Journal of Intelligent Information Systems, Volume 18, Issue 1, pp 71–94

Authorization and Access Control of Application Data in Workflow Systems

  • Shengli Wu
  • Amit Sheth
  • John Miller
  • Zongwei Luo


Workflow Management Systems (WfMSs) are used to support the modeling and coordinated execution of business processes within an organization or across organizational boundaries. Although some research efforts have addressed requirements for authorization and access control for workflow systems, little attention has been paid to the requirements as they apply to application data accessed or managed by WfMSs. In this paper, we discuss key access control requirements for application data in workflow applications using examples from the healthcare domain, introduce a classification of application data used in workflow systems by analyzing their sources, and then propose a comprehensive data authorization and access control mechanism for WfMSs. This involves four aspects: role, task, process instance-based user group, and data content. For implementation, a predicate-based access control method is used. We believe that the proposed model is applicable to workflow applications and WfMSs with diverse access control requirements.

Workflow management system authorization access control predicate-based access control workflow process metadata-data security workflow repository 





Copyright information

© Kluwer Academic Publishers 2002

Authors and Affiliations

  • Shengli Wu (1)
  • Amit Sheth (2)
  • John Miller (2)
  • Zongwei Luo (3)

  1. The University of Strathclyde, Glasgow, Scotland
  2. LSDIS Lab, University of Georgia, Athens, USA
  3. IBM T.J. Watson Research Center, USA
