A policy-based authorization model for workflow-enabled dynamic process management
Introduction
Generally speaking, a workflow has three independent dimensions, namely: process logic, IT infrastructure and organization (Leymann and Roller, 2000). Process logic describes the “what” in terms of which activities are to be performed and in which sequence the activities are executed; IT infrastructure describes which IT resources, such as software programs that perform a particular activity, are required; the organization dimension describes the organizational structure of a company or an enterprise in terms of partners, departments, business roles and people, which provides the who should perform what activity.
As workflow has been applied to an increasing number of areas, many designs and implementation technologies exist (Becker and zur Muehlen, 2002). Many workflow models such as web service composition languages BPEL4WS (IBM, 2004) and Enterprise Application Integration (EAI), do not define or include any notion of human activities. Similarly, researchers and vendors have been focused mainly on the process logic and IT infrastructure dimensions of workflow and often neglected the linkage between the organizational elements and process activities. The complete relationship among the three dimensions of workflow and especially the critical role played by the organization dimension are not well studied (Zur Muehlen, 2004). However, as a technology that roots in office automation of the 1970s (History of Workflow Research, 2004), workflow should support human-centric business processes and therefore must include the modeling of dynamic business roles and human activities. The importance of human involvement in workflow applications has recently been pointed out by (Moore, 2002), who has identified the excessive activity automation and poor design of work assignment strategies as critical issues in workflow projects.
The enforcement of task assignment relies on an authorization model, which is expressed in terms of roles rather than in terms of specific individuals in order to reduce the number of authorizations necessary in the system and to simplify their maintenance (Casati et al., 2001). However, this role-based model alone is inadequate to meet all the requirements of processes within an organization. Such requirements may include: (1) role delegation (Akhil and Zhao, 2002), for example, when a worker is not available, a workflow system should be able to locate (and possibly assign) appropriate alternate workers to prevent excessive delays; (2) binding of roles (Akhil and Zhao, 2002), for example, a customer's complaint should be handled by the person who sold the product originally, and (3) separation of duties (Botha and Eloff, 2001), for example, individuals may not be allowed to approve his or her own travel expenses or supply requisitions.
A business process in an organization can be quite complex and dynamic (Chung et al., 2003). However, current workflow systems can typically only support simple and predictable processes, but not the dynamically changing processes (van der Aalst and Jablonski, 2000). The dynamic business process brings additional challenges to the authorization strategy. For example, as most business processes involve team work, authorization strategy should not only be role based but also be team based (van der Aalst, 2001). Furthermore, each organization in an enterprise usually enforces its specific management policies; authorization strategies from different management policies should be coordinated.
In this paper a policy-based authorization model for workflow-enabled dynamic business processes is proposed. A policy is specified in a Task Authorization Policy Language (TAPL), which can be easily translated into SQL query sentences so that the policy can be directly executed by a database management system. Based on the TAPL, a policy modeling and enforcement framework to support dynamic business processes is proposed.
The remainder of the paper is organized as follows. Section 2 gives a brief review of workflow management and introduces a workflow-enabled dynamic process management framework. Section 3 presents an organizational model for dynamic business processes. Section 4 defines the syntax of TAPL and discusses the policy modeling and management problem in an organization. Section 5 introduces a framework together with some key techniques to support policy enforcement within a workflow management system. Section 6 describes briefly the implementation of a demonstration system. Section 7 discusses related work. Finally, Section 8 provides some concluding remarks.
Section snippets
A workflow-enabled dynamic business process management framework
There are many process model representations for workflow management implemented by different vendors and proposed by researchers (van der Aalst et al., 2003). To facilitate discussion, a brief introduction to a generic process model for workflow management is first given.
A process consists of a set of activities and the dependencies among the activities. The dependencies prescribe the ordering relationships between activities within a process. According to the workflow management coalition
An organization model for dynamic business processes
The organization model for dynamic business processes is shown in Fig. 4. In Fig. 4, a project model consists of one or more process models. A process model in turn is composed of a set of activities.
An activity can be complex or atomic. A complex activity includes a set of activities as its children. An atomic activity has no child activities, i.e., for an atomic activity a, ¬∃x sup(x)=a. When a workflow model is instantiated as a process, an atomic activity should be assigned and it is also
An authorization model for dynamic business processes
There are different task authorization strategies that can be deployed for task assignment in a business process. The four most basic task authorization types are:
- (1)
Staff-authorization: to assign a staff for a task.
