一個對時序工作流程管理系統進行分析的研究

國

立

交

通

大

學

資訊工程學系

博

博

博

博 士

士

士

士

論

論

論

論

文

文

文

文

一個對時序工作流程管理系統進行分析的研究

A Study to Analyzing Temporal Workflow Management System

研 究 生：許懷中

指導教授：王豐堅 教授

中

中

中

中 華

華

華

華 民

民

民

民 國

國

國

國 一

一 百

一

一

百

百

百 年

年

年

年 七

七

七

七 月

月

月

月

一個對時序工作流程管理系統進行分析的研究

A Study to Analyzing Temporal Workflow Management System

研 究 生：許懷中 Student：Hwai-Jung Hsu

指導教授：王豐堅 Advisor：Feng-Jian Wang

國 立 交 通 大 學

資 訊 工 程 學 系

博 士 論 文

A Dissertation

Submitted to Institute of Computer Science and Engieering College of Computer Science

National Chiao Tung University in partial Fulfillment of the Requirements

for the Degree of Doctor

in

Computer Science

July 2011

Hsinchu, Taiwan, Republic of China

一個對時序

一個對時序

一個對時序

一個對時序工作流程

工作流程

工作流程

工作流程管理系統進行

管理系統進行

管理系統進行

管理系統進行分析

分析的

分析

分析

的

的

的研究

研究

研究

研究

學生：許懷中 指導教授：王豐堅 博士

國立交通大學資訊工程學系 (研究所) 博士班

摘

摘

摘

摘

要

要

要

要

現代化企業利用工作流程管理系統統整文件、資訊系統以及人事組織以遂行其企業 目的，而針對工作流程進行分析，有助於尋找企業程序中所隱藏的問題，避免工作流程 執行時重複發生的錯誤，進而增進企業整體的效率；由於大部分具有良好行為之工作流 程皆可轉換為結構化工作流程，因此結構化工作流程模型是在進行工作流程結構健全性 分析時不可或缺的工具，此外，時序為進行工作流程正確性檢查、驗證以及工作流程效 率分析上必須考量之因素，在此博士論文中，我們將時序因素與結構化工作流程模型結 合統整而成一結構化時序工作流程模型，並且針對三種不同的領域，提出各自的分析方 法；在組織分析領域，針對使用任務與角色為基存取控制模型的工作流程管理系統，我 們建立了一個可以進行工作代理的執行框架，在此框架下，代理行為受到責任分擔以及 企業政策的制約，使用者可以手動進行工作代理授權，而系統也可以自動將緊急的工作 授權給適合的代理人；在資料分析領域，我們建立了一個從結構化時序工作流程中偵測 異常文件使用的方法，藉由這個方法對工作流程定義進行靜態分析，可以有效避免由於 異常資料操作所造成的系統意外行為；最後，針對資源領域，我們提出了一個可以在結 構化時序工作流程建構的過程中，進行資源一致性與時序條件分析的遞增性分析方法， 藉由我們的方法，工作流程設計者可以瞭解他所做的每一個設計決定對於整體工作流程 定義的影響，並且修正由於錯誤的設計邏輯所造成的潛在資源衝突。 關鍵字：工作流程、工作流程管理系統、結構化時序工作流程、代理、任務與角色為基 的存取控制模型、異常文件使用、資源衝突、遞增性分析方法

A Study to Analyzing Temporal Workflow Management System

Student: Hwai-Jung Hsu Advisor: Dr. Feng-Jian Wang

Institute of Computer Science and Engineering

National Chiao Tung University

ABSTRACT

In modern enterprises, Workflow Management System (WfMS) coordinates data, resources, and organizations to enact workflows for various business objectives. Analysis of workflows facilitates locating problems in business processes and prevents repeated errors during workflow enactment. Structured workflow model is a useful tool for analysis of structural integrity because most well-behaved workflows can be reduced to structured workflows. Besides, temporal factors are also essential for workflow analysis, especially for validation, verification and performance analysis of workflows. In this dissertation, we integrate temporal factors into structured workflow model as Temporal Structured Workflow (TS workflow) model, and develop three distinct approaches for analysis of TS workflows in various perspectives. For the organization perspective, a framework for delegating works among users in a WfMS coordinated with Task-Role-based Access Control (TRBAC) model is established. With the framework, delegations can be enacted manually or automatically under restrictions like separation of duty (SOD) and management of enterprise policies. For the data perspective, a methodology detecting artifact anomalies in TS workflows is developed. By analyzing workflow schemas with our methodology, the unexpected run-time behavior generated from abnormal data manipulation can be prevented. Finally, for the resource perspective, an incremental approach is constructed to analyze resource consistencies and temporal constraints during construction of a loop-reduced TS workflow (LRTS workflow). With our approach, designers may realize the effect of each edit operation they made on the workflow schema under design, and correct the potential resource conflicts buried in business processes immediately.

Keywords: Workflow, Workflow Management System (WfMS), Temporal Structured Workflow, Delegation, Task-Role based Access Control (TRBAC), Artifact Anomalies, Resource Conflicts, and Incremental Methodology

誌

誌

誌

誌

謝

謝

謝

謝

獻給在天上看顧著我的祖父

攻讀博士不僅僅是為了獲取一個學位，它是一場對於人生、自我以及真理的探索， 如今這漫長、無止盡的旅程將要來到轉捩點，為了直到今日所完成的小小成就，有很多 人值得感謝，首先要感謝我的指導教授王豐堅老師，感謝他在學術以及人生上對我的指 導與幫助，沒有老師的耐心與包容，我無法在這條道路上堅持到底；感謝我的博士論文 口試委員，朱治平教授、黃慶育教授、黃冠寰教授、梁德容教授、吳毅成教授以及黃世 昆教授，感謝各位口委的指導，讓本博士論文得以順利完成；感謝所有曾經直接或間接 參與過本論文相關研究的實驗室伙伴，許嘉麟、王建偉、王靜慧、張志絃、許熏任、楊 大立、簡璞、陳建志等等，感謝他們在本研究中的貢獻；感謝我的祖父，雖然他沒能親 眼看到我畢業，但是他一生努力掙來的這個家，撫育我成長茁壯；感謝我的祖母，她無 怨無悔的全力支持，讓我得以心無旁騖地進行研究；感謝我的父親，沒有他的一席話， 我不會踏上這條路，沒有他多年來的默默支持，我無以為繼；感謝我的母親，雖然她總 是說自己不懂我在作些什麼，但是她的關愛是我人生的明燈；感謝我的姑姑，感謝她為 這個家的奉獻，彌補了我因著忙碌而未足夠的孝道；感謝我的妻子，感謝她這些年在我 身後的付出以及容忍我的任性，我們還將攜手創造未來；最後，感謝所有曾經在這論文 以及我攻讀博士的過程中有所貢獻的人們，謝謝大家。

目錄 – Table of Contents

摘 要 ...i

ABSTRACT ...ii

誌 謝 ...iii

目錄 – Table of Contents...iv

圖目錄 – Table of Figures ...vi

表目錄 – Table of Tables...vii

定義目錄 – Table of Definitions ...viii

演算法目錄 – Table of Algorithms ...ix

輔助定理目錄 – Table of Lemmas ...x

Chapter 1. Introduction... 1

Chapter 2. Temporal Structured Workflow Model ... 6

2.1 Basic Elements ... 6

2.2 Structured Workflow... 7

2.3 Temporal Structured Workflow ... 9

2.4 Analysis of Structural and Temporal Relationships between Processes in TS workflow... 10

2.4.1 Loop Reduction ... 10

2.4.2 Analysis of Structural Relationships between Processes in LRTS workflow . 12 2.4.3 Analysis of Twisted Temporal and Structural Relationships between Processes in LRTS workflow ... 16

