Using colored Petri nets to model and analyze workflow with separation of duty constraints



Workflow provides a promising solution for organizations to achieve their business goals through interaction and collaboration between users. Separation of duty (SoD) is a security principle for preventing fraud and errors in collaborative workflow environments. It is crucial to verify and ensure the correctness and consistency of a workflow with SoD constraints at design time. In this paper, we propose a method to model and analyze workflows with SoD constraints based on colored Petri nets (CPN). The control flow, authorization rules and SoD constraints of a workflow are all represented as CPNs and combined into one integrated CPN model. The execution paths of this model can then be derived by reachability tree analysis. By analyzing these execution paths, some latent deadlocks caused by inconsistency between authorization rules and SoD constraints can be detected.
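The kind of deadlock the abstract refers to can be shown with a small explicit-state reachability search; this is an added example, not the paper's CPN model or code, and the three-task workflow, user names and function names are constructed assumptions. It enumerates every execution path and reports those that stop before all tasks are done because the authorization rules and SoD constraints leave no eligible user.

```python
# Added example: explicit-state reachability search, not the paper's CPN model.
# The workflow, users and constraints below are constructed sample data.

PREDS = {"prepare": [], "approve": ["prepare"], "pay": ["approve"]}  # control flow
AUTH = {"prepare": {"alice", "bob"},       # authorization rules: task -> users
        "approve": {"bob", "carol"},
        "pay": {"bob"}}
SOD = [("prepare", "pay"), ("approve", "pay")]  # pairs needing different users


def enabled(done, preds, auth, sod):
    """Yield (task, user) steps that can fire in the state `done` (task -> user)."""
    for task in sorted(preds):
        if task in done or any(p not in done for p in preds[task]):
            continue
        # Users excluded because they performed a task in SoD conflict with `task`.
        barred = {done[o] for a, b in sod for t, o in ((a, b), (b, a))
                  if t == task and o in done}
        for user in sorted(auth[task] - barred):
            yield task, user


def analyze(preds, auth, sod):
    """Walk the reachability tree; return (complete_paths, deadlock_paths)."""
    complete, deadlocks = [], []
    stack = [((), {})]                      # (path so far, task -> user)
    while stack:
        path, done = stack.pop()
        steps = list(enabled(done, preds, auth, sod))
        if len(done) == len(preds):
            complete.append(path)
        elif not steps:                     # tasks remain but nothing can fire
            deadlocks.append(path)
        for task, user in steps:
            stack.append((path + ((task, user),), {**done, task: user}))
    return sorted(complete), sorted(deadlocks)


if __name__ == "__main__":
    ok, stuck = analyze(PREDS, AUTH, SOD)
    for p in ok:
        print("completes:", p)
    for p in stuck:
        print("deadlock :", p)
```

In the sample data the workflow can complete, yet three of the four ways to assign the first two tasks leave `pay` with no eligible user, which is why the inconsistency only shows up when all paths are explored.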


Keywords: Workflow, Separation of duty, Colored Petri nets, Authorization





Copyright information

© Springer-Verlag London Limited 2007

Authors and Affiliations

  1. Key Laboratory for Information System Security, Ministry of Education China, School of Software, Tsinghua University, Beijing, People’s Republic of China
  2. Department of Computer Science and Technology, Tsinghua University, Beijing, People’s Republic of China
