Comparison with Related Work

Existing research includes role/task-based security models for SoD, task-based authorization models, and role-based authorization for workflows. Thomas et al. [29] proposed task-based authorization control, which manages tasks by controlling their run-time execution status. They considered neither SoD nor the authorization relationships among tasks, roles and users. Schier [23] also proposed a role- and task-based security model. Although it includes authorization rules for SoD, these are merely extended from SoD in RBAC: the definition of mutually exclusive tasks is simply carried over from the definition of mutually exclusive roles, and duty-conflict relationships between tasks are not explored. The model considers neither execution dependency nor role-based authorization for workflow tasks. In contrast, this work provides a novel analysis, defines various duty-conflict relationships among tasks, and proposes various authorization rules for execution-dependent SoD.

Although several researchers have addressed role-based access control and authorization management in workflow systems, few have considered authorization planning when assigning workflow tasks to roles/users. Bertino et al. [5] proposed a flexible model for specifying and enforcing authorization constraints in workflow management systems. A logical authorization language, defined as clauses of a logic program, expresses authorization constraints on role assignments and user assignments, and a deductive approach checks the logical constraints for consistency. They also proposed algorithms for authorization planning that assign users and roles to workflow tasks without violating any authorization constraint. Their work compares with ours as follows. First, although they present examples of expressing static and dynamic SoD in the proposed authorization language, they consider neither execution dependency nor the variations of SoD that arise from different duty relationships among tasks. We, on the other hand, have defined several authorization rules for SoD based on various duty-conflict and execution-dependent relationships; the execution-dependent SoD rules enforce SoD across users' active sessions and historical sessions.

Second, the authorization planning algorithms proposed by Bertino et al. mainly find

constraints expressed in a logic language. Deductive inference must check every constraint to detect an inconsistency. Our approach differs: it finds valid assignments by verifying SoD constraints based on the duty-conflict relationships among tasks and, in particular, the execution dependency among tasks in a workflow instance, so only tasks that are both duty-conflicting and execution dependent need to be verified. Moreover, we take the AND/XOR split structure of a workflow into account when deriving execution dependency.

With the rapid growth of Internet use for business applications, running workflow management over the Internet is an inevitable trend in commerce. Ahn et al. [1] developed a system architecture for enforcing role-based access control in Web-based workflow management systems. It consists mainly of a role server that maintains user-role assignments and issues certificates carrying the client's role information. Role-based authorization proceeds as follows. The client requests a client certificate with role information, implemented as an X.509v3 certificate with role attributes, and presents it to the Web server of the workflow system. The Web server extracts the role information from the certificate and verifies whether that role grants the client the privilege to execute the task. A detailed implementation demonstrates the feasibility of the proposed system. However, the role-based authorization it enforces is still based on the simple RBAC96 model.
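The certificate-based role check in the architecture of Ahn et al. can be sketched with the following added Python example, written for this page with the `cryptography` library; it is not Ahn et al.'s implementation. The paper says only that the client certificate is an X.509v3 certificate with role attributes, so the private extension OID 1.3.6.1.4.1.99999.1 used to carry the roles, the comma-separated encoding, the role server acting as a self-signed issuer, and the task-to-role table are all assumptions made here. The detail a practitioner should not skip is that the Web server must verify the certificate's signature against the role server's key before trusting the role attribute; otherwise a client could mint its own certificate claiming any role.

```python
"""Role-carrying X.509 client certificates (constructed example, not the paper's code)."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID, ObjectIdentifier

# Assumed private-enterprise OID for the role attribute extension (hypothetical, not from the paper).
ROLE_EXT_OID = ObjectIdentifier("1.3.6.1.4.1.99999.1")
# Constructed task -> authorised roles table.
TASK_ROLES = {"submit_order": {"clerk"}, "approve_order": {"manager"}}


def _utcnow():
    # naive UTC, the form in which cryptography reports certificate validity bounds
    return datetime.now(timezone.utc).replace(tzinfo=None)


def make_role_server():
    """The role server: a self-signed CA whose key signs the role certificates."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "role-server")])
    now = _utcnow()
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=1))
        .not_valid_after(now + timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_role_certificate(ca_key, ca_cert, user, roles, lifetime=timedelta(hours=8)):
    """Role server issues a short-lived client certificate carrying the user's roles."""
    user_key = ec.generate_private_key(ec.SECP256R1())
    now = _utcnow()
    cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, user)]))
        .issuer_name(ca_cert.subject)
        .public_key(user_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=1))
        .not_valid_after(now + lifetime)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        # assumed encoding of the role attribute: comma-separated role names in a private extension
        .add_extension(x509.UnrecognizedExtension(ROLE_EXT_OID, ",".join(sorted(roles)).encode()),
                       critical=False)
        .sign(ca_key, hashes.SHA256())
    )
    return user_key, cert.public_bytes(serialization.Encoding.PEM)


def roles_from_certificate(cert_pem, ca_cert):
    """Web server side: accept the role attribute only from a certificate the role
    server actually signed and that is inside its validity period."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    if cert.issuer != ca_cert.subject:
        raise ValueError("certificate not issued by the role server")
    # Raises InvalidSignature unless the TBS bytes were signed with the role server's key.
    ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                ec.ECDSA(cert.signature_hash_algorithm))
    now = _utcnow()
    if not (cert.not_valid_before <= now <= cert.not_valid_after):
        raise ValueError("certificate outside its validity period")
    ext = cert.extensions.get_extension_for_oid(ROLE_EXT_OID).value
    return set(ext.value.decode().split(","))


def is_authorized(cert_pem, ca_cert, task):
    """True if the presented certificate verifies and carries a role authorised for `task`."""
    try:
        roles = roles_from_certificate(cert_pem, ca_cert)
    except (ValueError, InvalidSignature, x509.ExtensionNotFound):
        return False
    return bool(roles & TASK_ROLES.get(task, set()))


if __name__ == "__main__":
    ca_key, ca_cert = make_role_server()
    _, alice_pem = issue_role_certificate(ca_key, ca_cert, "alice", {"clerk"})
    print("alice submit_order :", is_authorized(alice_pem, ca_cert, "submit_order"))
    print("alice approve_order:", is_authorized(alice_pem, ca_cert, "approve_order"))
    rogue_key, rogue_cert = make_role_server()  # same CN, different key
    _, forged_pem = issue_role_certificate(rogue_key, rogue_cert, "alice", {"manager"})
    print("forged approve_order:", is_authorized(forged_pem, ca_cert, "approve_order"))
```

The forged certificate in the usage block has the same issuer name as the genuine role server, so a server that only compared names would accept it; it is the signature check that rejects it. Keeping the role certificate short-lived limits how long a revoked user-role assignment stays usable, since the example performs no revocation check.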

Atluri and Huang proposed the Workflow Authorization Model (WAM) [3]. The model associates each task with authorization templates that specify the static parameters of authorization at design time. When a task of a workflow instance starts executing at run time, the actual authorization granting a subject the right to execute the task is derived from its templates. WAM has also been extended to incorporate separation of duty constraints. Huang and Atluri [13] also presented SecureFlow, a secure Web-based workflow management system.

SecureFlow is built on WAM. A workflow authorization server, separate from the WfMS, supports the specification and enforcement of security policies based on role-based access control and separation of duty. In addition, a simple 4GL language is used to specify authorization constraints.

Botha and Eloff [6] presented the access control requirements of document-centric workflow systems. They propose a context-sensitive access control model, based on role-based access control, that prevents unauthorized access to the documents (sensitive information) used in workflow systems. The model takes conflicting tasks, conflicting users (e.g. family members) and the access history of a document into account to support dynamic SoD requirements, and is implemented with an agent-based approach.

As demand for business globalization grows, inter-organizational workflows are gaining importance in collaborative business environments, and access control mechanisms and security models have been proposed for them [2][16]. Kang et al. [16] proposed the notion of a role domain, used instead of an organization's own role structure, to specify the data access policy associated with each task of the workflow. To participate in an inter-organizational workflow, an organization maps its role structure onto the workflow's role domain; the role domain thus decouples the workflow-specific security structure from each organization's security structure. X.509 certificates provide user identity and role/organization information. The mechanism also supports context-based access control, in which data access is enforced according to the capability (context) of each task, i.e., read/write permissions on the fields of data objects. Atluri et al. [2] considered conflict of interest among competing organizations in decentralized inter-organizational workflows; their model mainly prevents sensitive dependency information or the sensitive output of a task from leaking to a task agent (organization) with a conflict of interest.

Our work compares with the literature above [1][2][3][6][13][16] as follows. First, none of them considers authorization planning for assigning workflow tasks to roles/users. In contrast, we have developed user/role/task planning algorithms for the planning-time phase and a plan-adjust algorithm for the run-time phase. The planning algorithms generate initial workflow activation plans in advance, assigning each task to a set of valid roles/users so that the SoD constraints are satisfied. The plan-adjust algorithm identifies an available user authorized to activate the current task and generates a new activation plan. Second, they consider neither execution dependency nor the variations of SoD that arise from different duty relationships among tasks, whereas we have defined several authorization rules for SoD based on various duty-conflict and execution-dependent relationships.
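The planning idea that the comparisons with Bertino et al. and with the literature above both turn on (verifying SoD only for task pairs that are both duty-conflicting and execution dependent, deriving execution dependency from the AND/XOR split structure, keeping executed tasks as history, and re-planning at run time when the planned user is unavailable) is illustrated by the following added Python example. It is constructed for this page and is not the authors' planning or plan-adjust algorithm or code: the workflow, the duty-conflict pairs, the task-role and role-user tables and the user names are all made up, and the backtracking search is a simple stand-in for the paper's algorithms.

```python
"""Toy SoD-aware workflow activation planner (constructed example, not the paper's code)."""
from itertools import product

# Workflow structure as a nested tuple: ("seq" | "and" | "xor", child, ...).
# Constructed example: t1 -> AND(t2, t3) -> XOR(t4 | t5) -> t6
WORKFLOW = ("seq", "t1", ("and", "t2", "t3"), ("xor", "t4", "t5"), "t6")

# Duty-conflict (mutually exclusive) task pairs. Constructed example data.
DUTY_CONFLICT = {frozenset(p) for p in [("t1", "t6"), ("t2", "t3"), ("t4", "t5")]}

# Task -> roles authorised to execute it, and role -> users assigned to it (constructed).
TASK_ROLES = {"t1": {"clerk"}, "t2": {"clerk", "auditor"}, "t3": {"auditor"},
              "t4": {"manager"}, "t5": {"manager"}, "t6": {"manager"}}
ROLE_USERS = {"clerk": {"alice", "bob"}, "auditor": {"bob", "carol", "frank"},
              "manager": {"dave", "erin"}}


def execution_paths(node):
    """Enumerate the task sets of every possible instance of the workflow.
    seq/and: every child runs, so combine one path from each child.
    xor: exactly one child runs, so the children's paths are alternatives."""
    if isinstance(node, str):
        return [frozenset([node])]
    kind, *children = node
    child_paths = [execution_paths(c) for c in children]
    if kind in ("seq", "and"):
        return [frozenset().union(*combo) for combo in product(*child_paths)]
    if kind == "xor":
        return [p for paths in child_paths for p in paths]
    raise ValueError(f"unknown node kind {kind!r}")


def execution_dependent(a, b, paths):
    """Two tasks are execution dependent if some instance can execute both."""
    return any(a in p and b in p for p in paths)


def needs_sod_check(a, b, paths):
    """Only pairs that are duty-conflicting AND execution dependent must be verified."""
    return frozenset((a, b)) in DUTY_CONFLICT and execution_dependent(a, b, paths)


def plan(tasks, fixed, paths, unavailable=frozenset(), prefer=None):
    """Backtracking search for a task -> (role, user) assignment of `tasks` that
    satisfies SoD among themselves and against `fixed` (assignments already made,
    i.e. tasks executed earlier in this instance or in the user's session history).
    Users in `unavailable` are never chosen; `prefer` (a previous plan) is tried
    first so that a run-time adjustment changes as little of the plan as possible."""
    prefer = prefer or {}
    assigned = dict(fixed)

    def candidates(task):
        cands = sorted((r, u) for r in TASK_ROLES[task] for u in ROLE_USERS[r]
                       if u not in unavailable)
        if task in prefer and prefer[task] in cands:
            cands.remove(prefer[task])
            cands.insert(0, prefer[task])
        return cands

    def violates(task, user):
        return any(u == user and needs_sod_check(task, other, paths)
                   for other, (_, u) in assigned.items() if other != task)

    def backtrack(i):
        if i == len(tasks):
            return True
        task = tasks[i]
        for role, user in candidates(task):
            if not violates(task, user):
                assigned[task] = (role, user)
                if backtrack(i + 1):
                    return True
                del assigned[task]
        return False

    return {t: assigned[t] for t in tasks} if backtrack(0) else None


def initial_plan():
    """Planning-time phase: an activation plan for a fresh instance (no history)."""
    return plan(["t1", "t2", "t3", "t4", "t5", "t6"], {}, execution_paths(WORKFLOW))


def plan_adjust(previous, executed, current, remaining, unavailable):
    """Run-time phase: `executed` (task -> (role, user)) is fixed history; find an
    available user for `current` and re-plan `remaining` so that SoD still holds.
    Returns None when no SoD-valid assignment exists."""
    return plan([current] + list(remaining), executed, execution_paths(WORKFLOW),
                unavailable=frozenset(unavailable), prefer=previous)


if __name__ == "__main__":
    p0 = initial_plan()
    print("initial plan:", p0)
    done = {"t1": p0["t1"], "t2": p0["t2"]}  # history of this instance
    print("carol away  :", plan_adjust(p0, done, "t3", ["t4", "t5", "t6"], {"carol"}))
    print("no auditor  :", plan_adjust(p0, done, "t3", ["t4", "t5", "t6"], {"carol", "frank"}))
```

In the constructed workflow, t4 and t5 are duty-conflicting but lie on different XOR branches, so no instance ever executes both and the planner may give them the same user, while t2 and t3 sit on an AND split and must go to different users. plan_adjust keeps the executed tasks as history, so when carol is unavailable for t3 it cannot fall back to bob, who executed the conflicting t2, and picks frank; with frank also unavailable it returns None, which the run-time phase must treat as a planning failure rather than silently relaxing the constraint.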

inter-organizational workflows. Inter-organizational workflows are gaining importance in B-to-B commerce. Our current work does not focus on inter-organizational environments, though some of the proposed work can still be applied in them. Extending our work to inter-organizational workflows requires further investigation and is left as future work.
