Modeling of Task-Based Authorization Constraints in BPMN

  • Christian Wolter
  • Andreas Schaad
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4714)


Workflows model and control the execution of business processes in an organisation by defining a set of tasks to be done. The specification of workflows is well-elaborated and heavily tool supported. Task-based access control is tailored to specify authorization constraints for task allocation in workflows. Existing workflow modeling notations do not support the description of authorization constraints for task allocation commonly referred to as resource allocation patterns.

In this paper we propose an extension for the Business Process Modeling Notation (BPMN) to express such authorizations within the workflow model, enabling the support of resource allocation pattern, such as Separation of Duty, Role-Based Allocation, Case Handling, or History-Based Allocation in BPMN. These pattern allow to specify authorization constraints, for instance role-task assignments, separation of duty, and binding of duty constraints. Based on a formal approach we develop an authorization constraint artifact for BPMN to describe such constraints.

As a pragmatic demonstration of the feasibility of our proposed extension we model authorization constraints inspired by a real world banking workflow scenario. In the course of this paper we identify several aspects of future work related to verification and consistency analysis of modeled authorization constraints, tool-supported and pattern-driven authorization constraint description, and automatic derivation of authorization policies, such as defined by the eXtensible Access Control Markup Language (XACML).


Security in business processes Business process modeling and analysis 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Russell, N., van der Aalst, W.M.P., ter Hofstede, A.H.M., Edmond, D.: Workflow Resource Patterns: Identification, Representation and Tool Support. In: Pastor, Ó., Falcão e Cunha, J. (eds.) CAiSE 2005. LNCS, vol. 3520, Springer, Heidelberg (2005)Google Scholar
  2. 2.
    Wohed, P., van der Aalst, W.M.P., Dumas, M., ter Hofstede, A.H.M., Russell, N.: On the Suitability of BPMN for Business Process Modelling. In: Proceedings of the 4th International Conference on Business Process Management (BPM) (2006)Google Scholar
  3. 3.
    Schaad, A., Lotz, V., Sohr, K.: A Model-checking Approach to Analysing Organisational Controls in a Loan Origination Process. In: SACMAT 2006: Proceedings of the eleventh ACM symposium on Access control models and technologiesGoogle Scholar
  4. 4.
    Saltzer, J.H., Schroeder, M.D.: The Protection of Information in Computer Systems. In: 4th ACM Symposium on Operating System Principles (1975)Google Scholar
  5. 5.
    Clark, D., Wilson, D.: A Comparison of Commercial and Military Security Policies. In: IEEE Symposium on Security and Privacy (1987)Google Scholar
  6. 6.
    Nash, M., Poland, K.: Some Conundrums Concerning Separation of Duty. In: IEEE Symposium on Security and Privacy, Oakland, CA, pp. 201–209 (1990)Google Scholar
  7. 7.
    Botha, R.A., Eloff, J.H.P.: Separation of duties for access control enforcement in workflow environments (2001)Google Scholar
  8. 8.
    Hoagland, J.A., Pandey, R., Levitt, K.N.: Security Policy Specification Using a Graphical Approach. Technical Report (1998)Google Scholar
  9. 9.
    Tan, K., Crampton, J., Gunter, C.: The consistency of task-based authorization constraints in workflow systems. In: CSFW 2004: Proceedings of the 17th IEEE workshop on Computer Security Foundations (2004)Google Scholar
  10. 10.
    Bertino, E., Crampton, J., Paci, F.: Access control and authorization constraints for WS-BPEL. In: Proceedings of IEEE International Conference on Web Services (2006)Google Scholar
