Abstract
Workflows represent processes in manufacturing and office environments that typically consist of several well-defined activities (known as tasks). To ensure that these tasks are executed by authorized users or processes (subjects), proper authorization mechanisms must be in place. Moreover, to make sure that authorized subjects gain access to the required objects only during the execution of the specific task, the granting and revoking of privileges need to be synchronized with the progression of the workflow. A predefined specification of the privileges often allows access for longer than the time required; thus, a subject that has completed the task or has not yet begun it may still possess privileges to access the objects, which compromises security.
In this paper, we propose a Workflow Authorization Model (WAM) that is capable of specifying authorizations in such a way that subjects gain access to required objects only during the execution of the task, thus synchronizing the authorization flow with the workflow. To achieve this synchronization, we associate an Authorization Template (AT) with each task, which allows appropriate authorizations to be granted only when the task starts and to revoke them when the task finishes. In this paper, we also present a model of implementation based on Petri nets and show how this synchronization can be implemented. Because the theoretical aspects of Petri nets have been extensively studied and due to their strong mathematical foundation, a Petri net representation of an authorization model serves as a good tool for conducting safety analysis since the safety problem in the authorization model is equivalent to the reachability problem in Petri nets.
This work was supported in part by the National Science Foundation grant IRI-9624222.
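The grant-on-start, revoke-on-finish synchronization and the safety-as-reachability check described in the abstract can be illustrated with a small place/transition net. This is an added example, not the paper's construction: the two-task workflow, the place names (`ready_*`, `run_*`, `auth_*`, `done`) and the unsafe-marking predicate are assumptions made for illustration.

```python
from collections import deque

# A transition is (name, tokens consumed, tokens produced); a marking maps place -> count.
def enabled(marking, pre):
    return all(marking.get(p, 0) >= n for p, n in pre.items())

def fire(marking, pre, post):
    m = dict(marking)
    for p, n in pre.items():
        m[p] -= n
    for p, n in post.items():
        m[p] = m.get(p, 0) + n
    return {p: n for p, n in m.items() if n}  # drop empty places

def reachable(initial, transitions):
    """Breadth-first enumeration of the reachability set (finite for this bounded net)."""
    start = frozenset(initial.items())
    seen, queue = {start}, deque([start])
    while queue:
        m = dict(queue.popleft())
        for _name, pre, post in transitions:
            if enabled(m, pre):
                nxt = frozenset(fire(m, pre, post).items())
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return [dict(m) for m in seen]

def unsafe_markings(initial, transitions, tasks):
    """Markings where a task's authorization token exists while the task is not running."""
    return [m for m in reachable(initial, transitions)
            if any(m.get(f"auth_{t}", 0) and not m.get(f"run_{t}", 0) for t in tasks)]

TASKS = ["t1", "t2"]  # hypothetical two-task workflow
# Synchronized net: starting a task grants its authorization, finishing revokes it.
SYNCED = [
    ("start_t1", {"ready_t1": 1}, {"run_t1": 1, "auth_t1": 1}),
    ("finish_t1", {"run_t1": 1, "auth_t1": 1}, {"ready_t2": 1}),
    ("start_t2", {"ready_t2": 1}, {"run_t2": 1, "auth_t2": 1}),
    ("finish_t2", {"run_t2": 1, "auth_t2": 1}, {"done": 1}),
]
# Predefined privileges: authorizations sit in the initial marking and are never revoked.
STATIC = [
    ("start_t1", {"ready_t1": 1}, {"run_t1": 1}),
    ("finish_t1", {"run_t1": 1}, {"ready_t2": 1}),
    ("start_t2", {"ready_t2": 1}, {"run_t2": 1}),
    ("finish_t2", {"run_t2": 1}, {"done": 1}),
]
SYNCED_INIT = {"ready_t1": 1}
STATIC_INIT = {"ready_t1": 1, "auth_t1": 1, "auth_t2": 1}
```

Calling `unsafe_markings` on the synchronized net returns an empty list, while on the static net every reachable marking holds an authorization for a task that is not executing.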
© 1996 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Atluri, V., Huang, WK. (1996). An authorization model for workflows. In: Bertino, E., Kurth, H., Martella, G., Montolivo, E. (eds) Computer Security — ESORICS 96. ESORICS 1996. Lecture Notes in Computer Science, vol 1146. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-61770-1_27
DOI: https://doi.org/10.1007/3-540-61770-1_27
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-61770-9
Online ISBN: 978-3-540-70675-5
eBook Packages: Springer Book Archive