Chapter 3. A Delegation Framework for WfMS based on Task-Role based Access Control and TS workflow ... 21

3.1 Background... 21

3.1.1 Task-Role based Access Control Model ... 21

3.1.2 Delegation Approaches in RBAC and TRBAC... 22

3.1.3 Separation of Duty... 24

3.2 Task and Role Model ... 24

3.3 Delegation Framework for WfMS on TRBAC ... 27

3.3.1 The properties of Delegation ... 27

3.3.2 Delegatee Decision ... 29

3.3.3 Delegation from System Request ... 32

3.3.4 Delegation from User Request ... 34

3.3.5 Revocation ... 36

3.4 Case Study ... 39

3.5 Discussion... 41

4.1 Artifact Anomalies in TS workflow... 43

4.1.1 Artifact Operations ... 43

4.1.2 Artifact Anomalies ... 45

4.2 The Methodology Detecting Artifact Anomalies in LRTS workflow ... 47

4.2.1 Gathering Structural, Temporal, Artifact Information in LRTS workflow... 47

4.2.2 Collecting Structural and Temporal Relationships between Artifact Operations in LRTS workflow ... 49

4.2.3 Detecting Blank Branch ... 57

4.2.4 Identifying Artifact Anomalies in an LRTS workflow ... 59

4.3 Case Study ... 66

4.4 Discussion... 70

4.4.1 Related Works in Analysis of Artifact Anomalies ... 70

4.4.2 Comparison between Our Approach and the Related Works ... 72

Chapter 5. Incremental Detection of Resource Conflicts in LRTS Workflow ... 74

5.1 Resource Conflicts in LRTS workflow ... 74

5.2 Edit Operations for LRTS workflow ... 75

5.3 An Incremental Algorithm Detecting Resource Conflicts in TS workflow... 80

5.3.1 Updating Estimated Active Interval for Processes after Edit Operation ... 80

5.3.2 Identifying Generation or Elimination of Resource Conflicts after Adding/Removing a Resource Reference to/from an Activity Process... 82

5.3.3 Identifying Generation or Elimination of Resource Conflicts after Alteration of EAIs... 84

5.3.4 Combining the Algorithms with Edit Operations ... 87

5.4 Case Study ... 89

5.4.1 Case 1: Adding a Resource Reference... 90

5.4.2 Case 2: Modification of the Working Duration of an Activity Process ... 90

5.4.3 Case 3: Removing an Activity Process... 91

5.5 Related Works... 92

Chapter 6. Conclusion and Future Works... 95

圖目錄 – Table of Figures

Figure 1 The Graphic Notations of the Basic Workflow Elements ... 7

Figure 2 Building Blocks of a Structured Workflow... 8

Figure 3 A Sample Structured Workflow... 9

Figure 4 A Sample TS workflow ... 10

Figure 5 Refined Loop Reduction for TS Workflow Model ... 11

Figure 6 Calculation of ABStacks for Processes in an LRTS Workflow... 14

Figure 7 A Sample TS workflow with ABStacks and EAIs ... 15

Figure 8 The Temporal Relationships between Time Intervals [39] ... 16

Figure 9 Calculation of EAIs in an LRTS Workflow [34][37] ... 18

Figure 10 The TRBAC Model [17] ... 21

Figure 11 The Process for Delegation from User Request ... 35

Figure 12 (a) The Sample TS Workflow Specification, (b) The Sample Role Hierarchy and User Assignment, and (c) The Information about Tasks, Mutually-exclusive Tasks, and Authorization Applications ... 39

Figure 13 The Artifact State Transit Diagram ... 45

Figure 14 Examples for Nestedly Organized Decision and Parallel Structures ... 54

Figure 15 An Example of a Blank Branch... 58

Figure 16 The Sample TS Workflow for the Case Study in Chapter 4... 66

Figure 17 The Sample LRTS Workflow Derived from Figure 16 with Decoration of EAIs and ABStacks... 67

Figure 18 The Sample LRTS Workflow for the Case Study in Chapter 5... 89

Figure 19 The Sample LRTS Workflow after Adding a New Resource Reference ... 90

Figure 20 The Sample LRTS Workflow after Modification of a Working Duration... 91

表目錄 – Table of Tables

Table 1 Classes of Tasks in TRBAC Model [17]... 22

Table 2 Comparison of Characteristics of Various Delegation Models... 41

Table 3 Artifact Operation List for a, and the Corresponding Concurrent Operations ... 67

Table 4 The Output State of the Operations before op9 is Calculated ... 68

定義目錄 – Table of Definitions

Definition 1 (Workflow Model)... 7

Definition 2 (Path) ... 7

Definition 3 (Structural Relationships in a Structured Workflow) ... 9

Definition 4 (TS workflow)... 10

Definition 5 (Branch Mark)... 13

Definition 6 (ABStack)... 13

Definition 7 (Time Intervals)... 17

Definition 8 (Time Descriptions)... 17

Definition 9 (Estimated Active Interval) ... 18

Definition 10 (Structural and Temporal Relationships in LRTS workflow) ... 20

Definition 11 (Task)... 25

Definition 12 (TS workflow Instance and Task Instance) ... 25

Definition 13 (User) ... 26

Definition 14 (Role) ... 26

Definition 15 (The Role Hierarchy) ... 27

Definition 16 (Delegation Record) ... 28

Definition 17 (Delegation Records in Task Instances) ... 28

Definition 18 (Mutually Exclusive Tasks)... 30

Definition 19 (Instance Level SOD constraints) ... 30

Definition 20 (Authorization Form) ... 35

Definition 21 (Approved Form) ... 36

Definition 22 (Artifact Model in TS workflow) ... 45

Definition 23 (Artifact Operation List) ... 47

Definition 24 (Relationships between Artifact Operations) ... 49

Definition 25 (Records of Relationships between Artifact Operations)... 50

Definition 26 (Directly Before) ... 51

Definition 27 (The List of Operations with Smaller LET than Operation op) ... 51

Definition 28 (Set of Operation Sets derived from DB4op) ... 54

Definition 29 (Records of Artifact States) ... 60

Definition 30 (Artifact Anomaly Table) ... 62

Definition 31 (Resources)... 74

Definition 32 (Resource Conflict) ... 75

Definition 33 (Basic LRTS workflow) ... 76

演算法目錄 – Table of Algorithms

Algorithm 1 Delegation Algorithm - DA... 28

Algorithm 2 Removing Users Causing Delegation Loop - RUDL ... 29

Algorithm 3 Removing Users Involved in Mutually-Exclusive Tasks - RUMET ... 30

Algorithm 4 Removing Inappropriate Users - RIU ... 31

Algorithm 5 Discovering the Role Hierarchy - DRH ... 32

Algorithm 6 Delegation from System Request - DSR... 34

Algorithm 7 Handle Forthcoming Delegation - HFD ... 36

Algorithm 8 Revocation Algorithm - RA... 37

Algorithm 9 Information Gathering - IG... 48

Algorithm 10 Identifying Concurrent Operations - ICO ... 50

Algorithm 11 Collecting Directly Before Operations – CDBO... 51

Algorithm 12 Collecting Directly Before Operation Sets - CDBOPS... 55

Algorithm 13 Detecting Blank Branch - DBB... 58

Algorithm 14 Gathering Input States of an Operation - GIS ... 60

Algorithm 15 Identifying Artifact Anomalies for No Operations - IAAN ... 62

Algorithm 16 Identifying Artifact Anomalies for Definitions - IAAD ... 62

Algorithm 17 Identifying Artifact Anomalies for Kills - IAAK... 63

Algorithm 18 Identifying Artifact Anomalies for Usages - IAAU... 63

Algorithm 19 Identifying Artifact Anomalies - IAA... 65

Algorithm 20 Calculate EAI - CEAI... 80

Algorithm 21 Detecting Resource Conflict for New Resource Reference - DRCNRR... 83

