skip to main content
10.1145/2914642.2914649acmconferencesArticle/Chapter ViewAbstractPublication PagessacmatConference Proceedingsconference-collections
research-article

Modular Synthesis of Enforcement Mechanisms for the Workflow Satisfiability Problem: Scalability and Reusability

Published: 06 June 2016 Publication History

Abstract

Modularity is an important concept in the design and enactment of workflows. However, supporting the specification and enforcement of authorization in this setting is not straightforward. In this paper, we introduce a notion of component and a combination mechanism for security-sensitive workflows. These are business processes in which execution constraints on the tasks are complemented with authorization constraints (e.g., Separation of Duty) and authorization policies (specifying which users can execute which tasks). We show how authorization constraints can also be imposed across components and demonstrate the usefulness of our notion of component by showing (i) the scalability of a technique for the synthesis of run-time monitors for security-sensitive workflows; and (ii) the design of a plug-in for the reuse of workflows and related run-time monitors inside an editor for security-sensitive workflows.

References

[1]
S. Abiteboul, R. Hull, and V. Vianu. Foundations of Databases. Addison-Wesley, Boston, 1995.
[2]
A. Armando and S. E. Ponta. Model Checking of Security-sensitive Business Processes. In Proc. of FAST, 2009.
[3]
D. Basin, S. J. Burri, and G. Karjoth. Dynamic enforcement of abstract separation of duty constraints. TISSEC, 15(3):13:1--13:30, Nov. 2012.
[4]
C. Bertolissi, D. R. dos Santos, and S. Ranise. Automated synthesis of run-time monitors to enforce authorization policies in business processes. In Proc. of ASIACCS, 2015.
[5]
D. Cohen, J. Crampton, A. V. Gagarin, G. Gutin, and M. Jones. Algorithms for the workflow satisfiability problem engineered for counting constraints. CoRR, abs/1504.02420, 2015.
[6]
L. Compagna, D. R. dos Santos, S. E. Ponta, and S. Ranise. Cerberus: Automated synthesis of monitors for security-sensitive business processes. In Proc. of TACAS, 2016.
[7]
J. Crampton. A reference monitor for workflow systems with constrained task execution. In Proc. of SACMAT, 2005.
[8]
J. Crampton, A. V. Gagarin, G. Gutin, and M. Jones. On the workflow satisfiability problem with class-independent constraints. In Proc. of IPEC, 2015.
[9]
J. Crampton, G. Gutin, and D. Karapetyan. Valued workflow satisfiability problem. In Proc. of SACMAT, 2015.
[10]
J. Crampton, G. Gutin, and A. Yeo. On the parameterized complexity and kernelization of the workflow satisfiability problem. TISSEC, 16(1):4:1--4:31, June 2013.
[11]
J. Crampton, M. Huth, and J. Kuo. Authorized workflow schemas: deciding realizability through LTL(F) model checking. STTT, 16(1):31--48, 2014.
[12]
J. de Freitas. Model business processes for flexibility and re-use: A component-oriented approach. Technical report, IBM, 2009.
[13]
D. R. dos Santos, S. Ranise, and S. E. Ponta. Modularity for Security-Sensitive Workflows. Technical report, arXiv, 2015. Available at http://arxiv.org/abs/1507.07479.
[14]
A. Koschmider, M. Fellmann, A. Schoknecht, and A. Oberweis. Analysis of process model reuse: Where are we now, where should we go from here? Decision Support Systems, 66(0):9--19, 2014.
[15]
C. Leuxner, W. Sitou, and B. Spanfelner. A formal model for work flows. In Proc. of SEFM, 2010.
[16]
N. Li and J. C. Mitchell. Datalog with constraints: a foundation for trust management languages. In Proc. of PADL, 2003.
[17]
J. C. Mace, C. Morisset, and A. Moorsel. Quantitative workflow resiliency. In Proc. of ESORICS, 2014.
[18]
I. Markovic and A. C. Pereira. Towards a formal framework for reuse in business process modeling. In Proc. of BPM, 2008.
[19]
O. Oanea. Verification of Soundness and Other Properties of Business Processes. PhD thesis, TU Eindhoven, 2007.
[20]
OMG. Business Process Model and Notation, v2.0. Technical report, Object Management Group, 2011.
[21]
H. Reijers and J. Mendling. Modularity in process models: Review and effects. In Proc. of BPM, 2008.
[22]
H. Reijers, J. Mendling, and R. Dijkman. On the usefulness of subprocesses in business process models. Technical report, BPM Center, 2010.
[23]
H. Reijers, J. Mendling, and R. Dijkman. Human and automatic modularizations of process models to enhance their comprehension. Inf. Syst., 36(5):881--897, 2011.
[24]
M. L. Rosa, H. Reijers, W. van der Aalst, R. Dijkman, J. Mendling, M. Dumas, and L. Garca-Banuelos. Apromore: An advanced process model repository. Expert Syst. Appl., 38(6):7029--7040, 2011.
[25]
R. Sandhu, E. Coyne, H. Feinstein, and C. Youmann. Role-Based Access Control Models. IEEE Computer, 2(29):38--47, 1996.
[26]
A. U. Shankar. An Introduction to Assertional Reasoning for Concurrent Systems. ACM Comput. Surv., 25(3):225--262, Sept. 1993.
[27]
W. van der Aalst. Workflow verification: Finding control-flow errors using petri-net-based techniques. In Proc. of BPM, 2000.
[28]
W. van der Aalst and A. ter Hofstede. Yawl: Yet another workflow language. Inf. Syst., 30:245--275, 2003.
[29]
W. van der Aalst, A. ter Hofstede, B. Kiepuszewski, and A. Barros. Workflow patterns. Distrib. Parallel Databases, 14(1):5--51, July 2003.
[30]
J. Wainer, A. Kumar, and P. Barthelmess. Dw-rbac: A formal security model of delegation and revocation in workflow systems. Inf. Syst., 32(3):365--384, May 2007.
[31]
Q. Wang and N. Li. Satisfiability and resiliency in workflow authorization systems. TISSEC, 13:40:1--40:35, December 2010.
[32]
M. Weske. Business Process Management: Concepts, Languages, Architectures. Springer, Secaucus, 2007.

