Abstract
We propose the role-and-relation-based access control (R 2 BAC) model for workflow systems. In R 2 BAC, in addition to a user’s role memberships, the user’s relationships with other users help determine whether the user is allowed to perform a certain step in a workflow. For example, a constraint may require that two steps must not be performed by users who have a conflict of interest. We also study the workflow satisfiability problem, which asks whether a set of users can complete a workflow. We show that the problem is NP-complete for R 2 BAC, and is NP-complete for any workflow model that supports certain simple types of constraints (e.g., constraints that state certain two steps must be performed by two different users). After that, we apply tools from parameterized complexity theory to better understand the complexities of this problem. We show that the problem is fixed-parameter tractable when the only relations used are = and \(\ne\), and is fixed-parameter intractable when user-defined binary relations can be used. Finally, we study the resiliency problem in workflow systems, which asks whether a workflow can be completed even if a number of users may be absent. We formally define three levels of resiliency in workflow systems, namely, static resiliency, decremental resiliency and dynamic resiliency, and study computational problems related to these notions of resiliency.
Chapter PDF
References
Atluri, V., Huang, W.: An authorization model for workflows. In: Martella, G., Kurth, H., Montolivo, E., Bertino, E. (eds.) ESORICS 1996. LNCS, vol. 1146, pp. 44–64. Springer, Heidelberg (1996)
Atluri, V., Warner, J.: Supporting conditional delegation in secure workflow management systems. In: SACMAT 2005: Proceedings of the tenth ACM symposium on Access control models and technologies, pp. 49–58. ACM Press, New York (2005)
Bertino, E., Ferrari, E., Atluri, V.: The specification and enforcement of authorization constraints in workflow management systems. ACM Transactions on Information and System Security 2(1), 65–104 (1999)
Clark, D.D., Wilson, D.R.: A comparision of commercial and military computer security policies. In: Proceedings of the 1987 IEEE Symposium on Security and Privacy, pp. 184–194. IEEE Computer Society Press, Los Alamitos (1987)
Crampton, J.: A reference monitor for workflow systems with constrained task execution. In: SACMAT 2005. Proceedings of the Tenth ACM Symposium on Access Control Models and Technologies, Stockholm, Sweden, pp. 38–47. ACM Press, New York (2005)
Downey, R., Fellows, M.: Parameterized Complexity. Springer, Heidelberg (1999)
Kang, M.H., Park, J.S., Froscher, J.N.: Access control mechanisms for inter-organizational workflow, pp. 66–74 (2001)
Li, N., Tripunitara, M.V., Wang, Q.: Resiliency policies in access control. In: CCS. Proc. ACM Conference on Computer and Communications Security, ACM Press, New York (2006)
Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. IEEE Computer 29(2), 38–47 (1996)
Tan, K., Crampton, J., Gunter, C.: The consistency of task-based authorization constraints in workflow systems. In: CSFW. Proceedings of the 17th IEEE Computer Security Foundations Workshop, pp. 155–169. IEEE Computer Society Press, Los Alamitos (2004)
Wang, Q., Li, N.: Satisfiability and resiliency in workflow systems. Technical Report CERIAS-TR-2007-28, Center for Education and Research in Information Assurance and Security, Purdue University (2007)
Warner, J., Atluri, V.: Inter-instance authorization constraints for secure workflow management. In: SACMAT. Proc. ACM Symposium on Access Control Models and Technologies, pp. 190–199. ACM Press, New York (2006)
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Wang, Q., Li, N. (2007). Satisfiability and Resiliency in Workflow Systems. In: Biskup, J., López, J. (eds) Computer Security – ESORICS 2007. ESORICS 2007. Lecture Notes in Computer Science, vol 4734. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-74835-9_7
Download citation
DOI: https://doi.org/10.1007/978-3-540-74835-9_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-74834-2
Online ISBN: 978-3-540-74835-9
eBook Packages: Computer ScienceComputer Science (R0)