Skip to main content
SpringerLink
Log in

Security for Workflow Systems

  • Chapter
Handbook of Database Security

Summary

Workflow technology is often employed by organizations to automate their day-to-day business processes. The primary advantage of adopting workflow technology is to separate the business policy from the business applications so that flexibility and maintainability of business process reengineering can be enhanced. Today’s workflows are not necessarily bound to a single organization, but may span multiple organizations where the tasks within a workflow are executed by different organizations.

In order to execute a workflow in a secure and correct manner, one must ensure that only authorized users should be able to gain access to the tasks of the workflow and resources managed by them. This can be accomplished by synchronizing the access control with the specified control flow dependencies among tasks. Without such synchronization, a user may still hold privileges to execute a task even after its completion, which may have adverse effects on security. In addition, the assignment of authorized users to tasks should respect the separation of duty constraints specified to limit the fraud. Another challenging issue in dealing with workflows spanning multiple organizations is to ensure their secure execution while considering conflictof-interest among these organizations. Another issue that is of theoretical interest is the safety analysis of the proposed authorization models and their extension in this area. In this book chapter, we review all the above security requirements pertaining to workflow systems, and discuss the proposed solutions to meet these requirements.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 89.00
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 119.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 169.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Workflow reference model. Technical report, Workflow Management Coalition, 1994.

    Google Scholar 

  2. V. Atluri. Security for workflow systems. Information Security Technical Report, 6(2):705–716, 2001.

    Article  Google Scholar 

  3. V. Atluri, E. Bertino, E. Ferrari, and P. Mazzoleni. Supporting delegation in secure workflow management systems. IFIP WG 11.3 Conference on Data and Application Security, August 2003.

    Google Scholar 

  4. Vijayalakshmi Atluri, Soon Ae Chun, and Pietro Mazzoleni. A chinese wall security model for decentralized workflow systems. In CCS ’01: Proceedings of the 8th ACM conference on Computer and Communications Security, 2001.

    Google Scholar 

  5. Vijayalakshmi Atluri and Wei-Kuang Huang. An Authorization Model for Workflows. In Proceedings of the Fifth European Symposium on Research in Computer Security, in Lecture Notes in Computer Science, No.1146, Springer-Verlag, September 1996.

    Google Scholar 

  6. Vijayalakshmi Atluri and Wei-Kuang Huang. A Petri Net Based Safety Analysis of Workflow Authorization Models. Journal of Computer Security, 8(2/3):209–240, 2000.

    Google Scholar 

  7. Vijayalakshmi Atluri and Janice Warner. Supporting conditional delegation in secure workflow management systems. In SACMAT, 2005.

    Google Scholar 

  8. Elisa Bertino, Piero Andrea Bonatti, and Elena Ferrari. Trbac: A temporal role-based access control model. ACM Transactions on Information and System Security (TISSEC), 4(3):191–203, 2001.

    Article  Google Scholar 

  9. Elisa Bertino, Elena Ferrari, and Vijayalakshmi Atluri. A Flexible Model Supporting the Specification and Enforcement of Role-based Authorizations in Workflow Management Systems. In Proc. of the 2nd ACM Workshop on Role-based Access Control, November 1997.

    Google Scholar 

  10. Elisa Bertino, Elena Ferrari, and Vijayalakshmi Atluri. An Approach for the Specification and Enforcement of Authorization Constraints in Workflow Management Systems. ACM Transactions on Information Systems Security, 2(1), February 1999.

    Google Scholar 

  11. Elisa Bertino, Elena Ferrari, and Vijayalakshmi Atluri. An Approach for the Specification and Enforcement of Authorization Constraints in Workflow Management Systems. ACM Transactions on Information Systems Security, 2(1), February 1999.

    Google Scholar 

  12. R. Botha and J. Eloff. Separation of duties for access control enforcement in workflow environments. IBM Systems Journal, 40(3), 2001.

