The consistency of task-based authorization constraints in workflow systems

Kaijun Tan, Jason Crampton, Carl A. Gunter

Research output: Contribution to journal, Conference article, peer-review

Abstract

Workflow management systems (WFMSs) have attracted a lot of interest both in academia and the business community. A workflow consists of a collection of tasks that are organized to facilitate some business process specification. To simplify the complexity of security administration, it is common to use role-based access control (RBAC) to grant authorization to roles and users. Typically, security policies are expressed as constraints on users, roles, tasks and the workflow itself. A workflow system can become very complex and involve several organizations or different units of an organization; thus the number of security policies may be very large and their interactions very complex. It is clearly important to know whether the existence of such constraints will prevent certain instances of the workflow from completing. Unfortunately, no existing constraint models have considered this problem satisfactorily. In this paper we define a model for constrained workflow systems that includes local and global cardinality constraints, separation of duty constraints and binding of duty constraints. We define the notion of a workflow specification and of a constrained workflow authorization schema. Our main result is to establish necessary and sufficient conditions for the set of constraints that ensure a sound constrained workflow authorization schema, that is, for any user or any role that is authorized for a task, there is at least one complete workflow instance in which this user or this role executes this task.

Original language: English (US)
Pages (from-to): 155-169
Number of pages: 15
Journal: Proceedings of the Computer Security Foundations Workshop
Volume: 17
State: Published - 2004
Externally published: Yes
Event: Proceedings - 17th IEEE Computer Security Foundations Workshop, CSFW 04 - Pacific Grove, CA, United States
Duration: Jun 28 2004 to Jun 30 2004

ASJC Scopus subject areas

  • Software
