Obstruction Modeling

Holderer, Julius

doi:10.1007/978-3-658-38154-7_3

Julius Holderer ORCID: orcid.org/0000-0002-3452-2427²

998 Accesses

Abstract

Obstructions exemplify the conflicting goals between business processes and classic IT security. The SecANet approach presented in this chapter will allow putting this field of tension into a well-founded, formal representation of security-aware processes that opens up acting within a security-sensitive realm of maneuver. The SecANet encoding will create an extendable framework that addresses workflow obstructions and will support their comprehensive analysis and handling.

This chapter builds the central part of the thesis. In addressing the requirements for obstructability analysis (see Chapter 2), it is primarily concerned with the modeling of obstructions in security-aware workflows. For this, it will first explore the ways to model processes, in particular, the modeling of the control flow. Based on the selection of an ordinary Petri net model (P/T net) as the method of modeling, a security-aware Petri net representation, the SecANet, will be developed. The general idea of the SecANet modeling is to “flatten” the organizational aspect of a security-aware process specification that subsumes the process model and the policy specification into the model representing the functional and behavioral aspects. That way, a so-called “obstruction marking” can identify and capture obstructions. Moreover, indicators can be assigned to the task- and policy-related Petri net elements as costs. For the evaluation of the SecANet approach, its Petri net-specific properties will be investigated. Moreover, the formal correctness of the SecANet method will be proven by examining the behavioral preservation of the original inputs (i.e., language preservation). To take cyclic workflow behavior into account, the concept of policy re-enactment will add cyclic functionality to the so-far acyclic SecANet encoding. The developed SecANet formalism can be regarded as a target metamodel of security-aware process specifications that creates a basis for further analysis. Accordingly, it will subsume SecANet-based satisfiability and obstructability checks as SecANet soundness and show further extensions to facilitate analysis. An experimental evaluation will compare soundness checking runtimes with typical satisfiability-related approaches. The discussion will then examine the computational complexity of the SecANet encoding and sketch possibilities for extensions. With the introduction of SecANet+, the integration of additional inputs that further constrain the execution of tasks, for instance, counting constraints or user absence (resilience), will be made possible.

You have full access to this open access chapter, Download chapter PDF

The previous chapters identified the need to capture the state of obstruction as well as the fact that the inputs whose interplay may finally result in such a state are the workflow and its related policies. Although the approaches observed in Chapter 2 propose different ways to connect such authorizations and constraints with the workflow, they lack in making the obstruction state tangible in an intuitive way. Currently, it can only tediously be represented based on different inhomogeneous and limited definitions and formalizations. These approaches neither form a basis to conduct obstructability analysis nor find an adequate solution to escape an obstruction.

Based on the general framework of requirements in Chapter 2, this chapter proposes an approach that aims to address the deficits and requirements for obstructability analysis (ROA) stipulated in the previous chapter (cf. Section 2.1). For this, one representation that allows grasping the problem of obstruction (cf. GR-1) and facilitating its analysis (cf. GR-2) is supposed to encode the business goals and compliance requirements. In particular, such a representation should allow an adequate capturing of all inputs (cf. GR-3) of a security-aware process specification, namely the process model and the policy. On the one hand, for an obstructed case, the actual state of obstruction is supposed to be capturable in such a representation. On the other hand, it is meant to provide obstructability analysis, namely to detect obstructions in a security-aware process specification and to capture the results as well. The state of obstruction captured in the representation will then provide to search for ways how to escape from that problem during process enactment but also to be used to identify weak-spots of the policy design. A central question is how to capture the different inputs of a security-aware process expressively and, at the same time, preserve their behavior.

Because obstructions occur during the process execution, the guiding principle of this approach is to represent the obstruction state in a process-oriented way as well. Chapter 2 already introduced the manifold ways to model processes, which usually focus on the control flow as well as policy models (e.g., BPMN, EPC, Petri nets, RBAC, ACL). The process is, therefore, primarily anchored in the control flow. It builds the point of reference for process-oriented modeling. It can further be observed that the authorization and SoD or BoD rules manifest themselves in the activity sequences (or traces) of the process in a PAIS as well, denoting, for example, who executed which task. In this view, the overall policy can be understood in a process-oriented way too. More specifically, authorization can be regarded as a process in itself, i.e., the process of granting user access to a specific task. Further, also SoD or BoD constraints can be expressed in a process-oriented way. To follow the binding or separation of granted accesses, they reduce the options to choose who is supposed to execute which task. More precisely, these possibilities are reduced depending on the tasks already performed. Hence, in order to realize a process-oriented representation, a formalism will first be identified that is able to adequately capture the control flow with respect to the identified requirements. In the next step, the policy will be “flattened” (i.e., incorporated) into the process model by using the same way of modeling as identified for the control flow. It will then be necessary to analyze if the behavior of the inputs as well as the overall system behavior is not changed.

This chapter will first explore the possibilities for the modeling of the process, which can primarily be used for the modeling of the control flow, and relate to comparable approaches beyond the WSP and resilience context. In particular, based on the identified requirements, the modeling method should allow both a comprehensive process structure (ROA-2) and an efficient analysis (ROA-3). Based on the process model representation that is considered reasonable, the policy will also be understood as process-oriented, such that it is integrable into the existing workflow. The policy will consider basic constraints (ROA-4) as well as the option for pre-assignments (ROA-1). That way, a security-aware representation that not only represents the functional and behavioral but also the organizational aspect of a security-aware process specification will emerge, named SecANet. A SecANet will also allow considering costs (ROA-6), which can be manually defined or which consider insights from the process specification or the log as well. Finally, the approach will support capturing obstructed states (ROA-7) as well as synthesizing partial plans (ROA-5) that cause obstructions. In all of this, the general intuition and feasibility behind the flattening in the SecANet approach will crystallize. The important system properties of the resulting representation will be highlighted. A SecANet decomposition will then allow reasoning to what extent the approach maintains the integrity of inputs as well as the integrity of the overall process. By introducing the so-called re-enactment, cyclic security-aware workflows can be considered by the SecANet encoding as well. Section 3.2.6 will subsume SecANet-based satisfiability and obstructability checks as SecANet soundness and show further extensions to facilitate analysis. An experimental evaluation will compare soundness checking runtimes with typical WSP-related approaches. In the course of the discussion, the computational complexity of the SecANet encoding will be examined. With the introduction of SecANet+, the SecANet approach will be generalized further. It will lay the basis to integrate additional inputs that model further behavior that affects the process. To show the extensibility of the SecANet+ approach, the integration of additional inputs that further constrain the execution of tasks, e.g., counting constraints but also resilience, will be indicated. Finally, the development of the SecANet formalism and its use as a target metamodel of security-aware process specifications creates a basis for further analysis. It will build the foundation for the model- and the log-based approach presented in Chapters 4 and 5, respectively.

3.1 Ways to Model Processes

Process models usually contain at least the control flow of a process (i.e., the entirety of valid activity sequences). Depending on the metamodel used, they may also include other aspects (data use and flow, actors, etc.). Although each metamodel has various abilities and characteristics, whose suitability depends on its application scenario, it is often possible that a formalism easily translates into other notations and formalisms [6]. UML [116, 117], BPEL [123], BPMN [118], EPCs, YAWL [105], Petri nets and Transition Systems are the most well-known and studied metamodels. Although the question about the most commonly used metamodel is hard to answer, a recent BPM survey at least states that “the OMG’s modeling notation, BPMN, has become a popular, worldwide standard” [104]. To some extent, the effort of this work in capturing the policy into a single process-aware representation is comparable to approaches that provide modeling support for process-related access control models (Strembeck et. al [191], for example, list further literature for related UML, RBAC and BPMN extensions). However, the focus of this chapter is not to support such a modeling in an established metamodel. Based on a specification given in some metamodel, this chapter aims to deduce a representation that focuses on the analysis and handling of obstructability and that meets the stipulated requirements.

Notwithstanding the ideas or methods pursued or developed by the numerous approaches mentioned in Chapter 2, they all show that the prerequisite for their application is the availability of a formal model. For example, this is the case for the satisfiability analysis in which often partial orders describe the flow of process tasks, but also conformance checking. Regarding the latter, for instance, the differentiation between conforming and non-conforming process behavior demands a formal model of the control flow of the process. Up to now, the use of a formal model for the desired representation has been a rather implicit requirement. Against the background of the various metamodels already mentioned, which are often motivated by practice, it is necessary to make this requirement explicit. Such a formal model is supposed to allow the modeling of realistic processes. As identified in Chapter 2, only a few of the WSP-related approaches support comprehensive structural possibilities of processes. Because process mining aims to look at realistic (lived) processes as well, it is worthwhile to observe the metamodels used in process discovery. While, in the beginning, literature mainly based on directed graphs and state machines, there is a distinct tendency towards Petri nets. Publications from other areas of Process Mining support this trend as well [189]. Petri nets, in comparison to state-based metamodels (e.g., transition systems), are more suitable to depict concurrent behavior and causal relations between single activities within a process [55]. They are not purely textual and formal representations but also allow a graph-wise illustration. Their graphical readability is comparable to BPMN models. Petri nets provide a formal semantic and unique definitions for their structure and behavior. Different Petri net dialects allow various possibilities for analysis [2, 4, 86]. In particular, research findings on Petri net properties can be applied to business processes, such that boundedness, liveness, or reachability, for example, determine process completion. To assess the behavior of business processes, Petri net behavior can be examined by observing the language of the net, which encompasses all possible execution sequences. Because a crucial requirement of the approach of this chapter is to not only preserve the behavior of the process specification but also to consider its applicability for further analysis, it is essential to consider the influence of the chosen Petri net dialect on the existence of (efficient) analysis techniques and observability of behavior-related (in the sense of language-related) properties. Regarding the analysis of Petri nets, especially for the class of ordinary so-called Place-Transition nets (P/T nets), there is a plethora of efficient techniques [186]. In contrast, the analysis of the class of Colored Petri nets, as a typical example of high-level Petri nets, is more complex [77]. There are high-level Petri net representations that, in some way, already allow modeling security requirements. For example, there are works on the definition of security properties on Petri nets [12, 111–113] as well as approaches for the verification of access and usage control guidelines [19, 121, 127, 139], integrity conditions [218] and requirements of information flow control [10, 11], or conflict of interest detection [217]. In contrast to ordinary nets, apart from the higher computational complexity, high-level nets do not directly reveal their behavior in their language, which limits the possibilities to reason on the required language preservation.

In essence, Petri nets are graphical, well-known, and widely used. They are the oldest and best-investigated process modeling language allowing for the modeling of concurrency in a mathematical representation. More specifically, it is the graphical nature of Petri nets, their explicit representation of the notion of state, and the existence of analysis techniques that made them eminently suitable for workflow specification [105]. In particular, their distinction between states and events (which manifest in so-called firing sequences) seems promising to depict the state of obstruction. Moreover, their graphical representation also offers the potential to visualize the security-aware process specification more intuitively. Because Petri nets appear to be suitable in many respects and meet the set requirements, they are the method of choice to model the envisaged representation. The rationale in all of this is that, on the basis of such Petri net-based representation and the plethora of analysis techniques, a way to resolve obstructions can be found as well. As far as known, the identified potential of Petri net techniques has not been applied for obstructability analysis so far. Choosing the Petri net formalism does not mean a loss of generality because it translates to other formalisms. For example, regarding formalisms often used in WSP-related approaches, it is known that a family of partial orders is needed to characterize a single Petri net [126]. Thereby, modeling the control flow with Petri nets has the advantage of compactly representing a workflow specified as potentially many partial orders (cf. Section 2.1). Further, as a rare example of WSP approaches that allow for comprehensive process structure, Basin et al. use Hoarse Process Algebra CSP. In this regard, it is always possible to transform a CSP process [213] into a Petri net (more specifically, a so-called safe Petri net). Moreover, while a transformation of informal models into formalized models is not trivial, at least for the regarded basic modeling constructs, there are transformation techniques, e.g., to transform BPMN models [79] into Petri nets^{Footnote 1}. Although Petri nets provide an intuitive and simple graphical representation, they determine a precise execution semantic.

Thus, the approach of this chapter will use Petri nets as its formal model in such a way that it is able to integrate a security-aware process specification into a single net that allows analyzing the obstructability and capturing obstructions, a so-called SecANet. Because the aim of this work is to allow for efficient computation as well as straightforward encodings and behavioral observation, the idea is to stay with ordinary nets because, as explained above, for other Petri net classes, e.g., colored Petri net, the reasoning gets harder. Therefore, all inputs will be flattened into a single P/T net. Thus, it is possible to keep the net constructions as simple as possible. Because such a P/T net can directly encode the control flow of the process, the essential question will be how to map security policies into the net. In this regard, Chapter 2 only formalizes authorization as a mapping of the set of users to the respective set of workflow tasks so far. Moreover, it captures SoD and BoD constraints with the help of different binary relations from the set of users on the respective tasks, for example, entailment constraints. Thus, also straightforward user-task assignments that can be represented by ACLs will be chosen, instead of the more complex representation of RBAC (which, in turn, may also be decomposed to a direct user-task assignment).

The following section is going to formally describe Petri nets, in particular, ordinary Petri nets (or P/T nets), and related concepts. P/T nets build the foundation for the definition of different net properties and net subclasses such as workflow nets (WF-nets), which allow modeling workflows with a precise task execution semantic. The properties of Petri nets such as boundedness, safeness, liveness or deadlock-freeness, will be of interest because they affect, for example, the computational complexity, the interpretability of the state of the net as well as language-related reasoning. After the definitions related to Petri nets, users, user-task authorization as well as SoD and BoD constraints will be defined. That way, the basis will be laid to formally grasp obstructability in workflows.

3.1.1 Petri Nets: The Method

Petri nets represent a graphical and mathematical modeling tool that can be applied to many systems. As described above, they are very well suited for the description and investigation of information processing systems that are characterized as concurrent, asynchronous, parallel, or non-deterministic. Their graphical nature allows for visual communication similar to flowcharts, block diagrams, and networks. Additionally, within these nets, tokens are used to simulate the dynamic and simultaneous activities of systems. That way, a Petri net can encode certain properties of the system it models. There are structural and behavioral properties that relate to the net structure, or the token-related dynamic behavior, respectively. As a mathematical tool, it is possible to set up state equations, algebraic equations, and other mathematical models for system behavior. Petri nets are therefore suitable for both practical and theoretical use [155]. The following definitions related to Petri nets and to properties that will be of relevance in this thesis will mainly base on the works of Murata et al. [155], Desel, Esparza (e.g., free-choice net [73]), and van der Aalst et al. (e.g., WF-nets [3]).

3.1.1.1 Petri Net

A Petri net is a bipartite graph consisting of places graphically represented as a circle and transitions depicted usually as squares, rectangles, or vertical lines. Only two distinct nodes can be related to each other via directed arcs or edges (i.e., an arc connects a place with a transition or vice versa). The resulting net structure is static, but tokens controlled by the firing rule can flow through the network. The distribution of the tokens over the places determine the state of a Petri net and represents its marking [3].

Figure 3.1 shows an example of a Petri net that models the process of two sequentially ordered tasks $t_1$ and $t_2$ wherein the leftmost place contains one token^{Footnote 2}. The written formal notation of this example will be given after the definition for Petri nets.

Definition 3.1 (Petri Net and Marking).

A Petri net is a 4-tuple $N = \langle P,T,\mathcal {F},m_{0} \rangle $ , where P is the set of places, T is the set of transitions, satisfying $P \cap T = \emptyset $ and $\mathcal {F}: (P \times T) \cup (T \times P) \rightarrow \{0,1\}$ is the flow relation, and $m_0$ is the initial marking.

A marking (state) is an assignment of a non-negative integer to each place. If a non-negative integer k is assigned to place p by a marking, it can be said that p is marked with k tokens. For this, a marking is denoted as a |P|-vector $\textbf{m} \in \mathbb {N}^{|P|}$, where the component p of the vector is a natural number. Then, the p-th component of $\textbf{m}$, denoted by m(p), is the number of tokens in place p. To allow for better readability, markings can also be denoted as sets or multi-sets. Because a linear order is assumed for the set of places $P= \{p_1,\ldots ,p_{|P|}\}$, the characteristic vector (or indicator/incidence vector) can be used to link the vector notation with the (multi-)set notation. For a set $m \subseteq P$ (or a multi-set or bag $m\in \mathcal {B}(P)$ over P), the characteristic vector of m with respect to P can be denoted as $\chi (m)=\langle x_1,\ldots ,x_{|p|}\rangle $, where $x_i = 1$ if and only if (shortened as iff) $p_i\in m$ (or $x_i$ is the multiplicity of $p_i$ in the multi-set m) and 0 otherwise, for $1\le i \le |P|$.In this work, markings will explicitly be written as (place) vectors $\textbf{m}$ if required. Normally, however, the notation used is evident from the given specific context.

Based on Definition 3.1, the net P/T net N depicted in Figure 3.1 can be denoted as $P = \{p_1,p_2,p_3\}$, $T = \{t_1,t_2\}$, $F = \{ \langle p_1 , t_1\rangle , \langle t_1 , p_2\rangle , \langle p_2 , t_2\rangle , \langle t_2 , p_3\rangle \}$ and the marking $m_{0} = \langle 1, 0, 0 \rangle $. The visualized marking defines that a single token (small solid black circle) is assigned to place $p_0$. This is the standard visualization of markings that is equivalent to their formal definition. To illustrate the different marking notations, suppose $p_1$ is marked with 1, $p_3$ with 3 and all other places with 0 tokens. This marking m can be denoted as $m(p_1) = 1$, $m(p_2) = 0$ and $m(p_3) = 3$, or as the multi-set $\{p_1, p_3^3\}$, or as the characteristic vector $\chi (\{p_1, p_3^3\})$ that, in turn, encodes the vector notation of the marking $\langle 1,0,3\rangle $.

The set of places and transitions build the nodes of a net. The definition of flow relations above does not allow so-called arc weights $> 1$. A Petri net is said to be ordinary (or plain) if all of its arc weights are 1’s, i.e., an arc only allows to produce or consume exactly 1 token [155]. As mentioned before, all Petri nets considered in this thesis are ordinary P/T nets. The set-based definition of the flow-relation further implies that there may not be multiple arcs between the same pair of nodes (which prevents the possibility to model arc weights $>1$ with multiple arcs). Based on the given net structure, paths between the nodes are connected by a sequence of arcs.

Definition 3.2 (Paths and Cycles).

A path is a sequence of nodes $u_1, \ldots , u_{r}$ such that $\forall i, 1 \le i < r$ : $F(u_{i},\ u_{i+1}) > 0$, i.e., $u_{i+1}$ is an output of node $u_i$. A path is called simple if no node appears more than once on it. A simple path is called a cycle if all nodes along the path differ, except for the initial and the final node.

Definition 3.3 (Strong Connectedness).

A Petri net is strongly connected iff, for every pair of nodes (i.e., places and transitions) x and y, there is a path leading from x to y.

A further structural characterization related to paths is given by the notion of so-called PT- or TP-handles, whose existence indicates a rather “bad” structure.

Definition 3.4 (PT-handle and TP-handle [90]).

A place-transition pair $(p, t) \in P \times T$ is called a PT-handle iff there are two simple paths from p to t sharing only the two nodes p and t ; a transition-place pair $(t, p) \in T \times P$ is called a TP-handle iff there are two simple paths from t to p sharing only nodes p and t .

Hence, Figure 3.1 is not strongly connected because there is for example no directed path for the pair $(p_3,p_1)$ that leads from $p_3$ to $p_1$. However, it does not contain PT- nor TP-handles. The notion of pre- and post-set is essential to describe net properties, in particular, regarding the net structure.

Definition 3.5 (Pre-set, Post-set).

Given a node $x \in P \cup T$, its pre-set $\{y | \langle y,x \rangle \in \mathcal {F}\}$ and post-set $\{y | \langle x,y \rangle \in \mathcal {F}\}$ are denoted by $^\bullet \!x$ and $x^\bullet $ , respectively.

For instance, in Figure 3.1 the pre- and post-sets of $t-1$ and $p_1$ can be denoted as $^\bullet \! t_{1} =\{p_1\}$,$ t_1^\bullet = \{p_{2}\}$, $^\bullet \!p_{1} = \emptyset $ and $p_1^\bullet =\{t_{1}\}$.

So far, the definitions have mainly focused on the properties given by the basic net structure. As indicated before, besides the net structure, a Petri net model of a dynamic system also consists of a marking. The system dynamics or behavior is given by the evolution rules for the marking [186].

The following definitions are token-related and therefore allow the consideration of properties related to the behavior of the net. The distribution of tokens results from a marking (cf. Definition 3.1). A transition can “fire” when all its input places are marked. This Petri net terminology of “firing” a transition represents the execution of a task (which, in turn, stands for the execution of an activity). Firing a transition generates a new marking. Thereby, each input place of the transition loses one token, and each output place of the transition receives one token. Thus, the execution semantics of a Petri net can be grasped as a token flow game that follows this firing rule. That way, the token flow determines the actual system behavior, which is why, as soon as Petri nets are marked, literature often uses the term “system” in different variations.

Definition 3.6 (Enabledness and Firing Rule).

A transition t is enabled in a marking m when all places in $^\bullet \!t$ are marked, which can be denoted by $(N,m)[t\rangle $ iff $\textbf{m}\ge \chi {(^\bullet \!t)}$ (vector notation) or $m \ge ^\bullet \!\!\!\!t$ (multi-set notation), respectively ^{Footnote 3} . When a transition t is enabled, it can fire by removing (or consuming) a token from each place in $^\bullet \!t$ and putting (or producing) a token to each place in $t^\bullet $ .

For instance, based on the given marking in Figure 3.2, transition $t_1$ is enabled (highlighted with red) because all places in $^\bullet \!t_1$ are marked. Firing $t_1$ then consumes a token from each place in $^\bullet \!t_1$ and produces a token in each place $t^\bullet $, which results in the marking $m_{1} = \langle 0, 1, 0 \rangle $ depicted in Figure 3.3.

A transition without any input place is called a “source transition”, and one without any output place is called a “sink transition”. Based on Definition 3.6, a source transition is unconditionally enabled, and the firing of a sink transition consumes tokens, but does not produce any. A pair of a place p and a transition t is called a self-loop if p is both an input and output place of t (e.g, to model a “do-while-loop”). A Petri net is said to be pure if it has no self-loops. Based on the firing rule the set of reachable markings of the Petri net, also called its state space, can be determined.

Definition 3.7 (Reachability and Feasible Sequences).

Given a Petri net N , a marking $m'$ is reachable from m if there is a sequence of firings $t_1 t_2 \ldots t_n$ that transforms m into $m'$ , denoted by $m[t_1 t_2 \ldots t_n\rangle m'$ or $m' \in R(N,m)$ . A sequence of transitions $t_1 t_2 \ldots t_n$ is a feasible sequence if it is fireable from $m_0$ . The set of reachable markings from $m_{0}$ is denoted by $[m_0\rangle $ .

For instance, based on the marking $m_{0} = \langle 1, 0, 0 \rangle $ depicted in the Petri net of Figure 3.1, the marking $m_{1} = \langle 0, 1, 0 \rangle $ shown in Figure 3.3 is reachable through the feasible sequence $t_{1}$, while, for example, the marking $m' = \langle 0, 1, 1 \rangle $ is not reachable. Hence, the reachability of the marking in Figure 3.3 can be denoted as $m_{0}[t_1\rangle m_{1}$.

The set of reachable markings represents the set of states of the system. The transitions between the markings represent transitions between the states. Hence, to capture the behavior of a Petri net, a transition system can be obtained. It contains a set of possible states and a set of transitions that stand for the potential changes of the systems state. That way, transition systems represent automatons that describe the behavior of a system of processes [18]. After the succeeding definition of transition systems, the reachability graph (or marking graph) can be defined.

Definition 3.8 (Transition System).

A Transition System (TS) is a 4-tuple $(S,E,A,s_{in})$ where S is a set of states, E is a set of events where $S \cap E = \emptyset $ , $A\subseteq S\times E\times S$ is the set of arcs (or transitions), which connect states, and $s_{in} \in S$ is the initial state. The transitions are denoted by $(s, e, s')$ or $s\xrightarrow {e}s'$ . $S_0 := \{s\in S\ |\ \not \exists \;(s,e,s')\in A\}$ denotes sinks within the TS, i.e., states without outgoing arcs.

A TS is called finite when S and E are finite. This thesis only deals with finite transition systems. A state $s'$ is reachable from a state s if there is a sequence of events $\sigma = \langle (s, e_1,s_1)\ldots (s_k,e_k,s')\rangle $. Reachability can be denoted with $s \xrightarrow {*} s'$ or, specifically, $s \xrightarrow {\sigma } s'$. Based on this, the reachability graph can be defined as follows.

Definition 3.9 (Reachability Graph).

For a Petri net $N= (P, T, F, m_{0})$, the reachability graph RG(N) represents a TS whose states correspond to the set of reachable markings $ [m_{0}\rangle $ and whose events correspond to transitions. There is an arc $(m, t, m')$ iff $m\xrightarrow {t}m'$. $ m_{0}$ is the initial state.

The boundedness of a Petri net means that, within all reachable markings, there is an upper bound for the number of tokens contained in places. Thus, it is a consequence of the finiteness of its reachability graph. A 1-bounded Petri net is called “safe”.

Definition 3.10 (Boundedness and Safeness).