Algorithm 22 Updating Resource Conflict for Removal of Resource Reference - URCRRR . 83 Algorithm 23 Detecting Resource Conflict after EAI Expansion - DRCEE... 87

輔助定理目錄 – Table of Lemmas

Lemma 1 ... 12 Lemma 2 ... 15 Lemma 3 ... 19 Lemma 4 ... 19 Lemma 5 ... 20 Lemma 6 ... 31 Lemma 7 ... 49 Lemma 8 ... 52 Lemma 9 ... 56 Lemma 10 ... 56 Lemma 11 ... 82 Lemma 12 ... 84 Lemma 13 ... 85

Chapter 1. Introduction

Enterprises define their business objectives in business processes, and workflows

automate the business processes by completing tasks which realize parts of business goals in a

particular order [1]. As a dominant factor in workflow management, developing appropriate

analysis techniques for workflows is necessary [2]. Irani et al. state that workflow analysis

facilitates locating problems in business processes and preventing repetition errors during

workflow enactment. [3]. Vergidis et al. claim that workflow analysis adopts a range of

different tactics such as simulation, diagnosis, validation, verification, and performance

analysis to clarify the characteristics, potential conflicts, possible bottlenecks and any

promising process alternatives [4].

To assure the correctness of workflow execution, analyses on structural integrity of

workflows are widely studied. Adam’s methodology detects inconsistent dependencies among

tasks to assure the safety of a workflow [5]. van der Aalst et al. develop effective Petri-net based

techniques to verify deadlocks, livelocks (infinite loops), and dead tasks from workflow

schemas [2][6][7]. In [8], Kiepuszewski et al. define structured workflow model and claim that

a structured workflow is well-behaved, i.e. free from deadlock and multiple active instances of

the same activity. Kiepuszewski et al. also claim that although structured workflow model is

less expressive, most arbitrary well-behaved workflows can be transformed into a structured

workflow, and structured workflow model is a good tool for various kinds of workflow

analysis.

Besides, combining timing constraints into analysis of workflow models is also familiar.

dependencies with temporal constraints in a workflow schema [9]. Adam et al. consider timing

constraints as the external conditions for structural correctness of a Petri-net based workflow

model [5]. Chen et al. develop an approach for dynamic verification of fixed-time constraints in

grid workflow system [10]. From a graph based workflow model, Eder et al. develop a timed

graph model to illustrate the working duration of activities among workflows with the

corresponding earliest and latest finish time, and calculate the deadlines among internal

activities to meet the overall temporal constraints on the basis of the model [11][12].

Marjanovic et al. build the timing model based on duration and instantiation space, and model

the absolute and relative deadline constraints for dynamic verification [13]. Zhuge et al.

consider durations of activities for temporal checking in both design-time and run-time and

model the temporal factors in workflows as timed workflow model for further analysis. [14]

For the organization perspective, modern WfMS regulates activities of employees through

varieties of access control methods. Among the methods, role-based access control (RBAC)

model [15][16] grouping users with similar permissions into roles is a popular solution among

enterprises. However, business processes are operated based on not only roles but also tasks.

With both as core concepts, Oh et al. propose task-role-based access control (TRBAC) model to

provide more modeling power for access control in WfMS [17]. Delegation which allows

subjects like access rights or work items being authorized between users or roles during

run-time is an interesting problem for workflow management [18] and is often studied on the

basis of the corresponding access control model. For example, RBDM0 [19], RBDM1 [20], and

the methods in [21], [22], and [23] describe various delegation models based on RBAC

[15][16]. On the basis of RBAC, Crampton et al. describe an approach to manage delegation in

WfMS, and raise several new issues about delegation of tasks for work-list-based WfMS [18].

Delegation for TRBAC is also studied in [24] and [25]. Jian et al. construct a framework and

considering temporal issues in [25].

A well-structured workflow may still fail or produce unanticipated run-time behavior

because of abnormal data manipulation, the artifact anomalies. Detect artifact anomalies in

workflows checks possible data misuse buried in workflow specifications. Various

methodologies have been developed for detection of artifact anomalies generated from

structural relationships between activities in a workflow [26][27][28][29][30]. Sadiq et al.

present seven basic data validation problems, redundant data, lost data, missing data,

mismatched data, inconsistent data, misdirected data, and insufficient data in structured

workflow model [26][31]. Hsu et al. define preliminary improper artifact usages anomalies, and

introduce the analysis of such anomalies in design phase of a structured workflow [27][28]. In

[29], Wang et al. introduce a behavior model to describe the data behavior in a workflow and

refine the work accomplished in [28] by improving its efficiency. In [30], Hsu et al. raise the

issues about analyzing artifact anomalies in workflows adopting message passing data models,

and describe a formal description for such anomalies. Nevertheless, how temporal factors may

affect the analysis of artifact anomalies is still seldom addressed. The methodology detecting

artifact anomalies generated from twisted temporal and structural relationships between

activities in workflows should be further discussed on the basis of the previous studies.

As for the resource perspective, Reveliotis et al. construct a Petri-based model with

consideration of resource allocation, and uses the model for structural and deadlock analysis of

workflow applications [32][33]. Based on Zhuge’s work [14], Li et al. estimate the active

intervals of activities, and develops an algorithm to detect and remove resource conflicts with

respect to both temporal and structural issues [34]. Zhong et al. adopt Li’s methodology [34]

onto a petri-net based workflow model, and develop an algorithm to detect resource conflicts

when a new workflow being put into WfMS during run-time [35]. Based on [36], Hsu et al.

workflows with temporal consideration during design-time [37]. The generation or elimination

of resource conflicts are tracked and alerted along with each edit operation made by designers

of workflows [37]. However, the technique for structural analysis adopted in [37] is inefficient

and can be revised with the methods proposed in [30].

