Flexible Scoping of Authorization Constraints on Business Processes with Loops and Parallelism
Real-life business process specifications include situations where work may be repeated due to exceptions such as the lack of resources or failed approvals. However, most authorization constraint models for business processes describe them as partially ordered sets of tasks. This abstraction simplifies the analysis of constraints greatly but prevents their use in real systems because control flows with loops are not supported. To overcome this limitation, we scope authorization constraints to task instances using the concept of release, which removes associations between users and their previously executed tasks. We define a model applying releases to cardinality and interval constraints, such as Separation of Duty (SoD). The latter is based on the notion of intervals defined by pairs of tasks and imposing conditions on the users executing them. We extend BPMN to visualize our constraints, bridging the gap between IT and business people as well as to auditors.
KeywordsBusiness Process Release Event Business Process Modeling Cardinality Constraint Constraint Language
Unable to display preview. Download preview PDF.
- 1.Basin, D., Burri, S.J., Karjoth, G.: Obstruction-free authorization enforcement: Aligning security and business objectives. In: 24th IEEE Computer Security Foundations Symposium, pp. 99–113. IEEE Computer Society Press (2011)Google Scholar
- 3.Expert Group on e-Invoicing. Final Report of the Expert Group on e-Invoicing (2009), http://bit.ly/bwlgEF
- 4.Business Process Model and Notation (BPMN), Version 2.0. OMG Standard (January 2011), http://www.omg.org/spec/BPMN/2.0/PDF
- 5.Silver, B.: BPMN Method and Style. Cody-Cassidy Press (2009)Google Scholar
- 6.Solworth, J.A.: Approvability. In: ACM Symposium on Information, Computer and Communications Security (AsiaCCS 2006), pp. 231–242. ACM Press (2006)Google Scholar
- 7.Tan, K., Crampton, J., Gunter, C.: The consistency of task-based authorization constraints in workflow systems. In: 17th IEEE Computer Security Foundations Workshop, pp. 155–169. IEEE Computer Society Press (2004)Google Scholar
- 8.Thomas, R., Sandhu, R.: Conceptual foundations for a model of task-based authorizations. In: 7th IEEE Computer Security Foundations Workshop, pp. 66–79. IEEE Computer Society Press (1994)Google Scholar