A Petri net is bounded iff for every reachable state and every place p the number of tokens in p is bounded, i.e., there is an integer k such that the number of tokens in any place cannot exceed k. More specifically, a Petri net is k -bounded if no marking in $[m_{0}\rangle $ assigns more than k tokens to any place of the net. A net is bounded if it is k -bounded for some k such that no place holds more than k -tokens, i.e., $\forall p \in P$ and $\forall m \in [N, m_{0}\rangle : m[p]\ <k.$ A Petri net is safe if the numbers of tokens in each place cannot exceed one, i.e., it is 1-bounded.

Although the terms of liveness and safety that are introduced in this section are reminiscent of the two classes of security properties considered in Chapter 2, it is important to note that safety and liveness security properties are not equivalent to their counterparts in Petri net theory. However, they can be used to describe somewhat similar properties [132].

Definition 3.11 (Liveness).

A PN is live iff every transition can be infinitely enabled through some feasible sequence of firings from any marking in $[m_0\rangle $ . Hence, for no matter which marking has been reached from $m_{0}$ , then for each transition t of the model, there must be a sequence of firing such that the resulted marking enables t , i.e., $\forall m \in [N, m_{0}\rangle $ , $\exists \;m' \in $ $[N, m\rangle $ such that $(N, m)[t\rangle $ . Further, a transition is “simply live” if it can fire at least once. A Petri net is “simply live” if all of its transitions are simply live.

Historically, the concept of a safe or n-safe (or n-bound) Petri net as well as liveness and related variants have been in use since the 1970s. At the beginning of the 1980s, temporal logic then distinguished between safety properties and liveness properties (i.e.,“something bad” or “something good” happens, respectively). As elaborated in Chapter 2, a sensible description of the requirements of a system always includes properties of both types [172]. This analogy also applies to Petri nets because the properties of liveness and n-safeness can be subsumed under the notion of well-formedness.

Definition 3.12 (Well-Formedness).

A Petri net N is well-formed iff there is a state m for the net such that (N, m) is live and bounded.

Definition 3.13 (Deadlock-Freeness).

A Petri net N is said to be deadlock-free if at least one transition is enabled at each marking m derived from the initial marking $m_{0}$ .

Definition 3.14 (Reversibility).

A net is reversible if the initial marking $m_{0}$ is reachable from every marking of $[m_0\rangle $ . This means that the system can get initial settings after it is executed.

It should be noted that liveness, boundedness, and reversibility are independent of each other. Because the notion of obstruction can be compared to a deadlock situation, the notion of siphons and traps will be introduced.

Definition 3.15 (Siphon).

A siphon (or also named deadlock) is a set of places such that every transition that outputs to one of the places in the siphon also inputs from one of these places. Formally, a non-empty subset of places D of a net is a siphon if $\;^\bullet \!D\subseteq D^\bullet $. This means that if a siphon is blank (i.e., does not contain any tokens), it will remain blank for every possible firing sequence. Hence, if a marking $ m\in [N, m_0\rangle $ is in a deadlock state, then $\forall d \in D : m[d]\ =0$, i.e., D is an unmarked set of places. In this case, no transition can place a token in the siphon because there is no token in the siphon to enable a transition that outputs to a place in the siphon.

Because every transition that has an input place in a “blank” siphon is in a deadlock and will have no chance of firing, a siphon is “bad” for liveness. Such a deadlock, in the sense of a Petri Net, is a deadlock in the usual sense only if it is blank. Therefore, literature also refers to the wording “potential deadlock” for the siphons defined above [161].

Definition 3.16 (Trap).

A trap is a set of places such that every transition that inputs from one of these places also outputs to one of these places. Formally, a non-empty subset of places D of a net is a trap if $D^\bullet \subseteq \; ^\bullet \!D$ . Hence, once a trap is marked (i.e., does contain at least one token), it will always be marked, no matter what firing sequences take place. Once a token is in any of the places of a trap, there will always be a token in one of the places of the trap. Hence, if marking $ m\in [N, m_0\rangle $ is in a trap state then $\exists d \in D : m[d]\ =1$ , i.e., D contains at least one marked place. In other words, the firing of transitions may move the token between places but cannot remove all tokens from a trap.

For instance, the net in Figure 3.1 contains the siphon $D=\{P_{0}\}$ because $\;^\bullet \!D= \emptyset $ and $D^{\bullet }=\{t_1\}$, i.e., $\;^\bullet \!D\subseteq D^\bullet $ and the trap $D=\{P_{2}\}$ because $\;D^\bullet = \emptyset $ and $^\bullet \!D=\{t_2\}$, i.e., $D^\bullet \subseteq \; ^\bullet \!D$. A more detailed explanation will be given in the course of the example SecANet in Section 3.2.

Traps and deadlocks are not exclusive. For instance, every strongly connected Petri Net is both a trap and a siphon. An essential connection between traps and siphons is that if a deadlock contains a marked trap, it will never become blank, such that this siphon is no threat to liveness anymore. This property is also known as the siphon/trap- or trap/co-trap-property [51].

3.1.1.2 Basic Modeling Examples

Several fundamental situations may occur in the dynamic behavior of Petri net systems. In particular, a strong feature of Petri net models is that notions concerning concurrent systems can be formulated in a very natural way. Based on the previous definitions, basic modeling possibilities that illustrate how a Petri net can be used and composed to model the required sequential, parallel, conditional (or exclusive) and looping behavior (cf. ROA-2) will be provided. For this, three fundamental relationships that may hold between the occurrence of two events, i.e., the firing of transitions $t_1$ and $t_2$ (which may model tasks, or activities), will be regarded: causality, concurrency, and choice [155].

Causality:

Causality means that the occurrence of an event conditions the occurrence of another one. This results in a sequential order. Figure 3.1 illustrates an example of such a causal relationship. Here, $t_1$ needs to occur to enable $t_2$, or, in other words, firing $t_1$ is the cause that enables $t_2$.

Besides modeling causal relationships, the possibilities of a Petri net modeling concurrent systems are distinctively interesting for parallelism and non-determinism. The non-deterministic and nonsimultaneous firing of transitions is reflected in the following two ways [161]:

Concurrency:

When two enabled transitions do not affect one another in any way (i.e., they are causally independent), and a transition may fire before or after or in parallel with the other, it is called concurrency. There is no need to synchronize the events unless it is required by the underlying system that is being modeled. When synchronization is needed, it is easy to model this as well. The Petri net shown in Figure 3.4 [155] illustrates how this can be expressed. The parallel or concurrent activities are represented by transitions $t_1$ and $t_2$. They are both enabled after the firing of the transition $Parallel\;Begin$. After the firing of both parallel transitions, the transition $Parallel\;End$ can fire. Moreover, the path from $Parallel\;End$ to $Parallel\;Begin$ models a loop.

Choice:

The other situation, in which simultaneousness is more difficult to tackle, can be handled by defining events that occur non-simultaneously. This structure of the place p, having two (or more) output transitions $t_1$ and $t_2$ as shown in Figure 3.5, is referred to as a conflict, decision, or choice, depending on its applications. Both activities are enabled but only one of them can be executed. In other words, only one transition can fire because, by firing, it removes the token in the shared input and disables the other transition. Hence, a choice relationship can be used to model decision nodes for exclusive paths or conditional gateways in a process model. It is a structure exhibiting non-determinism [155], in a sense that the selection which single transition to fire out of a set of enabled transitions may be determined in the modeled system, but not in the model simply because the model does not contain the complete information about the system. For instance, in the DMV example, the decision if the computation of the market value is correct cannot be solely assessed by the information provided by the model. In practice, at least the expertise of the case officer and further context information on the collateral under consideration and its computed market value would be required.

In summary, two events are causal if $t_1$ causes $t_2$, they are in conflict if either $t_1$ or $t_2$ can occur but not both, and they are concurrent if both events can occur in any order without conflicts. These examples illustrate that Petri nets can comprehensively model the required structures and that they constitute a basic construction kit for Petri net modeling. In the combination of these elements, further, but still rather basic, situations can be observed. When conflict and concurrency are mixed, it is called confusion. There are two types of confusion. Figure 3.6 shows a symmetric confusion because two events $t_1$ and $t_2$ are concurrent while each of $t_1$ and $t_2$ is in conflict with event $t_3$. Figure 3.7 shows an asymmetric confusion, where $t_1$ is concurrent with $t_2$ but will be in conflict with $t_3$ if $t_2$ fires first. These elementary relationships between activities will be important in the subsequent identification of Petri net subclasses as well because they provide a means to assess their modeling capabilities.

3.1.2 Petri Net Subclasses

The introduction above on ordinary Petri nets (i.e., P/T nets) allows a more thorough elaboration of the mentioned aspects regarding the suitability of high-level Petri nets. The underlying question is whether ordinary nets are sufficient to cover all relevant inputs or whether extended nets may address the requirements of the envisaged representation in a better way.

To start with, the simpler the structure of a Petri net is, the simpler the formal description of the behavior of individual transitions and also the corresponding analysis procedures become. On the other hand, simplifying the net also lowers the level of detail of the model and counteracts the modeling efficiency and the convenience of modifications and the extension of Petri nets. Regarding the latter, besides timed Petri nets [168] or stochastic nets [151], the introduction of individual objects as tokens particularly increases the descriptive power of nets and allows for small but efficient as well as practical modeling of systems. Such aforementioned high-level nets subsume predicate/transition nets [95], colored Petri nets (CPNs)[120], or nets with individual tokens [171] (e.g., relation nets) [155]. That way, Petri nets can be extended, for example, with resources, data, users, or also time-related information, which results in different Petri nets dialects. Besides the fact that different token colors can be used to represent data-aspects, e.g., modeling data items or the information flow [190], they also allow modeling access control policies by modeling users [139, 191], which is particularly interesting for the intended modeling. However, such data-oriented nets not only require more complex analysis techniques [77] but also complicate behavioral observation. When, for example, token colors represent users, the transition execution sequences may not directly reveal decisions related to user accesses. In this case, the behavior of the system is not explicitly expressed in the language of the net. Although methods to transform CPNs to ordinary nets can overcome these issues, such unfoldings represent a separate step that would have to precede the desired representation [77]. Folding into (or unfolding from) a CPN, however, requires knowledge of the still unknown desired representation. Instead, the language should reflect user accesses for now, which means that transitions need to be used not only for task or activity modeling but for policy modeling as well.

Hence, in contrast to extended Petri nets, using P/T nets for the intended modeling implies that both the data reasoning stays gentle and policy-related behavioral properties are reflected in the language of the net as well. Nevertheless, in the wake of the requirement to allow for efficient solutions, it is not necessarily sufficient to only consider the class of P/T nets for this but it is necessary to also examine the implications of specific subclasses and properties on later analyses. Therefore, the subsequent section will not look at high-level abstractions and extensions beyond P/T nets. Instead, it will scrutinize the class of ordinary Petri nets more thoroughly. By imposing restrictions on these Petri nets, in particular on the net structure, the following different Petri net subclasses can be obtained [32, 51, 101].

3.1.2.1 Place- and Transition-Related Systems

Definition 3.17 ( State Machine or S-System).

A State Machine (SM) is a Petri net such that each transition has exactly one input place and one output place.

Petri net state machines can describe all finite automaton. The characteristic nodes in SMs are the places. Each transition allows the tokens to flow from one place to another, but a token in a particular place may enable multiple transitions, which represents a conflict (as depicted in Figure 3.5).

Definition 3.18 (Marked Graph or T-System).

A Marked Graph (MG) is a Petri net such that each place has exactly one input transition and one output transition.

The characteristic nodes in a marked graph are the transitions. Each place receives tokens from one transition and loses tokens to another, but a single transition may have multiple input and output places. Marked graphs allow synchronization, as depicted in Figure 3.4. That way, tokens in multiple places are simultaneously lost due to the firing of a single output transition and gained by firing a single input transition.

Some nets, for example, a closed-loop of transitions and places (which does not have any conflict or synchronization), are both an MG and an SM. However, in general, the Petri net subclass of state machines allows the representation of decisions but does not allow for synchronization (concurrency is only possible if more than one token is distributed over the net). On the other hand, marked graphs allow the representation of concurrency but not of decisions or conflicts. Hence, both do not allow the comprehensive modeling capabilities that are required for the approach.

3.1.2.2 Choice-Related Nets

A restricted Petri net subclass that allows for non-trivial behaviors, in particular conflicts and synchronizations, builds the class of free-choice Petri nets, which can be seen as a State Machine enriched with a Marked Graph. Free-choice nets have the behavioral feature that if two transitions share an input place, and if that place is marked, both transitions are enabled, or there is no marking that enables one transition and disables the other one. For instance, the choice construct depicted in Figure 3.5 is an example of free-choice.

Definition 3.19 (Free-Choice Nets).

A Free-Choice (FC) net is a Petri net such that every arc $<p,t>$ from a place p to a transition t is either a unique outgoing arc (t is the only output transition of p (no choice)) or a unique incoming arc to a transition (p is the only input place of t (no synchronization)). Hence, for all pairs of places $p_{1}, p_{2} \in P$, if $p_1^\bullet \cap p_2^\bullet \ne \phi $ then $|p_1^\bullet | = |p_2^\bullet | =1.$

In other words, if any output transition of a place p is enabled, then all output transitions of that place p are enabled. Hence, in this sense, it is possible to freely choose which of the enabled transitions is supposed to fire. Each of the three nets in Figure 3.8 represents a self-contained sufficient description of free-choice nets. To extend the class of nets while retaining this basic property of a free-choice between conflicting transitions, the majority of papers on FC nets use a slightly weaker definition. A system of such a so-called extended free-choice net can be simulated by an FC system.

Definition 3.20 (Extended Free-Choice Net).

An Extended Free-Choice (EFC) net, is a Petri net such that for all pairs of places $p_1$,$p_2 \in P$, if $p_1^\bullet \cap p_2^\bullet \ne \emptyset $, then $p_1^\bullet = p_2^\bullet $.

For example, the EFC net in Figure 3.9(a) can be simulated by the FC net in Figure 3.9(b). (Extended) Free-choice nets are essential in the theory of net systems, in particular in the structural theory of Petri nets. Their structural and behavioral properties are strongly interrelated, i.e., the behavior of a marked net can be connected to the structure of the underlying unmarked net [32]. For example, in the light of the state space explosion problem in behavioral Petri net analysis, such structural methods are more appropriate to deduct if a specific marking can be reached. Even in bounded nets, the state space can be exponential on the size of the net. In FC nets, liveness and well-formedness, which subsumes boundedness, can be linked to siphons and marked traps (Commoner’s Theorem [51]) as well as to the rank of the incidence matrix of the net (Rank Theorem [73]). In the course of this work, FC nets are particularly interesting because, firstly, they are able to model the stipulated non-trivial control flow requirements (ROA-2) and, secondly, there are still powerful methods for their analysis and synthesis (ROA-3). While, for example, reachability is EXPSPACE hard for arbitrary Petri nets [146] and still NP-complete [88] for live and safe FC nets, it is efficiently solvable for the class of FC live, safe and reversible Petri nets [75]. Furthermore, the problem of deciding whether an FC Petri net is live and bounded is solvable in $O(n*m)$ time, whereby n is the number of places and m the number of transitions. Many of the analysis problems of live and bounded FC Petri nets have, in turn, been shown to have polynomial time complexity [88].

When decisions are not made “freely” but are influenced by previously executed activities, so-called asymmetric choice (AC) nets may describe this. The combination of choice and synchronization (which has been identified before as “confusion”) is also termed Non-Free-Choice (NFC).

Definition 3.21 (An Asymmetric Choice Net).

An Asymmetric Choice (AC) net (also known as a simple net) is an ordinary Petri net such that for all pairs of places $p_1$,$p_2 \in P$, if $p_1^\bullet \cap p_2^\bullet \ne \emptyset $, then $p_1^\bullet \subseteq p_2^\bullet $ or $p_2^\bullet \subseteq p_1^\bullet $

ACs [32] allow asymmetric confusion (see Figure 3.6 for an asymmetric combination of choice and concurrency) but disallow symmetric confusion (cf. Figure 3.7). The post-sets of any two places may be disjoint or identical (as in free-choice), or one post-set may be contained in the other. Hence, asymmetric choice nets represent an extension of free-choice nets where the theorems that are important in FC only hold partially [73, 122]. The study of the property analysis complexity of ACs found, for example, that it is co-NP-hard for the analysis of liveness and boundedness [136].

3.1.2.3 Workflow Net

As a further subclass within the class of ordinary nets, the so-called workflow nets (WF-nets [4]) can be used to represent processes in process-aware information systems with Petri nets. Therefore, the techniques and methods of this thesis assume that the control flow of the process is specified with such a type of net. A WF-net satisfies two requirements: Firstly, a WF-net is a Petri net that has one input place i (denoting the initial state of the system) with no incoming arcs and an output place o (denoting the final state of the system) with no outgoing arcs. A token in i corresponds to a case that needs to be handled and a token in o corresponds to a handled or completed case. The transitions in a WF-net represent tasks and the places represent conditions. Both should contribute to the processing of a case, such that in a WF-net, there are no dangling tasks or conditions. Therefore, every transition t, or place p, respectively, should be located on a path from place i to place o. The later requirement corresponds to strong connectedness (cf. Definition 3.3). Its examination requires that o is connected to i via an additional transition $t^{*}$ [4]. These two structural properties are termed “WF-structuredness”.

Definition 3.22 (WF-Net).

A Petri net $N = \langle P,T$^{Footnote 4}$,\mathcal {F},m_{0} \rangle $ is a WF-net (Workflow net) iff [4]:

(i)
N has two special places: i (input) and o (output). Place i is a source place: $^\bullet \!i=\emptyset $. Place o is a sink place: $o^\bullet =\emptyset $.
(ii)
If a transition $t^{*}$ is added to N that connects place o with i (i.e., $^\bullet t^{*}=\{o\}$ and $t^{*\bullet }= \{i\}$), then the resulting extended Petri net $\overline{PN}$ is strongly connected.

The example of a Petri net in Figure 3.1 already represents a WF-net. It can be regarded as the mapping of the BPMN workflow model of the “determine market value” process into a WF-net representation, in which $t_1$ represents the “determine market value” task, and $t_2$ stands for the “control computation” task. Moreover, there is a source place, and a sink place whereas all other nodes are on a path between them.

In order to be able to elaborate on possible task execution sequences of a given workflow net, systems nets are introduced. This will particularly be relevant to grasp complete but also incomplete execution sequences.

Definition 3.23 (System Net, Full and Terminal Firing Sequences).

A System Net (SN) defines a set of sequences, each one starting from the initial marking and ending in the final marking. A SN is a tuple $SN = (N, m_{start}, m_{end})$ , where N is a WF-net and the two last elements define the initial and final marking of the net, respectively. The set $ \digamma _{\!SN} = \{ \sigma \mid (N,m_{start})[\sigma \rangle (N,m_{end})\}$ denotes all the full firing sequences of SN .

In this work, the notion of an end marking or final state differs from a terminal state. Final states, such as $m_{end}$ , are defined. Terminal states represent the states (markings) that do not allow the firing of any further transition. Accordingly, the set $ \mathcal {T}_{\!N}\ = \{ \sigma \mid (N,m_{0})[\sigma \rangle (N,m') \wedge m' \in [m_0\rangle \wedge \not \exists t \in T: m'[t\rangle \}$ denotes all the terminal firing sequences of the net N with its initial marking $m_0$ . Accordingly, based on an initial marking $m_{0}$ , the set of terminal markings $\{m | m \in [m_0\rangle \wedge \not \exists t \in T: m[t\rangle \}$ is denoted by ${[m_0\rangle }_{\!\mathcal {T}}$ .

For example, for the WF-net in Figure 3.1, the set of full firing sequences of the system net $SN = (N, \{p_0\}, \{p_2\})$ is $\digamma _{\!SN}=\{\langle t_1,t_2 \rangle \} = \mathcal {T}_{\!N}$. That way, it is possible to link reachability with completability because a non-reachable end marking may indicate an unsatisfiable workflow. The fact that the firing sequence of the example net encodes safety properties (e.g., $t_1$ occurs before $t_2$) and liveness properties (e.g., eventually $t_2$ occurs) underlines that each property of an initially marked Petri net can be composed of its safety and liveness properties [13].

3.1.2.4 Workflow Soundness

The requirements stated for a WF-net in Definition 3.22 are minimal requirements [4]. Even if these requirements are satisfied, it is still possible to determine a workflow process definition with potential deadlocks. Hence, WF-nets must meet some properties to avoid unexpected results subsumed in the subsequent soundness criteria [7]. To a large extent, these assumptions often refer in some way to the absence or existence of deadlocks, which underlines, in turn, the effort to ensure the completion of the workflow. Based on the typical properties of a P/T net and WF-structuredness, a WF-net is sound if and only if the following three requirements are satisfied:

Definition 3.24 (Soundness of a Workflow Net).

A WF -net with input place i and output place o is sound if the following conditions are met:

(i)
Option to complete: For each case and any marking reached from the initial marking it is still always possible to reach a state that marks the end place o, i.e., $\forall m \in R(N, i)$, $m(o) \in R(N, m)$;
(ii)
Proper completion: If o is marked all other places are empty for a given case, i.e., $\forall m\in R(N, i)$, if $o\in m$ then $m = \{o\}$;
(iii)
No dead transitions: It is possible to execute an arbitrary activity by following the appropriate firing sequence through the WF-net, i.e., $\forall t\in T,\; \exists m\in R (N, i)$ such that $(N,\ m)[t\rangle $ .

To analyze these criteria, the structural characteristics of the regarded nets are again decisive. While, for a complex WF-net, it may be intractable to decide on its soundness, if the structure of a WF-net is, for example, free-choice, the soundness problem is solvable in polynomial time [7]. In contrast, the soundness problem in asymmetric choice WF-nets has been proven to be Co-NP-Hard [136].

Block-Structure:

As a further way to facilitate soundness analysis, another approach that aims to obtain a structural characterization of “good” workflows is to assume block-structured models [7]. Although, in general, there are different definitions in this respect [105, 140, 212], the property of such block-structured models usually refers to the need for synchronization of splits and joins of the paths in the control flow. These blocks are entered as well as left at a single point. That way, there is only a single branch going in and out, before and after the block. Thus, these blocks are also called single-entry single-exit (SESE [40, 110]) regions. Subsequently, the fundamental types of such blocks in workflows, which are also known as basic workflow patterns [6], will be illustrated (building on the concise summary of the patterns from Carmona et al. [40]). Thereby, their similarity to the previously introduced basic Petri net examples will become evident.

Sequential Pattern: The sequence pattern forms a strong relationship between the connected tasks (see Figure 3.10). It restricts the process in such a way that activities are only executed in the sequential order specified for the respective tasks.
Figure 3.10
Sequential pattern
Full size image

Figure 3.11
Exclusive pattern
Full size image
Exclusive Choice: The exclusive choice pattern depicted in Figure 3.11 can be used to represent a conflict or choice in a process (e.g., the conflicting activities $t_1$ and $t_2$ in the net in Figure 3.5). Two modeling constructs help in designing models that contain choices in a block-oriented way: first, the exclusive split (or OR/XOR-split), which indicates the mutually exclusive alternatives to continue at a specific point, and second, the exclusive join, which brings together alternative branches in the model to continue from there on a common path.
Parallel Execution: There may be activities in a process, which all need to be performed, but there are no dependencies between them (e.g., the activities $t_1$ and $t_2$ in the net in Figure 3.4). Thus, the activities can be performed in parallel. Parallel execution starts at the parallel split (or AND-split). It shows that all outgoing branches are executed independently. Within the branches that leave the parallel split, other workflow patterns or block structures can still be used (i.e., “nested”). If the execution of the parallel branches is terminated and any further activity in the process depends on these branches one after the other, all these branches will need to be completed before moving on. To capture this synchronization in a process model, a parallel join is used. It has several incoming branches and a single outgoing branch. The parallel join operation ensures that the process cannot continue until all incoming branches are completed. Figure 3.12 depicts the respective split and join.
Loop: The loop pattern can be realized by a combination of the exclusive split and the join (see Figure 3.13). Unlike with the normal exclusive pattern, it is possible to choose to go back to an earlier point in the process to indicate that one wishes to repeat the activities represented by the respective tasks starting from that point. That way, the control flow forms a loop that can have as many iterations as desired. Each time the same decision point is reached, it can be decided whether to go back and do another iteration or to leave the loop and continue the process. It is important to note that such a loop or cycle begins with an exclusive join operation that merges the current control flow with a branch that may only be taken in the future. Hence, such a loop has a single-entry and a single-exit point as well.

Based on these blocks, it is possible to build more complex process models by nesting these workflow patterns. Despite the specific pattern, it can be observed that splits initiate branching and thus set paths in either a parallel or exclusive relationship to each other. Joins reunite these paths, i.e., they synchronize them. Hence, two parallel flows initiated by a parallel split must not be joined by an exclusive join. Equivalently, two alternative flows created via an exclusive split, must not be synchronized by a parallel join. Instead, a parallel join should complement a parallel split, and an exclusive join should complement an exclusive split [7]. If a model consists only of such blocks, or such SESE regions, respectively, the model is called block-structured (or well-structured). “Unstructured models” describe models that do not have this property. To define this characteristic of balancing equivalent splits and joins for WF-net models, the existence of PT- and TP-handles will be examined.

Definition 3.25 (Well-Handled).

A Petri net PN is well-handled iff it has neither PT-handles nor TP-handles.

A Petri net that is well-handled has several desirable properties, for example, strongly connectedness and well-formedness coincide [7]. That way, a well-handled extended WF-net can be live and bounded for the initial marking $m=\{i\}$.

Definition 3.26 (Well-Structured).

A WF-net PN is well-structured iff its extended net $\overline{PN}$ is well-handled.

