 1/(2n1).

Case (i > 1): Then |R|/|S| > (1 + 1/2^(i+1))/((1 + 1/2^i)·ri) = (1 + 1/2^(i+1))/ri−1. In cycle i − 1 we did not return, so x = |Ri−1| is less than ni−1. However, the expected value of |Ri−1| is

µ = ri−1·ni−1·|R|/|S| > ni−1·(1 + 1/2^(i+1)).

By Chernoff bound (2),

pi ≤ Pr(|Ri−1| ≤ x) ≤ e^(−(µ − x)²/(2µ)).

For µ ≥ ni−1·(1 + 1/2^(i+1)) and x ≤ ni−1, we get

pi ≤ exp(−(ni−1/2^(i+1))² / (2ni−1·(1 + 1/2^(i+1)))) < exp(−ni−1/2^(2i+4)) = 16^(−64·4^(i−1)·(i+2)/2^(2i+4)) = 16^(−(i+2)) < 1/(178·8^i·(i + 3)) < 1/(ni·2^i)   (for all i ≥ 2).

Now we analyze the expected number of samples associated with the outcome. By Lemma 1, for i > 0, the probability pi that the algorithm returns an element from R in cycle i is bounded by 1/(ni·2^i). The expected number of samples is thus bounded by 54θ:

r0 + Σ(i=1..∞) pi·ri·ni ≤ r0 + Σ(i=1..∞) ri·ni/(ni·2^i) ≤ r0 + Σ(i=1..∞) 2eθ/2^i = r0 + 2eθ ≤ 54θ.

We now describe a simple fully dynamic minimum spanning tree algorithm (DMST). DMST is an implementation of a partially dynamic data structure which combines the linking and cutting trees introduced by Tarjan and Sleator with our MST algorithm. During its operation, DMST maintains two data structures: it stores all the edges of the graph G in a priority queue Q according to their cost, and it maintains the minimum spanning tree T of G as a linking and cutting tree. When a new edge e is inserted into the object graph G, DMST updates T and Q in O(log n) time. When an edge e is deleted from G and it is a non-tree edge, DMST does nothing other than delete e from Q, in O(log n) time. When a tree edge is deleted, DMST calls the minimum spanning tree (MST) algorithm on the edges in Q. As a result of these operations, DMST requires O(log n) time plus the running time of MST in the case of a tree-edge deletion. The expensive case happens with probability n/m if the edge to be deleted is chosen uniformly at random from the object graph G, resulting in an average running time of O(log n + (n/m)(m + n·log²n)) = O(n + (n·log n)²/m) for the DMST algorithm. The above analysis suggests that the running time of DMST decreases as the graph density increases; this coincides with the results of our experiments. A sketch of the DMST case analysis is given at the end of this section.

The algorithm takes a deferred and incremental approach to making changes in the cluster pages already in main memory. Before pages from the buffer are flushed out, the DMST clustering algorithm updates the object graph immediately; the pending changes are stored in special memory-resident tables. The buffer manager consults those tables when fresh cluster pages are brought into the buffer by a new user request.

Although there is a finite number of feasible read sequences, it is not known whether there is an efficient algorithm for computing the optimum sequence with minimum disk seek time. Trying to read all the sequences in order to find the optimum sequence is computationally very expensive. As a result of this prohibitive expense, research has focused on heuristics.
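Returning to DMST, the following Python sketch illustrates its case analysis on insertions and deletions. For brevity it replaces the linking-and-cutting-tree machinery with a Kruskal recomputation from the edge pool Q, so it captures the logic but not the O(log n) update bounds; class and method names are our own.

```python
# Simplified DMST case analysis: Q is the full edge pool, T the current MST.
import heapq

class DMST:
    def __init__(self, nodes):
        self.nodes = set(nodes)
        self.Q = []                 # all edges (cost, u, v), keyed by cost
        self.T = set()              # current minimum spanning tree edges

    def insert_edge(self, u, v, cost):
        heapq.heappush(self.Q, (cost, u, v))
        self._recompute()           # a real DMST patches T in O(log n) instead

    def delete_edge(self, u, v, cost):
        self.Q.remove((cost, u, v)); heapq.heapify(self.Q)
        if (cost, u, v) in self.T:  # tree edge: run MST on the edges in Q
            self._recompute()
        # non-tree edge: nothing else to do

    def _recompute(self):
        # Kruskal over the edge pool with union-find (path halving).
        parent = {n: n for n in self.nodes}
        def find(x):
            while parent[x] != x:
                parent[x] = parent[parent[x]]; x = parent[x]
            return x
        self.T = set()
        for (cost, u, v) in sorted(self.Q):
            ru, rv = find(u), find(v)
            if ru != rv:
                parent[ru] = rv
                self.T.add((cost, u, v))

g = DMST(["a", "b", "c"])
g.insert_edge("a", "b", 1.0)
g.insert_edge("b", "c", 2.0)
g.insert_edge("a", "c", 3.0)
g.delete_edge("a", "b", 1.0)   # tree edge: T is recomputed from Q
print(g.T)                     # the two remaining edges form the new MST
```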

9. EVALUATING THE QUANTITATIVE EFFECTS OF THE WORKFLOW SYSTEM

We performed experiments with the prototype in order to demonstrate the difference in operational efficiency between manual and workflow methods. The experiments span two geographically separated branches of a business enterprise, and were carried out by members of those two branches who are usually engaged in these operations as a normal part of their work duties. We averaged several independent experiments in order to establish a more objective experimental environment.

In the first experiment we measured the time needed to complete the whole operational cycle according to the business process described by Fig. 5. This experiment was performed following the usual manual, disconnected operation between the two physically separate business establishments. In this case each branch manages its internal workflow individually; interoperation between organisational units is supported only by an e-mail system.

In the second set of experiments, the business process depicted in Fig. 5 was carried out by the workflow engines interoperating with each other. Document exchange across the organizations is performed automatically by a messaging function supported by the protocol used by the workflow engines. All accompanying transactional activities were also supported in that way by the workflow environment.

We report the average execution times of the stages of the business process depicted in Fig. 5, namely Manufacturing, Warehousing & Storage, Sales − City Distributor and Sales − Country Distributor. Note that the calculated times reflect only the movement of business data within the system under investigation. In particular, they do not include the time consumed by the various supporting activities that are part of miscellaneous approval activities.


Fig. 5. The evaluated business process.

The results of these experiments show (see Fig. 6) that the savings in time amount to about 59% when the interworkflow environment is used to support the business processes. From these experiments we can conclude that, by deploying a workflow operational environment, substantial amounts of time can be saved in supporting business operations.

Fig. 6. Execution time of manual and workflow methods.

10. CONCLUSIONS

Workflow Management Systems (WFMSs) provide an automated framework for managing intra- and inter-enterprise business processes. Workflow is a critical enabler of today's hot technologies, such as portals and e-business. This paper describes the design of a model, as well as an architecture, to support distributed advanced workflow transactions. We discuss the application of transaction concepts to activities that involve the integrated execution of multiple tasks over different processes. These kinds of applications are described as transactional workflows.

Designing algorithms with good I/O performance is crucial in a number of areas where the I/O bottleneck is becoming increasingly important. To obtain the performance required for non-standard database applications, we need efficient storage structures for complex objects. Clustering can have a substantial impact on ODBMS I/O performance. We also consider the problem of on-line workflow database reorganization. The types of reorganization that we discuss are restoration of clustering, purging of old data, and compaction. The contributions of this paper are both theoretical and experimental in nature. We present an algorithm for maintaining the biconnected components of a graph during a sequence of edge insertions and deletions. The young field of I/O-efficient computation is to a large extent still wide open.

The impetus for our current research is the need to provide an adequate framework for interworkflow, since it is anticipated to be a supporting mechanism for Business-to-Business Electronic Commerce. We proposed the following mechanisms and conclusions concerning the operations management of workflows in a distributed environment supporting Electronic Commerce:

− A mechanism for controlling the execution of workflows designed on other workflow management systems.
− A mechanism for monitoring the status of workflows running on other workflow management systems.
− The global-business character of Electronic Commerce workflows requires a high-throughput workflow execution engine; to ensure this kind of scalability, load distribution across multiple workflow servers is necessary.
− We demonstrated that on-line reclustering is possible, but more research is required to demonstrate its suitability in many practical situations, especially in the presence of greater degrees of concurrently operating transactions.
− We chose to develop a formal framework for a secure distributed workflow architecture, since interworkflow is anticipated as a major supporting mechanism for Business-to-Business Electronic Commerce.
− We derived general inference control theorems which must be active when classifying every item of information.
− Workflow servers must be replicated efficiently. This ensures that the market position of the merchant is not weakened by frequent failures and unavailability of Electronic Commerce servers.

Our main objective in incremental on-line reorganization is to change a part of the database without affecting on-going transactions for very long. Well-structured process management has become an ingredient of modern information management as essential as data management. Consequently, workflow management systems have entered the arena of business computing as the cornerstone of business process and workflow management. The notions of correctness for transaction processing that are usually proposed for multiuser databases are not necessarily suitable when these databases are parts of multilevel secure workflow systems. We believe that the best approach will depend upon the characteristics of the multilevel secure workflow and the applications. It is incumbent upon those who develop multilevel secure workflow systems to ensure that users' needs and expectations are met, in order to avoid misunderstandings about the system's functionality.

A distinguishing feature of the proposed workflow transaction support system is its ability to manage the arbitrary distribution of business processes over multiple workflow management systems. As noted in section 7, the major advantage of our implementation is the standardization of its interfaces, with all APIs available in C as the cross-platform base, so that components and applications of different vendors can be easily extended, replaced, and combined.

Designing a highly scalable and secure architecture for efficient Electronic Commerce operations, one which allows an arbitrary, location-independent combination of transaction support systems and workflow management systems, is an objective of our ongoing research. The insight developed in the current research serves as the basis for the next step: building application-specific software architectures that encode business logic for coordinating widely distributed manual and automated tasks in achieving enterprise-level objectives.

REFERENCES

1. V. Wietrzyk and M. A. Orgun, "A foundation for high performance object database systems," in Proceedings of the 9th International Conference on Management of Data, 1998, pp. 115-125.
2. A. Elmagarmid, Transaction Models for Advanced Database Applications, Morgan Kaufmann, February 1992.
3. P. Grefen, B. Pernici, and G. Sanchez, Database Support for Workflow Management − The WIDE Project, Kluwer Academic Publishers, August 1999.
4. M. Rusinkiewicz and A. Sheth, "On transactional workflows," Bulletin of the Technical Committee on Data Engineering, June 1993, pp. 234-239.
5. WfMC, "Interoperability abstract specification," The Workflow Management Coalition, 1996, pp. 123-154.
6. G. Alonso and D. Agrawal, "Advanced transaction models in workflow contexts," in Proceedings of the International Conference on Data Engineering, 1996, pp. 112-124.
7. N. A. Jukic and S. V. Vrbsky, "Asserting beliefs in MLS relational models," SIGMOD Record, 1997, pp. 30-35.
8. "Department of Defense trusted computer system evaluation criteria," Department of Defense, National Computer Security Center, DOD 5200.28-STD, 1985, pp. 120-240.
9. D. E. Bell and L. J. LaPadula, "Secure computer systems: mathematical foundations and model," Technical Report No. 2547, MITRE Corporation, 1974, pp. 23-85.
10. F. Cuppens, "Querying a multilevel database: a logical analysis," in Proceedings of the 22nd VLDB Conference, VLDB Endowment, 1996, pp. 34-45.
11. A. Gabillon, Sécurité Multi-Niveaux dans les Bases de Données à Objects, ENSAE, 1995, pp. 24-85.
12. P. A. Bernstein, V. Hadzilacos, and N. Goodman, "Decomposition of multilevel objects in an object-oriented database," in Proceedings of the European Symposium on Research in Computer Security, 1994, pp. 56-75.
13. V. Wietrzyk, M. Takizawa, and V. Varadharajan, "A strategy for MLS workflow," in Proceedings of the 6th International Conference on Information Security and Privacy, ACISP 2001, 2001, pp. 158-175.
14. V. Wietrzyk, M. Takizawa, M. A. Orgun, and V. Varadharajan, "A secure environment for workflows in distributed systems," in Proceedings of the 8th International Conference on Parallel and Distributed Systems, ICPADS 2001, 2001, pp. 198-205.
15. B. Kogan and S. Jajodia, "Secure concurrency control," in Proceedings of the Third RADC Workshop on Multilevel Database Security, 1990, pp. 101-112.
16. C. Meadows and S. Jajodia, "Integrity versus security in multilevel secure databases," in Database Security: Status and Prospects, C. E. Landwehr, ed., North Holland, Amsterdam, 1988, pp. 34-54.
17. S. Jajodia, E. Bertino, and V. Atluri, "1SR-consistency: a new notion of correctness for multilevel secure, multiversion database management systems," in Proceedings of the 19th Latin American Informatics Conference, 1999, pp. 12-24.
18. "X/Open CAE specification 1995: distributed transaction processing," The TX (Transaction Demarcation) Specification, X/Open Company Ltd., 1995, pp. 81-121.
19. "X/Open CAE specification: distributed transaction processing," The XA Specification, X/Open Company Ltd., 1991, pp. 40-98.
20. "X/Open snapshot: distributed transaction processing," The XA+ Specification, Version 2, X/Open Company Ltd., 1999, pp. 21-49.
21. "X/Open CAE specification: distributed transaction processing," The TxRPC Specification, Version 2, X/Open Company Ltd., 2000, pp. 23-84.
22. A. Schill, "DCE − Das OSF distributed computing environment," The DCE Transaction Demarcation Specification, Springer-Verlag, 2001, ISBN 3-540-55335-5.
23. R. Barga and C. Pu, "A practical and modular method to implement extended transaction models," in Proceedings of the VLDB Conference, 1995, pp. 24-32.
24. N. Krishnakumar and A. Sheth, "Managing heterogeneous multi-system tasks to support enterprise-wide operations," Distributed and Parallel Databases, Vol. 3, 1995, pp. 20-34.
25. L. Amsaleg and O. Gruber, "Efficient incremental garbage collection for client-server object database systems," in Proceedings of the VLDB Conference, 1995, pp. 56-62.
26. V. I. Wietrzyk and M. A. Orgun, "Dynamic reorganization of object databases," in Proceedings of the International Database Engineering and Applications Symposium, IDEAS'99, 1999, pp. 34-42.


Vlad Ingar Wietrzyk obtained his Dr. Eng. degree from the Department of Computers and Systems Engineering at Tokyo Denki University, Japan, in 2002, and his diploma in Computer Science from the University of Technology, Sydney. Since 1999, he has been at the University of Western Sydney. In 1997 and 1998, he was a visiting researcher at Stuttgart and Mannheim Universities, and in 1999 at the Institute of Software Engineering of Montreal University in Canada. He has served on the program committees of international conferences such as ICPADS, IDEAS, CIT, COMAD, ENTER, and AINA. He has delivered industrial seminars on computing to companies such as VERSANT and ALCATEL. He was the session organizer and chair of the Special Session on Internet Computing and Security at the International Conference on Networks, Parallel and Distributed Processing, and Applications, NPDPA 2002, Japan. His current research interests include distributed object databases, security, various aspects of information systems design methodologies (including distributed systems), and distributed workflow technology supporting electronic commerce. He is a member of IEEE and AIEA.

Makoto Takizawa was born in Tokyo, Japan, in 1950. He received his B.E. and M.E. degrees in Applied Physics from Tohoku University, Japan, in 1973 and 1975, respectively. He received his D.E. in Computer Science from Tohoku University in 1984. From 1975 to 1986, he worked for the Japan Information Processing Development Center (JIPDEC), supported by the MITI. He has been a full professor of the Department of Computers and Systems Engineering, Tokyo Denki University (TDU), since 1986. He is also a director of the Information Division of the TDU Research Institute for Technology. From 1989 to 1990, he was a visiting professor at GMD-IPSI, Germany. Since 1990, he has been a regular visiting professor at the Department of Computer Science and DAKE Centre of Keele University, England. He was a vice-chair of the communication networks and protocols area of IEEE ICDCS-14, 1994, and was a program co-chair of IEEE ICDCS-18 held in Amsterdam in 1998. He was a general co-chair of IEEE ICDCS-2001 held in Vienna in 2001. He was a program chair of IEEE ICPADS. He is currently serving on the program committees of many international conferences, such as ICPADS, ICOIN, ICNP, DEXA, ISORC, and SRDS. He won the best paper award at the 4th IEEE ICPADS, 1996, and the best paper awards at ICOIN-9, 1994, and ICOIN-12, 1998. He was a chair of the IPSJ (Information Processing Society of Japan) SIGDPS in Japan from 1997 to March 2000. He is now a member of the executive board of the IPSJ and is also an IPSJ fellow. From 1975 to 1986, he worked at JIPDEC on the packet-switched network JIPNET, which was the first packet-switched network in Japan. During this period, from 1976 to 1986, as a project leader and manager at JIPDEC, he developed the first heterogeneous distributed database system, JDDBS. Since joining Tokyo Denki University, he has been doing research in many areas of distributed systems based on network and database systems technologies. His research interests include communication protocols, group communication protocols, distributed systems, distributed database systems, transaction management, fault-tolerant systems, and security. He is a member of IEEE, ACM, IPSJ, and IEICE.