Abstract
In recent years, workflow management systems (WFMSs) have gained popularity in both research and commercial sectors. WFMSs are used to coordinate and streamline business processes. Very large WFMSs are often used in organizations with users in the range of several thousands and process instances in the range of tens and thousands. To simplify the complexity of security administration, it is common practice in many businesses to allocate a role for each activity in the process and then assign one or more users to each role—granting an authorization to roles rather than to users. Typically, security policies are expressed as constraints (or rules) on users and roles; separation of duties is a well-known constraint. Unfortunately, current role-based access control models are not adequate to model such constraints. To address this issue we (1) present a language to express both static and dynamic authorization constraints as clauses in a logic program; (2) provide formal notions of constraint consistency; and (3) propose algorithms to check the consistency of constraints and assign users and roles to tasks that constitute the workflow in such a way that no constraints are violated.
- ADAM, N., ATLURI, V., AND HUANG, W. K. 1998. Modeling and analysis of workflows using petri nets. J. Intell. Inf. Syst. 10, 2, 131-158. Google ScholarDigital Library
- BONATTI, P., SAPINO, M., AND SUBRAHMANIAN, V. S. 1996. Merging heterogeneous security orderings. In Proceedings of the Conference on Computer Security (ESORICS 96, Rome, Italy), E. Bertino, H. Kurth, G. Martella, and E. Montolivo, Eds. Springer-Verlag, New York, NY, 183-197. Google Scholar
- CADOLI, M. AND SCHAERF, M. 1993. Complexity results for non-monotonic logics. J. Logic Program. 17.Google Scholar
- CHANG, S., POLESE, G., THOMAS, R., AND DAS, S. 1997. A visual language for authorization modeling. In Proceedings of the IEEE Symposium on Visual Languages (VL97, Capri, Italy). IEEE Computer Society Press, Los Alamitos, CA. Google Scholar
- CLARK, D. AND WILSON, D. 1987. A comparison of commercial and military computer security policies. In Proceedings of the IEEE Symposium on Research in Security and Privacy (Oakland, CA). IEEE Computer Society Press, Los Alamitos, CA, 184-194.Google Scholar
- DAS, S. 1992. Deductive Databases and Logic Programming. Addison-Wesley, Reading, MA.Google Scholar
- GELFOND, M. AND LIFSCHITZ, V. 1988. The stable model semantics for logic programming. In Proceedings of the 5th International Conference on Logic Programming (Cambridge, MA). MIT Press, Cambridge, MA, 1070-1080.Google Scholar
- GEORGAKOPOULOS, D., HORNICK, M., AND SHETH, A. 1995. An overview of workflow management: from process modeling to workflow automation infrastructure. Distrib. Parallel Databases 3, 2 (Apr. 1995), 119-153. Google ScholarDigital Library
- JONSCHER, D., MOFFET, J., AND DITTRICH, K. 1994. Complex subjects or the striving for complexity is ruling our world. In Database Security VII: Status and Prospects. Elsevier North-Holland, Inc., Amsterdam, The Netherlands, 19-37. Google Scholar
- LLOYD, J. W. 1984. Foundations of Logic Programming. Springer-Verlag, New York, NY. Google Scholar
- LOTUS CORPORATION, 1996. Lotus Notes Administrator's Reference Manual, Release 4. Lotus Publ. Corp., Cambridge, MA.Google Scholar
- MEDINA-MORA, R., TONG, H., AND FLORES, P. 1993. ActionWorkflow as the enterprise integration technology. IEEE Data Eng. Tech. Bull. 16, 2, 49-52.Google Scholar
- NYANCHAMA, M. AND OSBORN, S. 1993. Role-based security, object oriented databases and separation of duty. SIGMOD Rec. 22, 4 (Dec. 1993), 45-51. Google ScholarDigital Library
- NYANCHAMA, M. AND OSBORN, S. 1996. Modeling mandatory access control in role-based security systems. In Database Security IX: Status and Prospects. Elsevier North-Holland, Inc., New York, NY, 129-144. Google Scholar
- Proceedings of the 1st (1996) ACM Workshop on Role-Based Access Control. ACM Press, New York, NY.Google Scholar
- RAMAKRISHNAN, R., SRIVASTAVA, D., AND SUDARSHAN, S. 1994. The coral deductive system. VLDB J. 3, 2, 161-210. Google ScholarDigital Library
- SANDHU, R. 1991. Separation of duties in computerized information systems. In Database Security IV: Status and Prospects. Elsevier North-Holland, Inc., New York, NY, 179-189.Google Scholar
- SANDHU, R. 1996. Role hierarchies and constraints for lattice-based access controls. In Proceedings of the Conference on Computer Security (ESORICS 96, Rome, Italy), E. Bertino, H. Kurth, G. Martella, and E. Montolivo, Eds. Springer-Verlag, New York, NY, 65-79. Google Scholar
- SANDHU, R., COYNE, E. J., FEINSTEIN, H. L., AND YOUMAN, C. E. 1996. Role-based access control models. IEEE Comput. 29, 2 (Feb.), 38-47. Google ScholarDigital Library
- THOMAS, R. AND SANDHU, R. 1997. Task-based authorization controls (TBAC): Models for active and enterprise-oriented authorization management. In Proceedings of the 11th IFIP Working Conference on Database Security (Lake Tahoe, CA). Chapman & Hall, Ltd., London, UK, 136-151. Google Scholar
- ULLMAN, J. 1989. Principles of Database and Knowledge-Base Systems. Computer Science Press, Inc., New York, NY. Google Scholar
- VAN GELDER, A., ROSS, K. A., AND SCHLIPF, J. S. 1991. The well-founded semantics for general logic programs. J. ACM 38, 3 (July 1991), 619-649. Google ScholarDigital Library
Index Terms
- The specification and enforcement of authorization constraints in workflow management systems
Recommendations
Role-based authorization constraints specification
Constraints are an important aspect of role-based access control (RBAC) and are often regarded as one of the principal motivations behind RBAC. Although the importance of contraints in RBAC has been recogni zed for a long time, they have not recieved ...
Function-Based Authorization Constraints Specification and Enforcement
IAS '07: Proceedings of the Third International Symposium on Information Assurance and SecurityConstraints are an important aspect of role-based access control (RBAC) and its different extensions. They are often regarded as one of the principal motivation behind these access control models. In this paper, we introduce two novel authorization ...
Managing Workflow Authorization Constraints through Active Database Technology
The execution of workflow processes requires authorizations for enforcing the assignment of tasks to agents, either human or automated, according to the security policy of the organization. This paper presents a workflow authorization framework based on ...
Comments