Due to the well-structuredness property, it is possible to deduce further properties from WF-nets. To decide if a well-structured WF-net is sound can be verified in polynomial time. Moreover, a sound well-structured WF-net is safe [7].

SESE regions support applying specific reductions as well [200], i.e., net reduction methods allow transforming Petri nets into simpler nets while keeping properties of the initial net. Because the problem size of a net is reduced that way, net reductions can facilitate later analysis.

Block-Structured Free-Choice WF-Nets:

Regarding the different identified net classes, it can be summarized that SMs admit no synchronization, MGs admit no conflicts, FCs admit no confusion, and ACs allow asymmetric confusion (but disallow symmetric confusion) [155]. When these subclasses are associated with block-structured models, it seems that SESE models already imply a certain “good structure” as well. However, the subsequent counter-examples are constructed to show that block-structured models do not necessarily imply free-choice or even asymmetric choice. There are live bounded free-choice WF-nets that are not well-structured (Figure 3.14) as well as well-structured live bounded WF-nets that are not free-choice (Figure 3.15) or not even AC (Figure 3.16).

To unite the advantages of free-choice and block-structured models for the control flow of the process, this thesis assumes WF-nets that are both FC and SESE. Besides the already illustrated mild computational aspects of FC nets and block-structured models, working with a block structure that allows for all required modeling constructs will be beneficial for modeling further constructs into the model as well. In particular, such SESE regions will help to identify blocks, for which parts of the authorization policy and constraints have to be modeled, namely, blocks that encode sequential, exclusive, parallel, and loop patterns. Loops, or loop-affected blocks, can be identified easily because the block structure explicitly determines how loops may occur.

Still, there may be the problem that a given block-structured WF-net model is not free-choice. However, for the envisaged WF-net type, this is a surmountable difficulty because there are transformations for arbitrary Petri nets into free-choice nets [124, 187, 188]. In general, such transformations increase the structural complexity of the nets, in particular the number of nodes and arcs. However, given block-structured models, the considered NFC nets are not that “arbitrary” anymore and already show such a structural limitation that they can often be transformed into a free-choice net by means of only a few modifications. For example, to make the net from Figure 3.15 free-choice, only a single so-called silent transition (which merely acts for routing purposes) and a single place needs to be added (see Figure 3.17). Thus, the increase in the structural complexity that the transformation requires remains moderate. However, such a modification, consequently extends the state space. It creates intermediate steps and intermediate states, which must be considered as such to ensure the interpretation of the original net.

To illustrate a comprehensive example of such a WF-net net, the CEW process from the previous chapters will be considered again. As indicated before, there are straightforward transformations into Petri nets for a subset of BPMN elements. Figure 3.18 depicts this basic mapping that goes back to Dijkman et. al [79]. Due to the block-structure of the BPMN model in Figure 3.19, transforming the BPMN model results in a block-structured and also free-choice Petri net, which can be seen in Figure 3.20.

3.1.2.5 Policy-Aware Workflow Net

To prepare a directly processable formal input for the approach that entails not only the so far emphasized control flow of the process but also the whole process specification, the definitions of authorizations and constraints will also be directly related to the WF-Net. This will prepare a process-oriented definition of the policy as well. The definitions are adapted from the WSP-related works of Crampton et al. [49, 60] because they allow for a simple, though, comprehensive representation of authorization and relevant constraints.

User-Task Authorization:

In practice, the authorization policy will not explicitly be defined as a user-task authorization. Instead, the authorization policy will be inferred from typical access control data structures [58]. Because, for common access control policies (e.g., RBAC), it is straightforward to derive the tasks for which users are authorized, a user-task authorization will be used in order to simplify the exposition. By making the inputs simple, the idea of keeping the net constructs involved as simple as possible, as described in the introduction to this chapter, is underlined.

Definition 3.27 (User-Task Authorization).

Because the transitions into a WF-net represent tasks, given a workflow net $N = \langle P,T,\mathcal {F},m_{0} \rangle $ and a set of users U, an authorization policy (or a user-task authorization) for N can be denoted as a relation $TA \subseteq U\times T $, which may be represented as a set of authorization lists $\mathcal {A} = \{TA(u) : u \in U\}$, where $TA(u) = \{t \in T : (u, t) \in TA\}$ denotes the set of tasks for which u is authorized. Analogously, it may be represented as a set of task-assignment lists $\mathcal{T}\mathcal{A} = \{TA(t) : t\in T\}$, where $TA(t) = \{u \in U : (u, t) \in TA\}$ denotes the set of users that are authorized for t. User u is authorized to perform task t iff $(u, t) \in TA$. It is assumed that for every task $t \in T$, there is some user $u\in U$ such that $(u, t) \in TA$^{Footnote 5}.

For example, the user-task authorization depicted in Figure 3.21(a) is formalized as $TA = \{(Alice, t_1) ,(Alice, t_2) ,(Bob, t_1)\}$, the authorization list as $TA(Alice)= \{t_1,t_2\}$ and $TA(Bob)= \{t_1\}$.

Constraints:

As mentioned before, although further constraints regarding workflow satisfiability analysis have already been investigated [61], the focus is on common user-independent constraints, namely SoD/BoD-related binary constraints, which suffice to reach an obstructed state (ROA-4). For the sake of completeness, it should be mentioned that an authorization list may be interpreted as a unary constraint as well, where the scope of the constraint is a single task [50]. However, as elaborated in Chapter 2, a separated view on these both types will be maintained.

Definition 3.28 (Constraints).

A constraint $c\in C$ may be viewed as a pair $(T_c, \Theta )$, where $T_c \subseteq T$ is the scope of c and $\Theta $ is a set of functions from $T_c$ to U, specifying the assignments of steps in $T_c$ to users in U that satisfy the constraint. In practice, the elements of $\Theta $ are not enumerated. Instead, its members are defined by implicitly using some constraint-specific syntax. For example, $(t, t^\prime , \rho )$ can be written, where $t, t^\prime \in T$ and $\rho $ is a binary relation defined on U, to denote a constraint that has scope $\{t,t^\prime \}$ and is satisfied by any assignment $\pi : T\rightarrow U$ such that $(\pi (t),\pi (t^\prime )) \in \rho $. In particular, the separation-of-duty constraint $(t, t^\prime , \ne )$ requires t and $t^\prime $ to be performed by different users. Similarly, the binding-of-duty constraint $(t, t^\prime , =)$ requires t and $t^\prime $ to be performed by the same user.

For example, the SoD constraint indicated in Figure 3.21(b)can be denoted as $(t_1, t_2, \ne )$. Although the focus is on such SoD and BoD constraints, the possibilities of considering further constraints will be addressed as well at the end of this chapter. Based on these definitions, it is now possible to define the input for the approach, namely a policy-aware workflow net. It comprises a WF-net with policy formalizations tailored to it and thus bundles the different aspects of a security-aware process specification. In other words, it contains all inputs required for the desired representation.

Definition 3.29 (Policy-aware Workflow Net).

A policy-aware workflow net $N^{pol}$ is represented as a tuple $\langle N, U, TA, C\rangle $, where N is a WF-net, U is a set of users, $ TA\subseteq \mathcal {U}\times T$ is the user-task authorization, and C is a set of constraints.

Thus, the complete security-aware specification of the DMV process can, for example, now be formalized as a policy-aware WF-net $N^{pol} = \langle N, U, TA, C\rangle $, where $N = \langle \{p_1,p_2,p_3\},\{t_1,t_2\}, \{ \langle p_1 , t_1\rangle , \langle t_1 , p_2\rangle , \langle p_2 , t_2\rangle , \langle t_2 , p_3\rangle \},\langle 1, 0, 0 \rangle \rangle $, $U=\{Alice, Bob\}$, $TA = \{(Alice, t_1) ,(Alice, t_2) ,(Bob, t_1)\}$, and $C=\{(t_1, t_2, \ne )\}$.

3.2 The SecANet Solution

This section proposes the SecANet approach as a way to analyze and capture process obstructions in PAISs. Its methodology will allow the flattening of a workflow and the corresponding authorization data into a Security-Aware Petri net (which gives the approach its name). That way, a process representation that not only includes functional and behavioral but organizational process aspects as well emerges. Besides desirable Petri net properties, language-related properties are of particular interest to examine the behavior of the different process aspects in the resulting representation. In this regard, the approach is supposed to preserve the integrity of all process aspects involved, which will be regarded on different levels.

Integrity of Inputs: In this thesis, the different process aspects manifest themselves in the process model and its policies. Each such input constitutes a common (abstract) representation used in a PAIS. The encoding of such input is supposed to preserve its initial behavior. Moreover, it should be possible to unambiguously retrace results from the representation back to given inputs. In case of an obstruction, this allows deducing conclusions or improvements for the process design.
Integrity of the Overall Representation: The representation is supposed to provide a consistent full picture of the overall process in a PAIS. For this, the overall representation needs to preserve the behavior of the initial inputs. Moreover, each part of the overall representation is supposed to allow traceability to its corresponding initial input as well.

Based on an example, this section will first depict the general idea behind the principle of flattening and resulting possibilities for analyses. For behavioral observation, it will first be sufficient to consider related full firing sequences. A more thorough language-oriented examination will be performed after the introduction of the SecANet definitions. Based on the example, the approach will be generalized for authorization policies as well as SoD and BoD constraints. That way, based on a WF-net, obstructions can be captured with an “obstruction marking”. The representation will already be prepared in such a way that it will allow encoding cycles (loops) as well. For the sake of simplicity and efficiency, this generalized encoding will be described on acyclic nets first. After introducing the formal basis for language-related observations on Petri nets, this section will decompose the approach to examine its language. The resulting SecANet language will allow investigating the behavioral integrity of inputs as well as the integrity of the overall process. Then, nets containing cycles will be introduced. They have a more complex encoding but preserve the idea of the encoding described in the acyclic case. An example will show the flattening of a process specification that involves a comprehensive workflow structure. It will be used to illustrate obstructability analysis resulting from the execution semantic of a SecANet.

3.2.1 The Principle of “Flattening”

Figure 3.22 depicts the SecANet approach, in particular, its idea of flattening: Based on a policy-aware workflow net (Definition 3.29), the policy is supposed to be encoded into the given workflow net step by step. As elaborated before, the authorization and constraints can be understood in a process-oriented way. User-task authorization is the process of granting user access to execute a specific task. Constraints impose restrictions on this authorization process. Because the assignment of a user to a task can only be done before its execution, the general idea is to model policy specific sub-processes that operate as a precondition to the actual activities of the control flow of the business process. In the context of Petri nets, this means that a task (transition) affected by the policy may only be enabled if the corresponding user-task authorization or constraint is fulfilled. Thus, the idea is to put a net construct that models the part of the policy required to execute the corresponding task in each pre-area of the respective transition. Based on this general idea, the principle of flattening will first be described with the help of the example policy for the DMV process presented in Figure 3.21. Here, the authorization policy and constraints will be flattened into the DMV WF-net step by step. The resulting net will illustrate how the states provided by Petri nets can be used to capture an obstruction and how to analyze satisfiability and obstructability. Thereby, desirable Petri net properties and characteristics against the background of the established requirements will be indicated. A more detailed examination of the properties of the created net constructs will follow along with the generalization of the approach.

3.2.1.1 Modeling Authorization

Because of the absence of ambiguous gateways in the BPMN model of the DMV process, the workflow can straight-forwardly be transformed into the WF-net in Figure 3.1. For better clarity, the input place $p_0$ of the WF-net will subsequently be represented by $p_i$ and the output place $p_2$ by $p_o$. To model access control, the simple access control model without roles from Figure 3.21a is assumed, namely $TA = \{(u_1, t_1) ,(u_1, t_2) ,(u_2, t_1)\}$. Such user-task authorizations represent safety properties that explicitly state what is allowed. As mentioned before, a user-task authorization can also be regarded as a unary constraint that relates authorized user accesses to the scope of a single task. These possible assignments of users to tasks are mutually exclusive since only one of the authorized users can eventually be assigned to execute a task. Based on these considerations, Figure 3.23a depicts the first flattening step of the DMV WF-net example. It illustrates the initial user-task authorization and its flattened counterpart with authorization-related Petri net elements (the Petri net construct above the initial WF-net). The user-task assignments encode the corresponding transitions. For example, transition $t_{u_1t_1}$ encodes that user $u_1$ is permitted to access $t_1$. Each transition pre-area consists of the same single incoming place marked with a single token such that a mutually exclusive choice must be made. Hence, a marked incoming place represents the state in which no user has yet been assigned to the corresponding task. It enables all transitions that encode the possible user-task assignments provided by the authorization policy for the corresponding task. Firing $t_{u_1t_1}$, for instance, then represents the decision that $u_1$ is assigned to the execution of task $t_1$. In the post-area of all user-task transitions corresponding to the same task, there is the same single outgoing place. The firing of $t_{u_1t_1}$, for example, then produces a single token in this place. Hence, a marked outgoing place indicates the state that a user has been assigned to a task. However, the related task has not yet been executed. That way, pre-assignments (ROA-1) may also be considered (in case of the unordered version of obstructability, cf. Chapter 2).

Based on this example encoding, the full and terminal firing sequences can now be observed. For a more intuitive understanding of the net behavior, the number of possible permutations of theses sequences is limited by conducting a “lazy” workflow-oriented execution. This execution strategy aims to complete the workflow with the least effort by always trying to execute the workflow tasks in the first place. If some next workflow is not executable, the transitions in its pre-area are fired in such a way that they reach an enabling marking for that task. Based on this, the set of full and the set of terminal firing sequences for the WF-net with authorization, where $m_{start} =\{p_1, p_{t_1-}, p_{t_2-}\}$, and $m_{end} = \{p_3\}$, is

$$\begin{aligned}\digamma _{\!SN_{TA}} = \{&\langle t_{u_1t_1}, t_1, t_{u_1t_2}, t_2 \rangle ,\\&\langle t_{u_2t_1}, t_1, t_{u_1t_2}, t_2 \rangle \},\\ and&\\ \!\!\mathcal {T}_{\!N_{TA}} = \ \ {}&\digamma _{\!SN_{TA}}.\end{aligned}$$

The individual user-task transitions directly indicate (and allow to retrace) the underlying authorization policy (e.g., as a user-activity matrix), thus preserving the behavior of the exemplary user-task authorization input $TA = \{(u_1, t_1) ,(u_1, t_2) ,(u_2, t_1)\}$.

3.2.1.2 Modeling Constraints

Contrary to the authorization policy, which determines allowed user-task assignments, constraints specify safety properties that explicitly state violations (i.e., what is not allowed). These constraints act upon the authorization policy and are mutually exclusive for the respective user-task assignments between two (sets of) tasks (i.e., binary constraints). More specifically, constraints mutually exclude that the same user is assigned to a scope of tasks (SoD) or that different users are assigned to a scope of tasks (BoD). That way, constraints restrict possible user-task assignments. Consequently, only users authorized for the tasks that lie in the scope of a constraint can be constrained at all. Hence, there is the implicit assumption that the users affected by an SoD or BoD constraints are part of the user-task authorization as well. For Petri net modeling, this means that constraints are supposed to act upon the user-task assignment transition and do not operate on the tasks themselves for which they are defined (although, for example, the constraint $(t_1,t_2, \ne )$ itself may suggest this). Hence, the envisaged encoding of constraints is supposed to restrict the given user-task assignments.

Regarding the modeling of constraints, it can be observed that a Petri net without any places and a non-empty set of transitions allows for any “unconstrained” behavior involving the activities represented by these transitions. Adding a place can then be compared to the introduction of a constraint. The underlying fundamental idea of Petri nets is that transitions are independent (i.e., concurrent) unless specified otherwise [1]. Concurrency also applies to the occurrence of the user-task assignments for different tasks because they occur independently from other task-assignments. Hence, places that establish relations between the user-task transitions for different tasks can be used to constrain their occurrence as well. In particular, such places can be used to model a choice (or conflict) between the user-task transitions for different tasks. For a BoD constraint on two tasks, the choice, which of the users executes both tasks, has to be made. This choice then means that all other user-task assignments involving other users for the given tasks are excluded. For an SoD constraint on two tasks, the choice, which of the users executes the one or the other task, has to be made.

The introductory example will focus on SoD constraints to illustrate the idea behind constraint modeling. These observations will then be used for the generalization of constraint modeling, where BoD constraints will be covered as well. For tasks affected by an SoD constraint, a place is added for every two corresponding user-task assignments. The place is then connected to the user-task assignment transitions. It encodes a choice between the connected transitions. That way, such a place and its outgoing arcs pointing to the involved two user-task transitions in conflict reflect an SoD constraint on the two activities for which the same user is authorized. Based on this, the example in Figure 3.23 shows how the SoD constraint $(t_1, t_2, \ne )$ can be flattened into the WF-net with authorization (highlighted in red). By introducing the place encoding choice (or, “choice-place”), denoted as “SoD”, the set of full firing sequences, where $m_{start} =\{p_1, p_{t_1-}, p_{t_2-}, p_{SoD}\}$ and $m_{end} = \{p_3\}$ is constrained (depicted by a comparison with the full firing sequences of $\digamma _{\!{SN}_{TA+SoD}}$):

IMAGE

Hence, only the latter firing sequence of $\digamma _{\!{SN}_{TA+SoD}}$ meets the SoD constraint. The set of terminal firing sequences is now not in accordance with the full firing sequences anymore.

$$\begin{aligned} \mathcal {T}_{\!{N}_{TA+SoD}}=\{&{ \langle t_{u_1t_1}, t_1 \rangle },\\&\langle t_{u_2t_1}, t_1, t_{u_1t_2}, t_2 \rangle \}. \end{aligned}$$

Based on this, it can be observed that the set of full firing sequences is reduced. More specifically, the terminal firing sequences of the user-task authorization construct is restricted by the modeled constraint. Although each transition is enabled for some marking of the net (i.e., it is simply live), this may not mean that all enabled transitions are part of a single full firing sequence. The full firing sequences themselves stay the same. Hence, only the latter firing sequence meets the SoD constraint in the example and some full firing sequences are not allowed anymore. However, it can be noted that the leftover full firing sequences do not change in themselves. This will be of particular interest for behavioral observations.

3.2.1.3 Example SecANet Analysis

Given that the authorization policy and constraints have now been flattened into the SecANet example with the initial marking represented in Figure 3.23b, playing the token game is going to show how it can be used for analysis and to capture an obstructed state. The set of (full) firing sequences encompasses not only the process activities and their execution order but also the information who is assigned to the corresponding activities or tasks. Hence, the transition firing sequences of a SecANet can be regarded as traces that can be used to check which safety and liveness security properties they may or may not fulfill. Because safety properties are encoded and enforced by the flattening of the policy, the examination of the liveness of the overall system is of particular interest, i.e., if the WF-net execution can be completed with the given policy (or, in other words, if the process goal can be achieved).

Satisfiability:

Chapter 2 has already shown that the DMV process and its policy is satisfiable. The example SecANet can now be used to illustrate this as well. By firing $t_{u_2u_1}$ ($u_2$ is assigned to $t_1$) and firing $t_1$ (the execution of the first task), followed by firing $t_{u_1t_2}$ ($u_2$ is assigned to $t_2$) and then firing $t_2$ (the execution of the second task), the output place is marked. This means that the workflow and its policy are satisfiable. Thus, satisfiability can be assessed by looking at the set of full firing sequences of the SecANet, which is $\{\langle u_2u_1, t_1, u_1t_2, t_2 \rangle \}$ for the system net $SN_\textsf {SecANet}\,\,= (N_{\textsf {SecANet}}, m_{start}, m_{end})$, where $m_{start} = \{p_i, p_{t_1-}, p_{t_2-}, p_{SoD}\}$ and $m_{end} = \{p_o\}$. Concerning the WSP, the set of full firing sequences represents synthesized plans to conduct satisfiable workflow executions. If such plans exist, such sequences fulfill the safety properties given by the policy as well as the liveness property of process completion. An empty set of full firing sequences would therefore mean that the workflow is not satisfiable.

Capturing Obstructions:

As identified in Chapter 2, besides its satisfiability, the respective process specification inherits an obstruction. By playing the token game again, the obstruction can easily be identified. More specifically, firing $t_{u_1t_1}$ and $t_1$ ($t_1$ has been executed by $u_1$) results in an obstructed state, in which no further transition is enabled (as illustrated in Figure 3.24). This state of obstruction can be denoted by the marking $m_{\otimes } = \{ p_1,p_{t_2-}\}$, where $\otimes $ is the symbol that denotes “obstruction” (in its abbreviated form “ox”). The obstructing execution sequence can be denoted by $\sigma _{\otimes }=\langle u_1t_1, t_1\rangle $. The reachability of this obstructed marking can be denoted by $m_{0}[t_{u_1t_1}, t_1\rangle m_\otimes $. Hence, there is a decisive difference between the two nets, which can be observed if not only the full firing sequences but all terminal firing sequences are considered. Such terminal firing sequences only reach markings in which no further transition is enabled, and which are also known as “deadlock markings”. For the WF-net with authorization $N_{TA}$, the terminal firing sequences are just the same as its full firing sequences $\digamma _{\!SN_{TA}}$. However, after adding the SoD constraint, the set of full firing sequences $\digamma _{\!{SN}_{TA+SoD}}$ loses a sequence of $\digamma _{\!SN_{TA}}$. Moreover, $\mathcal {T}_{\!{N}_{TA+SoD}}$ now contains the additional terminal firing sequence $\langle t_{u_1t_1}, t_1 \rangle $, which does not reach the intended final marking (and is thus not in the set $\digamma _{\!{SN}_{TA+SoD}}$). Still, $\langle t_{u_1t_1}, t_1 \rangle $ is a feasible sequence of transitions. It only contains the first two transitions of the missing full firing sequence $\langle t_{u_1t_1}, t_1, t_{u_1t_2}, t_2 \rangle $ of $\digamma _{\!SN_{TA}}$ and represents a synthesized partial plan, which, however, leads to an obstruction. Hence, based on a WF-net with authorization, the modeling of constraints can now, for the first time, lead to deadlocks in the resulting nets, in the sense that the output place $p_o$ of the WF-net can no longer be reached. Such a deadlock manifests the obstructive conflict between the organizational aspect and the functional aspect of the workflow. Hence, apart from the end marking, a marking in a SecANet, in which no transition is enabled, represents an obstructed state. Here, a decisive advantage of Petri nets comes to light. They allow having a single representation of the system that captures the event sequences and the state at the same time. In this way, Petri nets do not only record how the obstruction occurred but they also capture the system state of the obstruction of the affected process in a PAIS. That way, a SecANet can be used to synthesize partial plans that encode obstructed workflow executions. Such obstructed partial plans or sequences fulfill and enforce the policy-based safety properties as well. However, these partial plans lack in satisfying the liveness property of process termination, i.e., they can not be used to complete the workflow.

Obstructability:

Obstructability analysis is supposed to detect and capture obstructions. Based on the observations from the example, deadlocks that do not reach the final marking indicate obstructions. For small nets, such obstruction markings can be found by hand, for example, with the token game as done above. For bigger Petri nets, there is a variety of methods for analyzing and detecting deadlocks, which is a fundamental issue in Petri net analysis [45, 51, 157, 219]. Their suitability will be illustrated after the subsequent generalization of the flattening example.

3.2.2 Generalizing Flattening

Based on the presentation of the basic idea of flattening, the SecANet approach will subsequently be generalized. The aim is to flatten the user-task authorization TA and the set of constraints C of a policy-aware workflow net $N^{pol}=\langle N, U, TA, C\rangle $ into a single net $N_{TA+C}$. As a first step, the user-task authorization TA is considered and encoded into the net $N_{TA}$. Based on this, further SoD and BoD constraints are flattened into the net, denoted by $N_{TA+C_{SoD}}$ and $N_{TA+C_{BoD}}$.

3.2.2.1 Flattening of User-Task Authorization

As described before, the user-task authorization is flattened with the intention that for every possible assignment, a transition denoted by user and transition name (e.g., $t_{u_1t_1}$) is introduced. Each user-task transition can consume tokens from the single place marked with a single token. This ensures that the transition can only be executed once by a specific user. Moreover, this user can execute the corresponding task only once.

Definition 3.30 (Flattening User-Task Authorization).

Given a policy-aware workflow $N^{pol}=\langle N, U, TA, C\rangle $ , flattening the user-task authorization TA into N is as follows:

1.
For each transition $t_i$ in N, create a place $p_{t_i-}$ and a place $p_{t_i+}$ representing the state that no user is assigned (−) or a user was assigned ($+$) to execute $t_i$, respectively, and mark each of the $p_{t_i-}$ places with one token.
2.
For each user-task authorization $(u_j,\ t_i) \in TA$ , create a transition $t_{u_jt_i}$ .
3.
For every place $p_{t_i-}$ and its corresponding transition(s) $t_{u_jt_i}$ , create an arc $\langle p_{t_i-,t_{u_jt_i}}\rangle $ .
4.
For every transition $t_{u_jt_i}$ and its corresponding place $p_{t_i+}$ , create an arc $\langle t_{u_jt_i},p_{t_i+}\rangle $ .
5.
For every place $p_{t_i+}$ and its dedicated transition $t_i$ , create an arc $\langle p_{t_i+},t_i\rangle $ .

