Abstract
The execution of workflow processes requires authorizations for enforcing the assignment of tasks to agents, either human or automated, according to the security policy of the organization. This paper presents a workflow authorization framework based on roles and organizational levels, and on authorization constraints. To facilitate the assignment of tasks to agents, roles and organizational levels are organized into hierarchies. Authorization constraints are introduced to specify instance-dependent, time-dependent, and history-dependent authorizations. Authorization constraints are specified in terms of active rules, used also for authorization management. The Workflow Management System determines authorized agents on the basis of the contents of an authorization base maintained through the active rules defined in the system.
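The mechanism the abstract describes can be sketched as follows. This is an added example, not code from the paper: SQLite triggers stand in for the active rules, and a trigger fired by task execution updates an authorization base that is consulted, together with an inherited role hierarchy, to determine authorized agents. All table and function names, the separation-of-duty rule, and the sample data are assumptions constructed here.

```python
import sqlite3

SCHEMA = """
CREATE TABLE role_hier(senior TEXT, junior TEXT);    -- senior inherits junior's tasks
CREATE TABLE agent(name TEXT PRIMARY KEY, role TEXT);
CREATE TABLE task_role(task TEXT, role TEXT);        -- static, role-based grants
CREATE TABLE sod(first_task TEXT, second_task TEXT); -- separation-of-duty pairs
CREATE TABLE history(case_id INT, task TEXT, agent TEXT);
CREATE TABLE auth_base(case_id INT, task TEXT, agent TEXT, granted INT, PRIMARY KEY(case_id, task, agent));
-- Active rule (event: a task was executed; action: update the authorization base).
CREATE TRIGGER sod_rule AFTER INSERT ON history
BEGIN
  INSERT OR REPLACE INTO auth_base
  SELECT NEW.case_id, s.second_task, NEW.agent, 0
  FROM sod s WHERE s.first_task = NEW.task;
END;
-- Constructed sample data (hypothetical roles, agents and tasks).
INSERT INTO role_hier VALUES ('manager', 'clerk');
INSERT INTO agent VALUES ('alice', 'clerk'), ('bob', 'manager'), ('carol', 'manager');
INSERT INTO task_role VALUES ('prepare_payment', 'clerk'), ('approve_payment', 'manager');
INSERT INTO sod VALUES ('prepare_payment', 'approve_payment');
"""

AUTHORIZED = """
WITH RECURSIVE covers(role, covered) AS (
  SELECT role, role FROM agent
  UNION
  SELECT c.role, h.junior FROM covers c JOIN role_hier h ON h.senior = c.covered)
SELECT DISTINCT a.name FROM agent a
JOIN covers c ON c.role = a.role
JOIN task_role t ON t.role = c.covered AND t.task = :task
WHERE NOT EXISTS (SELECT 1 FROM auth_base b WHERE b.case_id = :case_id
                  AND b.task = :task AND b.agent = a.name AND b.granted = 0)
ORDER BY a.name
"""

def build():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def authorized_agents(conn, case_id, task):
    rows = conn.execute(AUTHORIZED, {"case_id": case_id, "task": task})
    return [name for (name,) in rows]

def execute_task(conn, case_id, task, agent):
    if agent not in authorized_agents(conn, case_id, task):
        raise PermissionError(f"{agent} may not run {task} in case {case_id}")
    conn.execute("INSERT INTO history VALUES (?, ?, ?)", (case_id, task, agent))
```

The revocation is both history-dependent and instance-dependent: it is written only for the case in which the agent ran the first task, so the same agent stays authorized for the second task in every other case.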
Cite this article
Casati, F., Castano, S. & Fugini, M. Managing Workflow Authorization Constraints through Active Database Technology. Information Systems Frontiers 3, 319–338 (2001). https://doi.org/10.1023/A:1011461409620
DOI: https://doi.org/10.1023/A:1011461409620