Abstract
Flexible collaboration is a notable attribute of Web 2.0, often taking the form of multiple users participating in different activities that together complete a whole business process. In such an environment, business processes may be dynamically customized or adjusted, and participants may be selected, or may take part, unpredictably. Ensuring the legitimacy of a business process with respect to both security and business is therefore increasingly critical. In this paper, we investigate this problem and introduce a novel method to support legally flexible business processes. The proposed Constraint-based Business Process Management Model incorporates constraints into the standard activities composing a business process: security constraints place restrictions on the participants performing the activities, and business constraints restrict the dependencies between multiple activities. Through assembly operations, business processes can be dynamically generated and adjusted from activities that are bound by the specified constraints. Several algorithms are presented to verify the consistency of constraints and the soundness of the generated business processes, and to perform execution planning that guarantees the correct execution of a business process provided that all constraints are satisfied. We present an illustrative example and implement a prototype of the proposed model, an application for property rights exchange that supports legal business processes.
Cite this article
Sun, Y., Huang, J.Z. & Meng, X. Integrating constraints to support legally flexible business processes. Inf Syst Front 13, 171–189 (2011). https://doi.org/10.1007/s10796-009-9190-z
DOI: https://doi.org/10.1007/s10796-009-9190-z