A New Task Engineering Approach for Workflow Access Control

  • Hanan El Bakkali
  • Hamid Hatim
  • Ilham Berrada
Conference paper
Part of the Advances in Intelligent and Soft Computing book series (AINSC, volume 85)


Security and particularly Access control is a crucial issue for workflow management systems (WFMS). RBAC (Role based Access Control) model seems to be suitable for enforcing access control policies in such systems. However, without an effective role engineering process -at administration time- that aims to reduce conflicting situations, using RBAC could be more complex and less useful. Additionally to role engineering, a ‘task engineering’ process -at run time- could be useful to allow the satisfaction of access control constraints in even critical situations. In this paper, we identify task engineering as a process to examine the granularity of each workflow’s task in a way to meet -at run time- the main workflow access control requirements, precisely the least privilege and separation of duties principles. Then, we propose an approach of task engineering to improve security enforcement in WFMS. This approach uses an intelligent method namely the Constraints Satisfaction Problem (CSP) formulation and resolution method.


Workflow Access Control Security RBAC Separation of Duties Least Privileges Task engineering Constraint Satisfaction Problem 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    ANSI, American national standard for information technology – Role based access control. ANSI INCITS 359-2004 (2004)Google Scholar
  2. 2.
    El Bakkali, H., Hatim, H.: RB-WAC: New approach for access control in workflows. In: 7th ACS/IEEE International Conference on Computer Systems and Applications, AICCSA 2009 (2009)Google Scholar
  3. 3.
    Bertino, E., Ferrari, E.: The Specification and Enforcement of Authorization Constraints in Workflow Management Systems. ACM Transactions on Information and System Security 2(1), 65–104 (1999)CrossRefGoogle Scholar
  4. 4.
    Botha, R.A., Eloff, J.H.P.: Separation of duties for access control enforcement in workflow environments. IBM Systems Journal 40(3), 666–682 (2001)CrossRefGoogle Scholar
  5. 5.
    Buyens, K., Win, B.D., Joosen, W.: Resolving least privilege violations in software architectures. In: ICSE Workshop on Software Engineering for Secure Systems (2009)Google Scholar
  6. 6.
    Chen, L., Crampton, J.: Inter-domain Role Mapping and Least Privilege. In: 12th ACM Symposium on Access Control Models and Technologies, SACMAT 2007 (2007)Google Scholar
  7. 7.
    Colantonio, A., Di Pietro, R., Ocello, A.: A CostDriven Approach to Role Engineering. In: ACM Symposium on Applied computing (2008)Google Scholar
  8. 8.
    Cone, E.J., Davis, J.M.: Role Engineering for Enterprise Security Management. Artech House, Norwood (2008)Google Scholar
  9. 9.
    Ene, A., Horne, W., Milosavljevic, N., Rao, P., Schreiber, R., Tarjan, R.E.: Fast Exact and Heuristic Methods for Role Minimization Problems. In: 13th ACM Symposium on Access Control Models and Technologies, SACMAT 2009 (2009)Google Scholar
  10. 10.
    Schlegelmilch, J., Steffens, U.: Role Mining with ORCA. In: 10th ACM Symposium on Access Control Models and Technologies, SACMAT 2010 (2005)Google Scholar
  11. 11.
    Sun, Y., Meng, X., Yin, F.: A Novel Approach for Role Hierarchies in Flexible RBAC Workflow. In: 10th International Enterprise Distributed Object Computing Conference (2006)Google Scholar
  12. 12.
    Thomas, R.K., Sandhu, R.S.: Task-based Authorization Controls (TBAC): A Family of Models for Active and Enterprise-oriented Authorization. In: IFIP WG11.3 Workshop on Database Security DBSec (1997)Google Scholar
  13. 13.
    Vaidya, J., Atluri, V., Guo, Q.: The Role Mining Problem: Finding a Minimal Descriptive Set of Roles. In: 12th ACM symposium on Access Control Models and Technologies, SACMAT 2007 (2007)Google Scholar
  14. 14.
    Wolter, C., Schaad, A., Meinel, C.: Task-Based Entailment Constraints for Basic Workflow Patterns. In: 13th ACM Symposium on Access Control Models and Technologies, SACMAT 2008 (2008)Google Scholar
  15. 15.
    Ye, C., Cheung, S.C., Chan, W.K.: Publishing and Composition of Atomicity-equivalent Services for B2B Collaboration. In: 28th International Conference on Software Engineering (2006)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Hanan El Bakkali
    • 1
  • Hamid Hatim
    • 1
  • Ilham Berrada
    • 1
  1. 1.Université Mohammed V - Souissi, ENSIAS 

Personalised recommendations