A Secure Framework for Dynamic Task Delegation in Workflow Management Systems

Task delegation is one of the recurring themes of business process security. We currently observe a move away from strictly predefined workflow modelling towards dynamic approaches that support flexibility at the organisational level and dynamic authorisation at the security level. One such approach is task delegation. Delegation defines a mechanism that bridges the gap between workflow and access control systems. There are two important issues relating to delegation: allowing task delegation to complete, and having a secure delegation within a workflow. Delegation completion and authorisation enforcement are specified under specific constraints. These constraints are defined from the delegation context, which implies the presence of a fixed set of delegation events to control the delegation execution. In this dissertation, we aim to reason about delegation events to model task delegation and to specify delegation policies dynamically. To that end, we present an event-based task delegation model to monitor the delegation process. We then identify relevant events for authorisation enforcement to specify delegation policies. Subsequently, we propose a task-oriented access control model to address these requirements. Using our access control model, we analyse delegation constraints and specify them as authorisation policies. Moreover, we propose a technique that automates delegation policies using event calculus to control the delegation execution and to increase the compliance of all delegation changes with the existing policy of the workflow.
