Article

A reference monitor for workflow systems with constrained task execution

Author:
Jason Crampton

University of London

University of London
View Profile

SACMAT '05: Proceedings of the tenth ACM symposium on Access control models and technologiesJune 2005Pages 38–47https://doi.org/10.1145/1063979.1063986

Published:01 June 2005Publication History

SACMAT '05: Proceedings of the tenth ACM symposium on Access control models and technologies

Pages 38–47

ABSTRACT

We describe a model, independent of any underlying access control paradigm, for specifying authorization constraints such as separation of duty and cardinality constraints in workflow systems. We present a number of results enabling us to simplify the set of authorization constraints. These results form the theoretical foundation for an algorithm that can be used to determine whether a given constrained workflow can be satisfied: that is, does there exist an assignment of authorized users to workflow tasks that satisfies the authorization constraints? We show that this algorithm can be incorporated into a workflow reference monitor that guarantees that every workflow instance can complete. We derive the computational complexity of our algorithm and compare its performance to comparable work in the literature.

References

Atluri, V., and Huang, W. An authorization model for workflows. In Proceedings of the 4th European Symposium on Research in Computer Security (1996), pp. 44--64. Google ScholarDigital Library
Bertino, E., Ferrari, E., and Atluri, V. The specification and enforcement of authorization constraints in workflow management systems. ACM Transactions on Information and System Security 2, 1 (1999), 65--104. Google ScholarDigital Library
Botha, R., and Eloff, J. Separation of duties for access control enforcement in workflow environments. IBM Systems Journal 40, 3 (2001), 666--682. Google ScholarDigital Library
Casati, F., Castano, S., and Fugini, M. Managing workflow authorization constraints through active database technology. Information Systems Frontiers 3, 3 (2001), 319--338. Also available as Technical Report HPL-2000-156, Hewlett Packard Laboratories. Google ScholarDigital Library
Clark, D., and Wilson, D. A comparison of commercial and military computer security policies. In Proceedings of 1987 IEEE Symposium on Security and Privacy (1987), pp. 184--194.Google ScholarCross Ref
Crampton, J. An algebraic approach to the analysis of constrained workflow systems. In Proceedings of 3rd Workshop on Foundations of Computer Security (2004), pp. 61--74.Google Scholar
Kandala, S., and Sandhu, R. Secure role-based workflow models. In Database Security XV: Status and Prospects (2002), pp. 45--58. Google ScholarDigital Library
Knorr, K., and Stormer, H. Modeling and analyzing separation of duties in workflow environments. In Trusted Information: The New Decade Challenge, IFIP TC11 Sixteenth Annual Working Conference on Information Security (2001), pp. 199--212. Google ScholarDigital Library
Rusinkiewicz, M., and Sheth, A. Specification and execution of transactional workflows. In Modern Database Systems: The Object Model, Interoperability, and Beyond. Addison-Wesley, 1995, pp. 592--620. Google ScholarDigital Library
Tan, K., Crampton, J., and Gunter, C. The consistency of task-based authorization constraints in workflow systems. In Proceedings of 17th IEEE Computer Security Foundations Workshop (2004), pp. 155--169. Google ScholarDigital Library
Wainer, J., Barthelmess, P., and Kumar, A. W-RBAC -- A workflow security model incorporating controlled overriding of constraints. International Journal of Cooperative Information Systems 12, 4 (2003), 455--486.Google ScholarCross Ref

Index Terms

A reference monitor for workflow systems with constrained task execution

Recommendations

Role-based authorizations for workflow systems in support of task-based separation of duty

Role-based authorizations for assigning tasks of workflows to roles/users are crucial to security management in workflow management systems. The authorizations must enforce separation of duty (SoD) constraints to prevent fraud and errors. This work ...
Read More
Exception Handling of Multi-criteria Workflow Task Assignment
SECTECH '08: Proceedings of the 2008 International Conference on Security Technology

With the increases in workflow security requirements, some complex requirements have to be expressed by authorization constraints. When more and more authorization constraints must be treated in workflow task assignment, the exception possibilities of ...
Read More
A Flexible Access Control Model for Dynamic Workflow Using Extended WAM and RBAC
Computer Supported Cooperative Work in Design IV

Security issues pertaining to workflow systems are becoming increasingly important for the cross-enterprises interoperability in insecure environments. Among them, access control for information confidentiality and integrity has attracted widespread ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
SACMAT '05: Proceedings of the tenth ACM symposium on Access control models and technologies
June 2005
186 pages
ISBN:1595930450
DOI:10.1145/1063979
General Chair:
Elena Ferrari
University of Insubria at Como, Italy
,
Program Chair:
Gail-Joon Ahn
University of North Carolina at Charlotte
Copyright © 2005 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 1 June 2005
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
authorization constraint
entailment constraint
reference monitor
workflow system
Qualifiers
- Article
Conference

Acceptance Rates
Overall Acceptance Rate177of597submissions,30%
Upcoming Conference
SACMAT 2024

Sponsor:

sigsac

The 29th ACM Symposium on Access Control Models and Technologies

May 15 - 17, 2024

San Antonio , TX , USA
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 99
  Total Citations
  View Citations
- 830
  Total Downloads
- Downloads (Last 12 months)6
- Downloads (Last 6 weeks)3
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

A reference monitor for workflow systems with constrained task execution

SACMAT '05: Proceedings of the tenth ACM symposium on Access control models and technologies

ABSTRACT

References

Cited By

Index Terms

Recommendations

Role-based authorizations for workflow systems in support of task-based separation of duty

Exception Handling of Multi-criteria Workflow Task Assignment

A Flexible Access Control Model for Dynamic Workflow Using Extended WAM and RBAC