In this dissertation, structured workflow modeled in [8] is extended as temporal structured

workflow (TS workflow) model with the temporal issues considered in [34] and [37]. The

techniques for structural and temporal analysis on TS workflows are first introduced, and the

methodology to analyze TS workflows in organization, data, and resource perspectives are then

discussed. For the organization perspective, the works accomplished in [25] are refined to adopt

TS workflow model for temporal constraints. A delegation framework for the WfMS

coordinated with TRBAC model is established, and a series of algorithms for delegation of task

instances and exploration of delegatees are developed. With the framework, a user is able to

delegate his work to another user through an approval process, and WfMS can automatically

delegate an emergent work item to an appropriate delegatee. The constraints such as

elimination of delegation loops and separation of duty (SOD) are validated for delegation

requested by either users or WfMS during run-time. As for the data perspective, a formal model

describing artifact anomalies in TS workflow is established on the basis of define-use-kill

operations. The issues about the artifact anomalies produced from twisted structural and

temporal relationships between activities in a TS workflow are discussed and modeled. The

methodology for static analysis of artifact anomalies buried in a TS workflow is developed.

Finally, for the resource perspective, the incremental methodology accomplished in [37] is

refined to integrate TS workflow model and the analysis techniques proposed in [30]. The edit

operations for constructing loop-reduced TS workflows (LRTS workflows) are first stated, and

the methodology tracking down the generation and elimination of resource conflicts along with

The rest part of this dissertation is organized as following. In chapter 2, TS workflow

model is sketched. The basic elements and the construction rules for TS workflow are described

and the methods for analysis of temporal and structural properties in TS workflows are

introduced. In chapter 3, a delegation framework for the WfMS coordinated with TRBAC

model is introduced. In chapter 4, artifact operations and the corresponding artifact anomalies

are first introduced, and the methodology detecting artifact anomalies in TS workflows is then

described accordingly. In chapter 5, an incremental methodology tracking down the resource

conflicts generated or eliminated in the steps of construction of an LRTS workflow is presented.

The related works for each of the above topics are discussed separately at the end of the

Chapter 2. Temporal Structured Workflow Model

2.1 Basic Elements

A workflow is composed of a start process, an end process, some activity processes and

some control processes. The start (ST) process represents the entry point of a workflow, and the

end (END) process indicates the termination point. An activity (ACT) process stands for a piece

of work to be performed and describes one logical step within a workflow [1].

A control process is a routing construct used to control the divergence and convergence of

sequence flows. The control processes can be classified as AND-split (AS), AND-join (AJ),

XOR-split (XS), and XOR-join (XJ). An AND-split process within a workflow splits a single

sequence of control into two or more sequences to allow simultaneous execution of activities;

on the contrary, an AND-join process merges multiple parallel executing sequences into a

single common sequence of control [13]. An XOR-split process within a workflow is the point

where a single sequence of control decides a branch to take from multiple alternative branches,

and an XOR-join process converges multiple alternative branches in a workflow [13].

Processes are connected by directed flows, the flow(s) leading to a process are called the

in-flow(s) of the process, and the flow(s) departing from a process are called the out-flow(s) of

the process. The process starting a flow is the source process of the flow, and the process ending

a flow is the sink process of the flow. In a workflow, only AND-split and XOR-split processes

have multiple out-flows, and only AND-join and XOR-join processes have multiple in-flows.

Figure 1 The Graphic Notations of the Basic Workflow Elements

With all the descriptions above, a workflow is modeled as following:

Definition 1 (Workflow Model) A workflow w, w = (Pw, Fw, s, e). and

Pw represents the set of the processes in w, and

∀p∈Pw, p.type∈{ACT, AS, AJ, XS, XJ, ST, END}

Fw⊆Pw×Pw represents the set of flows in w.

∀f∈Fw,f = (p, q) is the in-flow of process q and the out-flow of process p, and

p is the source process of f, and q is the sink process of f.

s∈Pw represents the start process of w, s.type = ST, ∃ no in-flow to s.

e∈Pw represents the end process of w, e.type = END, ∃ no out-flow from e.

* In this dissertation, “=” denotes an assignment operator and “==” denotes a Boolean equality operator

A sequence of flow(s) forms a path, and is formally modeled as following:

Definition 2 (Path)

A path is notated as a series of processes quoted by a pair of angle brackets.

For a workflow w, a path, <p1, p2, …, pk>, from p1 to pk exists if and only if (p1, p2),

(p2, p3), … (pk-1,pk)∈Fw.

2.2 Structured Workflow

A structured workflow is a workflow that is syntactically restricted in a number of ways.

Control processes are organized in pair, an XOR-split process is paired with an XOR-join

process, and an AND-split process is paired with an AND-join process. A control block is

composed of a pair of control processes and the processes placed in between the pair of control

processes. According to the type of the control processes, the control blocks can be classified as

parallel structures, decision structures, and structured loops as Figure 2 illustrates. Each process

from it to the end process. Such restriction keeps a structured workflow well-behaved [4], i.e. a

structured workflow is free from deadlocks and multiple active instances. Most arbitrary

well-behaved workflows can be transformed to be structured without loss of their contexts [4].

Figure 2 shows the building blocks of a structured workflow according to the basic elements

and constraints described above.

Figure 2 Building Blocks of a Structured Workflow

All the processes between the start and the end process in a structured workflow are

organized with the building blocks shown in Figure 2. For Figure 2(c) and Figure 2(d), the

blocks X1, X2, …, and Xn represent the branches split and converged in a parallel structure or a

decision structure. Besides, in Figure 2(e), the structured loop acts like a do-while loop when

block Y is null, and acts like a while loop when block X is null. Figure 3 illustrates the control

Figure 3 A Sample Structured Workflow

Two processes are reachable from one to the other if there exists a path between them,

parallel if they reside on different branches of a parallel structure, and exclusive to each other if

they reside on different branches of a decision structure. Take Figure 3 for example. The path

<v1, xs1, v2, v3> indicates that v1 is reachable to v3. v3 and v4 are parallel because they reside on

different branches split from as1. v2 and v8 are exclusive because they reside on different

branches of the decision structure quoted by xs1 and xj1. In this dissertation, the above structural

relationships between processes are notated as following Boolean functions:

Definition 3 (Structural Relationships in a Structured Workflow) For a structured workflow w,

Reachable: Pw×Pw⇒{true, false}

Reachable(p, q) holds if and only if there exists a path from p to q. Parallel: Pw×Pw⇒{true, false}

Parallel(p, q) holds if and only if p and q reside in different branches of a parallel structure.

Exclusive: Pw×Pw⇒{true, false}

Exclusive(p, q) holds if and only if p and q reside in different branches of a decision structure.

2.3 Temporal Structured Workflow

In [14], Zhuge models timed workflow by describing the maximal and minimum working

durations for each activity. In this dissertation, a timed and structured workflow is named as a

Definition 4 (TS workflow)

A workflow w is temporal structured with following properties: (1) w is structured, and

(2) ∀p∈Pw,d(p) and D(p) represents the minimum and maximum working duration

of process p.

To facilitate discussion, we assume that if p is an activity process, 0 < d(p)≤D(p); otherwise, d(p) = D(p) = 0. Figure 4 illustrates a sample TS workflow.