After performing these steps, the net $N_{TA} = \langle P_{TA},T_{TA},F_{TA},m_{TA_0} \rangle $ is obtained, where

${P_{TA} = P \cup \{p_{t_1-}, p_{t_2-}, \ldots , p_{t_i-}\}\cup \{p_{t_1+}, p_{t_2+}, \ldots , p_{t_i+}\}}$,

${T_{TA} = T \cup \{t_{u_1t_1}, t_{u_1t_2}, {t_{u_2t_1}, t_{u_2t_2}, \ldots ,t_{u_jt_i}}\}}$,

${F_{TA} \phantom {\;\;\;\;\;} = \phantom {\;\;\;\;\;} F \phantom {\;\;\;}\cup \{\langle p_{t_1-,t_{u_1t_1}}\rangle , \langle p_{t_2-,t_{u_1t_2}}\rangle , \langle p_{t_1-,t_{u_2t_1}}\rangle , \langle p_{t_2-,t_{u_2t_2}}\rangle , \ldots ,}$

${\langle p_{t_i-,t_{u_jt_i}}\rangle \}\phantom {\;\;\;\;} \cup \{ \langle t_{u_1t_1}, p_{t_1+}\rangle , \langle t_{u_1t_2}, p_{t_2+}\rangle , \langle t_{u_2t_1},p_{t_1+}\rangle ,\langle t_{u_2t_2}, p_{t_2+}\rangle , \ldots ,}$

${\langle t_{u_jt_i},p_{t_i+}\rangle \} \cup \{ \langle p_{t_1+}, t_1 \rangle , \langle p_{t_2+}, t_2 \rangle , \ldots , \langle p_{t_i+}, t_i \rangle \}}$

and the marking $m_{TA_0} = \langle 1,0,0,\ldots ,0,1,0,1,0,\ldots ,1,0 \rangle $ with $m_{TA_0}$ according to the order $p_{input}, p_2, \ldots , p_{output}, p_{t_1-}, p_{t_1+}, p_{t_2-}, p_{t_2+},\ldots ,$

$p_{t_i-}, p_{t_i+}$.

The five steps from Definition 3.30 are applied to the running example based on its net N and the user-task authorization TA. First, the places $p_{t_1-}$, $p_{t_1+}$ , $p_{t_2-}$, and $p_{t_2+}$ are created for the transitions $t_1$ and $t_2$, and $p_{t_1-}$ and $p_{t_2-}$ are marked with one token. Afterwards, the user-task transitions $t_{u_1t_1}$, $t_{u_2t_1}$, and $t_{u_1t_2}$ are created based on the user-task authorization. Then, the arcs $\langle p_{t_1-,t_{u_1t_1}}\rangle $ and $\langle p_{t_1-,t_{u_2t_1}}\rangle $ are created for $p_{t_1-}$ and its corresponding transitions $t_{u_1t_1}$ and $t_{u_2t_1}$, and the arc $\langle p_{t_2-,t_{u_1t_2}}\rangle $ is created for $p_{t_2-}$ and its transition $t_{u_1t_2}$. After that, the arcs $\langle t_{u_1t_1},p_{t_1+}\rangle $ and $\langle t_{u_2t_1},p_{t_1+}\rangle $ are created for transitions $t_{u_1t_1}$ and $t_{u_2t_1}$ and its corresponding place $p_{t_1+}$, and the arc $\langle t_{u_1t_2},p_{t_2+}\rangle $ is created for $t_{u_1t_2}$ and its corresponding place $p_{t_2+}$. The idea of the last step is to then connect all the created Petri net parts with the initial WF-net, which is realized by adding arcs from $\langle p_{t_1+},t_1\rangle $ to $\langle p_{t_2+},t_2\rangle $. That way, TA is flattened into the WF-net N, which results in the net $N_{TA}$, where $P_{TA} = \{p_1,p_2,p_3,p_{t_1-}, p_{t_1+}, p_{t_2-}, p_{t_2+}\}$, $T_{TA} = \{t_1,t_2,t_{u_1t_1}, t_{u_2t_1}, t_{u_1t_2} \}$, ${F_{TA} = \{ \langle p_1 , t_1\rangle , \langle p_1 , t_2\rangle \, \langle t_2 , p_3\rangle \langle p_{t_1-,t_{u_1t_1}}\rangle , \langle p_{t_1-,t_{u_2t_1}}\rangle , \langle p_{t_2-,t_{u_1t_2}}\rangle , \langle t_{u_1t_1},p_{t_1+}\rangle , }$${\langle t_{u_2t_1},p_{t_1+}\rangle , \langle t_{u_1t_2},p_{t_2+}\rangle \}}$ and the marking $m_{TA_0} = \{p_1, p_{t_1-}, p_{t_2-}\}$.

3.2.2.2 Flattening of SoD Constraints

Figure 3.25a depicts the encoding of SoD constraints. The basic idea behind the flattening of SoD constraints is to introduce a choice-place for all users authorized for conflicting tasks (as depicted in Figure 3.23b). Hence, choice-places are added for every user-task transition pair involving the same user for the tasks affected by the constraint. Every such choice-place will then prevent the firing of a user-task transition containing the same user. Moreover, arcs are added from each choice-place to every conflicting user-task transition pair. Note that an SoD choice-place is introduced only for user-task assignments that conflict with each other (see $SoD_{u_1}$ and $SoD_{u_2}$). Furthermore, the restriction on the sequential execution of $t_i$ and $t_j$ can be dropped, e.g., $t_i$ and $t_j$ can be concurrent (as reflected in Figure 3.25a).

Definition 3.31 (Flattening SoD Constraints).

Given a policy-aware workflow net $N^{pol}=\langle N, TA, C\rangle $ , after transforming the user-task authorization TA into N resulting in $N_{TA}$ (according to Definition 3.30 ), flattening of SoD constraints $c_{SoD}\in C$ of the form $(t_k, t_l, \ne )$ into $N_{TA}$ is as follows:

1.
For each pair of user-task transitions $t_{u_{j}t_{k}}$ and $t_{u_{j}t_{l}}$ of each transition $t_{k}$ and $t_{l}$ of each SoD constraint $(t_k, t_l, \ne )$, create a place $SoD_{u_jt_kt_l}$ and mark it with one token. Because there will be no SoD transitions, the usual place notation p that indicates the SoD place $p_{SoD_{u_jt_kt_l}}$ is omitted for better readability.
2.
For every created place $SoD_{u_jt_kt_l}$ and its corresponding user-task transitions $t_{u_{j}t_{k}}$ and $t_{u_{j}t_{l}}$, create the arcs $\langle SoD_{u_jt_kt_l}, t_{u_{j}t_{k}} \rangle $ and $\langle SoD_{u_jt_kt_l}, t_{u_{j}t_{l}}\rangle $.

After performing these steps, the net $N_{TA+SoD}=$

$\langle P_{TA+SoD}, T_{TA+SoD}, F_{TA+SoD},$

$m_{TA+SoD_0}\rangle $ is obtained, where

$P_{TA+SoD} = P_{TA} \cup \{ SoD_{u_1t_1t_2}, SoD_{u_2t_1t_2}, \ldots , SoD_{u_jt_kt_l}\} $,

$T_{TA+SoD} = T_{TA}$,

$F_{TA+SoD} = F_{TA} \cup \{\langle SoD_{u_1t_1t_2},t_{u_1t_1}\rangle , \langle SoD_{u_1t_1t_2},t_{u_1t_2}\rangle ,$

$\langle SoD_{u_2t_1t_2},t_{u_2t_1}\rangle , \langle SoD_{u_2t_1t_2},t_{u_2t_2}\rangle , \ldots , \langle SoD_{u_jt_kt_l}, t_{u_{j}t_{k}} \rangle , \langle SoD_{u_jt_kt_l}, t_{u_jt_l}\rangle \}$

and the marking $m_{TA+SoD_0} = \langle 1,0,0,\ldots ,0,1,0,1,0,\ldots ,1,0,1,1,\ldots ,1 \rangle $ with $m_{TA+SoD_0}$ according to the order $p_{input}, p_2, \ldots , p_{output}, p_{t_1-}, p_{t_1+},$

$p_{t_2-}, p_{t_2+},\ldots , p_{t_i-}, p_{t_i+}, SoD_{u_1t_1t_2}, SoD_{u_2t_1t_2}, \ldots , SoD_{u_jt_kt_l}$.

These two steps are exemplified with the SoD constraint $(t_1, t_2, \ne )$ of the running example. First, an SoD place $SoD_{u_1t_1t_2}$ is created for the user-task-transition pair $t_{u_{1}t_{1}}$ and $t_{u_{1}t_{2}}$, and one token is added to it. Secondly, the arcs $\langle SoD_{u_1t_1t_2}, t_{u_{1}t_{1}} \rangle $ and $\langle SoD_{u_1t_1t_1}, t_{u_{1}t_{2}}\rangle $ are created to make the SoD place act as a choice place (see Figure 3.23b). Flattening $c_{SoD}$ into the net $N_{TA}$ results in the net $N_{TA+SoD}$, with ${P_{TA+SoD} = \{p_1,p_2,p_3,p_{t_1-}, p_{t_1+},p_{t_2-},}$

${p_{t_2+}, SoD_{u_1t_1t_2}\}}$, $T_{TA+SoD} =\{t_1,t_2,t_{u_1t_1}, t_{u_2t_1}, t_{u_1t_2} \}$, ${F_{TA+SoD} = \{\langle p_1 , t_1\rangle ,}$

${\langle p_1 , t_2\rangle \, \langle t_2 , p_3\rangle \langle p_{t_1-, t_{u_1t_1}}\rangle , \langle p_{t_1-, t_{u_2t_1}}\rangle , \langle p_{t_2-, t_{u_1t_2}}\rangle , \langle t_{u_1t_1}, p_{t_1+}\rangle , \langle t_{u_2t_1}, p_{t_1+}\rangle ,}$

${\langle t_{u_1t_2}, p_{t_2+}\rangle \langle SoD_{u_1t_1t_2}, t_{u_{1}t_{1}} \rangle , \langle SoD_{u_1t_1t_1}, t_{u_{1}t_{2}}\rangle \}}$ and the marking $m_{TA+SoD_0} = \{p_1, p_{t_1-}, p_{t_1-}, SoD_{u_1t_1t_2}\}$. Figure 3.25b depicts this net, which is just the net of Figure 3.23a with additional place annotations.

3.2.2.3 Flattening of BoD Constraints

Fig. 3.26(a) depicts how BoD constraints are encoded. Here, choice places are added as well. However, the arcs are connected differently. The idea is that, for a BoD constraint on two tasks, every choice place aims to prevent the firing of a user-task transition that contains another user. Therefore, for each user-task assignment transition for a task, a choice place is introduced and connected to that user-task transition. Then, from each choice place, arcs are added to every user-task transition for the other task that does not contain the user for which the choice place has been introduced. Note that, just like in SoD flattening, $t_i$ and $t_j$ can be concurrent.

Definition 3.32 (Flattening BoD Constraints).

Given a policy-aware workflow net $N^{pol}=\langle N, U, TA, C\rangle $ , after transforming the user-task authorization TA into N resulting in $N_{TA}$ (according to Definition 3.30 ), flattening of BoD constraints $c_{BoD}\in C$ of the form $(t_k, t_l, =)$ into $N_{TA}$ is as follows:

1.
For each user-task transition $t_{u_{j}t_{k}}$ or $t_{u_{j}t_{l}}$ of each transition $t_{k}$ and $t_{l}$ of each BoD constraint $(t_k, t_l, =)$, create a place $BoD_{u_jt_kt_l}$ and mark it with one token. If the respected user-task transition is already connected to a BoD place regarding the respective constraint, proceed to the next user-task transition or terminate if there are none left.
2.
For every created place $BoD_{u_jt_kt_l}$ and its corresponding user-task transition $t_{u_{j}t_{k}}$, create an arc $\langle BoD_{u_jt_kt_l}, t_{u_{j}t_{k}} \rangle $. For every user-task transition for $t_{l} $ except $ t_{u_{j}t_{l}}$, create an arc $\langle BoD_{u_jt_kt_l}, t_{ut_{l}} \rangle $.

Analogous to $N_{TA+SoD}$ , after performing these steps, the net $N_{TA+BoD} = \langle P_{TA+BoD},T_{TA+BoD},F_{TA+BoD},m_{TA+BoD_0} \rangle $ is obtained, where

$ P_{TA+BoD} = P_{TA} \cup \{ BoD_{u_1t_1t_2}, BoD_{u_2t_1t_2}, \ldots , BoD_{u_jt_kt_l}\} $,

$T_{TA+BoD} = T_{TA}$,

$F_{TA+BoD}= F_{TA} \cup $

$\{\langle BoD_{u_1t_1t_2},t_{u_1t_1}\rangle \} \cup \{ \langle BoD_{u_1t_1t_2},t_{ut_2} \rangle | t_{ut_2} \in T_{TA} - \{t_{u_1t_2}\} \wedge u \in U \wedge (u, t_2) \in TA\} \cup $

$\{\langle BoD_{u_2t_1t_2},t_{u_2t_1}\rangle \} \cup \{ \langle BoD_{u_2t_1t_2},t_{ut_2} \rangle | t_{ut_2} \in T_{TA} - \{t_{u_2t_2}\} \wedge u \in U \wedge (u, t_2) \in TA\} \cup \ldots \cup $

$\{\langle BoD_{u_jt_kt_l}, t_{u_{j}t_{k}}\rangle \} \cup \{ \langle BoD_{u_jt_kt_l}, t_{ut_l}\rangle | t_{ut_l} \in T_{TA} - \{t_{u_jt_l}\} \wedge u \in U \wedge (u, t_l) \in TA\}$

and the marking $m_{TA+BoD_0} = \langle 1,0,0,\ldots ,0,1,0,1,0,\ldots ,1,0,1,1,\ldots ,1 \rangle $ with $m_{TA+BoD_0}$ according to the order $p_{input}, p_2, \ldots , p_{output}, p_{t_1-}, p_{t_1+},$

$p_{t_2-}, p_{t_2+},\ldots , p_{t_i-}, p_{t_i+}, BoD_{u_1t_1t_2}, BoD_{u_2t_1t_2}, \ldots , BoD_{u_jt_kt_l}$.

To illustrate this, suppose that the SoD constraint in the example is replaced by the BoD constraint $(t_{1}, \ t_{2},=)$, such that the computation of the market value ($t_1$) and its control ($t_2$) is supposed to be done by the same user. Applying the first step of Definition 3.32 then creates the place $BoD_{u_1t_1t_2}$ for the user-task transition $t_{u_{1}t_{1}}$ and $BoD_{u_2t_1t_2}$ for $t_{u_{2}t_{1}}$. Secondly, the arcs $\langle BoD_{u_1t_k1_1}, t_{u_{1}t_{1}} \rangle $ are created. Here, the second arc can not be created because there is no other user-task transitions for $t_2$ than $t_{u_{1}t_{2}}$. Then, the arcs $\langle BoD_{u_2t_k1_1}, t_{u_{2}t_{1}} \rangle $ and $\langle BoD_{u_2t_k1_1}, t_{u_{1}t_{2}} \rangle $ are created. Flattening $c_{BoD}$ into the net $N_{TA}$ results in the net $N_{TA+BoD}$, with $P _{TA+BoD}= \{p_1,p_2,p_3,p_{t_1-}, p_{t_1+},$ $ p_{t_2-}, $ $p_{t_2+},$ $ BoD_{u_1t_1t_2}, BoD_{u_2t_1t_2}\}$, $T_{TA+BoD} = \{t_1,t_2, t_{u_1t_1},t_{u_2t_1}, t_{u_1t_2} \}$, $F_{TA+BoD} = \{ \langle p_1 , t_1\rangle $, $ \langle p_1 , t_2\rangle $, $ \langle t_2 , p_3\rangle $,$ \langle p_{t_1-,t_{u_1t_1}}\rangle , $ $ \langle p_{t_1-,t_{u_2t_1}}\rangle , $ $ \langle p_{t_2-,t_{u_1t_2}}\rangle , \langle t_{u_1t_1},p_{t_1+}\rangle , \langle t_{u_2t_1},p_{t_1+}\rangle , \langle t_{u_1t_2},p_{t_2+}\rangle $ $ \langle BoD_{u_1t_1t_2}, t_{u_{1}t_{1}} \rangle , $ $ \langle BoD_{u_2t_1t_2}, t_{u_{2}t_{1}} \rangle , $ $ \langle BoD_{u_2t_1t_2}, t_{u_{1}t_{2}}\rangle $ $\}$ and the marking $m_{TA+BoD_0} = \{p_1, p_{t_1-}$, $p_{t_2-}$, $BoD_{u_1t_1t_2}$, $BoD_{u_2t_1t_2}\}$. Figure 3.26b depicts this net graphically.

3.2.2.4 SecANet Obstructions

Based on the SecANet flattening and the observations from the example, the state of obstruction and the affected WF-tasks can now be grasped formally. Obstructions may not only obstruct a single task during the execution of a workflow, as in the example. Depending on the structure of the considered process, for instance, in a parallel branch, multiple tasks may become obstructed at the same time in a single execution as well.

Definition 3.33 (Obstruction Marking, Obstructed Task).

Let ${N}_{TA+C}$ be a SecANet with an initial marking $m_o \in P_{TA+C}$ and the output place $p_o \in P$ of the WF-net N. Based on the set of reachable markings from $m_o$, an obstruction marking $m_\otimes $ represents a terminal marking that does not contain the output place $p_o$ of the workflow net, i.e., $m_\otimes = m \in [m_0\rangle $ iff $\not \exists t \in T_{TA+C}: m[t\rangle $ and $ p_o \nsubseteq m $. Accordingly, the set of obstruction markings $M_\otimes $ is represented by all obstruction markings, i.e., $M_\otimes = \{m\in [m_0\rangle |\not \exists t \in T_{TA+C}: m[t\rangle \wedge p_o \nsubseteq m\}$. Moreover, an obstructed task $t_\otimes $ denotes the task of the WF-net that can not be executed due to an obstruction. It represents the post-area of a marked WF-place $p^\bullet $ contained in the obstruction marking $m_\otimes $. Accordingly, the set of obstructed tasks for an obstruction marking $m_\otimes $ in a workflow is defined as $T_\otimes = \{p^\bullet | p \in m_\otimes \wedge p \in P\} $.

For example, the set of obstruction markings of the SecANet in Figure 3.24 is the singleton marking $M_\otimes = \{ \{ p_1,p_{t_2-}\} \}$. The set of obstructed tasks for this obstruction marking is $T_\otimes = \{ p_1^\bullet \} = \{ t_2\}$. In contrast to the output place of the workflow determining complete workflow executions, it is not known which of all the other places will indicate an obstructed workflow execution. In this regard, it must be noted that there may be markings that do not represent terminal markings but already obstruct some workflow task(s). For example, there may still be enabled, rather non-relevant user-task transitions for tasks that were not supposed to be executed due to exclusive branching. However, especially regarding loops, one can, in general, not rule out that the firing of some user-task transition may not enable further transitions that eventually allow progression in the execution of the workflow. Therefore, in order to exclude such uncertainties, the more restrictive type of obstruction markings is assumed, i.e., markings in which no further transitions are enabled. Given such an obstructed marking, it can then be identified easily which workflow task(s) $t_\otimes $ were affected by an obstruction and which of the fired user-task transitions were not relevant at all.

Due to the observations on satisfiability and obstructability in the example, the SecANet encoding allows defining obstructed and satisfiable workflow executions. On the one hand, transition sequences that reach markings that do not enable further transitions and moreover do not contain the output place of the WF-net represent obstructed workflow executions, or, in other words, obstructed partial plans. On the other hand, transition sequences that reach markings that contain the output place $p_0$ of the WF-net represent complete workflow executions, or, in other words, satisfiable execution plans.

Definition 3.34 (Obstructed and Satisfiable Firing Sequences).

The set of obstructed firing sequences can be denoted as $\mathcal {T_\otimes }_{\!{N}_{TA+C}} = \{ \sigma \mid (N_{TA+C},m_{0})[\sigma \rangle (N_{TA+C},m') \wedge m' \in [m_0\rangle \wedge \not \exists t \in T_{TA+C}: m'[t\rangle \wedge p_o \nsubseteq m\}$. To adequately consider the case that an end marking may not only contain the place $p_0$ but there may be further tokens left, which were not consumed due to the given encoding, the system net to determine the set of full firing sequences is $SN_{TA+C} = \{N_{TA+C}, m_o, m_{end} | m_{end} \in [m_0\rangle \wedge m_{end}\ge p_o \}$. Hence, the set of full firing sequences of the system SecANet $\digamma _{\!{SN_{TA+C}}}$ represents complete satisfiable workflow executions. Based on this, the set of obstructed firing sequences can equivalently be defined by the set of terminal sequences without the set of full firing sequences, i.e.,

$\mathcal {T_\otimes }_{\!{N}_{TA+C}} = \mathcal {T}_{\!{N}_{TA+C}} - \digamma _{\!{SN}_{TA+C}}$ .

For example, the set of obstructed firing sequences of the SecANet in Figure 3.24 is $\mathcal {T_\otimes }_{\!{N}_{TA+C}}=\{{ \langle t_{u_1t_1}, t_1 \rangle }\}$. The set of full firing sequences of the system SecANet example is $\digamma _{\!{SN}_{TA+C}}=\{\langle t_{u_2t_1}, t_1, t_{u_1t_2}, t_2 \rangle \}$^{Footnote 6}. Full firing sequences (or plans) of a SecANet can be used to pre-assign all users to tasks before the actual execution of the WF-task. Such pre-assignment can be used to ensure, for example, that each task of the workflow can be executed and, that way, every potential execution sequence is feasible. However, such plans may encode that each user-task assignment is done only when required directly before the execution of the task (i.e., “on-demand”, so to speak, or comparable to the “lazy” execution). In the latter case, if respective plans reach the end of the workflow, the user-task transitions of the tasks that have not been executed, e.g., due to exclusive branching, would still be enabled by the marking reached by the plan. However, although the marking resulting from a plan may still enable transitions, it always completes the workflow because its output place $p_o$ is marked.

3.2.2.5 Capturing Indicators by Costs

Based on the previously identified need for an indicator-based process security that manifests itself in the requirement to consider costs (cf. Chapter 2), the SecANet representation is supposed to captures costs as well. That way, the basis for a security-sensitive solutions will be laid. Formally, to consider indicators in the SecANet, a cost function $c: T,P \rightarrow \mathbb {R}^{+}$ can be defined to add costs to the nodes of the net (transitions or places). Graphically, such further information can be annotated to the respective net elements (i.e., the respective nodes), such that the SecANet places and transitions can be annotated with the costs. Based on different execution sequences and the costs assigned to the involved transitions, costs would allow to determine the least costly user-task assignment based on a certain utility function. For example, given that there would be multiple paths of a satisfiable firing sequences, based on the cost assigned to the user-task transition involved in these sequences, a least costly sequences (or execution plan) could be determined. Assigning costs to transitions will allow to express costs of user-task assignment decisions. Moreover, determining costs for places could encode the cost to add a token to certain places. Here, for example, a violation of a constraint could be encoded in order to allow for a user-task assignment that allows to complete an obstructed workflow execution. That way, even initially “impossible” or “violating” executions sequences could be considered as long as the associated cost would be lower than the risk of obstruction. That way, the SecANet encoding allows capturing indicators by costs. The consideration of these costs will particularly be relevant for finding solutions to obstructions, which will follow after this chapter.

3.2.3 SecANet Properties

Based on the provided generalization, it is now possible to observe the properties of SecANets. This elaboration will first consider the properties of the nets resulting from the flattening of the authorization policy. Afterwards, it will be regarded how the properties change when further constraints are encoded. Figure 3.25 and Figure 3.26 will serve to illustrate the properties of the respective user-task construct (labelings beginning with $u\ldots $) and the different constraint constructs (labelings beginning with $SoD\ldots $, $BoD\ldots $, respectively).

3.2.3.1 Net Properties of Modeled User-Task Authorization

The modeling intention for SecANets is to obtain safe (i.e., 1-bounded) nets. Safeness allows for decidability and staying within polynomial complexity bounds for a large number of Petri net problems [87], which aligns with the desire to construct nets that allow for efficient analyses. Moreover, safeness also addresses the requirement of behavioral integrity. It is strongly related to the condition and event principle, which can be connected to the way how Carl Adam Petri introduced his nets [162]. He decomposed state elements to such an extent that each component can be understood as a condition. Such a condition is fulfilled in some situations and is not in others. A token in a place then indicates that a condition is fulfilled. In this view, a place can have at most one token, just as a condition cannot be fulfilled more than once. If the firing of a transition resulted in a second token in a place, the condition and event principle would be violated. It would be considered as an error because the examined space of possible states of places as conditions is left (analogously, the division by 0 or the addition of a number with a truth value leave the intuition of division and addition for numbers). A system model that uses the intuitive term “condition” reasonably excludes such situations [173]. For example, in the aforementioned WF-nets, places represent conditions and transitions represent tasks (or events). The condition-event principle represents the guideline in the modeling of the user-task assignments based on an authorization policy as well. Assigning a user to a task conditions that no user has yet been assigned. The state of assignment is determined by the presence or absence of a token in the place indicating unassignment. The presence or absence of a token in the place indicating assignment determines that a user is assigned or not. The assignment, in turn, conditions the execution of the activity of the process, i.e., the task of the WF-net. The meaning of a place with two tokens, which might even be produced by different user-task transitions into the same place, would therefore be unclear and would constitute an error as well. This further implies that the net is plain (i.e., all arc weights are at most one).

