Workflows in Dynamic and Restricted Delegation

Delegation is a key facility in dynamic, distributed and collaborative environments like Grids and enables an effective use of a wide range of dynamic applications. Traditional delegation frameworks approach a top-down model of delegation for delegating rights from a superior to a subordinate in advance before a delegate starts off a delegated task. However, a top-down model of delegation cannot meet all the requirements of dynamic execution of distributed applications, as in such environments, required access rights for completing a task cannot easily be anticipated in advance. Delegating fewer rights than required for completing a task may cause the task execution to fail while delegating more rights than needed may threaten abuse by malicious parties. It is therefore reasonable and more robust to utilize a mechanism that allows determining and acquiring only required rights and credentials for completing a task, when they are needed. This is what we call an on-demand delegation framework, which realizes a bottom-up delegation model and provides a just-in-time acquisition of rights for a restricted and dynamic delegation. In this paper we elaborate the concept of bottom-up delegation and describe how an on-demand delegation framework can leverage workflows to meet the requirements of the least privileges principle. We also discuss the vital need for dynamic and adaptive scientific workflows to support an ondemand delegation framework.We present three different models of bottom-up delegation, which cover a wide range of usage scenarios in Grids and dynamic collaborative environments. Using a standard RBAC authorization model and a graph-based workflow model (DAG), we define and analyze a formal model of our proposed bottom-up delegation approach.

[1]  Elisa Bertino,et al.  A flexible model supporting the specification and enforcement of role-based authorization in workflow management systems , 1997, RBAC '97.

[2]  Ravi S. Sandhu,et al.  The NIST model for role-based access control: towards a unified standard , 2000, RBAC '00.

[3]  Geoffrey Fox,et al.  Special Issue: Workflow in Grid Systems , 2006, Concurr. Comput. Pract. Exp..

[4]  Jano I. van Hemert,et al.  Scientific Workflow: A Survey and Research Directions , 2007, PPAM.

[5]  Karin Venter The Delegation Authorization Model: A Model For The Dynamic Delegation Of Authorization Rights In A Secure Workflow Management System , 2002, ISSA.

[6]  Akhil Kumar,et al.  DW-RBAC: A formal security model of delegation and revocation in workflow systems , 2007, Inf. Syst..

[7]  Vijayalakshmi Atluri,et al.  Modeling and Analysis of Workflows Using Petri Nets , 1998, Journal of Intelligent Information Systems.

[8]  Vijayalakshmi Atluri,et al.  An Extended Petri Net Model for Supporting Workflows in a Multilevel Secure Environment , 1996, DBSec.

[9]  Akhil Kumar,et al.  W-RBAC - A Workflow Security Model Incorporating Controlled Overriding of Constraints , 2003, Int. J. Cooperative Inf. Syst..

[10]  Jim Basney,et al.  Dynamic, context-aware, least-privilege grid delegation , 2007, 2007 8th IEEE/ACM International Conference on Grid Computing.

[11]  Ian T. Foster,et al.  A security architecture for computational grids , 1998, CCS '98.

[12]  Vijayalakshmi Atluri,et al.  Security for Workflow Systems , 2001, Inf. Secur. Tech. Rep..

[13]  Vijayalakshmi Atluri,et al.  An Authorization Model for Workflows , 1996, ESORICS.

[14]  Andrea Klug Workflow Handbook 1997 , 1997 .

[15]  Elisa Bertino,et al.  The specification and enforcement of authorization constraints in workflow management systems , 1999, TSEC.

[16]  Maria E. Orlowska,et al.  Analyzing Process Models Using Graph Reduction Techniques , 2000, Inf. Syst..

[17]  Edward A. Lee,et al.  Implementing BPEL4WS: the architecture of a BPEL4WS implementation: Research Articles , 2006 .

[18]  Jim Basney,et al.  Toward an On-Demand Restricted Delegation Mechanism for Grids , 2006, 2006 7th IEEE/ACM International Conference on Grid Computing.