ABSTRACT
Workflows model and control the execution of business processes in an organization. A workflow typically comprises of a set of coordinated activities, known as tasks. Typically, organizations establish a set of security policies, that regulate how the business process and resources should be managed. While a simple policy may specify which user (or role) can be assigned to execute a task, a complex policy may specify authorization constraints, such as separation of duties. Users may delegate the tasks assigned to them. Often such delegations are short-lived and come into play when certain conditions are satisfied. For example, a user may want to delegate his task of check approval only when going on vacation, when a check amount is less than a certain amount, or when his workload exceeds a certain limit.In this paper, we extend the notion of delegation to allow for such conditional delegation, where the delegation conditions can be based on time, workload and task attributes. When workflow systems entertain conditional delegation, different types of constraints come into play, which include authorization constraints, role activation constraints and workflow dependency requirements. We address the problem of assigning users to tasks in a consistent manner such that none of the constraints are violated.
- N.R. Adam, V. Atluri and W-K. Huang. Modeling and Analysis of Workflows Using Petri Nets. In Journal of Intelligent Information Systems, Special Issue on Workflow and Process Management, Volume 10, Number 2, March 1998, pages 131--158. Google ScholarDigital Library
- V. Atluri, E. Bertino, E. Ferrari, P. Mazzoleni, Supporting Delegation in Secure Workflow Management Systems. In IFIP WG 11.3 Conference on Data and Application Security, August 2003.Google Scholar
- E. Barka and R. Sandhu. Framework for role-based delegation model. In Proceedings of 23rd National Information Systems Security Conference, pages 101-- 114, October 2000.Google ScholarCross Ref
- E. Bertino, E. Ferrari, and V. Atluri. An Approach for the Specification and Enforcement of Authorization Constraints in Workflow Management Systems. ACM Transactions on Information Systems Security, 2(1), February 1999. Google ScholarDigital Library
- E. Bertino, P. Bonatti and E. Ferrari, TRBAC: A Temporal Role-Based Access Control Model. In ACM Transactions on Information and System Security, Vol. 4, No. 3, August 2001, Pages 191-223 Google ScholarDigital Library
- S.K. Chang, G. Polese, R. Thomas, and S. Das. A Visual Language for Authorization Modeling. In Proc. of the IEEE Symposium on Visual Languages (VL97), 1997. Google ScholarDigital Library
- D. D. Clark and D. R. Wilson. A comparison of commercial and military computer security policies. In Proc. IEEE Symposium on Security and Privacy, pages 184--194, Oakland, California, April 1987.Google ScholarCross Ref
- J. Clifford and A. U. Tansel. On an algebra for historical relational databases: two views. In Proceedings of the ACM SIGMOD, pages 247--265, May 1985. Google ScholarDigital Library
- M. Gasser and E. McDermott. An architecture for practical delegation of a distributed system. In Proc. IEEE Symposium on Security and Privacy, May 1990.Google ScholarCross Ref
- D. Georgakopoulos, M. Hornick, and A. Sheth. An Overview of Workflow Management: From Process Modeling to Workflow Automation Infrastructure. Distributed and Parallel Databases, pages 119--153, 1995. Google ScholarDigital Library
- D. Hollingsworth, Workflow reference model, Technical report WfMC-TC-1003, Workflow Management Coalition, January 1994.Google Scholar
- N. Li and B. N. Grosof. A practical implementation and tractable delegation logic. In Proc. IEEE Symposium on Security and Privacy, May 2000. Google ScholarDigital Library
- J.W. Lloyd. Foundations of Logic Programming. Springer-Verlag, 1984. Google ScholarDigital Library
- M. Rusinkiewicz and A. Sheth. Specification and Execution of Transactional Workflows. In W. Kim, editor, Modern Database Systems: The Object Model, Interoperability, and Beyond. Addison-Wesley, 1994. Google ScholarDigital Library
- R. Sandhu. Separation of Duties in Computerized Information Systems. In Database Security IV: Status and Prospects, pages 179--189, 1991.Google Scholar
- Y. Shoham. Reasoning about change: Time and Causation from the standpoint of Artificial Intelligence. MIT press, 1988. Google ScholarDigital Library
- L. Zhang, G. Ahn, and B. Chu. A rule-based framework for role based delegation. In Proceedings of the Sixth ACM Symposium on Access control models and technologies, pages 153--162, 2001. Google ScholarDigital Library
- L. Zhang, G. Ahn, and B. Chu. A role-based delegation framework for healthcare information systems. In Seventh ACM Symposium on Access Control Models and Technologies, pages 125--134, 2002. Google ScholarDigital Library
Index Terms
- Supporting conditional delegation in secure workflow management systems
Recommendations
A rule-based framework for role-based delegation and revocation
Delegation is the process whereby an active entity in a distributed environment authorizes another entity to access resources. In today's distributed systems, a user often needs to act on another user's behalf with some subset of his/her rights. Most ...
Delegation in role-based access control
User delegation is a mechanism for assigning access rights available to one user to another user. A delegation can either be a grant or transfer operation. Existing work on delegation in the context of role-based access control models has extensively ...
Delegation and satisfiability in workflow systems
SACMAT '08: Proceedings of the 13th ACM symposium on Access control models and technologiesSupporting delegation mechanisms in workflow systems is receiving increasing interest from the research community. An important requirement of a constrained workflow is to guarantee the satisfiability of the workflow, which requires that some set of ...
Comments