Assisting the Deployment of Security-Sensitive Workflows by Finding Execution Scenarios

  • Daniel R. dos Santos
  • Silvio Ranise
  • Luca Compagna
  • Serena E. Ponta
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9149)

Abstract

To support the re-use of business process models, an emerging trend in Business Process Management, it is crucial to assist customers during deployment. We study how to do this for an important class of business processes, called security-sensitive workflows, in which execution constraints on the tasks are complemented with authorization constraints (e.g., Separation of Duty) and authorization policies (constraining which users can execute which tasks). We identify the capability of solving Scenario Finding Problems (SFPs), i.e. finding concrete execution scenarios, as crucial in supporting the re-use of security-sensitive workflows. Solutions of SFPs provide evidence that the business process model can be successfully executed under the policy adopted by the customer. We present a technique for solving two SFPs and validate it on real-world business process models taken from an on-line library.

References

  1. 1.
    Armando, A., Ponta, S.E.: Model checking of security-sensitive business processes. In: Degano, P., Guttman, J.D. (eds.) FAST 2009. LNCS, vol. 5983, pp. 66–80. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  2. 2.
    Basin, D., Burri, S.J., Karjoth, G.: Obstruction-free authorization enforcement: aligning security with business objectives. In: CSF 2011, pp. 99–113. IEEE (2011)Google Scholar
  3. 3.
    Basin, D., Burri, S.J., Karjoth, G.: Optimal workflow-aware authorizations. In: Proceedings of SACMAT 2012, pp. 93–102. ACM, New York (2012)Google Scholar
  4. 4.
    Bertino, E., Ferrari, E., Atluri, V.: The specification and enforcement of authorization constraints in workflow management systems. TISSeC 2, 65–104 (1999)CrossRefGoogle Scholar
  5. 5.
    Bertolissi, C., dos Santos, D.R., Ranise, S.: Automated synthesis of run-time monitors to enforce authorization policies in business processes. In: ASIACCS 2015. ACM, USA (2015)Google Scholar
  6. 6.
    Ceri, S., Gottlob, G., Tanca, L.: What you always wanted to know about datalog (and never dared to ask). IEEE TKDE 1(1), 146–166 (1989)Google Scholar
  7. 7.
    Cohen, D., Crampton, J., Gagarin, A., Gutin, G., Jones, M.: Iterative plan construction for the workflow satisfiability problem. JAIR 51, 555–577 (2014)MATHMathSciNetGoogle Scholar
  8. 8.
    Crampton, J.: A reference monitor for workflow systems with constrained task execution. In: 10th ACM SACMAT, pp. 38–47. ACM (2005)Google Scholar
  9. 9.
    Crampton, J., Gutin, G., Yeo, A.: On the parameterized complexity of the workflow satisfiability problem. In: CCS 2012, pp. 857–868. ACM (2012)Google Scholar
  10. 10.
    Crampton, J., Huth, M., Kuo, J.: Authorized workflow schemas: deciding realizability through LTL(F) model checking. STTT 16(1), 31–48 (2014)CrossRefGoogle Scholar
  11. 11.
    Dijkman, R., La Rosa, M., Reijers, H.A.: Editorial: managing large collections of business process models-current techniques and challenges. CI 63(2), 91–97 (2012)Google Scholar
  12. 12.
    Kohler, M., Schaad, A.: Avoiding policy-based deadlocks in business processes. In: ARES 2008, pp. 709–716. IEEE (2008)Google Scholar
  13. 13.
    Li, N., Mitchell, J.C.: DATALOG with constraints: a foundation for trust management languages. In: Dahl, V. (ed.) PADL 2003. LNCS, vol. 2562, pp. 58–73. Springer, Heidelberg (2002) CrossRefGoogle Scholar
  14. 14.
    Lu, H., Hong, Y., Yang, Y., Fang, Y., Duan, L.: Dynamic workflow adjustment with security constraints. In: Atluri, V., Pernul, G. (eds.) DBSec 2014. LNCS, vol. 8566, pp. 211–226. Springer, Heidelberg (2014) Google Scholar
  15. 15.
    OMG. Business process model and notation (BPMN), Version 2.0. Technical report, Object Management Group (2011)Google Scholar
  16. 16.
    Ray, I., Yang, P., Xie, X., Lu, S.: Satisfiability analysis of workflows with control-flow patterns and authorization constraints. IEEE TSC PP(99), 1–14 (2013)CrossRefGoogle Scholar
  17. 17.
    Sandhu, R., Coyne, E., Feinstein, H., Youmann, C.: Role-based access control models. IEEE Comput. 2(29), 38–47 (1996)CrossRefGoogle Scholar
  18. 18.
    Solworth, J.A.: Approvability. In: Proceedings of ASIACCS 2006, pp. 231–242. ACM, New York (2006)Google Scholar
  19. 19.
    van der Aalst, W.M.P.: Business process management: a comprehensive survey. ISRN Softw. Eng. 2013, 1–37 (2013)CrossRefGoogle Scholar
  20. 20.
    van der Aalst, W.M.P., Ter Hofstede, A.H.M.: Yawl: yet another workflow language. Inf. Sys. 30, 245–275 (2003)CrossRefGoogle Scholar
  21. 21.
    Wang, Q., Li, N.: Satisfiability and resiliency in workflow authorization systems. TISSeC 13, 40:1–40:35 (2010)Google Scholar
  22. 22.
    Weske, M.: Business Process Management: Concepts, Languages, Architectures. Springer-Verlag New York Inc., Secaucus (2007) Google Scholar
  23. 23.
    Zaaboub Haddar, N., Makni, L., Ben Abdallah, H.: Literature review of reuse in business process modeling. Softw. Syst. Model. 13(3), 975–989 (2014)CrossRefGoogle Scholar

Copyright information

© IFIP International Federation for Information Processing 2015

Authors and Affiliations

  • Daniel R. dos Santos
    • 1
    • 2
    • 3
  • Silvio Ranise
    • 1
  • Luca Compagna
    • 2
  • Serena E. Ponta
    • 2
  1. 1.Fondazione Bruno Kessler (FBK)TrentoItaly
  2. 2.SAP Labs FranceMouginsFrance
  3. 3.University of TrentoTrentoItaly

Personalised recommendations