Figure 4 A Sample TS workflow

2.4 Analysis of Structural and Temporal Relationships between Processes in TS workflow

2.4.1 Loop Reduction

The structural and temporal relationships between processes are the bases of any further

analysis of a TS workflow. In [9], [11], and [12], Hsu et al. give several methodology to reveal

the structural and temporal relationships between processes in acyclic structured and timed

workflows. In [28] and [29], Hsu and Wang et al. claim that in a structured workflow, all the

possible state variations of the artifact operated in loops with more than two iterations are the

same as those with exact two iterations. Therefore, they reduce a structured loop into a decision

structure with three branches representing for no iteration, a single iteration, and two iterations

for the analysis of artifact anomalies with better efficiency. In this dissertation, we adopt an

approach similar to [7] and [8] to reduce the structured loops in a TS workflow as decision

structures to retrieve structural and temporal information in a TS workflow as in [9], [11], and

In a TS workflow, the number of iterations of a loop affects the active timing of processes

succeeding to the loop. The loop reduction introduced in [7] and [8] may bring inaccuracy to the

analysis of temporal factors, and is therefore not feasible for TS workflow. In [38], Leong

considers the worst case scenarios for loops in a workflow and develops a methodology to

detect whether the workflow possibly exceeds its deadline during run-time. Here, we combine

Leong's concept and the methodology in [7] and [8] to describe a refined loop reduction method

for the analysis of TS workflow.

First, it is assumed that the maximal number of iterations for a structured loop in a TS

workflow is finite. In other words, the infinite loops are not discussed in this study. Based on the

assumption, a structured loop is transformed into a decision structure with three branches: no

iteration, a single iteration, and maximal iterations as Figure 5 illustrates.

Figure 5 Refined Loop Reduction for TS Workflow Model

The refined loop reduction bring following advantage: (1) All the possible state variations

of artifacts between iterations are still completely captured, (2) the active intervals of the

processes succeeding to the structured loop can still be accurately estimated because the worst

case scenario is considered, and (3) the methodology for acyclic structured workflow can be

adopted in TS workflow because the structured loops are reduced. In this dissertation,

2.4.2 Analysis of Structural Relationships between Processes in LRTS workflow

The structural relationships between activity processes are the groundwork for analysis of

TS workflow, and are described and proved in the following lemma.

Lemma 1

For an LRTS workflow w, p and q∈Pw, and p.type == q.type == ACT, one and

exactly one of the following statements, Reachable(p, q), Reachable(q, p), Parallel(p, q), and Exclusive(p, q), holds.

Proof:

An LRTS workflow is still structured, and the lemma can be proved through the discussion of the construction rules of a structured workflow. Because a single activity process is a basic building block of a structured workflow, p and q can always be distributed into two different building blocks combined in a sequence, a parallel structure, or a decision structure illustrated in Figure 2.

Let bp and bq be the building blocks containing p and q separately. If bp and bq is

combined in a sequence block, p and q are reachable from former to the later. Since w is loop-reduced, i.e. w is loop free, if Reachable(p, q) holds, Reachable(q, p) is false, and vice versa. Besides, according to the construction rules, there exist no paths between the building blocks split from an XOR/AND-split process. Therefore, Parallel(p, q) and Exclusive(p, q) can not hold in this case.

Otherwise, if bp and bq is combined in a decision block, bp and bq represents different

branches split from the XOR-split process starting the decision structure. In other words, p and q resides in different branches of a decision structure, and therefore, Exclusive(p, q) holds. Since w is loop-reduced, there exist no paths between p and q, both Reachable(p, q) and Reachable(q, p) are false. On the other hand, according to the construction rules, since bp and

bq reside on different branches of a decision structure, they can not reside in different branches

of a parallel structure. Therefore, Parallel(p, q) does not hold. With similar reason, we can also show that when Parallel(p, q) holds, none of Reachable(p, q), Reachable(q, p), and Exclusive(p, q) holds, and hence, Lemma 1 is shown correct with all the statements above. □

In [9], Hsu et al. use a data structure, ABStack, to record the structural information of

processes, and achieve an efficient analysis of the structural relationships between processes in

an acyclic structured workflow. In this dissertation, the similar approach is adopted. All the

flows in an LRTS workflow are tagged with a branch mark. The branch mark is a natural

in the LRTS workflow. The branch mark in this dissertation is formally defined as following.

Definition 5 (Branch Mark) For an LRTS workflow w, BMw: Fw⇒INTEGER ∀(p, p’)∈Fw,    − ∈ = otherwise 1 AS) (XS, if number natural a )) ' , (( BMw p p p.type

For p, q, q’∈Pw, p.type∈{XS, AS}, and (p, q), (p, q’)∈Fw,

BMw((p, q)) ≠ BMw((p, q’))

A process in an LRTS workflow might reside in nested decision/parallel structures, and the

structures are recorded in the ABStack corresponding to the process. Each of the structures is

presented as a structural item composed of the split process starting the structure and the branch

mark mapped to one of the out-flows of the split process. In the dissertation, an ABStack is

notated as a series of structural items quoted by a pair of double angle brackets, “«” and “»”.

The items representing the inner structures are recorded higher in the ABStack, where the

leftmost item is the top of the stack and the rightmost item is the bottom. The definition of an

ABStack is formally described as following.

Definition 6 (ABStack)

∀p∈Pw, p.abstack represents the ABStack corresponding to p.

A structural item, stitem = (sp, bm), is included in p.abstack if and only if

(1) sp∈Pw, sp.type∈{AS, XS}, and ∃a path <sp, …, p, …, jn> in w where jn is the

corresponding join process of sp.

(2) bm = BM( (sp, p’) ) where p’ == p or Reachable(p’, p) == true.

p.abstack == « » if and only if p resides in no decision/parallel structure.

p.abstack == «(sp1, bm1), (sp2, bm2), …, (spk, bmk)» exists if and only if a path

<spk, …, sp2, …, sp1, …, p, …, jn1, …, jn2, …, jnk> exists.

To calculate ABStacks of the processes in an LRTS workflow, push and pop functions associated with ABStack are defined as following:

Let an ABStack abs == «(sp1, bm1), (sp2, bm2), …, (spk, bmk)»

Push( abs, (sp, bm) ) returns a new ABStack abs’, where

abs’ == «(sp, bm), (sp1, bm1), (sp2, bm2), …, (spk, bmk)»

Pop( abs ) returns a new ABStack abs’, where

Figure 6 illustrates how push and pop functions work for the calculation of the ABStacks

corresponding to the processes in an LRTS workflow.

Figure 6 Calculation of ABStacks for Processes in an LRTS Workflow

Figure 7 illustrates a sample LRTS workflow decorated with ABStacks. Take process v5

for example. The items (as1, 2), and (xs1, 1) in the ABStack of v4 shows that v4 resides on #2

branch split from the AND-split process as1 and #1 branch split from the XOR-split process xs1.

The order of (as1, 2) and (xs1, 1) indicates that the parallel structure started from as1 is nestedly

Figure 7 A Sample TS workflow with ABStacks and EAIs

Besides, the structural items (as1, 1) and (as1, 2) in the ABStacks of v4 and v5

correspondingly indicate that v4 and v5 reside on different branches split from AND-split

process, as1. In other words, v4 and v5 are parallel. The parallelism or exclusiveness between

processes can be identified through comparing the ABStacks of the corresponding processes,

and Lemma 2 shows how ABStacks work for identification of structural relationships between

processes in an LRTS workflow.

Lemma 2

For an LRTS workflow w, and p, q∈Pw

(1) Parallel(p, q) holds if and only if

∃(sp, bm)∈p.abstack and (sp, bm’)∈q.abstack where sp∈Pw, sp.type == AS and

bm ≠ bm’.

