Summary
Workflow technology is often employed by organizations to automate their day-to-day business processes. The primary advantage of adopting workflow technology is to separate the business policy from the business applications so that flexibility and maintainability of business process reengineering can be enhanced. Today’s workflows are not necessarily bound to a single organization, but may span multiple organizations where the tasks within a workflow are executed by different organizations.
In order to execute a workflow in a secure and correct manner, one must ensure that only authorized users are able to gain access to the tasks of the workflow and the resources managed by them. This can be accomplished by synchronizing access control with the specified control flow dependencies among tasks. Without such synchronization, a user may still hold privileges to execute a task even after its completion, which may have adverse effects on security. In addition, the assignment of authorized users to tasks should respect the separation of duty constraints specified to limit fraud. Another challenging issue in dealing with workflows spanning multiple organizations is to ensure their secure execution while considering conflict-of-interest among these organizations. A further issue, of theoretical interest, is the safety analysis of the proposed authorization models and their extension in this area. In this book chapter, we review all the above security requirements pertaining to workflow systems, and discuss the proposed solutions to meet these requirements.
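The two enforcement requirements named above, privileges synchronized with control flow and separation of duty, can be shown in a small reference monitor. This Python example is added here for illustration and is not code from the chapter; the class name `WorkflowMonitor`, the purchase-order tasks and the user names are all constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class WorkflowMonitor:
    """Illustrative monitor: a task's privilege exists only while the task is enabled."""
    deps: dict        # task -> set of tasks that must complete first
    authorized: dict  # task -> set of users allowed to perform it
    sod: list         # pairs of tasks that must be performed by different users
    done: dict = field(default_factory=dict)  # task -> user who completed it

    def enabled(self, task):
        # Control-flow synchronization: not yet completed, all predecessors completed.
        return task not in self.done and all(
            p in self.done for p in self.deps.get(task, ()))

    def can_execute(self, user, task):
        if user not in self.authorized.get(task, ()):
            return False, "not authorized for task"
        if not self.enabled(task):
            return False, "task not enabled"
        for a, b in self.sod:
            other = b if task == a else a if task == b else None
            if other is not None and self.done.get(other) == user:
                return False, f"separation of duty with {other}"
        return True, "ok"

    def execute(self, user, task):
        ok, reason = self.can_execute(user, task)
        if ok:
            # Recording completion revokes the privilege: enabled() is now False.
            self.done[task] = user
        return ok, reason

def demo():
    # Constructed workflow: prepare -> approve -> issue
    m = WorkflowMonitor(
        deps={"approve": {"prepare"}, "issue": {"approve"}},
        authorized={"prepare": {"alice", "bob"},
                    "approve": {"alice", "carol"},
                    "issue": {"bob"}},
        sod=[("prepare", "approve")],
    )
    return [
        m.execute("carol", "approve"),  # predecessor not yet completed
        m.execute("alice", "prepare"),
        m.execute("alice", "approve"),  # same user prepared the order
        m.execute("carol", "approve"),
        m.execute("alice", "prepare"),  # privilege gone after completion
        m.execute("bob", "issue"),
    ]
```

The fifth call is the case the summary warns about: without tying the privilege to the task's enabled state, alice's static authorization for `prepare` would still allow her to run it again.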
© 2008 Springer Science+Business Media, LLC.
Cite this chapter
Atluri, V., Warner, J. (2008). Security for Workflow Systems. In: Gertz, M., Jajodia, S. (eds) Handbook of Database Security. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-48533-1_9
DOI: https://doi.org/10.1007/978-0-387-48533-1_9
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-48532-4
Online ISBN: 978-0-387-48533-1
eBook Packages: Computer Science, Computer Science (R0)