- (2)
Role-authorization: to assign a specific role for a task.
- (3)
Team-authorization: to form a team and assign the task to the team. A team can further be divided into sub-teams. If a team t1 is a sub-team of team t, then (team_member (t1) ⊆ team_member (t)) ∧ (team_role (t1) ⊆ team_role (t))
A task assignment framework
Fig. 9 depicts a task assignment framework for dynamic business processes. Before a project begins, a project manager can form a project team according to the knowledge about the project. The project manager can also add certain task assignment policies to the project and to the project team. As activities are decomposed into sub-processes, sub-teams and their team policies can be established. A sub-team manager can further append policies to the activities or tasks. For example, the sub-team
Implementation
A workflow management system for dynamic business process has been implemented based on the framework shown in Fig. 2. Task authorization policy modeling and enforcement modules are two important parts of the whole system.
Fig. 15(a) is a process-modeling environment through which a workflow process model can be defined and saved into a workflow library. In the environment, each workflow model is represented as a process graph. The model shown in Fig. 15(a) is the component development process
Related work
It is widely accepted processes are the core of organizations (Willaert et al., 2007), organizations also have important impact on process. Organizational models for workflow management have been proposed by (Bussler, 1998; Rupietta, 1997; Zur Muehlen, 2004). But they only defined some Meta models of the organization structure for workflow management, which can only serve as a basis for task assignment research.
Most of the researches in recent years regard role-based model as an access control
Conclusions and future work
There is a need to develop tools and models for supporting dynamic business processes. This paper focuses on providing an effective task assignment strategy for dynamic business processes. A framework is proposed to support dynamic task authorization policy modeling and enforcement in a business process environment where assignment policies come from different sources. The mechanism for facilitating task assignment policy is based on an SQL-like language called TAPL, which can be rewritten into
Acknowledgments
This work was supported by China NSF (under Grant no. 60503041), the National High-Tech Research and Development Plan of China (under Grant no. 2006AA04Z152, 2007AA01Z137) and China Basic Research Grant (under Grant no. 2003CB317005). This work was also partly supported by Swinburne Dean Collaborative Grants Scheme 2007–2008, and Swinburne Research Development Scheme 2008.
References (29)
- et al.
Knowledge-based process management—an approach to handling adaptive workflow
Know-Based Syst
(2003) A reference model for team-enabled workflow management systems
Data Know Eng
(2001)- Akhil K, Zhao LJ. EROICA: A rule-based approach to organizational, policy management. In: Meng X, Su J, Wang Y,...
- et al.
A petri net based safety analysis of workflow authorization models
J Comput Secur
(2000) - Becker J, zur Muehlen M. Workflow application architectures: classification and characteristics of workflow-based...
- et al.
The specification and enforcement of authorization constraints in workflow management systems
ACM Trans Inf Syst Secur
(1999) - et al.
Separation of duties for access control enforcement in workflow environments
IBM Syst J
(2001) Organisationsverwaltung in workflow-management-systemen
(1998)- Bussler C, Jablonski S. Policy resolution for workflow management systems. In: 28th Hawaii international conference on...
- et al.
Managing workflow authorization constraints through active database technology
J Inf Syst Front (Special Issue on Workflow Automation And Business Process Integration)
(2001)
A taxonomy of grid workflow verification and validation
Concurr Comp-Pract E
Workflow modeling for virtual processes: an order-preserving process-view approach
Inf Syst
Cited by (24)
Association-based active access control models with balanced scalability and flexibility
2014, Computers in IndustryCitation Excerpt :However, repetitive authorizations among different tasks cannot be handled. In 2009, Cao and Chen et al. proposed a policy-based authorization model for team-enabled workflows [14]. However, it does not concern the permission assignment since its main focus is the organization dimension of workflows.
A survey on modeling dynamic business processes
2021, PeerJ Computer ScienceAgile business process management: A systematic literature review and an integrated framework
2020, Business Process Management JournalFormal approach for authorization in distributed business process related task document role based access control
2019, 2019 15th International Wireless Communications and Mobile Computing Conference, IWCMC 2019Privacy-aware multi-tenant access control for cloud workflow
2019, Jisuanji Jicheng Zhizao Xitong/Computer Integrated Manufacturing Systems, CIMSRole transition management: Issues and control in a call center
2015, Proceedings - 2014 3rd International Conference on User Science and Engineering: Experience. Engineer. Engage, i-USEr 2014