Abstract
Satisfiability problem of authorization requirements in business process asks whether there exists an assignment of users to tasks that satisfies all the requirements, and methods were proposed to solve this problem. However, the proposed methods are inefficient in the sense that a step of the methods is searching all the possible assignments, which is time-consuming. This work proposes a method to solve the satisfiability problem of authorization requirements without browsing the assignments space. Our method uses improved separation of duty algebra (ISoDA) to describe a satisfiability problem of qualification requirements and quantification requirements (Separation of Duty and Binding of Duty requirements). Thereafter, ISoDA expressions are reduced into multi-mutual-exclusive expressions. The satisfiabilities of multi-mutual-exclusive expressions are determined by an efficient algorithm proposed in this study. The experiment shows that our method is faster than the state-of-the-art methods.
Similar content being viewed by others
References
Becker J, Delfmann P, Dietrich H-A, Steinhorst M, Eggert M. Business process compliance checking —applying and evaluating a generic pattern matching approach for conceptual models in the financial sector. Information Systems Frontiers, 2016, 18(2): 359–405
Ly L T, Rinderle-Ma S, Knuplesch D, Dadam P. Monitoring business process compliance using compliance rule graphs. Lecture Notes in Computer Science, 2011, 7044: 82–99
Ly L T, Rinderle S, Dadam P. Integration and verification of semantic constraints in adaptive process management systems. Data & Knowledge Engineering, 2008, 64(1): 3–23
Li N H, Wang Q H. Beyond separation of duty: an algebra for specifying high-level security policies. Journal of the ACM, 2008, 55(3): 1–46
Wolter C, Schaad A. Modeling of task-based authorization constraints in BPMN. In: Proceedings of International Conference on Business Process Management. 2007, 64–79
Bertino E, Ferrari E, Atluri V. An authorization model for supporting the specification and enforcement of authorization constraints in workflow management systems. ACM Transactions on Information System Security, 1999, 2(1): 65–104
Crampton J, Gutin G, Karapetyan. D. Valued workflow satisfiability problem. In: Proceedings of the 20th ACM Symposium on Access Control Models and Technologies. 2015, 3–13
Karapetyan D, Gagarin A, Gutin G. Pattern backtracking algorithm for the workflow satisfiability problem with user-independent constraints. In: Proceedings of the 9th International Workshop on Frontiers in Algorithmics. 2015, 138–149
Mace J C, Morisset C, Van Moorsel A. Modelling user availability in workflow resiliency analysis. In: Proceedings of Symposium and Bootcamp on the Science of Security. 2015, 1–10
Cohen D, Crampton J, Gagarin A, Gutin G, Jones M. Iterative plan construction for the workflow satisfiability problem. Journal of Artificial Intelligence Research, 2014, 51: 555–577
Crampton J, Gutin G, Yeo A. On the parameterized complexity and kernelization of the workflow satisfiability problem. ACM Transactions on Information and System Security, 2012, 16(1): 1518–1527
Cohen D, Crampton J, Gagarin A, Gutin G, Jones M. Algorithms for the workflow satisfiability problem engineered for counting constraints. Journal of Combinatorial Optimization, 2015: 1–22
Zhai Z N, Wang G, Zheng Z J. Verification of (≠, =) constrained workflow robustness based on satisfiability counting. Chinese Journal of Electronics, 2015, 43(11): 2298–2304
Bo Y, Xia C H, Luo Y, Tang Q. Static compliance checking beyond separation of duty constraints. In: Proceedings of the 9th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing (3PGCIC). 2014, 171–178.
Wang Q H, Li N H. Satisfiability and resiliency in workflow authorization systems. ACM Transactions on Information and System Security, 2010, 13(4): 747–759
Kohler M, Schaad A. Avoiding policy-based deadlocks in business processes. In: Proceedings of International Conference on Availability, Reliability and Security. 2008, 709–716
Strembeck M, Mendling J. Generic algorithms for consistency checking of mutual-exclusion and binding constraints in a business process context. Lecture Notes in Computer Science, 2010: 204–221
Tan K, Crampton J, Gunter C A. The consistency of task-based authorization constraints in workflow systems. In: Proceedings of the 17th IEEE Computer Security Foundations Workshop. 2004, 155–169
Armando A, Ponta S E. Model checking authorization requirements in business processes. Computers and Security, 2014, 40(2): 1–22
Hoffmann J, Weber I, Governatori G. On compliance checking for clausal constraints in annotated process models. Information Systems Frontiers, 2012, 14(2): 155–177
Basin D, Burri S J, Karjoth G. Dynamic enforcement of abstract separation of duty constraints. In: Proceedings of the 14th European Symposium on Research in Computer Security. 2009, 250–267
Barletta M, Ranise S, Vigano L. Verifying the interplay of authorization policies and workflow in service-oriented architectures. In: Proceedings of the 16th International Conference on Computational Science and Engineering. 2009, 289–296
Armando A, Ponta S E. Model checking of security-sensitive business processes. Lecture Notes in Computer Science, 2009, 5983: 66–80
Rodríguez A, Fernández-Medina E, Piattini M. A BPMN extension for the modeling of security requirements in business processes. IEICE Transactions on Information and Systems, 2007, 90(4): 745–752
Cohen D, Crampton J, Gagarin A, Gutin G, Jones M. Engineering algorithms for workflow satisfiability problem with user-independent constraints. Lecture Notes in Computer Science, 2014, 8497: 48–59
Acknowledgements
This work was partially supported by the Project on the Integration of Industry, Education and Research of Aviation Industry Corporation of China (CXY2011BH07), and the Co-Funding Project of Beijing Municipal education Commission (JD100060630).
Author information
Authors and Affiliations
Corresponding author
Additional information
Yang Bo is a PhD candidate of computer science at Beihang University, China. His research concerns the security and privacy of network and business process.
Chunhe Xia received his PhD degree in computer science and engineering from Beihang University, China in 2003. He is now heading the Beijing Key Laboratory of Network Technology, Beihang University. His research interests include network security, network management and security policy analysis.
Zhigang Zhang is a postgraduate student of computer science at Beihang University, China. His research concerns information security.
Xinzheng Lu is an associate research fellow of National Education Examinations Authority of China, China. His research interest includes network and information security.
Electronic supplementary material
Rights and permissions
About this article
Cite this article
Bo, Y., Xia, C., Zhang, Z. et al. On the satisfiability of authorization requirements in business process. Front. Comput. Sci. 11, 528–540 (2017). https://doi.org/10.1007/s11704-016-6016-2
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11704-016-6016-2