    Google Scholar 

  13. D.F.C. Brewer and M.J. Nash. The chinese wall security policy. In IEEE Symposium on Security and Privacy, 1989.

    Google Scholar 

  14. J. Crampton. A reference monitor for workflow systems with constrained task execution. In SACMAT 05, 2005.

    Google Scholar 

  15. Dimitrios Georgakopoulos, Mark F. Hornick, and Amit P. Sheth. An overview of workflow management: From process modeling to workflow automation infrastructure. Distributed and Parallel Databases, 3(2):119–153, 1995.

    Article  Google Scholar 

  16. V. Gligor, S. Gavrila, and D. Ferraiolo. On the formal definition of separation-of-duty policies and their composition. IEEE Symposium on Research in Security and Privacy, 1998.

    Google Scholar 

  17. Michael A. Harrison, Walter L. Ruzzo, and Jeffrey D. Ullman. Protection in operating systems. Commun. ACM, 19(8), 1976.

    Google Scholar 

  18. Wei-Kuang Huang and Vijayalakshmi Atluri. Analyzing the Safety of Workflow Authorization Models. In Proc. of the 12th IFIP WG 11.3 Workshop on Database Security, July 1998.

    Google Scholar 

  19. Patrick C. K. Hung and Kamalakar Karlapalem2. A secure workflow model. In AISW2003, 2003.

    Google Scholar 

  20. Myong H. Kang, Joon S. Park, and Judith N. Froscher. Access control mechanisms for inter-organizational workflows. In SACMAT, 2001.

    Google Scholar 

  21. K. Knorr and H. Stormer. Modeling and anlying separation of duties in workflow environments. In IFIP TC11 Sixtgeenth Annual Working Conference on Information Security, 2001.

    Google Scholar 

  22. Hristo Koshutanski and Fabio Massacci. Interactive access control for web services. SEC, pages 151–166, 2004.

    Google Scholar 

  23. Marek Rusinkiewicz and Amit P. Sheth. Transactional workflow management in distributed systems (invited paper). In Proceedings of the First International Workshop on Advances in Databases and Information Systems, Moscow, Russia, May 23 - 26, 1994, pages 18–33, 1994.

    Google Scholar 

  24. Ravi S. Sandhu. Transaction Control Expressions for Separation of Duties. In Fourth Computer Security Applications Conference, pages 282–286, 1988.

    Google Scholar 

  25. Andreas Schaad, Volkmar Lotz, and Karsten Sohr. A model-checking approach to analysing organisational controls in a loan origination process. In SACMAT ’06: Proceedings of the eleventh ACM symposium on Access control models and technologies, 2006.

    Google Scholar 

  26. K. Tan, J. Crampton, and C. Gunter. The consistency of task-based authorization constraints in workflow systems. In Proceedings of the 17th IEEE Computer Security Foundations Workshop (CSFW’04, 2004.

    Google Scholar 

  27. J. Wainer, P. Barthelmess, and A. Kumar. W-rbac: A workflow security model incorporating controlled overriding of constraints. In International Journal of Cooperative Information Systems, volume 12, 2003.

    Google Scholar 

  28. Janice Warner and Vijayalakshmi Atluri. Inter-instance authorization constraints for secure workflow management. In SACMAT, 2006.

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Rutgers University, Newark, NJ

    Vijayalakshmi Atluri & Janice Warner

Authors
  1. Vijayalakshmi Atluri
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Janice Warner
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Dept. of Computer Science, University of California at Davis, One Shields Avenue, Davis, CA 95616-8562

    Michael Gertz

  2. George Mason University Center for Secure Information Systems Research I, Suite 417, Fairfax, VA 22030-4444

    Sushil Jajodia

Rights and permissions

Reprints and permissions

Copyright information

© 2008 Springer Science+Business Media, LLC.

About this chapter

Cite this chapter

Atluri, V., Warner, J. (2008). Security for Workflow Systems. In: Gertz, M., Jajodia, S. (eds) Handbook of Database Security. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-48533-1_9

Download citation

  • DOI: https://doi.org/10.1007/978-0-387-48533-1_9

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-0-387-48532-4

  • Online ISBN: 978-0-387-48533-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation