This presentation was given at the Virtual Goods conference 2010 to accompany the paper submitted by the authors. In the paper, the authors present a case study in the framework of COMPAS (http://www.compas-ict.eu/), a research project focused on supporting compliance monitoring and verification in service-based systems. The authors also illustrate how they translate high-level service licenses (specified in the Open Digital Rights Language for Services, ODRL-S) into low-level rules for verifying compliance requirements at runtime. The authors validated their approach by architecting a compliance-driven service-oriented system in which business processes are monitored for compliance at runtime.
From ODRL-S to Low-level DSL: A Case Study Based on License Compliance in Service
Oriented Systems
Soudip Roy Chowdhury1, G.R. Gangadharan2, Patrícia Silveira1, Vincenzo D’Andrea1
1 University of Trento, Italy; 2 Politecnico di Milano, Italy
Virtual Goods 2010, Namur, Belgium, 1st October 2010
2
License
3
Service License
http://odrl.net/Profiles/Services/
4
Service License
• Defines terms and conditions for usage of the service.
• Limits the liability of the service provider in case of failure.
5
Compliance Requirement - COMPAS
http://www.compas-ict.eu/
6
Compliance Governance Runtime Architecture
7
License requirements in COMPAS

Name of the Compliance Requirement: Pay-per-view plan
Control: The user ID subscribed for the plan can acquire only n possible streams at price p.
Additional Descriptions: We check whether we comply with the max number of video playbacks allowed, which means max number of service invocations. We do not check (for now) whether the payment has been made.

Name of the Compliance Requirement: Time-based plan
Control: The user ID subscribed for the plan can acquire any number of times any possible streams from StartDate till EndDate of the plan.
Additional Descriptions: We do check whether we comply with the subscription period. We do not check (for now) whether the payment has been made.

Name of the Compliance Requirement: Composition permission
Control: Only pre-defined combinations of video and audio providers are allowed due to the licenses specified by the video provider (V1 with A1 or A2, V2 with A2).
Additional Descriptions: If V1 and V2 are provided by two different "content providers", then each should only mention its own content streams, not the other ones.
8
Conceptual model for compliance management
9
Runtime License verification framework
10
Challenges
1. How to associate high-level license concerns (constraints) with the low-level events (actions)?
2. Which low-level rules can address the license concerns in the WatchMe scenario?
3. What is the best strategy for translating an ODRL-S license to ESPER rules?
Bringing IT-Experts into the loop
Creating ESPER rule template
Patterns based translation strategy
11
ODRL-S to ESPER rules
Domain Experts
IT Experts
Write license in ODRL-S format
Provide low-level process/event information to which the license is attached; also write the translation template
License Translator
Low-level rules (e.g. ESPER rule)
Business Process Engine
Sends Event Information
Event Processing Engine (e.g. ESPER CEP Server)
Design Time
Run Time
Event Processing Engine checks the license concern against events and infers the compliance of the system
CEP online monitor / Event log
Notifies violation
Research challenge 1 & 2
Research challenge 3
12
License Translator
License Translator
Esper Rule Template
License Pattern
Esper Rule
13
License Translator contd..
ODRL-S Pattern
<o-ex:permission>
  <o-dd:play>...... </o-dd:play>
</o-ex:permission>
Domain Experts
Writes ODRL-S based license
IT Experts
<wm:event name="WatchMeGetVideoStreamEvent">... </wm:event>
Provides low level information
14
License Translator contd..
Esper Rule Template
IT Experts
Provides
create window PayPerViewWindow.win..from WatchMeGetVideoStreamEvent
Low level rules in the intermediate format
• The License Translator looks for a specific ODRL-S license pattern and finds the corresponding low-level rule in the rule template.
• It associates them and produces low-level rules, which are consumed by the ESPER event processing engine for runtime compliance checking.
15
Pay Per View plan in WatchMe scenario
...
<o-ex:permission>
  <o-dd:play>
    <wm:event name="WatchMeGetVideoStreamEvent">
      <o-ex:requirement>
        <wm:plan>
          <wm:type>Pay-per-view plan</wm:type>
        </wm:plan>
        <o-dd:prepay>
          <o-dd:payment>
            <o-dd:amount o-dd:currency="EUR">29.90</o-dd:amount>
          </o-dd:payment>
        </o-dd:prepay>
      </o-ex:requirement>
      <o-ex:constraint>
        <o-dd:unit o-ex:type="watchMe:NumberOfStreams" />
        <o-dd:count>300</o-dd:count>
      </o-ex:constraint>
    </wm:event>
  </o-dd:play>
</o-ex:permission>
...
16
License Translator generated Esper rule for Pay-per-view plan
<?xml version="1.0" encoding="UTF-8" ?>
<license>
  <ServiceUID>urn:watchMe:service:watchMe-Provider1-PerUse_service</ServiceUID>
  <PlanType>Pay-per-view plan</PlanType>
  <amount>29.90</amount>
  <unit>watchMe:NumberOfStreams</unit>
  <count>300</count>
  <esper>
    <rule1>create window PayPerViewWindow.win:keepall().std:unique(SessionID) as select SessionID, RequesterID from WatchMeGetVideoStreamEvent</rule1>
    <rule2>select count(*) from PayPerViewWindow</rule2>
  </esper>
</license>
Low level rules intermediate form
17
Conclusion and Future work
• Currently, translation is a pattern-based mapping.
  – This is not efficient for more generic translation.
• In future we will also explore the possibility of semantic-based mapping (semantic mapping between event concepts and license concepts).
19
Thank you
20
Licensing clause: pay-per-view plan
21
Translation Templates
• compositionTemplate =
  <rule1>create window CompositionWindow$.win:keepall().std:unique(SessionID) as select SessionID, properties.property[1] from pattern [ every (Event (name= $event1_name AND properties.property[2].value= $video_ProviderID ) AND Event (name=$event2_name AND properties.property[2].value =$audio_ProviderID))] </rule1>
• timeTemplate =
  <rule1>create window TimebasedWindow$.win:keepall().std:unique(SessionID) as select SessionID, properties.property[1] from $event_name where ($start_Time > current_timestamp()) or (current_timestamp() > $end_Time) </rule1>
• countTemplate =
  <rule1>create window PayPerViewWindow$.win:keepall().std:unique(SessionID) as select SessionID, properties.property[1] from $event_name </rule1>
  <rule2>select count(*) from PayPerViewWindow$ where count(*) > $count </rule2>
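
An added example, not the authors' translator: a minimal sketch of the pattern-to-template step for the pay-per-view license, filling the countTemplate from the slide above. The namespace URIs, the reading of the bare `$` after the window name as a per-license suffix, and the allowlist check on every substituted value are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Namespace URIs are assumptions: the slide's fragment omits its xmlns declarations.
NS = {"o-ex": "http://odrl.net/1.1/ODRL-EX", "o-dd": "http://odrl.net/1.1/ODRL-DD",
      "wm": "urn:example:watchme"}

# Constructed license: the slide's pay-per-view fragment, trimmed to what the translator reads.
LICENSE = """<o-ex:permission xmlns:o-ex="http://odrl.net/1.1/ODRL-EX"
    xmlns:o-dd="http://odrl.net/1.1/ODRL-DD" xmlns:wm="urn:example:watchme">
  <o-dd:play><wm:event name="WatchMeGetVideoStreamEvent">
    <o-ex:requirement><wm:plan><wm:type>Pay-per-view plan</wm:type></wm:plan></o-ex:requirement>
    <o-ex:constraint>
      <o-dd:unit o-ex:type="watchMe:NumberOfStreams"/>
      <o-dd:count>300</o-dd:count>
    </o-ex:constraint>
  </wm:event></o-dd:play>
</o-ex:permission>"""

# countTemplate as given on the "Translation Templates" slide.
COUNT_TEMPLATE = (
    "<rule1>create window PayPerViewWindow$.win:keepall().std:unique(SessionID) "
    "as select SessionID, properties.property[1] from $event_name </rule1>"
    "<rule2>select count(*) from PayPerViewWindow$ where count(*) > $count </rule2>")
TEMPLATES = {"Pay-per-view plan": COUNT_TEMPLATE}  # license pattern -> rule template
SAFE_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")

def translate(license_xml, suffix="1"):
    """Match the license pattern, validate its values, and fill the rule template."""
    root = ET.fromstring(license_xml)
    event = root.find("o-dd:play/wm:event", NS)
    if event is None:
        raise ValueError("no <wm:event> under <o-dd:play>")
    plan = event.findtext("o-ex:requirement/wm:plan/wm:type", "", NS).strip()
    template = TEMPLATES.get(plan)
    if template is None:
        raise ValueError("no rule template for plan %r" % plan)
    values = {"": suffix,  # bare "$" = window-name suffix (assumed meaning)
              "event_name": event.get("name", ""),
              "count": event.findtext("o-ex:constraint/o-dd:count", "", NS).strip()}
    # License text ends up inside a rule: allow only identifiers and plain integers.
    if not (SAFE_NAME.match(values["event_name"]) and re.fullmatch(r"[0-9]{1,9}", values["count"])
            and re.fullmatch(r"[A-Za-z0-9]+", suffix)):
        raise ValueError("license value not safe to place in a rule")
    return re.sub(r"\$(\w*)", lambda m: values[m.group(1)], template)

if __name__ == "__main__":
    print(translate(LICENSE))
```

Because the license is written by domain experts and the resulting text is executed by the event processing engine, the validation step is what keeps a malformed event name or count from altering the generated rule.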