Based on these considerations, the safeness of the authorization construct from Definition 3.30 will be examined. First, it can be observed that every user-task transition has the same pre- and post-area. Moreover, each transition introduced is bounded to fire only once due to the incoming place marked with a single token. z To limit the maximum number of tokens a place may contain, in particular, to obtain 1-boundedness, the Definition 3.30 mimics the so-called “complementary-place transformation” (see Murata [155]). The complementary-place transformation creates additional net components in such a way that they ensure that the number of tokens in a place may not exceed the desired capacity. It first creates a complementary-place $p'$ for each place p. Subtracting the initial marking of the place p from the desired maximum number of tokens in the place p results in the initial marking of the place $p'$. Then, for all transitions that are connected to each place p, complementary-arcs that connect the complementary-place $p'$ with the transitions in reverse order are created, i.e., an incoming (outgoing) arc of place p results in an outgoing (incoming) arc for the place $p'$. That way, the sum of tokens for each pair of place p and its place-complement $p'$ equals the maximum number of tokens for each place p before and after firing the regarded transitions [155].

Hence, to show that each user-task construct itself (without its connection to the workflow task) is safe, its identical counterpart resulting from the application of the complementary-place transformation will subsequently be created. Based on the fundamental choice construct, the basic net depicted in Figure 3.27 models the choice between an arbitrary number of users to be assigned to a single task. Its place is marked with a single token because only one user-task transition is supposed to be selected. Moreover, based on the considerations on safeness above, the maximum number of tokens (i.e., the place capacity) is supposed to be “1” as well.

Based on this, a complementary-place $p_t+$ is first built for each place $p_t-$. Given that $p_t-$ is initially marked with a single token, and that this is also the maximum number of tokens p may contain, this results in an initial marking of $p_t-$ of zero tokens. Then, for all outgoing transitions connected to place $p_t-$, incoming arcs are created that connect each transition with the complementary place $p_t+$, as depicted in Figure 3.28. Hence, the net resulting from the complementary-place transformation of a basic net that models the choice between different transitions and whose maximal number of tokens is bound to 1 exactly models the task-specific authorization resulting from the steps 1-4 from Definition 3.30. Because the workflow task, which is added in the fifth step of Definition 3.30, only additionally consumes a token of the place indicating assignment $p_t+$, it does not contribute to an increase of tokens at all.

In terms of the integrity of inputs, a user-task authorization modeled this way makes both the meaning of each possible state and the associated events (or transitions) unambiguous, thus ensuring traceability to the original authorization policy and its state in a PAIS. In terms of the integrity of the composition, the additional constructs constitute a further precondition for the transitions of the WF-net. That way, although the added transitions extend the language of the initial WF-net, the order of execution is supposed to be preserved. A closer look at this aspect will be taken in the course of a language decomposition.

Besides safeness, there are further properties of the user-task encoding, which are easy to ascertain based on the provided behavioral and structural definitions related to Petri nets. Each user-task authorization construct for a WF-task (i.e., the parts in Figure 3.25a where the labeling begins with $u\ldots $) represents a state machine (which implies FC) because each transition has exactly one input place and one output place. An authorization construct is plain (all arc weights are 1) and pure (no self-loops), well-handled (there are no PT/TP handles for any of the resulting PT or TP pairs). Moreover, the choice construct implies that each transition is enabled for some marking (simply live). Since the encoding introduces further input (or source) places, the overall net is not a WF-net anymore.

3.2.3.2 Net Properties of Modeled Constraints

The modeling of SoD and BoD constraints share the same modeling principle. They both introduce choice places (positioned in the upper area in Figure 3.25 and Figure 3.26) to model mutual exclusion in some way. Therefore, the properties of these nets will be subsumed under the notion of constraint nets.

Analogously to the intention of safeness in the user-task constructs, the choice place that is used for the modeling of constraints indicates whether the constraint affects the user-task assignment or not. Accordingly, the meaning of multiple tokens in such an SoD or BoD place would be unclear as well. For example, two tokens in such a place would directly represent an error, i.e., they would violate the intended constraint since both transitions affected by the choice place would then be fireable, and that way they circumvent the mutual exclusion of the two conflicting transitions. Hence, constraint modeling constructs are supposed to be safe as well. The safeness of the constraint constructs, i.e., a marked choice place connected to several user-task transitions, directly results from the fact that these arcs only consume tokens. Hence, the marking of the initially marked place may not increase. The safeness of constraint constructs connected to some user-task-related constructs results from this observation as well. The modeling of constraints only uses arcs that consume tokens from choice places. They represent a further condition for the affected user-task-transitions to fire. Hence, the overall number of produced tokens does not increase due to the modeling of constraints, i.e., the net construct remains safe.

However, with the introduction of places that connect multiple initially free-choice authorization constructs, the overall regarded construct modeling the policy is not free-choice anymore. Indeed, structurally, some rather simple constructs may model an asymmetric choice, for example, if one considers the BoD place $p_{BoD_{u_1t_1}}$ and the affected user-task construct from Figure 3.26 in isolation. However, each user-task construct affected by a constraint usually then depends on some further places influenced by the firing of transitions beyond the scope of the transitions within a single user-task construct, i.e., they are not free-choice. For instance, the firing of $t_{u_1t_2}$ in the SecANet example reduces the choice between the transitions $t_{u_1t_1}$ and $t_{u_2t_1}$. Hence, the FC-property that, if any output transition of the place $p_t-$ is enabled, all output transitions of that place are enabled, does not hold. Apart from the structural downside, this, is nevertheless just in line with the desired interpretation of the encoded policy elements. Given that there are SoD or BoD constraints, the choice between the users that can be assigned to a task is not free anymore but depends on whether the users are involved in other tasks as well.

Further, since the connection with the WF-net finally allows drawing two simple paths from the constraint place to a respective transition in the WF-net (PT-Handle), the overall net is not well-handled anymore. Although important properties for an efficient computation are remained, e.g., the overall net still represents a safe P/T net, the effect of this modeling on complexity will be considered in the evaluation of the approach. For instance, as indicated before, there are ways to make this construct hold the free-choice property again, whereby, the structural complexity increases to some extent though.

In terms of the integrity of inputs, the constraints are applied to the specific user-task authorizations. Hence, they do not directly allow following and tracing the policy in an explicit way as it was possible in the modeling of the authorization policy with explicit user-task transitions. Rather, it is the case that they manifest themselves in what is not allowed, thereby restricting the possibilities given by the user-task assignment. However, based on the given choice-place, it is at least traceable which constraint has had an impact on the execution. For example, because an SoD place denotes the user and its two conflicting tasks, an empty SoD place encodes that the constraint is in force for the two conflicting user-task assignments. In connection with the fired user-task assignment transition, it is further traceable, which of the users has been assigned to which activity, thereby adhering to the constraint. Hence, the presence or absence of a token in an SoD place traces if the SoD constraint is applied or not. The name of the SoD constraint and its arcs allow retracing tasks affected by it. The user-task assignment itself is then a result of the applied SoD constraint. In this way, the encoding of the SoD constraint preserves its intended behavior.

In terms of the integrity of the overall composition, the impact that results from constraint modeling is observed. Because the constraint restricts given allowed states, what is not allowed can be depicted by comparing the constrained allowed states with what would be allowed if the constraint was not there. With each choice place, the corresponding user task transition is limited, such that the firing sequences reflect the constraint behavior. A closer look at these aspects will be taken in the course of the language-related examination.

3.2.4 Language-Based SecANet Properties

The observation of the full firing sequences of the example SecANet shows that, whereas the authorization policy provides different possibilities to assign users to tasks, constraints restrict these possibilities. In particular, constraints do not add new behavior. Rather, they determine which of the full firing sequences given by the user-task assignment are not allowed anymore. So far, it has seemed that the encoding of authorizations preserves the integrity of the overall representation. It appears that this is also the case for the encoding of constraints. The following examination of language-related properties will deepen these considerations, in particular for proving the behavioral integrity of the SecANet approach.

For this, formal details on the language of Petri nets and useful language-related operators will be introduced first. The SecANet will then be broken down into its smaller increments and reassembled again. This will allow to reason on language-related properties on different subnet levels and to finally determine the overall SecANet language.

3.2.4.1 Language-Related Operators and Nets

The theory of formal languages provides a large number of operations on languages, some of which will be briefly introduced here. The subsequent language-related Petri net definitions were adapted from Priese and Wimmel [167].

To begin with, an alphabet of a language is usually a finite, non-empty set.

Definition 3.35 (Word and Language).

A word wover an alphabet $\Sigma $ consists of a finite (possibly empty) sequence of letters from $\Sigma $. The empty word is denoted by $\epsilon $. |w| denotes the number of letters in w, w(i) for $1\le i\le |w|$ stands for the i-th letter of the word w. Furthermore, $\#_{a}(w)$ is the number of occurrences of the letter $ a\in \Sigma $ in the word w. A language over $\Sigma $ is a set of words over $\Sigma $. The set of all words over $\Sigma $ is denoted by $\Sigma ^{*}$; the empty language by $\emptyset $. For a language L, the alphabet $\Sigma _{L}:=\{a|\exists w\in L \exists i\in \{1,\ldots ,|w|\}:w(i)=a\}$ denotes the (minimal) alphabet, which consists of all letters that actually occur in at least one word of L. Therefore, for $L\subseteq \Sigma ^{*}$, $\Sigma _{L}\subseteq \Sigma $ holds. The Parikh image P(w) of a word $w\in \Sigma ^{*}$ is the vector in $\mathbb {N}^{\Sigma }$ with $P(w)(a):=\#_{a}(w)$ for $a\in \Sigma $. The mapping P : $\Sigma ^{*}\rightarrow \mathbb {N}^{\Sigma }$ with P(w) as the Parikh image of w is also called “Parikh mapping”. The set of all prefixes of a word $w\in \Sigma ^*$ is defined as $Pre\, w:=\{v_{1}\in \Sigma ^{*}|\exists v_{2}\in \Sigma ^{*}:v_{1}v_{2}=w\}$.

A language containing only the empty word, i.e., $L=\{\epsilon \}$, has the alphabet $\Sigma _{L}=\emptyset $. Thus, by definition, this $\Sigma _{L}$ is not an alphabet at all. For the sake of simplicity, this case is also referred to as the minimal “alphabet” $\Sigma _{L}$ for L.

Definition 3.36 (Language Operations).

Let $L_{1}$ and $L_{2}$ be languages of an alphabet $\Sigma $ . The following operations are defined:

Union( $\cup $ ): The union of two languages $L_{1} \cup L_{2}$ is defined as

$L_{1}\cup L_{2}:=\{w\in \Sigma ^{*}|w\in L_{1} \vee w\in L_{2}\}.$
Intersection ( $\cap $ ): The intersection of two languages $L_{1}\cap L_{2}$ is defined as

$L_{1}\cap L_{2}:=$ {$w\in \Sigma ^{*}|w\in L_{1}\wedge w\in L_{2}$ }. A special case of intersection is the restriction of a language:
Language Restriction $(|_{\Sigma _{0}})$: Let $L\subseteq \Sigma ^{*}$ be a language and $\Sigma _{0}$ an alphabet (usually with $\Sigma _{0}\subseteq \Sigma $), then $L|_{\Sigma _{0}}:=L\cap \Sigma _{0}^{*}$^{Footnote 7}.
Concatenation ( $\cdot $ ): The concatenation $L_{1}\cdot L_{2}$ or $L_{1}L_{2}$ is defined as

$L_{1}L_{2}:= \{w_{1}w_{2}|w_{1}\in L_{1}\wedge w_{2}\in L_{2}\}$ .
Kleene-Star $(^{*}$ ): The Kleene-Star-Closure of $L_{1}$ is given by

$L_{1}^{*}:= \displaystyle \bigcup _{i\ge 0}L_{1}^{i}$ with $L_{1}^{0}:=\{\epsilon \}$ and $L_{1}^{i+1}:=L_{1}^{i}\cdot L.$

Moreover, in order to label the Petri net transitions with letters, the definition of a homomorphism will be used.

Definition 3.37 (Homomorphism).

Given that $\Gamma $ and $\Sigma $ are alphabets and h is a map h : $\Gamma \rightarrow \Sigma ^{*}$, the homomorphism $\hat{h}$ : $\Gamma ^{*}\rightarrow \Sigma ^{*}$ is inductively given by $\hat{h}(\epsilon ):=\epsilon $ and for $w_{1},w_{2}\in \Gamma ^{*}$: $\hat{h}(w_{1}w_{2}) :=\hat{h}(w_{1})\cdot \hat{h}(w_2)$. Usually, there is no distinction between h and $\hat{h}$. For a language $L_1 \subseteq \Gamma $, $h(L_{1})$ is defined as $ h(L_{1}):=\{h(w)|w\in L_{1}\}$.

A homomorphism $h:\Gamma \rightarrow \Sigma \cup \{\epsilon \}$ is also called a fine homomorphism.
A homomorphism h : $\Gamma \rightarrow \Sigma $ is also called a very fine homomorphism.
A homomorphism h : $\Gamma \rightarrow \Gamma $ with $h(a)=a$ for all $ a\in \Gamma $ is called the identity on $\Gamma $ and denoted $\textbf{id}_{\Gamma }$.
A fine homomorphism $\delta _{\Sigma }:\Gamma \rightarrow (\Gamma -\Sigma ) \cup \{\epsilon \}$ with $\delta _{\Sigma }(a)=\epsilon $ for all $ a\in \Sigma $ and $\delta _{\Sigma }(a)=a$ for all $ a\in \Gamma -\Sigma $ is also called deletion homomorphism. If $\Sigma $ is a singleton, for example $\Sigma =\{a\}$, this can be denoted as $\delta _{a}$ instead of $\delta _{\{a\}}$. Thus $\delta _{\Sigma }$ “deletes” all symbols in $\Sigma .$

A language operator that is particularly interesting for Petri nets is the shuffle operator. It builds a link to reflect the concurrent nature of Petri nets in the sequential nature of word sequences determining a language. It can be visualized by “sticking” two stacks of playing cards together while shuffling. The single cards stand for letters and the two stacks represent two words.

Definition 3.38 (Shuffle ( $IMAGE$ )).

The shuffle for two words $IMAGE$ is defined as $IMAGE$ $\{w_1\}$, $IMAGE$ . The shuffle is canonically extended to languages $L_{1},L_{2}\subseteq \Sigma ^{*}$ as $IMAGE$ .

For example, for the two languages $\{ab,ad\}$ and $\{ef\}$ is

IMAGE

The shuffled words are thus composed of one word from each of the languages involved. While the letters of the same word remain in the given order, the letters of different words in the shuffle can appear in any order. There are no causal dependencies between these words. In this sense, the shuffle $IMAGE$ reflects concurrency that is not directly recognizable in a target word. If the inherently concurrent behavior of Petri nets is modeled using shuffle, one also speaks of interleaving models. Moreover, the shuffle operator now allows the definition of the restriction of two languages.

Definition 3.39 (Restriction Operator ( $\circledR $ )).

The restriction operator $\circledR $ for two languages $L_{1}$ and $L_{2}$ is defined over (the minimally selected) alphabets $\Sigma _{L_{1}}$ and $\Sigma _{L_{2}}$ as $IMAGE$

In order to assign a language to a Petri net, it is extended with a mapping that assigns a letter to be generated to each transition. Firing a sequence of transitions creates a word. In this case, the transition system of the marking graph determines the language. In order to increase the expressive power of Petri nets, or, their languages, respectively, final states are often assigned to Petri nets, such that the word belonging to a firing sequence lies in the language of the net only if one of the final markings can be reached at the end of the firing sequence. Because the focus of obstructability lies on process completion, a language-generating Petri net is supposed to consider final markings as well. Moreover, a letter assigned to a transition may also be the empty word $\epsilon $, or the same letter is assigned to multiple transitions. Hence, the labeling of a Petri net may be free (i.e., an identity homomorphism), $\epsilon $-free (i.e., a very fine homomorphism), or arbitrary (i.e., a fine homomorphism, such that multiple transitions may have the same letter assigned to them).

Definition 3.40 (Language-Generating Petri Net).

A language-generating Petri Net N is a 7-tuple $N =\langle P, T, F, m_{0},M_{f},\Sigma ,\ h_\ell \rangle $, consisting of a Petri net $\langle P, T, F, m_0\rangle $ with an initial marking $m_{0}$, a finite set of final markings $M_{f} \subseteq \mathbb {N}^{P}$, an alphabet $\Sigma $ and a labeling $h_\ell $: $T\rightarrow \Sigma \cup \{\epsilon \}$. $h_\ell $ is continued on $T^*$, by defining $h_\ell (\epsilon ) =\epsilon $ and $h_\ell (\sigma _{1}\sigma _{2}) =h_\ell (\sigma _{1})h_\ell (\sigma _{2})$, such that $h_\ell $ is then a homomorphism.

Every Petri Net $N=\langle P,T,F,m_{0}\rangle $ is canonically identified with the language-generating Petri Net $\langle P, T, F, m_{0}, \emptyset , T, id \rangle $ , where the labeling function is the identity. From now on, the word “language-generating” will be omitted as it is always clear what is meant in each case.

The labeling $\tau $ is identified for transitions with the empty word $\epsilon $. Thus, $h_{\ell }$ can be extended to a homomorphism in the usual way $h_{\ell }$ : $T^{*} \rightarrow \Sigma ^{*}$:

$h_{\ell }(\epsilon )\ :=\epsilon $,

$h_{\ell }(t) := \left\{ \begin{array}{l} t,\ if \ t\in \Sigma -\{\tau \}\\ \epsilon ,\ if \ t=\tau \ \end{array}\right. $

$h_{\ell }(\sigma t)\ :=h_{\ell }(\sigma )h_{\ell }(t)$

A Petri net $N = \langle P,T,F,m_{0},M_{f},\Sigma ,h_\ell \rangle $ in which $h_\ell (t) \ne \epsilon $ for all $t \in T$ is called “$\epsilon $-free”. The net N wherein $\Sigma = T$ and $h_\ell (t) = t$ for all $t \in T$ is called “free”. For an arbitrary Petri net $N = \langle P,T,F,m_{0}, M_{f},\Sigma ,h_\ell \rangle $, $N^{f} =\langle P, T, F, m_{0}, M_{f}, T, id\rangle $ is the free version of N.

$\tau $ is just another name for the empty word $\epsilon $. In Petri net theory, $\tau $ has become customary. One notion is that transitions labeled with $\tau $ are supposed to be invisible to an observer of a Petri net. The symbol $\lambda $ can often be found for $\tau $ as well. In case that Petri nets are used to model business processes, it is not unusual to distinguish between so-called regular transitions (i.e., t labeled with some letter in $\Sigma -\{\tau \}$) and silent transitions (i.e., t labeled with $\tau $). Silent transitions do not represent the execution of a process activity and are used for routing purposes or to achieve a more compact representation of the net. That way, for example, optional process activities can be modeled as a choice between a silent transition and the process activity itself. Moreover, silent transitions may also be introduced in case that a net is transformed in order to obtain desirable net properties. For example, if an arbitrary net is transformed into a free-choice net, it may be describable that the transitions added in the course of the free-choice transformation are silent as well. Silent transitions are not considered in the language determined by (completed) firing sequences.

Based on such a (somehow) labeled Petri net, the set of all possible firing sequences resulting from the execution that starts in an initial marking and terminates in some final marking determines a language. The term “final” must indeed be considered in a more differentiated way: Whereas arbitrary markings can be defined as final markings, the notion of “terminal” markings describes markings given by all states that do not allow the firing of any further transition, namely deadlock markings.

Based on these considerations, the study of Petri nets in formal language theory has introduced several notions of Petri net languages. The standard notion of a Petri net language accepts sequences of transition labels in a run from an initial to a final marking. The prefix language considers all markings to be final. Here, each prefix of a word is itself a word of the language. The covering language accepts sequences leading to markings that are greater or equal to a given set of final markings. Finally, the terminal languages only accept sequences leading to a deadlock [160, 161]:

Definition 3.41 (Petri Net Language).

Let $N = \langle P,T,F,m_{0},M_{f},\Sigma ,h_\ell \rangle $ be a Petri net.

The language of N accepts firing sequences to the final marking, i.e., the set of final markings is defined by a finite marking set. It is defined as $L(N)=\{w\in \Sigma ^{*}|\exists \sigma \in T^{*}\; \exists m_{f}\in M_{f}:m_{0}[\sigma \rangle m_{f}\wedge h(\sigma )=w\}$ .

The prefix language of N accepts all transition sequences (in other words, all reachable markings are final markings) and is defined as

$P(N)=\{w\in \Sigma ^{*}|\exists \sigma \in T^{*}:m_{0}[\sigma \rangle \wedge \ h(\sigma )=w\}$.

The covering language of N accepts all transition sequences reaching a marking that is greater than or equal to any element of the set of final markings. It is defined as $C(N)=\{w\in \Sigma ^{*}|\exists \sigma \in T^{*}\; \exists m_{f}\in M_{f}\;\exists m\in \mathbb {N}^{P}$ : $m_{0}[\sigma \rangle m\wedge m\ge m_{f}\wedge h(\sigma )=w\}{} \textit{.}$

The terminal language N accepts runs to deadlock markings, such that the set of final markings results from any terminal marking (a marking in which no transition is enabled). The terminal language is defined as

$T(N)=\{w\in \Sigma ^{*}|\exists \sigma \in T^{*}\; \exists m\in \mathbb {N}^{P} : m_{0}[\sigma \rangle m \wedge h(\sigma )=w \wedge \not \exists t\in T$: $m[t\rangle \}$.

Petri net languages represent the interleaving semantic of Petri nets. As indicated before, Petri net languages can model the inherently concurrent behavior of Petri nets with the help of the shuffle operator. It is assumed, however, that narrowing down the view from true concurrency to interleaving behavior is not significant for the consideration of business process activities in the context of this thesis. Indeed, it is unlikely and irrelevant whether parallel tasks will take place at exactly the same time such that they happen in one step (true concurrency). Rather, the point is that parallel tasks in business processes (or parallel user-task assignments) can be executed independently from each other.

Hence, the three different labeling functions and the four different language types result in twelve different language classes. The focus of this work can be limited to non-prefix-closed languages of predominantly free nets. Hence, the prefix type and the terminal type (which is non-prefix-closed) do not require the definition of a final marking. P-type languages represent the sequence semantics, i.e. each possible fire sequence corresponds to one word of the language of the net. T-type languages stand for the complete sequence semantics, which reduces the language of the net to those words that are created by completed terminal firing sequences. However, both languages can be represented with the help of final markings as well. On the one hand, the prefix language P(N) can be expressed as the covering language of the marking that assigns zero to all places, i.e., $P(P,T,F,m_{0},\emptyset ,\Sigma ,h_\ell ) = C(P,T,F,m_{0},\textbf{0},\Sigma , h_\ell )$, or equivalently, $C(P,T,F,m_{0},\emptyset ,\Sigma , h_\ell )$. That way, the prefix-closure could also be reproduced by defining each reachable marking as a final state of the language $L=C(P,T,F,m_{0},[m_{0}\rangle ,\Sigma , h_\ell )$ . On the other hand, the terminal language T(N) can be represented as the language L of the set of final markings that contains all terminal markings, that is, $T(P,T,F,m_{0},\emptyset ,\Sigma ,h_\ell ) = L(P,T,F,m_{0},[m_0\rangle _{\!\mathcal {T}},\Sigma , h_\ell )$.

These different perspectives are also underlined by observing the different languages of the basic WF-net of the DMV example from Figure 3.29, i.e., $N = \langle P,T,F,m_{0},M_{f},T,id\rangle $ where $M_{f}=\{\{p_o\}\}$, $\Sigma =\{t_1,\ t_2\}$, and $h_\ell (t_{1})=t_1, h(t_{2}) =t_2$. Here, $L(N) = C(N)=T(N) =\{t_1 \cdot t_2\}$ and $P(N) =\{\emptyset , t_1, t_1 \cdot t_2\}= Pre\;L(N)$. For a different final marking $M_{f}=\{\{p_2\}\}$ only the L- and C-type languages change, namely $L(N)=\{t_1\}$ and $C(N) =\{t_1, t_1 \cdot t_2\}$. In this regard, Peterson has already recognized that the language types L and T are equally expressive, that is, for every net N, there is a net $N'$ with $L(N) =T(N')$ and vice versa. The types P and C have less expressive power [161].

3.2.4.2 SecANet Language Types

Based on these language-related definitions, the language of a SecANet will now be examined. First of all, in order to investigate language related properties, a labeling function will assign an alphabet $\Sigma $ to the transitions of the SecANet. Because the SecANet definitions encode each transition distinctively, the labeling function represents the identity function. Hence, the labeling of a SecANet is free, that means, there are no arbitrary labelings or $\epsilon $-labelings. That way, the language types can be directly related to the set of full and terminal, obstructed and satisfiable firing sequences of a SecANet:

In analogy to full firing sequences for some workflow net, the language L(N) of the SecANet $N=\{P,T,F,m_0,M_f,T,id_T\}$ contains all words leading to the set of final markings containing $p_o$, i.e., $M_f=\{m|m \in [m_0\rangle \wedge m \ge p_o\}$.
Similar to terminal firing sequences, the terminal language T(N) of the SecANet $N=\{P,T,F,m_0,\emptyset ,T,id_T\}$ contains all words that lead to deadlock markings.
Comparable to satisfiable firing sequences, a SecANet is satisfiable in case that the covering language C(N) of the SecANet $N=\{P,T,F,m_0,p_o,T,id_T\}$ is not empty. It contains the words leading to all markings that contain the output place $p_o$. Words of such a covering language may still enable further transitions as well. Each of the words of the covering language is therefore at least a prefix of or identical with words from the terminal language.
Analogously to obstructed sequences, $L_\otimes = L(\{P,T,F,m_0,M_\otimes ,T,id_T\})$ is the obstruction language and determines all sequences leading from the initial marking to obstruction markings, i.e., terminal markings that do not contain the output place of the workflow. Here, the obstruction words also represent words of the terminal language that do not relate to any word in the covering language. Therefore, a SecANet contains obstructions if the terminal language T(N) of the net without the elements of the covering language C(N) is not $\emptyset $, such that $L_\otimes (N)=T(N)-C(N)$. A SecANet is obstruction-free if the words of the terminal language represent a subset of the words in the covering language, i.e., all T-type words are also C-type words, such that $T(N)-C(N)=\emptyset $.