(2) Exclusive(p, q) holds if and only if

∃(sp, bm)∈p.abstack and (sp, bm‘)∈q.abstack where sp∈Pw, sp.type == XS and

bm ≠ bm’.

Proof:

Consider the if-part of statement (1), according to Definition 6, if ∃(sp, bm)∈p.abstack

and (sp, bm’)∈q.abstack where sp∈Pw, sp.type == AS and bm ≠ bm’, there exists a process m

that bm == (sp, m), and m is either equivalent to p or Reachable(m, p) holds. Similarly, there exists another process n for q. bm ≠ bm’ indicates that m ≠ n, and p and q reside on different branches split from the AND-split process, sp. Thus Parallel(p, q) holds and the if part is shown correct.

As for the only-if-part, if Parallel(p, q) == true, p and q reside on different branches of a parallel structure. Let sp be the AND-split process starting the parallel structure, and jn be the

AND-join process terminating it. The nodes in the path from sp to p are totally different from those in the path from sp to q. Besides sp and jn, two distinct paths, <sp, …, p, …, jn> and <sp, …, q, …, jn>, exist. Therefore, there exists a process m that (sp, m)∈Fw and either m is

equivalent to p or Reachable(m, p) == true. Similarly, there also exists such a process n for q.

m and n can not be the same process because they reside on different branches split from sp,

and thus, BM(sp, m) ≠ BM(sp, n). According to Definition 6, (sp, BM(sp, m)) is included in

p.abstack, and (sp, BM(sp, n)) is included in q.abstack. The only-if part of statement (1) of

the lemma is proved.

Part (2) can be proved similarly and the proof is omitted here. With the paragraphs above, Lemma 2 is shown correct.□

2.4.3 Analysis of Twisted Temporal and Structural Relationships between Processes in LRTS

workflow

In a TS workflow, the temporal and structural relationships between processes are twisted.

This section firstly shows how to identify the temporal property between processes.

Figure 8 The Temporal Relationships between Time Intervals [39]

A time interval is duration of a segment of time. In [39], Allen defines seven reasoning

relationships between time intervals. Figure 8 illustrates the temporal relationships adopted in

definition of time intervals and the temporal relationships between time intervals adopted in

this dissertation.

Definition 7 (Time Intervals)

A time interval ti = [S(ti), E(ti)] indicates a duration from the time point S(ti) to E(ti), E(ti)≥S(ti).

A time point tp can be represented as a time interval [tp, tp], and ctime is the time point indicating the current time.

For any two time intervals ti1 and ti2,

ti1 is before ti2, notated as ti1pTIti2, if and only if E(ti1)≤S(ti2).

ti1 is after ti2, notated as ti1fTIti2, if and only if ti2 is before ti1.

ti1 overlaps ti2, notated as ti1≈TIti2, if and only if

MIN({E(ti1), E(ti2)}) – MAX({S(ti1), S(ti2)}) > 0

ti2 contains ti1, notated as ti2⊇TIti1, if and only if S(ti2)≤S(ti1) and E(ti2)≥E(ti1).

In Definition 7, two utility functions MAX and MIN are invoked. Function MAX returns

the element with the maximum value among the parameter set, and function MIN returns the

minimal one.

In [23] and [40], Joshi et al use not only individual time intervals but also the periodic

temporal expressions to describe the temporal constraints in roles for temporal RBAC model.

For example, the expression “the night time duty is activated 6pm to 11pm every Wednesday

and Friday” indicates that the permissions for night time duty are activated during certain

repeated time durations. The periodic temporal expressions can be viewed as a combination of

multiple time intervals, and are grouped as a time description as following definition.

Definition 8 (Time Descriptions)

A time description td is a set of time intervals. For any two time intervals tiz and tiy

in td, tix and tiy are exclusive. On the other hand, for any two non-empty time

description tda and tdb, tda contains tdb notated as tda⊇TDtdb if and only if

Figure 9 Calculation of EAIs in an LRTS Workflow [34][37]

In [34] and [37], the minimum and maximum working durations are used to estimate the

active duration of a process corresponding to the start of workflow. The Estimated Active

Interval (EAI) of a process is a time interval indicating when the process can be initialized and

when it should be terminated. In this dissertation, the Estimated Active Interval of a process p,

notated as EAI(p) is defined as following:

Definition 9 (Estimated Active Interval) For a TS workflow w and a process p∈Pw,

EAI(p) = [EST(p), LET(p)], and corresponding to when w starts: EST(p) indicates the earliest time that p can be initialized. LET(p) indicates the latest time that p must terminate.

With the assumption that the EST and LET of the start process of a TS workflow are zero,

the methodology described in [34] and [37] is adopted to calculate the EAIs of processes in an

LRTS workflow as Figure 9 illustrates.

With Lemma 1 and Lemma 2, whether two processes in an LRTS workflow are

exclusive, parallel, or reachable from one to the other is identified with corresponding

the corresponding EAIs, and the following lemmas show how EAIs can be adopted in

analysis of LRTS workflow.

Lemma 3

For an LRTS workflow w, p and q∈Pw, q.type == ACT,

if Reachable(p, q), LET(p) < LET(q) Proof:

Reachable(p, q) represents that the path <p, m1, m2, …, mn, q> exists. Now we prove the

lemma with mathematical induction. For n = 0, (p, q)∈Fw, since q.type = ACT, D(q) > 0 and

LET(q) = LET(p) + D(q). LET(p) < LET(q) holds. Hypothesis: The lemma holds when n < k.

For n = k, LET(q) = LET(mk) + D(q) and LET(mk) < LET(q). According to the

construction rule of TS workflow, mk.type ≠ S, E, and mk.type∈{AS, XS, AJ, XJ, ACT}. The

following conditions should be discussed:

For any 1≤i≤k, if there exists an mi where mi.type = ACT, according to the hypothesis,

LET(p) < LET(mi) and LET(mi) < LET(q). Therefore, LET(p) < LET(q). Otherwise, for any

1≤i≤k, mi.type∈{AS, XS, AJ, XJ}, according to the EAI calculation methods, for any (u, mi)

∈Fw, LET(u)≤LET(mi). Since there exists a path from p to mi, LET(p)≤LET(mi). On the

other hand, according to the hypothesis, LET(mi) < LET(q). Therefore, LET(p) < LET(q).

With statements above, we know the lemma holds for n = k, and on the basis of mathematical induction, Lemma 3 is proved. □

Lemma 4

For an LRTS workflow w, p and q∈Pw, p.type == q.type == ACT,

if Parrallel(p, q) == Exclusive(p, q) == false, and LET(p) < LET(q), Reachable(p, q) == true.

Lemma 4 can be shown correct with Lemma 1 and the construction rule of LRTS

workflow. Lemma 4 describes that if two activity processes in an LRTS workflow are not

mutually parallel or exclusive, the process with larger LET is reachable from the process with

smaller LET. From Lemma 1, we know that in an LRTS workflow, two processes are either

parallel, exclusive, or reachable from one to the other. Therefore, Lemma 4 can be re-stated as

Lemma 5 that if two activity processes in an LRTS workflow are reachable from one to the

Lemma 5

For an LRTS workflow w, p, q∈Pw, p.type == q.type == ACT,

If (Reachable(p, q)⊕Reachable(q, p)) == true, and LET(p) < LET(q), Reachable(p, q) == true.

