SOWAC: a service-oriented workflow access control model

Workflow access control is the fundamental issue in workflow security. With the development of enterprise globalization and the constant re-engineering and optimization of enterprise business, organizations have become more dynamic and their business processes change frequently. As a result, workflow access control becomes more complicated and requires a comparatively operational mechanism. To solve this problem, with a view to decoupling the workflow access control model from the workflow model, we propose a service-oriented workflow access control (SOWAC) model in this paper. In the SOWAC model, a service is the abstraction of a task and the unit for applying access control. We present the elements of the SOWAC model and illustrate the enforcement of SOWAC with an example workflow. Dynamic separation of duty for the SOWAC model is then proposed based on the authorization history of services. By applying SOWAC in a real workflow management system, we show that the SOWAC model is practical and effective.