In order to obtain an expressive SecANet language that is able to encode satisfiable but also obstructed firing sequences, its language-type is supposed to contain words that reach final markings that are terminal. Because satisfiable words can contain prefixes that are already satisfiable (i.e., words of the covering language), this means no loss of generality, i.e., the terminal words encode all relevant firing sequences. Based on these considerations, the subsequent language observations assume T-type languages. Because L-type languages are able to express all different language-types with a corresponding set of final markings, the terminal SecANet language $T(\textsf {SecANet})$ is equal to the SecANet language $L(\textsf {SecANet})$ with the finite marking set $[m_0\rangle _{\!\mathcal {T}}$. Hence, the language-generating SecANet that is subsequently considered is a free Petri net of the form $N = \langle P, T, F, m_{0}, [m_0\rangle _{\!\mathcal {T}}, T, id_T\rangle $.

However, determining the language of a SecANet already appears to be difficult for the supposedly simple example of the DMV SecANet in Figure 3.25. Thus, to determine the language of a SecANet, further operations that allow to decompose the net such that the language of smaller parts of the net can actually be determined are required. These parts of the language can then be combined again in a further step, whereby the language of the entire net can be determined. In the following, this decomposition and composition will first be illustrated by determining the language of the example SecANet.

3.2.4.3 Decomposition

To obtain the language of a particular Petri net, it will first be decomposed into smaller subnets whose languages are straightforwardly determinable. To do this, the subnet are constructed by a selection of disjoint subsets of places. The place subsets together with their incoming and outgoing transitions will constitute the elements of the resulting subnets. Their initial and final markings will be determined based on the markings of the initial net. If the subnets are small enough, their languages can then be determined easily.

As a preparation for the subsequent definition of a subnet, projections will be useful in order to obtain the initial and final markings of the subnets. They are denoted by $\pi $. For a set P, $\mathbb {N}^P$ stands for the set of all mappings $f: P \rightarrow \mathbb {N}$. For finite sets $P=\{p_1, \ldots , p_n\}$, $\mathbb {N}^{P}$ can be identified with $\mathbb {N}^{|P|}$, which denotes the set of all |P|-dimensional column vectors over $\mathbb {N}$. If p is a distinguished element in P and $P' \subseteq P = \{p_1, \ldots , p_n\}$ is a distinguished subset of P, then $\pi _{p}:\mathbb {N}^P\rightarrow \mathbb {N}$ and $\pi _{p'}:\mathbb {N}^P\rightarrow \mathbb {N}^{P'}$ are the projections with $\pi _p(v)=v(p)$ and $\pi _{P'}(v)=(v(p_{i_1}), \ldots , v(p_{i_k}))^\top $^{Footnote 8} for a vector v and $P'=\{p_{i_1},\ldots ,p_{i_k}\}$ with $i_1< \ldots < i_k$. A vector $ v\in \mathbb {N}^{P'}$ is understood as an element of $\mathbb {N}^P$ with $v(p)=0$ for all $p \in P-P'$, which describes the canonical embedding of $\mathbb {N}^{P'}$ in $\mathbb {N}^P$.

Definition 3.42 (Subnet).

Given a Petri net $N = \langle P, T, F, m_{0}, M_{f},\Sigma , h_{\ell }\rangle $ and $P'\subseteq P$ , the following can be defined:

$$ m_{0,P'}:=\pi _{P'}(m_{0}),\ M_{f,{P'}} :=\pi _{P'}(M_{f}). $$

The subnet generated by $P'$ is defined as

$N(P') :=\langle P', T', F|_{(P'\times T') \cup (T'\times P'),m_0,P'}, \Sigma , h_\ell |_{T'}, M_{f,P'}\rangle $ , where $T' := {}^\bullet \!P' \cup P'^\bullet $ . For $P'\subseteq P$ with $N'=N(P')$ , $N'$ represents a so-called “closed” subnet of N . Additionally, a net with $|P'| =1$ is called “elementary”.

Whereas, in the course of the flattening, all inputs were integrated into the WF-net step by step, for a decomposition, it will be necessary to decompose the elements of the flattened net into smaller tuples or subsets. Therefore, a dot-notation, which is supposed to unambiguously indicate which specific set or tuple is regarded, will be introduced for better clarity.

Definition 3.43 (Dot-Notation).

Let Q be some set and s a description of some subset of Q . The dotted-set notation $\dot{Q}_s$ determines the subset of Q consisting only of the elements described with the subscripted s . The dot-notation is canonically extended for tuples such that for some tuple $Y=\langle Q_1, Q_2\ldots , Q_n\rangle $ , the dot-notation is continued onto its elements, i.e., $\dot{Y}_s=\langle \dot{Q}_{1_s}, \dot{Q}_{2_s}\ldots , \dot{Q}_{n_s}\rangle $ .

For the example SecANet, the dotted $\dot{P}_{TA+SoD}$ thus determines that this set does only contain the subscripted net elements, e.g., in this case, only $TA+SoD$ places from user-task or SoD-constraint modeling without WF-net places, i.e., $\dot{P}_{TA+SoD} = P_{TA+SoD}- P= \{p_{t_1-}, p_{t_1+}, p_{t_2-}, p_{t_2+}, SoD_{u_1t_1t_2} \}$.

Decomposition of the Example SecANet:

The decomposition of a free Petri net into subnets is demonstrated by means of the SecANet example depicted in Figure 3.23b. First, the set of places is divided into two disjoint subsets $P = \{p_{i}, p_{2}, p_o \}$ and $\dot{P}_{TA+SoD} = \{p_{t_1-}, p_{t_1+}, p_{t_2-}, p_{t_2+}, SoD_{u_1t_1t_2} \}$. The closed subnets $N = N(P)$ and $\dot{N}_{TA+SoD} = N(\dot{P}_{TA+SoD})$ are illustrated in Figure 3.30. The initial marking of the two subnets N and $\dot{N}_{TA+SoD}$ is $m_{0,P}= \{p_i\}$ and $m_{0,\dot{P}_{TA+SoD}}=\{p_{t_1-}, p_{t_2-}, SoD_{u_1t_1t_2}\}$. Because the final markings for the example nets result from the terminal markings of the SecANet $M_{f}=[m_0\rangle _{\!\mathcal {T}}= \{\{p_o\},\{p_2, p_{t_2-}\}\}$, the projection of this marking onto the subnets N(P) and $N_{TA+SoD}$ is $M_{f,{P}}=\{\{p_o\},\{p_2\}\}$, and $M_{f,{\dot{P}_{TA+SoD}}}=\{\emptyset ,\{p_{t_2-}\}\}$, respectively. The language generated by the subnet $N= \{P,T,F,m_0,M_{f,{P}}, T, id_T\}$ and its alphabet is now easy to determine, namely

$$\begin{aligned} L(N) ={} & {} \{t_1\;t_2, t_1\}\text { and}\\ \Sigma _{N}={} & {} \{t_1, t_2\}. \end{aligned}$$

In order to determine the language of the other subnet $L(\dot{N}_{TA+SoD}) $, a further decomposition is necessary. The set of places of $\dot{N}_{TA+SoD}$ is divided into two disjoint subsets $\dot{P}_{TA} = \{p_{t_1-}, p_{t_1+}, p_{t_2-}, p_{t_2+}\}$ and $\dot{P}_{SoD} = \{ SoD_{u_1t_1t_2} \}$. That way, the closed subnets $\dot{N}_{TA} = N(\dot{P}_{TA})$ and $\dot{N}_{SoD} = N(\dot{P}_{SoD})$ are obtained, as illustrated in Figure 3.31. The projection of the final markings of the subnet $N(\dot{P}_{TA+SoD})$, namely $M_{f,{\dot{P}_{TA+SoD}}}=\{\emptyset ,\{p_{t_2-}\}\}$, onto the subnets $N(\dot{P}_{TA})$, and $N(\dot{P}_{SoD})$ is $M_{f,{\dot{P}_{TA}}}=\{ \emptyset ,\{p_{t_2-}\}\}$ and $M_{f,{\dot{P}_{SoD}}}=\{\emptyset \}$, respectively. The languages and alphabets generated by $\dot{N}_{TA}$ and $\dot{N}_{SoD}$ are

IMAGE

Note that, $(t_{u_1t_1}\cup t_{u_1t_2})$, for example, represents the union of two disjoint sets (or symmetric difference) and stands for the logical exclusive-or (XOR) for sets. It results in the SoD subnet language $\{t_{u_1t_1}, t_{u_1t_2}\}$, which, thus, directly encodes the exclusive choice between two conflicting user-task transitions.

3.2.4.4 Composition

Based on the decomposition, it can now be considered how to determine the language of a free Petri net if the languages of its subnets are known. Apparently, in order to assemble the subnets, transitions that occur in several subnets must be “merged” in some way. This points to the use of a further operation in the theory of formal languages, namely synchronization. Indeed, a couple of operations such as intersection, shuffle and restriction are simple special cases of synchronization, and synchronization is a quite natural operation for Petri nets. Unfortunately, as a language operation, it is all the more complicated [167]:

Definition 3.44 (Synchronization of Languages).

Let ${\varSigma }_{1}, {\varSigma }_{2}$ be two alphabets, ${\varSigma }$ a finite set and $L_{1} \subseteq {\varSigma }_{1}^{*}$ and $L_{2} \subseteq {\varSigma }_{2}^{*}$ two languages. The ${\varSigma }$ -Synchronization $L_{1}\;sy_{\varSigma }\;L_{2}$ of $L_{1}$ and $L_{2}$ is defined by

IMAGE

where h : ${\varSigma }_{1}^{*} \rightarrow ({\varSigma }'_1$ $\cup $ ${\varSigma })^{*}$ is the labeling with $h(a) :=a$ for $a \in {\varSigma }$ and $h(a) :=a'$ for $ a\in {\varSigma }_{1}-{\varSigma } $ , where ${\varSigma }'_1$ is the alphabet ${\varSigma }'_1$ $:=\{a'\ |a\in {\varSigma }_{1}\}$ , and $g: ({\varSigma }_{2} \cup ({\varSigma }_{1}-{\varSigma }))^{*} \rightarrow ({\varSigma }_{1}\cup {\varSigma }_{2} \cup {\varSigma })^{*}$ is the labeling with $g(a') :=a$ for $ a'\in {\varSigma }'_1$ and $g(a) :=a$ for $a\in {\varSigma }_{2}$ . ${\varSigma }$ can also be denoted as the synchronization alphabet and may—in contrast to usual alphabets—also be empty.

Note that, for an empty synchronization alphabet, it is directly apparent that

IMAGE

Because the the restriction is just defined as $L_{1} \circledR L_{2} = (L_{1} (\Sigma _{2}-\Sigma _{1})^{*})\cap (L_{2} (\Sigma _{1}-\Sigma _{2})^{*}))$ according to Definition 3.39, this means that:

IMAGE

$(*)$ can be observed straightforwardly because h renames the letters in $\Sigma _{2}-\Sigma _{1}$, i.e., exactly those letters that do not exist in $L_{2}$ anyway. So h and g can also be dropped [167].

The synchronization of languages can canonically be extended to Petri nets. It stands for the counterpart of the decomposition into subnets and allows to combine nets and other languages. While subnets are determined by means of a selection of a set of disjoint places, the synchronization of nets aims at combining transitions labeled identically. The definition of the synchronization of nets by Priese and Wimmel [167] will subsequently be adapted to the definitions provided in this thesis.

Definition 3.45 (Synchronization of Nets).

Let $N_{i} = \langle P_{i}, T_{i}, \mathcal {F}_{i}, m_{o_i}, M_{f,i}, {\varSigma }_{i}, h_{\ell i}\rangle $ for $i\in \{1$, 2$\}$ be two Petri nets and ${\varSigma }$ a (possibly empty) synchronization alphabet $(\tau \not \in {\varSigma })$. Without losing generality, it is assumed that the nets are disjoint. The ${\varSigma }$-Synchronization of the nets $N_{1}$ and $N_{2}$ is defined as

$N_{1}\; sy_{\varSigma }\; N_{2} $ $:=$($P_{1}\dot{\cup }P_{2},\hat{T}_{1}\cup T^{\times } \cup \hat{T}_{2}, \hat{\mathcal {F}}_{1}\cup \mathcal {F}^{\times } \cup \hat{\mathcal {F}}_{2},$ $(m_1, m_2),$ $ {\varSigma }_{1}$ $\cup $ ${\varSigma }_{2}, h_\ell , M_{f,1} \times M_{f,2}$) with the following components:

$\hat{T}_{i} :=\{t\in T_{i}|h_{\ell i}(t)\not \in {\varSigma \}}$ for $i\in \{1, 2\},$

$T^{\times } :=$ $\{(t_{1}, t_{2}) \in T_{1} \times T_{2} \mid h_{\ell 1}(t_{1})=h_{\ell 2}(t_{2}) \in {\varSigma \}},$

$\hat{\mathcal {F}}_{i}=\mathcal {F}_{i}-\{\langle t, p\rangle ,\langle p,t\rangle \in \mathcal {F}_{i}|t\in T_i \wedge h_{\ell i}(t)\in \Sigma \},$

$\mathcal {F}^{\times }=\{\langle (t_1,t_2), p\rangle | (t_1, t_2) \in T^\times \wedge (\langle t_1,p\rangle \in \mathcal {F}_1 \vee \langle t_2,p\rangle \in \mathcal {F}_2) \} \cup \{\langle p, (t_1,t_2) \rangle | (t_1, t_2) \in T^\times \wedge (\langle p,t_1\rangle \in \mathcal {F}_1 \vee \langle p,t_2\rangle \in \mathcal {F}_2) \}$.

Figure 3.32 depicts the $\Sigma $-synchronization of $\dot{N}_{TA}$ and $\dot{N}_{SoD}$ of the example net with the synchronization alphabet $\Sigma = \{t_{u_1t_1}, t_{u_1t_2}\}$. It illustrates how the synchronization takes place via the transitions whose labels lie within the synchronization alphabet ${\varSigma }$. Each single transition of two nets $N_{1}$ and $N_{2}$ with the same labeling of ${\varSigma }$ is combined (or “merged”) with each other, including its former pre- and post-areas. The resulting transitions are in $T^{\times }$. All other transitions and places are simply transferred to the new net. Note that $L(N_{1}) sy_\Sigma L(N_{2}) =L(N_{1} sy_\Sigma N_{2})$ [167].

For the synchronization of two subnets $N(P_1)$ and $N(P_2)$ resulting from the decomposition of a free Petri net (without isolated transitions) $N=\langle P, T, F, m_0, M_f, T, id\rangle $ with $P_1 \cap P_2 = \emptyset $ and $P_1 \cup P_2 = P$ , and the synchronization alphabet representing the common transitions of the two subnets $\Sigma = T_{N(P_1)} \cap T_{N(P_2)}$, the following applies (for a detailed proof see Priese et al. [167]): If the final state set of N is just the product of the two final state sets of the subnets, i.e., $M_f = M_{f,1} \times M_{f,2}$, the synchronization of the two subnets just constitutes the original net again, i.e., $N=N(P_1)sy_\Sigma N(P_2)$. Then, the synchronization $N(P_1)sy_\Sigma N(P_2)$ is identical to N, except for the negligible renaming of the transition names. Accordingly, the synchronization of the language of the subnets then determines the language of the original net. More precisely, this represents the restriction because, as described above, $L_{1^{Sy}\Sigma _{1}\cap \Sigma _{2}}L_{2} =L_{1}\circledR L_{2}$. This does not only apply to free Petri nets that have the same final marking as the product of the final marking sets of the subnets. Indeed, for the general case of such a free Petri net that is decomposed, its language can be composed by applying the restriction operator onto the languages of the subnets. Priese and Wimmel show this by transforming the net and its subnets into a normal form that encloses each (sub)net. This normal form transforms all final states of a net into a single final state. That way, it is achieved that the product of the two subnets in normal form (see Definition 3.45) is the final marking of the original net such that the synchronization of the subnets results in the initial net again, i.e., $N=N(P_1)sy_\Sigma N(P_2)$. A special case of this restriction is represented by the case in which the languages of two nets $N_1$ and $N_2$ do not have any common letters, such that the synchronization alphabet of the languages of two nets is empty. Because $IMAGE$ , the shuffle can then be used to combine the two languages, such that, for $\Sigma _{L(N_1)}\cap \Sigma _{L(N_2)}=\emptyset $, $IMAGE$ ^{Footnote 9}.

Hence, the restriction operator can be applied if the synchronization alphabet of the languages of the two nets involved in the synchronization represents the intersection of both alphabets, which will be denoted by $\Sigma _\cap $. That way, the restriction provides an interface that is able to combine the common transitions that occur in the alphabets of both languages. In case there are multiple subnets from a decomposition of a free Petri net, the composition of the languages of two such subnets results in the language of a further subnet. In this case, the languages of the initial net will need to be obtained by a step-by-step composition of the subnet languages. Depending on whether $\Sigma _\cap $ is empty for all such compositions, the restriction or the shuffle operator needs to be applied. The subsequent definition bases on the presented findings on the synchronization of free (sub)nets and provides a compact notation for the synchronization applied on the languages of a set of subnets.

Definition 3.46 (Composition of Subnet Languages).

Given a free Petri net (without isolated transitions) N(P) with $P=\{p_1, \ldots , p_{|P|}\}$ and some positive integer n of disjoint subsets $P' \in \{P'_1, \ldots ,P'_n\}$ with $P'_1 \cup \ldots \cup P'_n=P$ and $P'_1 \cap \ldots \cap P'_n=\emptyset $ for all $P' \subseteq P$, the subsequent notation describes the synchronization of the languages of all subnets $L(N(P'))$ to compose the language of the net L(N(P)). Based on the synchronization alphabet $\Sigma _\cap =\Sigma _{L_1}\cap \Sigma _{L_2}$ that represents the intersection of the alphabets of the two languages $L_1$ and $L_2$ involved in the synchronization, two cases may occur:

(1)
For $|\Sigma _\cap | >0$ (in all synchronizations):
$$\begin{aligned} L(N(P)) ={} & {} L(N(P'_1))sy_{\Sigma _\cap } L(N(P'_2)) sy_{\Sigma _\cap } \ldots sy_{\Sigma _\cap } L(N(P'_n)) \\ ={} & {} L(N(P'_1))\circledR L(N(P'_2)) \circledR \ldots \circledR L(N(P'_n)) \\ ={} & {} \displaystyle \mathop {\circledR }_{i=1}^{n} L(N(P'_i)) \end{aligned}$$
(2)
For $\Sigma _\cap =\emptyset $ (in all synchronizations):
$IMAGE$

The synchronization only considers the intersection of the alphabets of the involved languages, which means that, based on the commutativity of the intersection operator, the order of how such a synchronization is applied does not matter in the end. Note that after the restriction has been applied on two languages, e.g. $L_1 \circledR L_2$, a restriction with a further language, for example $L_1 \circledR L_{2} \circledR L_{3}$, then considers the alphabet of this further language, i.e., $\Sigma _{L_3}$, as well as the alphabet of the language resulting from the first restriction, i.e., $\Sigma _{L_1\circledR L_2}$ (and not only $\Sigma _{L_2}$).

Composition of the Example SecANet:

Because the subnets resulting from the decomposition of the example SecANet above are free as well, the restriction operator will be used to determine the languages of the compositions of the subnets. More specifically, the language of the DMV example SecANet will be composed step by step in reverse order to the order of the decomposition. Therefore, the languages of the two subnets $N_{TA}$ and $N_{SoD}$ will be synchronized first. In a further step, the combination of these languages will be synchronized with the initial WF-net N. That way, the overall language of the SecANet example will be determined. For the composition of the language of $\dot{N}_{TA}$ and $\dot{N}_{SoD}$, the synchronization alphabet is $\Sigma _{TA}\cap \Sigma _{SoD}=\{t_{u_1t_1}, t_{u_1t_2}\}$. This underlines the fact that the previously indicated special case of the synchronization, namely the restriction, is at hand, such that $L(N_{TA})sy_{\Sigma _{TA}\cap \Sigma _{SoD}}L(N_{SoD}) = L(N_{TA})\circledR L(N_{SoD})$ [167]. Hence, to obtain the language of the two policy-related subnets of the example, the restriction operator for two languages can directly be applied:

IMAGE

For the composition of the language of this subnet with the language of the WF-net, i.e., $L_{N^{Sy}\Sigma _{N}\cap \Sigma _{TA+SoD}}L_{TA+SoD}$, the synchronization alphabet is $\Sigma _N\cap \Sigma _{TA+SoD}=\{t_{1}, t_{2}\}$. Hence, the synchronization can be conducted by using the restriction operator again:

IMAGE

Thus, the words that correspond to the set of full firing sequences (or plans) of the example SecANet are given by the set $IMAGE$ . The set of obstructed firing sequences (or partial plans) relates to the remaining word that does not contain the end activity $t_2$, namely $\{t_{u_1t_1} t_1\}$.

3.2.4.5 SecANet Language

In order to determine the SecANet language, the decomposition and the composition of the example SecANet will be generalized. Figure 3.33 depicts the big picture of the SecANet decomposition, in particular the subnets that are to be separated, namely, the WF-net, the user-task subnets and the constraint subnets (i.e., the SoD and BoD subnets). The following considerations will go through this decomposition step by step in order to determine the essential place subsets in a comprehensive way.

Given a SecANet ${N}_{TA+C}$, its disjoint place subsets P and $\dot{P}_{TA+C}$ allow to determine the WF-net N and the net modeling the policy $\dot{N}_{TA+C}$. The subnet $\dot{N}_{TA+C}$ contains the disjoint place subsets $\dot{P}_{TA}$ and $\dot{P}_{C}$, which allow to obtain the subnets $\dot{N}_{TA}$ and $\dot{N}_{C}$. Based on the disjoint place subsets $\dot{P}_{C_{SoD}}$ and $\dot{P}_{C_{BoD}}$, the subnet $\dot{N}_{C}$ can be decomposed into the subnets $\dot{N}_{C_{SoD}}$ and $\dot{N}_{C_{BoD}}$. This results in the four basic disjoint place subsets P, $\dot{P}_{TA}$, $\dot{P}_{C_{SoD}}$, and $\dot{P}_{C_{BoD}}$, which will determine the subnets N, $\dot{N}_{TA}$, $\dot{N}_{C_{SoD}}$, and $\dot{N}_{C_{BoD}}$, respectively. The considered place subsets can easily be identified based on the previous SecANet definitions, namely

$$\begin{aligned} P =&P&\text {(the places of the initial WF-net)} , \qquad \\ \dot{P}_{TA} =&{P}_{TA} - P&\quad \text {(the places of the user-task subnets)} , \ \,\\ \dot{P}_{C_{SoD}}=&P_{TA+SoD} - {P}_{TA}&\quad \text {(the places of the SoD subnets), and}\ \ \\ \dot{P}_{C_{BoD}}=&P_{TA+BoD} - {P}_{TA}&\text { (the places of the BoD subnets).}\qquad \end{aligned}$$

The policy-related subnets will then be decomposed further into basic subnets that allow to determine their languages straightforwardly. The language of each subnet $N(P')$ will be obtained according to the initial marking $m_{0,P'}$ and the set of final markings $M_{f,P'}$ given by the projection of the initial marking and the terminal markings of the SecANet onto the places $P'$ of the considered subnet, that is, $m_{0,P'}=\pi _{P'}(m_{0})$ and $M_{f,P'}=\pi _{p'}([m_0\rangle _{\mathcal {T}})$, respectively. The listing below provides an overview of the subnets and languages resulting from the subsequent decomposition and composition.

Workflow Subnet N
- Language of Workflow Subnet $L_N$
User-Task Subnets $\dot{N}_{TA}$
- User-Task Subnet $N_{t-+}$
- Language of the User-Task Subnet $L_{t-+}$
SoD Subnets $\dot{N}_{C_{SoD}}$
- SoD Subnet $N_{\ne }$
BoD Subnets $\dot{N}_{C_{BoD}}$
- BoD Subnet $N_{=}$
Constraint Subnet $N_{c}$
- Language of Constraint Subnet $L_{c}$
Composition of Languages
- Language of User-Task Subnets $L_{TA}$
- Language of Constraint Subnet $L_{C}$
- Language of Policy Subnets $L_{TA+C}$
- Language of SecANet $L_{N+TA+C}$

After the languages of the smallest subnets $N_{t-+}$ and $N_{c}$ are determined, they will be combined with the languages of the other subnets step by step in the course of the composition of languages. Through this step-by-step composition of the languages of all subnets in reverse order to the decomposition, the language of the SecANet will finally be obtained.

To begin with, the workflow subnet can be determined through the places of the initial WF-net. Although structurally, it is equivalent to the initial WF-net, the final markings may differ.

Definition 3.47 (Workflow Subnet).

Based on a SecANet $N_{\textsf {SecANet}}=\langle P_{TA+C}, T_{TA+C}, F_{TA+C}, m_{0}, [m_{0}\rangle _{\!\mathcal {T}}, T_{TA+C}, id\rangle $ with $m_o \in P_{TA+C}$, the workflow subnet

$N=N(P)=\langle P,T,\mathcal {F},m_{0,P}, M_{f,P},T,id \rangle $ is obtained, where

$P= \{p_i, p_1, \ldots , p_o\}$,

$T= \{t_1, t_2, \ldots ,t_{|T|}\}$,

$F= \{ \langle p_i, t_1\rangle , \langle t_1, p_1 \rangle , \ldots , \langle t_{|T|}, p_o\rangle \}$,

$m_{0,P}=\pi _{P}(m_{0})$ and $M_{f,P}=\pi _{P}([m_0\rangle _{\mathcal {T}})$.