On the other hand, two processes are concurrent if and only if they are structurally parallel

and overlapped in EAIs. On the basis of Lemma 5, a process is before another one if one of the

following statements holds, (1) the latter is structurally reachable from the former, and (2) they

are structurally parallel and the EAI of the former is before the EAI of the latter. The definition

of the structural and temporal relationships in LRTS workflow is formally described as

following.

Definition 10 (Structural and Temporal Relationships in LRTS workflow) For an LRTS workflow w,

Concurrent: Pw×Pw⇒{true, false}

Concurrent(p, q) == true if and only if

( Parallel(p, q)∧EAI(p)≈TIEAI(q) ) == true.

Before: Pw×Pw⇒{true, false}

Before(p, q) == true if and only if

( Reachable(p, q)∨( Parallel(p, q)∧EAI(p)pTIEAI(q) ) ) == true.

After: Pw×Pw⇒{true, false}

Chapter 3. A Delegation Framework for WfMS based on

Task-Role based Access Control and TS workflow

Tasks represent the basic logical steps of business processes, and roles combining users

with similar responsibility together are the core components for access control management in

modern WfMS. With both tasks and roles as core concept, we introduce a delegation

mechanism for WfMS coordinated with TRBAC. In section 3.1, TRBAC and the issues related

to delegation in WfMS are sketched. The task and role models adopted in this dissertation are

described in section 3.2, and our delegation framework for WfMS and TRBAC is depicted in

section 3.3. In section 3.4, a case study is made, and the related works are discussed and

compared with our methodology in section 3.5.

3.1 Background

3.1.1 Task-Role based Access Control Model

Based on RBAC96 [15][16], TRBAC model [17] illustrated in Figure 10 works for

modern enterprise environments in which tasks are the fundamental units of business processes.

TRBAC model binds permissions on tasks and groups users operating the same tasks into roles.

Rather than accessing business objects directly [15][16], users accomplish their works through

tasks in which permissions are properly defined and protected. Restricting the access rights of

business objects on tasks facilitates permission management and reduces the risks of

inappropriate permission authority made by users. In TRBAC [17], tasks are classified into four

classes according to whether the task participates in a business process and whether the task is

inherited by the ancestor job. The classes of tasks in TRBAC model are illustrated in Table 1.

Table 1 Classes of Tasks in TRBAC Model [17]

Non-inheritable Inheritable Passive access P (private) S (supervision)

Active access W (workflow) A (approval) 3.1.2 Delegation Approaches in RBAC and TRBAC

Delegation is to authorize subjects like access rights or works between users or roles, and

is often built based on access control models. The user (or role) authorizing the subject is the

delegator, and the one who receives it is the delegatee. In RBAC [15][16], permissions to

business objects, like documents or devices, etc. are bound with roles. RBDM0 [19] provides a

flexible way for granting and revoking permissions between roles. RBDM1 [20], an extension

of RBDM0 [19], is more realistic since it organizes roles with hierarchy. Both techniques are

focused on delegation of roles among human users through identifying can-delegation

relationships between roles.

In [21], the essence of this delegation model is that a user delegates a particular right to

another user, and delegation of partial permissions is allowed. Osborn separates users in

organization, role hierarchies, and relationships among privileges into different graph models in

role. In [18], Crampton gives a further discussion about both granting and transferring access

rights between roles. When access rights are granted from the delegator to the delegatee, the

delegated access rights are available for both the delegator and the delegatee [18]. On the other

hand, if the access rights are transferred, only the delegatee holds the access rights after the

delegation [18]. Besides, Crampton considers both can-delegate and can-receive relationships,

and introduces the concept of administrative scope to improve the efficiencies in delegation

controlling [18].

Besides, tasks, the basic logic units of business processes, should also be considered in

delegation. In [18], Crampton addresses the issues like upward delegation and authorization of

appropriate permissions for delegation to adopt RBAC-based delegation mechanism in

task-based WfMS. Bammigatti associates tasks into permission management and develops a

new model for using RBAC in workflow system [42]. In TAC model [43], the permissions

possessed by roles and required by tasks are described separately, and the assignment of tasks to

roles is thus constrained. With such constraints, a protocol enabling delegation of task instances

from users to roles is established [43].

TRBAC [17] binds the permissions with tasks, and the tasks with roles. With the roles

assigned to users, users access business objects and accomplish their duties through tasks.

Therefore, authorization of permissions is not necessary for delegation of tasks and task

instances in TRBAC. In our previous work [24], a delegation framework for TRBAC has been

initially established without considering the temporal issues. Zhang et al. develops a delegation

model for time constraints-based TRBAC [44]. However, Zhang reduces TRBAC model as

TRBACM model in which permissions and tasks are separately bound with roles. In [44], users

delegate permissions together with tasks to accomplish their works, and the methodology

3.1.3 Separation of Duty

Separation of Duty (SOD) is a security principle which requires multiple users to be

responsible for the completion of a work [45]. Since delegation transfers permissions and tasks

among users, the delegation approaches also follows the SOD policy of the corresponding

access control system. In RBDM1 [16], Ferraiolo defines SOD as “For a particular set of

transactions, no single individual is allowed to execute all the transactions within the set.”

Botha discusses SOD in workflow environments both statically and dynamically [46]. In

Botha’s study, four possible conflicts, conflicting roles, conflicting permissions, conflicting

users, and conflicting tasks, are described, and the corresponding methods for the conflicts are

developed.

TRBAC [17] offers SOD policy at both task and instance level, and defines that some tasks

are mutually-exclusive to each other. In task level SOD, for the roles played by a user, none of

the tasks assigned to the roles are mutually-exclusive. In instance level SOD, the policy is

effective for the tasks belonging to the same workflow instance. The task instances instantiated

from the mutually-exclusive tasks in a workflow instance can not be executed by the same user

[17]. In this dissertation, we follow the SOD policy established in TRBAC when delegation.

3.2 Task and Role Model

Tasks are the basic components describing pieces of works in logical steps within a

workflow [1], and are modeled as activity processes in TS workflow model. Permissions are

the rules describing the admission in accessing business objects such as documents or

computation resources. In this dissertation, individual permissions are bound with tasks on the

basis of TRBAC. Besides, it is assumed that only the tasks related to enactment of workflows

can be delegated during run-time, and therefore, only “Workflow” and “Approval” are

Definition 11 (Task)

For a TS workflow w, Tw = {t | t∈Pw, t.type == ACT} is the set of tasks in w.

Let T be the set of all the tasks managed by WfMS,

Tw⊆T, ∀t∈T, the following properties are additionally modeled:

Pt is the set of permissions to business objects bound on t.

Rt is the set of roles assigned to t.

t.class∈{Workflow, Approval} is the class of t.

During run-time, TS workflow instances are instantiated from a TS workflow, and the

tasks in the TS workflow are also instantiated as Task Instances. Task instances are the basic

units for daily duties. When a task instance is going to be executed, the system offers the

instance to a role in accordance with the corresponding TS workflow. Then, the instance is

allocated to the work list of one of the users playing the offered role. The user executes the

instances in his work list, and submits the instance whenever it is complete. A task instance is

suspended once the responsible user becomes unavailable for a certain time, and is resumed

from suspension when the responsible user is again available. A task instance is failed if it is not

completed in its active interval, and is discarded if it is not executed until the end of the TS

workflow instance. The active interval of a task instance is obtained from the EAI of its source

task and the starting time of the TS workflow instance, and indicates when it can be started and

the corresponding deadline. TS workflow instance and task instances are modeled as following.

