Workflow Access Control from a Business Perspective

Workflow management systems are increasingly used to support business processes, and methodologies have been proposed for deriving workflow process definitions from business models. These methodologies, however, do not address access control. In this paper we propose an extension to the Work Analysis Refinement Modelling (WARM) methodology that also makes it possible to derive workflow access control information from the business process model. We do this by identifying the information in business process models that is relevant to authorization (the actors, the tasks they perform and the order in which tasks occur) and showing how it can be refined, step by step, into access control information such as roles, task permissions and constraints on who may perform which tasks. Our approach reduces the effort required to define workflow access control, ensures that authorization rules are directly traceable to the business process they protect, and keeps the access control policy aligned with the information system architecture that implements the business process.