Cited By

View all
  • (2023)Solving the Workflow Satisfiability Problem Using General Purpose SolversIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2022.322724120:6(4474-4485)Online publication date: Nov-2023
  • (2020)Constraint Branching in Workflow Satisfiability ProblemProceedings of the 25th ACM Symposium on Access Control Models and Technologies10.1145/3381991.3395600(93-103)Online publication date: 10-Jun-2020
  • (2017)On Run-Time Enforcement of Authorization Constraints in Security-Sensitive WorkflowsSoftware Engineering and Formal Methods10.1007/978-3-319-66197-1_13(203-218)Online publication date: 13-Aug-2017
  • Show More Cited By

Recommendations

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences
SACMAT '16: Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies
June 2016
248 pages
ISBN:9781450338028
DOI:10.1145/2914642
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 06 June 2016

Permissions

Request permissions for this article.

Check for updates

Author Tags

  1. business process
  2. modularity
  3. workflow satisfiability

Qualifiers

  • Research-article

Funding Sources

  • European Union

Conference

SACMAT 2016
Sponsor:

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)3
  • Downloads (Last 6 weeks)1
Reflects downloads up to 20 Feb 2025

Other Metrics

Citations

Cited By

View all
  • (2023)Solving the Workflow Satisfiability Problem Using General Purpose SolversIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2022.322724120:6(4474-4485)Online publication date: Nov-2023
  • (2020)Constraint Branching in Workflow Satisfiability ProblemProceedings of the 25th ACM Symposium on Access Control Models and Technologies10.1145/3381991.3395600(93-103)Online publication date: 10-Jun-2020
  • (2017)On Run-Time Enforcement of Authorization Constraints in Security-Sensitive WorkflowsSoftware Engineering and Formal Methods10.1007/978-3-319-66197-1_13(203-218)Online publication date: 13-Aug-2017
  • (2016)WRAD: Tool Support for Workflow Resiliency Analysis and DesignSoftware Engineering for Resilient Systems10.1007/978-3-319-45892-2_6(79-87)Online publication date: 26-Aug-2016

View Options

Login options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Figures

Tables

Media

Share

Share

Share this Publication link

Share on social media