Flexible Scoping of Authorization Constraints on Business Processes with Loops and Parallelism

  • Samuel J. Burri
  • Günter Karjoth
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 100)


Real-life business process specifications include situations where work may be repeated due to exceptions such as the lack of resources or failed approvals. However, most authorization constraint models for business processes describe them as partially ordered sets of tasks. This abstraction simplifies the analysis of constraints greatly but prevents their use in real systems because control flows with loops are not supported. To overcome this limitation, we scope authorization constraints to task instances using the concept of release, which removes associations between users and their previously executed tasks. We define a model applying releases to cardinality and interval constraints, such as Separation of Duty (SoD). The latter is based on the notion of intervals defined by pairs of tasks and imposing conditions on the users executing them. We extend BPMN to visualize our constraints, bridging the gap between IT and business people as well as to auditors.


Business Process Release Event Business Process Modeling Cardinality Constraint Constraint Language 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Basin, D., Burri, S.J., Karjoth, G.: Obstruction-free authorization enforcement: Aligning security and business objectives. In: 24th IEEE Computer Security Foundations Symposium, pp. 99–113. IEEE Computer Society Press (2011)Google Scholar
  2. 2.
    Bertino, E., Ferrari, E., Atluri, V.: The specification and enforcement of authorization constraints in workflow management systems. ACM Transactions on Information and System Security 2(1), 65–104 (1999)CrossRefGoogle Scholar
  3. 3.
    Expert Group on e-Invoicing. Final Report of the Expert Group on e-Invoicing (2009),
  4. 4.
    Business Process Model and Notation (BPMN), Version 2.0. OMG Standard (January 2011),
  5. 5.
    Silver, B.: BPMN Method and Style. Cody-Cassidy Press (2009)Google Scholar
  6. 6.
    Solworth, J.A.: Approvability. In: ACM Symposium on Information, Computer and Communications Security (AsiaCCS 2006), pp. 231–242. ACM Press (2006)Google Scholar
  7. 7.
    Tan, K., Crampton, J., Gunter, C.: The consistency of task-based authorization constraints in workflow systems. In: 17th IEEE Computer Security Foundations Workshop, pp. 155–169. IEEE Computer Society Press (2004)Google Scholar
  8. 8.
    Thomas, R., Sandhu, R.: Conceptual foundations for a model of task-based authorizations. In: 7th IEEE Computer Security Foundations Workshop, pp. 66–79. IEEE Computer Society Press (1994)Google Scholar
  9. 9.
    Wolter, C., Meinel, C.: An approach to capture authorisation requirements in business processes. Requirements Engineering 15, 359–373 (2010)CrossRefGoogle Scholar
  10. 10.
    Wolter, C., Schaad, A.: Modeling of Task-Based Authorization Constraints in BPMN. In: Alonso, G., Dadam, P., Rosemann, M. (eds.) BPM 2007. LNCS, vol. 4714, pp. 64–79. Springer, Heidelberg (2007)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Samuel J. Burri
    • 1
  • Günter Karjoth
    • 1
  1. 1.IBM ResearchZurichSwitzerland

Personalised recommendations