ABSTRACT
We describe a model, independent of any underlying access control paradigm, for specifying authorization constraints such as separation of duty and cardinality constraints in workflow systems. We present a number of results enabling us to simplify the set of authorization constraints. These results form the theoretical foundation for an algorithm that can be used to determine whether a given constrained workflow can be satisfied: that is, does there exist an assignment of authorized users to workflow tasks that satisfies the authorization constraints? We show that this algorithm can be incorporated into a workflow reference monitor that guarantees that every workflow instance can complete. We derive the computational complexity of our algorithm and compare its performance to comparable work in the literature.
- Atluri, V., and Huang, W. An authorization model for workflows. In Proceedings of the 4th European Symposium on Research in Computer Security (1996), pp. 44--64. Google ScholarDigital Library
- Bertino, E., Ferrari, E., and Atluri, V. The specification and enforcement of authorization constraints in workflow management systems. ACM Transactions on Information and System Security 2, 1 (1999), 65--104. Google ScholarDigital Library
- Botha, R., and Eloff, J. Separation of duties for access control enforcement in workflow environments. IBM Systems Journal 40, 3 (2001), 666--682. Google ScholarDigital Library
- Casati, F., Castano, S., and Fugini, M. Managing workflow authorization constraints through active database technology. Information Systems Frontiers 3, 3 (2001), 319--338. Also available as Technical Report HPL-2000-156, Hewlett Packard Laboratories. Google ScholarDigital Library
- Clark, D., and Wilson, D. A comparison of commercial and military computer security policies. In Proceedings of 1987 IEEE Symposium on Security and Privacy (1987), pp. 184--194.Google ScholarCross Ref
- Crampton, J. An algebraic approach to the analysis of constrained workflow systems. In Proceedings of 3rd Workshop on Foundations of Computer Security (2004), pp. 61--74.Google Scholar
- Kandala, S., and Sandhu, R. Secure role-based workflow models. In Database Security XV: Status and Prospects (2002), pp. 45--58. Google ScholarDigital Library
- Knorr, K., and Stormer, H. Modeling and analyzing separation of duties in workflow environments. In Trusted Information: The New Decade Challenge, IFIP TC11 Sixteenth Annual Working Conference on Information Security (2001), pp. 199--212. Google ScholarDigital Library
- Rusinkiewicz, M., and Sheth, A. Specification and execution of transactional workflows. In Modern Database Systems: The Object Model, Interoperability, and Beyond. Addison-Wesley, 1995, pp. 592--620. Google ScholarDigital Library
- Tan, K., Crampton, J., and Gunter, C. The consistency of task-based authorization constraints in workflow systems. In Proceedings of 17th IEEE Computer Security Foundations Workshop (2004), pp. 155--169. Google ScholarDigital Library
- Wainer, J., Barthelmess, P., and Kumar, A. W-RBAC -- A workflow security model incorporating controlled overriding of constraints. International Journal of Cooperative Information Systems 12, 4 (2003), 455--486.Google ScholarCross Ref
Index Terms
- A reference monitor for workflow systems with constrained task execution
Recommendations
Role-based authorizations for workflow systems in support of task-based separation of duty
Role-based authorizations for assigning tasks of workflows to roles/users are crucial to security management in workflow management systems. The authorizations must enforce separation of duty (SoD) constraints to prevent fraud and errors. This work ...
Exception Handling of Multi-criteria Workflow Task Assignment
SECTECH '08: Proceedings of the 2008 International Conference on Security TechnologyWith the increases in workflow security requirements, some complex requirements have to be expressed by authorization constraints. When more and more authorization constraints must be treated in workflow task assignment, the exception possibilities of ...
A Flexible Access Control Model for Dynamic Workflow Using Extended WAM and RBAC
Computer Supported Cooperative Work in Design IVSecurity issues pertaining to workflow systems are becoming increasingly important for the cross-enterprises interoperability in insecure environments. Among them, access control for information confidentiality and integrity has attracted widespread ...
Comments