Supporting conditional delegation in secure workflow management systems

Workflows model and control the execution of business processes in an organization. A workflow typically comprises a set of coordinated activities, known as tasks. Typically, organizations establish a set of security policies that regulate how the business process and resources should be managed. While a simple policy may specify which user (or role) can be assigned to execute a task, a complex policy may specify authorization constraints, such as separation of duties. Users may delegate the tasks assigned to them. Often such delegations are short-lived and come into play only when certain conditions are satisfied. For example, a user may want to delegate his task of check approval only when going on vacation, when a check amount is less than a certain amount, or when his workload exceeds a certain limit. In this paper, we extend the notion of delegation to allow for such conditional delegation, where the delegation conditions can be based on time, workload and task attributes. When workflow systems entertain conditional delegation, different types of constraints come into play, which include authorization constraints, role activation constraints and workflow dependency requirements. We address the problem of assigning users to tasks in a consistent manner such that none of the constraints are violated.
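The check-approval scenario above, as an added illustration that is not the paper's algorithm or code: a delegation takes effect only while its time, workload or task-attribute condition holds, and the resolved user must still be authorized and satisfy separation of duties. All names, dates, thresholds and the rule that a delegator is skipped once a delegation is active are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Optional

@dataclass
class Context:
    today: date
    task_attrs: dict   # attributes of the task instance, e.g. {"amount": 400}
    workload: dict     # user -> number of open tasks
    history: dict      # task -> user who already executed it in this instance

@dataclass
class Delegation:
    delegator: str
    delegate: str
    task: str
    condition: Callable[[Context], bool]

def sod_ok(user, task, ctx, sod_pairs):
    """Separation of duties: user must not have executed the conflicting task."""
    for a, b in sod_pairs:
        other = b if task == a else a if task == b else None
        if other and ctx.history.get(other) == user:
            return False
    return True

def resolve(task, assignee, delegations, ctx, authorized, sod_pairs) -> Optional[str]:
    """Return the user who executes `task`, or None if no consistent choice exists."""
    candidates = [d.delegate for d in delegations
                  if d.delegator == assignee and d.task == task and d.condition(ctx)]
    # Assumption: once any delegation condition holds, only delegates are tried;
    # otherwise the original assignee keeps the task.
    for user in candidates or [assignee]:
        if user in authorized[task] and sod_ok(user, task, ctx, sod_pairs):
            return user
    return None

# Constructed sample policy (hypothetical users, dates and limits).
VACATION = (date(2024, 7, 1), date(2024, 7, 14))
DELEGATIONS = [
    Delegation("alice", "bob", "approve_check",    # time + task-attribute condition
               lambda c: VACATION[0] <= c.today <= VACATION[1]
               and c.task_attrs["amount"] < 1000),
    Delegation("alice", "carol", "approve_check",  # workload condition
               lambda c: c.workload.get("alice", 0) > 5),
]
AUTHORIZED = {"approve_check": {"alice", "bob", "carol"}}
SOD = [("prepare_check", "approve_check")]
```

Returning `None` instead of silently falling back models the consistency problem the abstract raises: a delegation whose condition holds can still be unusable because the delegate would violate another constraint.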
