Modeling of Task-Based Authorization Constraints in BPMN

Workflows model and control the execution of business processes in an organisation by defining a set of tasks to be done. The specification of workflows is well-elaborated and heavily tool supported. Task-based access control is tailored to specify authorization constraints for task allocation in workflows. Existing workflow modeling notations do not support the description of authorization constraints for task allocation commonly referred to as resource allocation patterns.

In this paper we propose an extension for the Business Process Modeling Notation (BPMN) to express such authorizations within the workflow model, enabling the support of resource allocation pattern, such as Separation of Duty, Role-Based Allocation, Case Handling, or History-Based Allocation in BPMN. These pattern allow to specify authorization constraints, for instance role-task assignments, separation of duty, and binding of duty constraints. Based on a formal approach we develop an authorization constraint artifact for BPMN to describe such constraints.

As a pragmatic demonstration of the feasibility of our proposed extension we model authorization constraints inspired by a real world banking workflow scenario. In the course of this paper we identify several aspects of future work related to verification and consistency analysis of modeled authorization constraints, tool-supported and pattern-driven authorization constraint description, and automatic derivation of authorization policies, such as defined by the eXtensible Access Control Markup Language (XACML).