For example, the initial and final markings of the workflow subnet N in Figure 3.30a is $m_{0,P}= \{p_{i}\}$ and their set of final markings is $M_{f,P}= \{\{p_{o}\},\{p_{2}\}\}$.

Since the SecANet formalism is given for arbitrary well-structured free-choice WF-nets, whose comprehensive structure can involve parallelism or exclusive paths, the language of such WF-net can only be defined in general terms. However, the SecANet encoding allows to draw conclusions on the alphabet of the language of the workflow subnet. In fact, the language of the initial WF-net can differ from the language of the WF-net that is decomposed from the SecANet because their final markings may be different. On the one hand, if the workflow is satisfiable, the set of final markings of the workflow subnet still contains $\{p_o\}$ (as it was the case for the initial WF-net). On the other hand, in case of obstructions, the set of final markings of the workflow subnet may not (only) contain the output place anymore but the markings of the places $p \in P$ that are in the set of obstruction markings $m \in M_\otimes $. Hence, since the alphabet of a language consists of all letters that actually occur in at least one word of the language, the actual alphabet of the workflow subnet language determined by the terminal markings of the SecANet can differ from the alphabet of the language of the initial net.

In case of a satisfiable execution, the alphabet of the language of the WF-net contains all workflow tasks. However, in case the workflow is not satisfiable, it does not contain the final marking set $\{p_o\}$ and therefore not all workflow tasks of the workflow net are reflected in its language $\Sigma _N$. In workflow nets with exclusive branches, it may moreover be possible that only one path is satisfiable, whereas another is not. This would also result in an alphabet $\Sigma _N$ of the language of the net N that would not contain all tasks either.

Definition 3.48 (Language of the Workflow Subnet).

Based on the language definition applied on the workflow subnet, the language of a workflow net is $L_N =L(N(P)) =\{w\in T^{*}|\exists \sigma \in T^{*}\; \exists m_{f}\in M_{f, P}:m_{0, P}[\sigma \rangle m_{f}\wedge h(\sigma )=w\}$.

The alphabet of L(N(P)) is then:

$$\begin{aligned}\Sigma _{N}=\{a \in T^{*}|{} & {} \exists m_f \in M_{f, P}: m_f =\{p_o\}\wedge a \in \{t | \forall t\in T : m_0[t_1 t_2 \ldots t_n\rangle m_f\}\\ {}{} & {} \vee m_f \in \{P-p_o\} \wedge a\in \{t | \forall t\in T : m_0[t_1 t_2 \ldots t_l\rangle m_f\wedge t_l \notin \,^\bullet \!p_o \}\}.\end{aligned}$$

Hence, in case of an unsatisfiable net (or path), the alphabet of the language of the workflow subnet $\Sigma _N$ may be a subset of the alphabet $\Sigma $ defined in the definition of the language-generating workflow subnet. This observation will also be key for the alphabets of the languages for the user-task subnets since, as illustrated in Figure 3.33, a user-task subnet contains the tasks of the workflow subnet as well.

Definition 3.49 (User-Task Subnets).

Based on the flattening of user-task authorizations in Definition 3.30, the subnet

$\dot{N}_{TA} = N(\dot{P}_{TA})= \langle \dot{P}_{TA},\dot{T}_{TA},\dot{\mathcal {F}}_{TA},m_{0,\dot{P}_{TA}}, M_{f,\dot{P}_{TA}},\dot{T}_{TA},id \rangle $ is obtained, where

$\dot{P}_{TA} = \{p_{t_1-}, p_{t_2-}, \ldots , p_{t_i-}\} \cup \{p_{t_1+}, p_{t_2+}, \ldots , p_{t_i+}\} $,

$\dot{T}_{TA}= T_{TA} = T \cup \{t_{u_1t_1}, t_{u_1t_2}, {t_{u_2t_1}, t_{u_2t_2}, \ldots ,t_{u_jt_i}}\}$,

$\dot{F}_{TA} = \{ \langle p_{t_1-,t_{u_1t_1}}\rangle , \langle p_{t_2-,t_{u_1t_2}}\rangle , \langle p_{t_1-,t_{u_2t_1}}\rangle , \langle p_{t_2-,t_{u_2t_2}}\rangle , \ldots , \langle p_{t_i-,t_{u_jt_i}}\rangle \} \cup $

$\{ \langle t_{u_1t_1}, p_{t_1+}\rangle , \langle t_{u_1t_2}, p_{t_2+}\rangle , \langle t_{u_2t_1},p_{t_1+}\rangle ,\langle t_{u_2t_2}, p_{t_2+}\rangle , \ldots , \langle t_{u_jt_i},p_{t_i+}\rangle \} \cup $

$\{ \langle p_{t_1+}, t_1 \rangle , \langle p_{t_2+}, t_2 \rangle , \ldots , \langle p_{t_i+}, t_i \rangle \}$,

$m_{0,\dot{P}_{TA}}=\pi _{\dot{P}_{TA}}(m_{0})$ and $M_{f,\dot{P}_{TA}}=\pi _{\dot{P}_{TA}}([m_0\rangle _{\mathcal {T}})$.

For instance, the initial markings and final markings of the user-task subnets $\dot{N}_{TA}$ in Figure 3.31a is $m_{0,\dot{P}_{TA}}= \{p_{t_1-}, p_{t_2-}\}$ and its set of final markings is $M_{f,\dot{P}_{TA}}= \{\{p_{t_2-}\},\emptyset \}$. The language of each user-task authorization can now be obtained by building the basic subset for each pair of assigned and unassigned places for a single workflow task.

Definition 3.50 (User-task subnet).

For each set of pairs $P_{t-+} = \{p_{t-},p_{t+}\}$ , where $t\in T$ and $P_{t-+} \subseteq \dot{P}_{TA}$ , the subnet

$N_{{t-+}}= N(P_{t-+} )= \langle P_{t-+}, T_{P_{t-+}},\mathcal {F}_{P_{t-+}}, m_{0,P_{t-+}}, M_{f,P_{t-+}},T_{P_{t-+}},id \rangle $ is obtained, where

$P_{P_{t-+}} = \{p_{t-},p_{t+}\}$,

$T_{P_{t-+}}= \{t\} \cup \{t_{u_1t}, {t_{u_2t}, \ldots ,t_{u_jt}}\}$,

$F_{P_{t-+}} = \{ \langle p_{t -,t_{u_1t}}\rangle , \langle p_{t-,t_{u_2t}}\rangle , \ldots , \langle p_{t-,t_{u_jt}}\rangle \} \cup \{ \langle t_{u_1t}, p_{t+}\rangle , \langle t_{u_2t},p_{t+}\rangle , \ldots , \langle t_{u_jt},p_{t+}\rangle \} \cup \{ \langle p_{t+}, t \rangle \}$

$m_{0,P_{t-+}}=\pi _{P_{t-+}}(m_{0})$ and $M_{f,P_{t-+}} =\pi _{P_{t-+}}([m_0\rangle _{\mathcal {T}})$.

Accordingly, Figure 3.34 depicts the user-task subnet $N(P_{t_2-+} )$ for the task $t_2$ and $P_{t_2-+} = \{p_{t_2-},p_{t_2+}\}$ of the example SecANet. Its initial marking is $m_{0,P_{t_2-+}}= \{p_{t_2-}\}$ and its set of final markings is $M_{f,P_{t_2-+}}= \{\{p_{t_2-}\},\emptyset \}$. Hence, in the example of the user-task subnet $N(P_{t_2-+} )$ resulting from the DMV SecANet, there are actually two final markings, i.e., $\emptyset $ relates to the successful execution and $\{p_-\}$ corresponds to the obstruction marking. Indeed, there may also be a third final marking $\{p_+\}$, in which only the place indicating assignment is marked (i.e., the state that a user-task transition has been fired) .

Whereas for each user-task subnet decomposed from a SecANet, the projection $\pi $ of the initial marking always results in the initial marking $\langle 1,0\rangle $ (according to the order $\{p_-\}$, $\{p_+\}$) or $\{p_-\}$ in set notation, for the general case, the projection of the terminal marking may result in the maximum number of three final markings, namely $\langle 1,0\rangle $, $\langle 0,1\rangle $, and $\langle 0,0\rangle $, or $\{p_-\}$, $\{p_+\}$, and $\emptyset $ respectively. Hence, based on the definition of the L-type language $L(N)=\{w\in \Sigma ^{*}|\exists \sigma \in T^{*}\; \exists m_{f}\in M_{f}:m_{0}[\sigma \rangle m_{f}\wedge h(\sigma )=w\}$ (with $\Sigma = T$ and $T=T_{P_{t-+}}$), the initial marking $\{p_-\}$ and the three possible final markings (1) $\{p_-\}$, (2) $\{p_+\}$, and (3) $\emptyset $, the following three transition firing sequences $\sigma $ and their corresponding (sets of) words w can be identified.

$$\text {For }\{p_-\}[\sigma \rangle \{p_-\}\text {, this results in}$$

$$\text {(1) }\{h(\sigma ) |\sigma = \langle \epsilon \rangle \} = \{w|w = \epsilon \},$$

$$\{p_-\}[\sigma \rangle \{p_+\}\ {\text {yields}}$$

$$\text {(2) }\{h(\sigma ) |\sigma \in \{\langle t_{ut} \rangle | t_{ut} \in \{t_{u_1t}, {t_{u_2t}, \ldots ,t_{u_jt}}\}\}\} = \{w|w \in \{t_{u_1t}, {t_{u_2t}, \ldots ,t_{u_jt}}\}\},$$

$${\text {and}}\ \{p_-\}[\sigma \rangle \emptyset \ {\text {is reflected in}}$$

$$\text {(3) }\{h(\sigma ) |\sigma \in \{\langle t_{ut},t \rangle | t_{ut} \in \{t_{u_1t}, {t_{u_2t}, \ldots ,t_{u_jt}}\}\}\} = \{w|w \in \{\{t_{u_1t}, {t_{u_2t}, \ldots ,t_{u_jt}}\} \cdot t\}\}\}.$$

(1) and (2) represent the cases in which the workflow task that is associated with the user-task assignment is not executed. Both cases can be caused either by an obstruction or an exclusive path that has not been taken. Here, especially (1) directly indicates an obstruction, in which no transition has been fired at all. However, if the obstruction affects an exclusive path that has not been taken and the workflow is completed (i.e., a marking involving the output place $p_o$ is reached anyway), the obstruction has no effect. However, it could also have been the obstruction itself that lead to the decision to not take the affected path in the first place. In (2), only user-task transitions have been fired. On the one hand, this may encode an assignment of a user to a workflow task in an exclusive path that has not been taken. On the other hand, this may also result from an obstruction beforehand that blocks the execution of further workflow tasks, which users have already been assigned to. In (3), the final marking stands for successful user-task assignments that involve the execution of the workflow task. A firing sequence consists of a user-task transition followed by the transition of the corresponding workflow task.

According to these three cases, the language $L(N(P_{t-+}))$ can be denoted for each of the three possible final markings, namely

$$\begin{array}{rr}L(N(P_{t-+}),M_{f,P_{t-+}}=\{\{p_-\}\}) =&{} \{\epsilon \},\\ L(N(P_{t-+}),M_{f,P_{t-+}}=\{\{p_+\}\}) =&{} \{t_{u_1t}, {t_{u_2t},\ldots ,t_{u_jt}}\},\\ L(N(P_{t-+}),M_{f,P_{t-+}}=\{\emptyset \}) =&{} \{\{t_{u_1t}, {t_{u_2t}, \ldots ,t_{u_jt}}\} \cdot t\}.\end{array}$$

Due to the initial marking provided by the SecANet, the possible permutations of these three final markings are limited. This is because the initial marking directly enables all user-task transitions, such that every user-task subnet is always able to execute each of their user-task transitions (as in case (2)) at least once. A fired user-task transition may, however, only be a prefix of a successful user-task execution (as in case (1)). Hence, the set of final markings of a user-task subnet always contains at least $\{p_{t_+}\}$ or $\emptyset $. Based on this and given some user-task subnet and some possible combinations of the three final markings, the overall language of the user-task subnet can be obtained by the union of the set of words resulting from each marking of the set of final markings. For example, for $M_{f,P_{t-+}}=\{\{p_-\}, \{p_+\}\}$, the language $L(N(P_{t-+}))=\{\epsilon \} \cup \{t_{u_1t}, {t_{u_2t},\ldots ,t_{u_jt}}\} $ is obtained, the set of final markings $M_{f,P_{t-+}}=\{\{p_-\}, \{p_+\}, \emptyset \}$ results in the language $L(N(P_{t-+}))= \{\epsilon \} \cup \{t_{u_1t}, {t_{u_2t},\ldots ,t_{u_jt}}\} \cup \{\{t_{u_1t}, {t_{u_2t}, \ldots ,t_{u_jt}}\} \cdot t\} $, and $M_{f,P_{t-+}}=\{\emptyset \}$ has the language $L(N(P_{t-+}))= \{\{t_{u_1t}, {t_{u_2t}, \ldots ,t_{u_jt}}\} \cdot t\} $. Hence, similarly to the workflow subnet, the alphabet of the language of a user-task subnet may not always involve the workflow tasks, or, more formally:

Definition 3.51 (Language of the User-Task Subnet).

Based on the definition of the language applied to the user-task subnet, i.e., $L(N)=\{w\in T_{P_{t-+}}^{*}|\exists \sigma \in T_{P_{t-+}}^{*}\; \exists m_{f}\in M_{f, P_{t-+}}:m_{0, P_{t-+}}[\sigma \rangle m_{f}\wedge h(\sigma )=w\}$, the language of a user-task subnet $N(P_{t-+})$ is

$$\begin{aligned}L_{{t-+}}=L(N(P_{t-+})) =\{w \in T_{P_{t-+}}^{*}|{} & {} \exists m_f \in M_{f, P_{t-+}}: m_f =\{p_-\}\wedge \epsilon =w\\ {}{} & {} \vee m_f =\{p_+\}\wedge w\in \{t_{u_1t}, {t_{u_2t},\ldots ,t_{u_jt}}\} \\ {}{} & {} \vee m_f = \emptyset \wedge w \in \{\{t_{u_1t}, {t_{u_2t}, \ldots ,t_{u_jt}}\} \cdot t\}\}\}.\end{aligned}$$

The alphabet of $L_{{t-+}}$ is denoted as $\Sigma _{{t-+}}= (\Sigma _{N} \cap \{t\}) \cup \{t_{u_1t}, {t_{u_2t}, \ldots ,t_{u_jt}}\}$.

For example, the language of each user-task subnet of the DMV SecANet with its different sets of final markings is $L(N(P_{t_1-+}))= \{ \{t_{u_1t_1}, t_{u_2t_1}\}\cdot t_1\}$ and $L(N(P_{t_2-+}))= \{\epsilon , t_{u_1t_2}t_2\}$.

Analogously to the decomposition of the user-task subnet $\dot{N}_{TA}$, constraint-related subnets will now be decomposed in order to determine their language. The definitions of SoD- and BoD-related subnets will be explained in order to understand how they can finally be subsumed under the notion of “constraint subnets”.

Definition 3.52 (SoD Subnets)

Based on the flattening of SoD constraints in Definition 3.31 , the subnet

${\dot{N}_{C_{SoD}} = N(\dot{P}_{C_{SoD}})= }$

$\langle \dot{P}_{C_{SoD}},\dot{T}_{C_{SoD}}, \dot{\mathcal {F}}_{C_{SoD}},m_{0,\dot{P}_{C_{SoD}}}, M_{f,\dot{P}_{C_{SoD}}},\dot{T}_{C_{SoD}},$

$id \rangle $ is obtained, where

${\dot{P}_{SoD} = \{ SoD_{u_1t_1t_2}, SoD_{u_2t_1t_2}, \ldots , SoD_{u_jt_kt_l}\}}$,

${\dot{T}_{SoD} = \{ t_{u_1t_1},t_{u_1t_2}, t_{u_2t_1},t_{u_2t_2}, \ldots , t_{u_jt_k}, t_{u_jt_l}\}}$,

$\dot{F}_{TA+SoD} = \{\langle SoD_{u_1t_1t_2},t_{u_1t_1}\rangle , \langle SoD_{u_1t_1t_2},t_{u_1t_2}\rangle ,$

$\langle SoD_{u_2t_1t_2},t_{u_2t_1}\rangle , \langle SoD_{u_2t_1t_2},t_{u_2t_2}\rangle , \ldots , \langle SoD_{u_jt_kt_l}, t_{u_{j}t_{k}} \rangle , \langle SoD_{u_jt_kt_l}, t_{u_jt_l}\rangle \}$

and the markings $m_{0,\dot{P}_{C_{SoD}}}=\pi _{\dot{P}_{C_{SoD}}}(m_{0})$ and

$M_{f,\dot{P}_{C_{SoD}}} =\pi _{\dot{P}_{C_{SoD}}}([m_0\rangle _{\mathcal {T}})$ .

Similarly to the basic user-task subnets, the basic SoD subnet can be determined:

Definition 3.53 (SoD Subnet).

For each SoD place $p_{\ne } \in \dot{P}_{SoD} $ , the subnet

$N_{\ne }=N(p_{\ne })= \langle \{p_{\ne }\}, T_{p_{\ne }},\mathcal {F}_{p_{\ne }}, m_{0,p_{\ne }}, M_{f,p_{\ne }},T_{p_{\ne }},id \rangle $ is obtained, where

$p_{\ne } = \{SoD_{ut_kt_l}\}$,

$T_{p_{\ne }}= \{ t_{ut_k}, t_{ut_l} \}$,

$F_{p_{\ne }} = \{\langle SoD_{ut_kt_l}, t_{ut_{k}} \rangle , \langle SoD_{ut_kt_l}, t_{ut_l}\rangle \}$

and the markings $m_{0,p_{\ne }}=\pi _{p_{\ne }}(m_{0})$ and $M_{f,p_{\ne }} =\pi _{p_{\ne }}([m_0\rangle _{\mathcal {T}})$.

Similarly to SoD subnets, BoD subnets also base on choice-places. However, given a large set of users, they may contain multitudes of outgoing arcs (and transitions).

Definition 3.54 (BoD Subnets).

Based on the flattening of BoD constraints in Definition 3.32 , the subnet $ \dot{N}_{C_{BoD}} = N(\dot{P}_{C_{BoD}})=\langle \dot{P}_{C_{BoD}},\dot{T}_{C_{BoD}},\dot{\mathcal {F}}_{C_{BoD}},m_{0,\dot{P}_{C_{BoD}}}, M_{f,\dot{P}_{C_{BoD}}},\dot{T}_{C_{BoD}},id \rangle $ is obtained, where

$\dot{P}_{TA+BoD} = \{ BoD_{u_1t_1t_2}, BoD_{u_2t_1t_2}, \ldots , BoD_{u_jt_kt_l}\} $,

$\dot{T}_{BoD} =$

$\{ t_{u_1t_1}\} \cup \{ t_{ut_2}| t_{ut_2} \in T_{TA} - \{t_{u_1t_2}\} \wedge u \in U \wedge (u, t_2) \in TA\}\cup $

$\{t_{u_2t_1}\} \cup \{ t_{ut_2} | t_{ut_2} \in T_{TA} -\{t_{u_2t_2}\} \wedge u \in U \wedge (u, t_2) \in TA\} \cup \ldots \cup $

$\{ t_{u_{j}t_{k}}\} \cup \{t_{ut_l} | t_{ut_l} \in T_{TA} - \{t_{u_jt_l}\} \wedge u \in U \wedge (u, t_l) \in TA\},$

$\dot{F}_{BoD} = $

$\{\langle BoD_{u_1t_1t_2},t_{u_1t_1}\rangle \} \cup \{ \langle BoD_{u_1t_1t_2},t_{ut_2} \rangle | t_{ut_2} \in T_{TA} - \{t_{u_1t_2}\} \wedge u \in U \wedge (u, t_2) \in TA\}\cup $

$\{\langle BoD_{u_2t_1t_2},t_{u_2t_1}\rangle \} \cup \{ \langle BoD_{u_2t_1t_2},t_{ut_2} \rangle | t_{ut_2} \in T_{TA} - \{t_{u_2t_2}\} \wedge u \in U \wedge (u, t_2) \in TA\} \cup \ldots \cup $

$\{\langle BoD_{u_jt_kt_l}, t_{u_{j}t_{k}}\rangle \} \cup \{ \langle BoD_{u_jt_kt_l}, t_{ut_l}\rangle | t_{ut_l} \in T_{TA} - \{t_{u_jt_l}\} \wedge u \in U \wedge (u, t_l) \in TA\}$

and the markings $m_{0,\dot{P}_{C_{BoD}}}=\pi _{\dot{P}_{C_{BoD}}}(m_{0})$ and $M_{f,\dot{P}_{C_{BoD}}} =\pi _{\dot{P}_{C_{BoD}}}([m_0\rangle _{\mathcal {T}})$.

Analogously to the SoD subnet, the basic BoD subnet only contains one place.

Definition 3.55 (BoD Subnet).

For each BoD place $p_{=} \in \dot{P}_{BoD}$ , the subnet $N_{=}=N(p_{=})= \langle \{p_{=}\}, T_{p_{=}},\mathcal {F}_{p_{=}}, m_{0,p_{=}}, M_{f,p_{=}},T_{p_{\ne }},id \rangle $ is obtained, where

$p_{=} = \{BoD_{u_jt_kt_l}\}$,

$T_{p_{=}}= \{ t_{u_jt_k}, t_{ut_l} | t_{ut_l} \in \dot{T}_{C_{BoD}} \wedge \exists \langle BoD_{u_jt_kt_l}, t_{ut_l} \rangle \in \dot{F}_{BoD}\}$,

$F_{p_{=}} = \{\langle BoD_{u_jt_kt_l}, t_{u_{j}t_{k}}\rangle \} \cup \{ \langle BoD_{u_jt_kt_l}, t_{ut_l}\rangle | t_{ut_l} \in T_{p_{=}} - \{ t_{u_jt_k}\} \}$

and the markings $m_{0,p_{=}}=\pi _{p_{=}}(m_{0})$ and $M_{f,p_{=}} =\pi _{p_{=}}([m_0\rangle _{\mathcal {T}})$.

SoD and BoD subnets both represent elementary nets because they contain only one place. Both have a very similar structure because they only have outgoing transitions. In order to keep the language definition as general and simple as possible, SoD and BoD constraint subnets will be subsumed under “constraint subnets”. They allow to encode choice-places with two outgoing user-task transitions affecting the same user (SoD), or one or more outgoing user-task transition(s) affecting different users (BoD).

Definition 3.56 (Constraint Subnet).

Let $\dot{P}_{C} = \{\dot{P}_{SoD} \cup \dot{P}_{BoD}\}$ be the set of places, and $\dot{T}_{C}= \dot{T}_{SoD} \cup \dot{T}_{BoD}$ be the set of transitions of all constraint subnets. For each constraint place $p_{c} \in \dot{P}_{C} $ , the subnet $N_{c}=N(p_{c})= \langle \{p_{c}\}, T_{p_{c}},\mathcal {F}_{p_{c}}, m_{0,p_{c}}, M_{f,p_{c}},T_{p_{\ne }},id \rangle $ is obtained, where

$T_{p_{c}}= \{t_{ut} | \exists \langle p_{c}, t_{ut} \rangle \in \dot{F}_{C}\wedge t_{ut}\in \dot{T}_{C} \}$,

$F_{p_{c}} = \{\langle p_{c}, t_{ut} \rangle | t_{ut} \in T_{p_{c}} \}$,

$m_{0,p_{c}}=\pi _{p_{c}}(m_{0})$ and $M_{f,p_{c}} =\pi _{p_{c}}([m_0\rangle _{\mathcal {T}})$.

Accordingly, Figure 3.31b depicts the constraint subnet $N(p_c )$ for the user $u_1$ and $p_c = p_{SoD_{u_1t_1t_2}}$ from the example SecANet. Its initial marking is $m_{0,p_c}= \{p_{SoD_{u_1t_1t_2}}\}$ and its set of final markings is $M_{f,p_c}= \{\emptyset \}$.