Definition 12 (TS workflow Instance and Task Instance) A TS workflow instance wi = (w, Iwi, st).

w is the TS workflow instantiating wi

Iwi is the set of the task instances instantiated from the tasks in Tw.

Let I be the set of all the task instances managed by WfMS. Iwi⊆I, ∀i∈Iwi, i = (wi, tk, ar, s, eu, ai).

tk∈Twi.w is the task instantiating i.

ar∈Rtk is the role i offered.

s∈{Initiated, Discarded, Offered, Allocated, Completed, Suspended, Failed} is the status of i.

eu is the user executing the task instance.

ai = [wi.st + EST(tk), wi.st + LET(tk.eai)] is the active interval of i. st is the time point wi being initialized.

Users are the participants of business processes. A user may play multiple roles for various

businesses, and a role can be played by multiple users also. During run-time, users execute task

instances in their work list to accomplish their daily duties. The status of a user is normally

available and is transited to unavailable when he/she is not available for work. A user is

formally modeled as following.

Definition 13 (User)

Let U be the set of all the users managed by WfMS. ∀u∈U, u = (Ru, WL, cs).

Ru is the set of roles played by u.

WL = { i | i∈I, i.eu = u, i.s∈{Allocated, Completed, Suspended, Failed} } is the work list of u.

cs∈{Available, Unavailable} is the current status of u.

Roles represent the collections of users with common responsibilities [15][16]. In this

dissertation, a role is modeled as a collection of the users responsible for the same tasks with

certain timing constraints. The definition roles are formally described as follows.

Definition 14 (Role)

Let R be the set of all the roles managed by WfMS. ∀r∈R, r = (Ur, Tr, etd).

Ur is the set of users playing r.

Tr is the set of tasks assigned to r.

etd is a time description indicating when r is active.

Roles are organized with the role hierarchy. The role hierarchy indicates inheritance

relationships and partial orders between roles to reflect the organization lines of authority or

responsibility [15]. In this dissertation, the role hierarchy is modeled with directed acyclic

graph (DAG) like in [15], [47], and [48]. Among the role hierarchy, the roles in higher positions

possess larger authority, and the connected roles are more coherent than disconnected ones

[15][47][48]. The number of edges between two connected roles in the role hierarchy is defined

as their distance. The roles closer in distance are related more tightly than roles farther. The role

in the following definition.

Definition 15 (The Role Hierarchy) The role hierarchy RH⊆R×R.

∀(r1, r2)∈RH, (r1, r2) shows a partial order that all inheritable tasks assigned to

r1 can also be assigned to r2.

∀r, r’∈R, r’frh r holds if there exists (r, r1), .., (rk, r’)∈RH*.

RH is acyclic, and if r’frh r holds, rfrh r’ does not.

DisRH() shows the distance between two roles in the role hierarchy: (1) DisRH(r, r) = 0,

(2) if r’frh r, DisRH(r, r’) = -(k+1) and DisRH(r’, r) = k+1,

(3) DisRH(r, r’) is undefined while neither r’frh r nor rfrh r’ holds.

3.3 Delegation Framework for WfMS on TRBAC

3.3.1 The properties of Delegation

A delegation is primarily composed of a delegator, a delegatee and a delegating subject. In

TRBAC, since the permissions are bound with tasks, the task instances are delegated between

users during run-time. For each delegation, the delegator, the delegatee, the delegated task

instance, and the delegation duration are recorded in a delegation record. In this dissertation, the

duration is constrained not exceeding the active interval of the delegated task instance. Our

framework allows multi-level delegation [19][21], and a task instance might be delegated

several times. For each delegated task instance, a delegation record keeps tracking its status no

matter how many times it is delegated. All the delegators who once delegated the task instance

are put into the historical delegator list in the corresponding delegation record.

Besides, we assume that the maximal times that a task instance can be delegated are

constrained by an enterprise policy named the Maximal Levels of Delegation (MLD). MLD is a

non-negative integer. If MLD is equal to 1, multi-level-delegation is forbidden. With above

features, the format of a delegation record is defined in Definition 16. When a delegation occurs,

Definition 16 (Delegation Record)

Let D be the set of all the delegation records managed by WfMS.

∀d∈D, d = (di, dr, de, dur, HDRL).

di is the delegated task instance, and ∀d’∈D, if d’≠d, d’.di≠d.di. dr∈U is the original delegator.

de∈U, is the current delegatee.

dur is a time interval indicating during when d is effective, and di.ai⊇TIdur.

HDRL = {u1, u2, …, uk} is the historical delegator list. u1 == dr, and

∀um∈HDRL, m<k, um delegated di to um+1, and uk delegated di to de.

|HDRL|≤MLD.

Definition 17 (Delegation Records in Task Instances)

For any task instance i, if i is delegated, i.dr∈D, i.dr.di == i; otherwise, i.dr == Ø. Algorithm 1 describes how a task instance is delegated in our framework.

Algorithm 1 Delegation Algorithm - DA Input: the delegating task instance dti,

the delegatee u, and

the designated delegating duration ddur Pre-Condition: dti.ai⊇_TIddur

DA {

01:if (dti.dr ≠ Ø) {

02: if( |dti.dr.HDRL|+1 > MLD )

03: EXCEPTION( MAX_DELEGATION_LEVEL_REACHED );

04: else {

05: add dti.eu to dti.dr.HDRL; 06: dti.dr.dur = ddur;

07: dti.dr.de = u; 08: }

09:} else {

10: dti.dr = (dti, dti.eu, u, ddur, {dti.eu}); 11: add dti.dr to D;

12:}

13:remove dti from dti.eu.WL; 14:add dti to u.WL;

15:dti.eu = u;

The system invokes Algorithm 1 when delegating a task instance to the designated

delegatee. At line 1, the algorithm checks whether the input task instance has been delegated. If

so, the algorithms checks the size of historical delegator list of the task instance at line 2 to

assure that the delegation does not violate the restriction held by MLD. According to the input

parameter, the delegation record is updated from line 5 to 7. Otherwise, the task instance is

delegated for the first time. A new delegation record is created and attached to dti at line 10 and

11. After the delegation record is well updated or created, the task instance is transferred from

the delegator’s work list to the delegatee’s from line 13 to 15

3.3.2 Delegatee Decision

Algorithm 1 does not concern whether a delegatee is appropriate for delegation or not. In

multi-level-delegation, if a task instance is delegated to one of the delegators who once

delegated the task instance, a delegation loop occurs. Delegation loop causes redundancy in

business and should be avoided [49]. Algorithm 2 is constructed to remove users inducing

delegation loop from the candidate users.

Algorithm 2 Removing Users Causing Delegation Loop - RUDL Input: the candidate user set CUS, and

the target task instance ti Pre-Condition: CUS⊆U User Set RUDL { 01:if (ti.dr ≠ Ø)

02: CUS = CUS \ ( ti.dr.HDRL ); 03:return CUS;

}

Taking a set of users and a task instance as the input parameters, Algorithm 2 eliminates

users causing delegation loop from the input user set. Each delegator user who once delegated

the instance is recorded in the historical delegator list of the delegation record. After removing