  11. 11.
    Kloppmann, M., Koenig, D., Leymann, F., Pfau, G., Rickayzen, A., von Riegen, C., Schmidt, P., Trickovic, I.: WS-BPEL Extension for People - BPEL4People (2005)Google Scholar
  12. 12.
    Object Management Group: Business Process Modeling Notation Specification (2006),
  13. 13.
    Stephen, A.: White. Using BPMN to Model a BPEL Process. BPTrends (2005)Google Scholar
  14. 14.
    Recker, J., Mendling, J.: On the translation between bpmn and bpel: Conceptual mismatch between process modeling languagesGoogle Scholar
  15. 15.
    Ahn, G., Sandhu, R.: Role-based authorization constraints specification. ACM Trans. Inf. Syst. Secur. 3(4), 207–226 (2000)CrossRefGoogle Scholar
  16. 16.
    Thomas, R.K., Sandhu, R.S.: Task-Based Authorization Controls (TBAC): A Family of Models for Active and Enterprise-Oriented Autorization Management. In: IFIP Workshop on Database Security, pp. 166–181 (1997)Google Scholar
  17. 17.
    Bertino, E., Ferrari, E., Atluri, V.: The Specification and Enforcement of Authorization Constraints in Workflow Management Systems. ACM Transactions on Information and System Security 2, 65–104 (1999)CrossRefGoogle Scholar
  18. 18.
    Knorr, K., Stromer, H.: Modeling and Analyzing Separation of Duties in Workflow Environments. In: Sec 2001: Proceedings of the 16th international conference on Information security: Trusted information, pp. 199–212 (2001)Google Scholar
  19. 19.
    Dobmeier, W., Pernuk, G.: Modellierung von Zugiffsrichtlinien für offene Systeme. In: Tagungsband Fachgruppentreffen Entwicklungsmethoden für Informationssysteme und deren Anwendung (EMISA 2006) (2006)Google Scholar
  20. 20.
    Kalnins, A., Vitolins, V.: Use of UML and Model Transformations for Workflow Process Definitions. TECHNIKA 3 (2006)Google Scholar
  21. 21.
    Jürjens, J.: UMLsec: Extending UML for Secure Systems Development. In: UML 2002: Proceedings of the 5th International Conference on The Unified Modeling Language, pp. 412–425 (2002)Google Scholar
  22. 22.
    Basin, D., Doser, J., Lodderstedt, T.: Model Driven Security for Process-Oriented Systems. In: SACMAT 2003: Proceedings of the eighth ACM symposium on Access control models and technologies, pp. 100–109 (2003)Google Scholar
  23. 23.
    Chang, S.K., Polese, G., Cibelli, M., Thomas, R.: Visual Authorization Modeling in E-commerce Applications. IEEE MultiMedia 10(1), 44–54 (2003)CrossRefGoogle Scholar
  24. 24.
    Huang, W.-K., Atluri, V.: SecureFlow: A Secure Web-enabled Work ow Management System. In: Proceedings of the fourth ACM workshop on Role-based access control (1999)Google Scholar
  25. 25.
    Kostaki, P., Kokolakis, S., Pandolfo, C.: Serenity - System Engineering for Security & Dependability WP A2.D4.1 (2006),
  26. 26.
    Iwaihara, M.: Access Control of XML Documents and Business Rule Processing for Advanced Information Exchange. In: Second International Conference on Informatics Research for Development of Knowledge Society Infrastructure (ICKS 2007), pp. 177–184 (2007)Google Scholar
  27. 27.
    Schaad, A.: An Extended Analysis of Delegating Obligations (2004)Google Scholar
  28. 28.
    Shapiro, R., Marin, R.N.M.: XML Process Definition Language Version 2.0. Workflow Management Coalition (2005)Google Scholar
  29. 29.
    Kleppe, A., Warmer, J., Bast, W.: MDA Explained: The Model Driven Architecture: Practice and Promise. Addison Wesley, Reading (2003)Google Scholar
  30. 30.
    Moses, T.: eXtensible Access Control Markup Language Version 2.0. OASIS Standard (2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Christian Wolter
    • 1
  • Andreas Schaad
    • 1
  1. 1.SAP Research, Vincenz-Priessnitz-Str. 1, 76131 KarlsruheGermany

Personalised recommendations