SoD and BoD constraints that are not in force are reflected in marked constraint places (i.e., the final marking set $\{p_c\}$). A constraint that is applied results in an unmarked constraint place (i.e., the final marking set $\emptyset $). Since constraint subnets only consist of one place, the terminal marking of the initial SecANet can result in the maximum number of two possible final marking sets of the constraint subnet. Similarly to the user-task subnet $N(P_{t-+})$, the firing sequences and the corresponding sets of words resulting from these different final markings can be determined according to the definition of the L-Type language $L(N)=\{w\in \Sigma ^{*}|\exists \sigma \in T^{*}\; \exists m_{f}\in M_{f}:m_{0}[\sigma \rangle m_{f}\wedge h(\sigma )=w\}$ (with $\Sigma = T$ and $T=T_{p_{c}}$.

$$\text {For }\{p_c\}[\sigma \rangle \{p_c\}\text {, this results in }\{h(\sigma ) |\sigma = \langle \epsilon \rangle \} = \{w|w = \epsilon \}\text {,}$$

$$\text {and }\{p_c\}[\sigma \rangle \emptyset \text { determines}$$

$$\{h(\sigma ) |\sigma \in \{\langle t_{ut}\rangle | \exists \langle p_{c}, t_{ut} \rangle \in \dot{F}_{C}\wedge t_{ut}\in \dot{T}_{C} \}\} = \{w|w\in \{t_{ut} | \exists \langle p_{c}, t_{ut} \rangle \in \dot{F}_{C}\wedge t_{ut}\in \dot{T}_{C} \} \}.$$

In contrast to the user-task subnets, constraint subnets do not allow to relate their final markings to successful or obstructed executions. On the one hand, in the example SecANet, the final marking set of the constraint is always $\emptyset $, regardless of whether the corresponding firing sequence is satisfiable or obstructed. On the other hand, depending on the number of users that are assigned to tasks affected by a constraint, there may always be constraint places that do take effect and others that do not. In fact, the example “DMV process” rather represents a special case in which the same constraint is applied in every possible firing sequence. The addition of one further user authorized for both tasks would result in terminal markings that would always contain one of the two constraint places. Hence, the set of final markings from all constraint subnets may consist of different combinations of marked constraint places. Analogously to user-task subnets, for each single constraint place and its corresponding subnet, the set of possible markings can be limited as well. In a constraint subnet, the marking $\emptyset $ is always part of the set of final markings. This can easily be understood by considering the initial marking of the SecANet encoding again. Here, the initial marking enables all user-task transitions, including those that are affected by all constraint places. Hence, there is at least one firing sequence for each constraint subnet in which each of its outgoing transitions is fireable at least once (i.e., each transition is simply live). Analogously to the determination of the language of a user-task subnet $L(N(P_{t-+}))$, and to the observation that there are a maximal number of two different final markings, the language of $L(N(p_c))$ can be determined, namely

$$\begin{array}{rr}L(N(p_{c})),M_{f,p_{c}}=\{\{p_c\}) =&{} \{\epsilon \},\\ L(N(p_{c})),M_{f,p_{c}}=\{\emptyset \}) =&{} \{t_{ut} | \exists \langle p_{c}, t_{ut} \rangle \in \dot{F}_{C}\wedge t_{ut}\in \dot{T}_{C} \}.\end{array}$$

If the set of final markings of the constraint subnet contains both possible final markings, the union of these sets of words again constitutes the overall language of the constraint subnet.

Definition 3.57 (Language of Constraint Subnet).

Based on the language definition applied to the constraint subnet, i.e., $L(N)=\{w\in T_{p_c}^{*}|\exists \sigma \in T_{p_c}^{*}\; \exists m_{f}\in M_{f, p_c}:m_{0, p_c}[\sigma \rangle m_{f}\wedge h(\sigma )=w\}$ , the language of a user-task subnet $N(p_c)$ is

$$\begin{array}{rr}L_c =L(N(p_{c})) = \{w \in T_{p_c}^{*}|&{}\exists m_f \in M_{f, p_c}: m_f =\{p_c\}\wedge \epsilon =w\\ {} &{}\vee m_f =\emptyset \wedge w\in \{t_{ut} | \exists \langle p_{c}, t_{ut} \rangle \in \dot{F}_{C}\wedge t_{ut}\in \dot{T}_{C} \} \}\end{array}$$

The alphabet of $L_{c}$ is denoted as $\Sigma _{c}= T_{p_c}$ .

For example, the language of the constraint subnet of the DMV SecANet with the set of final markings $\{\emptyset \}$ is $L(N(p_c))= \{t_{u_1t_1}, t_{u_1t_2}\}$.

Composition of Subnet Languages:

The former introduction of the decomposition and the composition of free nets has revealed that the languages of the nets from which the subnets were decomposed can be obtained by using synchronization. In particular, because all SecANet subnets result from the decomposition of free Petri nets, the languages of a net can be composed from the languages of its subnets by applying the restriction (or shuffle) operator onto those subnets. This composition of languages will be conducted in reverse order to the order of how the subnets were decomposed. That way, the languages of subnets are composed step by step until they constitute the language of the initial SecANet, i.e., the languages of the user-task subnets, the constraint nets, their combination and the overall SecANet net will be obtained.

To begin with, after the language of each user-task subnet has been obtained, the languages of all user-task subnets can be composed. As the synchronization alphabet resulting from the intersection of the transitions of each user-task subnet is empty here, as previously observed, a special case of the restriction can be applied, namely the shuffle. Based on Definition 3.46 of the composition of subnet languages, the composition is conducted step by step such that there are intermediate steps in which the resulting languages represent languages of some further subnets of $N(\dot{P}_{TA})$. When the language of all user-task pairs have been synchronized, the resulting language is the language of $N(\dot{P}_{TA})$. Based on the consideration that at least either $\{p_+\}$ or $\emptyset $ is a final marking of each user-task subnet, it can be concluded that all user-task transitions are in the alphabet of all user-task subnets, namely $\Sigma _{TA}$. However, given the case that there is an obstruction that does not allow to execute the workflow task in any firing sequence (i.e. the workflow is not satisfiable), it is possible that not all workflow tasks are in the alphabet of $\Sigma _{TA}$. This would however also imply that the considered path of the workflow is not satisfiable at all such that affected tasks that are exclusively in the considered path would not be part of the alphabet of the subnet of the workflow itself, namely $\Sigma _{N}$, either.

Definition 3.58 (Language of the User-Task Subnets).

Based on Definition 3.46 , the composition of the languages of all user-task subnets $L(N(P_{t-+}))$ decomposed from $N(\dot{P}_{TA})$ , with $P_{t-+} \in P_{-+}$ and $P_{-+}= \{P_{t-+1}, \ldots , P_{t-+|P_{-+}|}\}$ , $P_{t-+1}\cap \ldots \cap P_{t-+|P_{-+}|}= \emptyset $ , and $P_{t-+1}\cup \ldots \cup P_{t-+|P_{-+}|}= \dot{P}_{TA}$ , which results in the language of all user-task subnets $L(N(\dot{P}_{TA}))$ , can be denoted by means of the shuffle operator, namely

IMAGE

The alphabet of $L_{TA}$ is denoted as $\Sigma _{TA}= \Sigma _{N} \cup \dot{T}_{TA}$ .

The language of all user-task subnets for the example net is then ${L(N(\dot{P}_{TA}))=}$ $IMAGE$ .

The language of constraint subnets is composed by applying the restriction operator. Depending on whether the restriction operator acts on two sets of languages that constrain same elements (e.g., the language of the SoD subnets $\{t_{u_1t_1}, t_{u_1t_2}\}$ and $\{t_{u_1t_1}, t_{u_1t_3}\}$), or disjoints sets (e.g., the language of the SoD subnets $\{t_{u_1t_1}, t_{u_1t_2}\}$ and $\{t_{u_2t_1}, t_{u_2t_2}\}$), it might either restrict the sets of words or only act as a shuffle that allows both sets of words to occur (in case of disjoint sets of transitions), respectively. Because the initial marking allows to fire each user-task transition of a constraint subnet at least once, the alphabet of the resulting language of all constraint subnets encompasses all user-task transitions involved in the constraint subnets.

Definition 3.59 (Language of Constraint Subnets).

Based on Definition 3.46 , the composition of the languages of all constraint subnets $L(N(P_{c}))$ decomposed from $N(\dot{P}_{C})$ , with $P_{c} \in \{P_{c1}, \ldots , P_{c|\dot{P}_C|}\}$ , $P_{c1}\cap \ldots \cap P_{c|\dot{P}_C|}= \emptyset $ , and $P_{c1}\cup \ldots \cup P_{c|P_C|}= \dot{P}_{C}$ , which results in the language of all user-task subnets $L(N(\dot{P}_{C}))$ , can be denoted by means of the restriction operator, namely ^{Footnote 10}

$$\begin{array}{rr} L_{C}=L(N(\dot{P}_{C})) =&{} L(N(p_{c1}))\circledR L(N(p_{c2})) \circledR \ldots \circledR L(N(p_{c{|\dot{P}_{c}|}})\\ =&{} \displaystyle \mathop {\circledR }_{i=1}^{|\dot{P}_{C}|} L(N(p_{ci})).\end{array}$$

The alphabet of $L_{C}$ is denoted as $\Sigma _{C}= \bigcup \limits _{i=1}^{|\dot{P}_{C}|} T_{p_{ci}} = \dot{T}_{C}$ with $\dot{T}_{C} \subseteq \dot{T}_{TA}$ .

For the example SecANet, the language of the single SoD place also represents the language of all constraint subnets because there is only one constraint place, such that $L(N(\dot{P}_{C})) =\{t_{u_1t_1}, t_{u_1t_2}\}$.

To determine the language of all policy-related subnets, the language of the user-task subnets and the language of the constraint subnet can now be composed by means of the restriction operator and can be defined accordingly, namely

IMAGE

Definition 3.60 (Language of Policy Subnet).

The composition of the languages of all policy-related subnets $L_{TA}$ and $L_C$ with the synchronization alphabet $\Sigma = \Sigma _{TA}\cap \Sigma _{C}=\Sigma _{C}$ , which results in the language of all policy subnets $L(N(\dot{P}_{TA+C}))$ , can be denoted by means of the restriction operator, namely

IMAGE

The alphabet of $L_{TA+C}$ is denoted as $\Sigma _{TA+C}= \Sigma _{TA}$ .

In the example SecANet, this results in the previously determined language $IMAGE$ .

After the policy language is known, the net can finally be synchronized with the workflow subnet. Again, because all synchronizations base on subnets that are decomposed from free Petri nets, the restriction operator is used to determine the SecANet language, namely

IMAGE

Definition 3.61 (SecANet Language).

The composition of the languages of all workflow and policy-related SecANet subnets $L_N$ and $L_{TA+C}$ with the synchronization alphabet $\Sigma = \Sigma _{N}\cap \Sigma _{TA+C}=\Sigma _{N}$, which results in the language of the SecANet $L(N(\dot{P}_{N+TA+C}))$ or, equivalently, the language of the initial SecANet $N_{\textsf {SecANet}}$, i.e., $L(\langle P_{TA+C}, T_{TA+C}, F_{TA+C}, m_{0}, [m_{0}\rangle _{\!\mathcal {T}}, T_{TA+C}, id\rangle )$, can be denoted by means of the restriction operator, namely

IMAGE

The alphabet of $L_{N+TA+C}$ is denoted as

$\Sigma _\textsf {SecANet}\,\,= \Sigma _{N+TA+C}= \Sigma _N \cup \Sigma _{TA}$.

For the example SecANet, this definition finally determines the previously identified SecANet language $IMAGE$ .

3.2.4.6 Language Preservation

In the course of the flattening (cf. Definitions 3.30, 3.31 and 3.32), the different process aspects have all been integrated into a single representation, the SecANet. The interpretation of how the policy is applied to the process model follows from these definitions and bases on the considerations on fundamental access control modeling concepts, as examined in Chapters 1 and 2. The definitions of the flattening were defined in a way that they encode certain conditions. For example, a user-task transition has to be executed before the corresponding task of the workflow net can be performed, or, based on a constraint, two user-task transitions for different tasks may be in a choice relation with each other. The SecANet definitions then allowed to define satisfiable and obstructed workflows and its related markings and firing sequences (cf. Definitions 3.33 and 3.34). Afterward, based on these definitions, the language of the SecANet was deduced by its decomposition and composition. The impetus for studying Petri net languages was to consider the behavioral integrity of the process aspects at the subnet level and the level of the overall net.

On the one hand, the decomposition of the SecANet revealed the individual languages of the resulting subnets. Here, each subnet language directly relates to the behavior of its initial input. Moreover, the workflow subnet is structurally identical to the initial WF-net. Only the final markings may differ, such that $L_N$ (cf. Definition 3.47) may limit or extend the words of the language of the initial WF-net $L_{wf}$. This is then also reflected in the possibly different corresponding alphabets $\Sigma _N$ and $\Sigma _{wf}$. For the user-task authorization and constraint language, their letters and words directly allow retracing their initial inputs. More specifically, the user-task authorization language $L_{TA}$ (cf. Definition 3.51 and Definition 3.58) describes only allowed accesses and encodes user-task transition labelings. Each user-task letter $t_{ut_i}$ describes who is assigned to which tasks before the task $t_i$ is (potentially) executed such that it can easily be retraced to the underlying authorization policy. That way, the modeling of policies provides an expressive language whose words allow to retrace which user has executed which task. Moreover, the constraint language $L_C$ (cf. Definition 3.57 and Definition 3.59) determines the user-task transitions that are affected by SoD or BoD constraints. Its words encode the different choices provided by applying the constraints onto the given user-task authorization. Since the modeling of constraints introduces only places constraining the user-task transitions, it does not entail any new letters. For example, the language of an SoD subnet consisting of a place $SoD_{u_1t_1t_2}$ connected to the corresponding outgoing user-task transitions for which the same user $u_1$ can be assigned to either execute $t_1$ or $t_2$ results in the two words $\{t_{u_1t_1}, t_{u_1t_2}\}$. Each input that is processed into the representation remains unchanged in its behavior on the subnet level. This is also reflected in the alphabets of the two languages $\Sigma _{TA}$ and $\Sigma _C$ (cf. Definition 3.61 and 3.59). Hence, the previously identified integrity of inputs (cf. Section 3.2) can directly be observed from the words of the languages of the subnets as well.

On the other hand, the synchronization allowed to recompose the individual subnet languages, namely, the constraint language, the user-task language, and the language of the workflow subnet. The behavior of the overall process in a PAIS, that is, the SecANet language $L_{N+TA+C}$ (cf. Definition 3.61), results from their composition. Here, analogously to the language of each subnet, the SecANet language eventually follows from the definitions of the SecANet flattening (cf. Definitions 3.30, 3.31 and 3.32) as well. However, it is still open whether the integrity of the overall representation is given (cf. Section 3.2), namely, whether the behavior of the different process aspects is also preserved in the overall SecANet representation. This is supposed to be shown in the following by focusing on each of the different process aspects encoded in the SecANet separately and by relating their initial behavior to their behavior in the refined SecANet model. Because the flattening approach incorporates the policy behavior into the workflow, the foremost question is, to what extent the flattening preserves the language of the initial workflow, as depicted in Figure 3.35. It will moreover be considered whether the behavior of the policy is preserved in the overall net as well. The following section will disambiguate and examine language equivalence and language preservation in the given context.

While, in general, the question of language equivalence of two nets is not decidable, it is decidable for bounded nets [167].

Definition 3.62 (Language Equivalence).

Two Petri nets $N_1$, $N_2$, where $L(N_1) = L(N_2)$, are called language equivalent.

For example, the languages from the initial example DMV workflow net, denoted as $N_{wf}$, and its SecANet version are $L_{wf}=\{\mathbf {t_1 t_2}\}$ with $\Sigma _{wf} =\{t_1,t_2\}$ and $IMAGE$ with $\Sigma _{\textsf {SecANet}} = \{t_1,t_2,u_1t_2,u_2t_1,u_1t_2\}$, respectively (to highlight the difference, $t_1$ and $t_2$ are printed in bold). Although the behavior of the initial inputs can be observed by the letters of the WF-net in the overall SecANet to some extent here, the language $L_\textsf {SecANet}\,\,$ is not equivalent to the language of the initial workflow net $L_{wf}$, that is, $L_{wf} \ne L_{\textsf {SecANet}}$. However, besides this strict language equivalence, it can be observed that there are words of the language of the SecANet that contain all letters of the word of the language of the original WF-net in the same order. Such a word whose letters occur in the same order of some word but not necessarily one after another represents a so-called subword (sometimes also called “scattered” subword). Because this points to the intended idea behind the preservation of behavior, subwords and related concepts will now be considered in more detail.

A (scattered) subword u of some word v is a word obtained from v by removing any number of letters from arbitrary positions in v. Symmetrically, a superword v is obtained by inserting letters in arbitrary positions of u, or, more formally [174]:

Definition 3.63 (Subword, Superword and Closure).

Let $\Sigma $ be some alphabet. A word $u = a_1a_2 \ldots a_m$ with $a_1, a_2, \ldots , a_m \in \Sigma $ is a subword of a word $v \in \Sigma ^*$ if there are words $v_0, v_1, \ldots , v_m \in \Sigma ^*$ with $v = v_0a_1v_1a_2v_2 \ldots a_mv_m$ . This case is denoted as $u \sqsubseteq v$ . If, in addition, $u \ne v$ , it is denoted as $u \sqsubset v$ and u is called a proper subword of v . The subword relation can also be understood as the embeddability of one word into another, such that, in case that $u \sqsubseteq v$ , it can be said that u embeds in v . Moreover, v then represents a superword of u as well. The subword property can be used to describe the downward closure of a language L, denoted by $L\downarrow = \{u \in \Sigma ^*|\exists v \in L: u\sqsubseteq v\}$ . It is the set of all subwords, i.e., all words that can be obtained from words in L by deleting letters. On the other hand, the upward closure of L , denoted by $L\uparrow = \{v \in \Sigma ^*|\exists u \in L: u\sqsubseteq v\}$ , is the set of all superwords, i.e., all words that can be obtained from words in L by inserting letters.

For the word $t_{u_2t_1} t_1 t_{u_1t_2} t_2$ of $L_\textsf {SecANet}\,\,$ and the word $t_1 t_2$ of $L_{wf}$ from the example, $t_1 t_2 \sqsubset t_{u_2t_1} t_1 t_{u_1t_2} t_2$. Hence, the behavior of the word $t_1 t_2$ of the initial language is embedded in this word of the language of the SecANet. In this sense, the behavior of the word of the original net is preserved in the refined net. Based on this observation, the question is, whether for all subwords of the SecANet language, i.e., $IMAGE$ , the word of the language of the initial WF-net is a subword, that is, $t_1 t_2 \sqsubset w$. If the word of $L_{wf}$, namely $t_1 t_2$ embeds in all the words in $L_{\textsf {SecANet}}$, it then means that the behavior of the whole SecANet $L_\textsf {SecANet}\,\,$ completely preserves that of $L_{wf}$. In this case, the initial WF-net language would represent a scattered sublanguage (i.e., a language consisting only of (scattered) subwords) of the SecANet language. The language $L_{wf}$ considered as the “subword language” is only a subset of possible subwords of $L_{\textsf {SecANet}}$. Hence, the aim is not to investigate subword-related properties within one language (e.g., the downward closure) but to compare two languages with regards to the subword property.

This idea of behavioral preservation will be examined more thoroughly by means of the example SecANet and its initial WF-net in the following. Based on the definition of the flattening, it is known that the SecANet introduces new letters. The set of all words of which $t_1 t_2$ is a scattered subword can be overgeneralized as $\{\Sigma ^*{t_1}\Sigma ^*{t_2}\Sigma ^*\}$, with $\Sigma =\{t_1,t_2,t_{u_1t_1},t_{u_2t_1},t_{u_1t_2}\}$. However, in order to obtain the words in $L_{wf}$ (and, thus, to not change the behavior of the initial workflow net), only the letters that do not occur in the original language must be deleted. Hence, in order to only consider the order of letters that are given from the initial WF-net language (i.e., $\{t_1 t_2\}$), all user-task transitions that are not in the initial net are not taken into account, (i.e., the underlined letters $IMAGE$ ). Therefore, these (underlined) letters are relabeled with silent transitions (which is depicted with black $\tau $-labeled transitions in Figure 3.36). That way, all user-task letters are transformed into the empty word. Such a deletion of only the letters that are not in the words of $L_{wf}$ is supposed to result into proper subwords of the words of $L_{\textsf {SecANet}}$. If the flattening has not changed the behavior of the initial WF-net, these subwords are supposed to be equivalent to all the words of the language of the initial workflow net. Concerning the example, this silencing of all letters that are not in the language of the initial WF-net results in the language $IMAGE$ . Here, only the first created subword $IMAGE$ , which represents a satisfiable execution, is actually the word of the WF-net, i.e., $ t_1 t_2$^{Footnote 11}. The other subword $\{ t_1\}$, which relates to the obstruction, is not in the WF-net language $\{ t_1 t_2\}$. In contrast, this last word represents a subword of the words in the initial WF-net itself. Thus, it must be noted that the SecANet language with terminal markings, which has been considered for the example so far, does not fully preserve the behavior of the WF-net. Although all words in $L_{wf}$ are subwords of words in $L_{\textsf {SecANet}}$, they are not subwords of all the SecANet words, as required initially. More specifically, the resulting subword $t_1$ of $L_\textsf {SecANet}\,\,$ is not a superword of $t_1 t_2$, and $t_1 t_2$ is not a subword of the word $t_1$. Thus, it is not sufficient to require that all words of $L_{wf}$ are subwords of words of $L_{\textsf {SecANet}}$. In order to achieve a kind of mutual correspondence between the words of the two languages, it must therefore additionally be required that all words in $L_\textsf {SecANet}\,\,$ must be superwords of words from $L_{wf}$ as well.

In summary, in order to have a refined language (i.e., the SecANet language) that truly preserves the behavior of an original language (i.e., the language of the original workflow net), all words in the original language need to be subwords of the refined language, but symmetrically, all words in the refined language are supposed to be superwords of the original language as well. The latter condition then just expresses that the subword property must apply for all words in the SecANet language. It is therefore not a question of language equivalence in the original sense, but a matter as to whether behavior encoded by subwords or superwords finds its respective counterpart in the original (e.g., WF-Net) or refined (SecANet) language respectively. In order to express this more formally, the notion of “complete subword-preservation” will be introduced in the following.

Definition 3.64 (Complete Subword-Preservation).

Given two languages $L_1$ and $L_2$ with the same alphabet $\Sigma $ . If $L_1$ only contains subwords of $L_2$ and $L_2$ only contains superwords of $L_1$ , $L_1$ completely embeds in $L_2$ . As the behavior of $L_1$ is then completely embedded in $L_2$ , it is said that $L_2$ completely preserves the behavior of the words in $L_1$ . For this case, the subword notation is extended for languages: $L_1 \sqsubset L_2$ means all words $w\in L_1$ are proper subwords of words in $v\in L_2$ such that $w \sqsubset v$ , and all words $v\in L_2$ are proper superwords of the words $w\in L_1$ such that $w \sqsubset v$ .

Thus, the behavior of a language $L_1$ is only completely preserved in $L_2$ if the words of $L_2$ do not allow behavior that is not embedable from the words of $L_1$. Consequently, $L_2$ represents a subset of the upward closure of $L_1\uparrow $ and, $L_1$ is a subset of the downward closure of $L_2\downarrow $. For a specific set of deletion letters, typically $\delta _\Sigma $ with $\Sigma =\Sigma _{L_2}-\Sigma _{L_1}$, the two languages are then equivalent. Since the notion of language preservation does not focus on language equivalence but on complete subword-preservation, the envisaged examination on subword-preservation is supposed to carefully consider which SecANet language to take into account. In this regard, in order to investigate the preservation of workflow behavior in the SecANet, the language of the initial workflow net can fully be embedded in the SecANet language only in case of no obstruction. Specifically, this is because the SecANet encoding is not intended to impair satisfiable workflow executions. If there are user-task assignments that do not obstruct the initial workflow, the language of the SecANet in which the corresponding user-task transitions are silenced, is then supposed to be equivalent to the language of the initial workflow net. On the other hand, the SecANet encoding exactly intends to manipulate the behavior of the original WF-net in case of an obstruction. Then, the user-task assignments conflict with the WF-net such that its initial behavior is narrowed down. Therefore, the WF-net behavior can not be preserved in obstruction words of the SecANet. Instead, complete subword-preservation of the workflow language can only be required for satisfiable executions. Hence, in order to exclude obstructions, the set of terminal markings that defines the SecANet language additionally needs to involve $p_o$ (i.e., only satisfiable words are possible).

Definition 3.65 (Satisfiable SecANet Language).

The satisfiable SecANet language is denoted as $L_\text {sat} = L(\langle P, T, F, m_{0}, [m_0\rangle _{\!\mathcal {T}\text {sat}}, T, id_T\rangle )$, with the set of satisfiable terminal markings $[m_0\rangle _{\!\mathcal {T}\text {sat}}=\{m|m\in [m_0\rangle _{\!\mathcal {T}} \wedge m\ge p_o\}$.

That way, the language of the example SecANet can be reduced to only the first set of words, that is, $IMAGE$ such that only complete executions are considered and obstructions are excluded. Silencing the user-task-transitions then results in the set of words $\{(\epsilon \mathbf {t_1}\epsilon ) \mathbf {t_2}\}$. Thus, in case of not reaching obstructions, the flattening preserves the behavior of the initial control flow aspect of the example net. Moreover, $(\Sigma _{\textsf {SecANet}}-\Sigma _N)^*{t_1}(\Sigma _{\textsf {SecANet}}-\Sigma _N)^*{t_2}(\Sigma _{\textsf {SecANet}}-\Sigma _N)^*$ can be denoted as the subset of the upward or the downward closure of the SecANet language that illustrates the possibly deleted or filled up words in $(\Sigma _{\textsf {SecANet}}-\Sigma _N)^*$. Interestingly, this can equivalently be expressed by the shuffle operator, namely $IMAGE$ . This again highlights the intended idea of subword-preservation because the shuffle just encodes that the letters of the words involved in the shuffle can appear in any order but letters of the same word, in particular of the original word $t_1t_2$, remain in the same order.

Based on these considerations, the complete subword-preservation is now supposed to be shown for the general SecANet language. Analogously to the deleted letters in the example, the selection of letters to be deleted can be generalized as well. This deletion will subsequently be essential to prove the integrity of the behavior of each process aspect in the overall SecANet. As the focus of this thesis lies on reaching the end of the process, the first step is to prove that the language of the original workflow net is not changed by the SecANet encoding. After that, analogously to the WF-net, it will also be shown that the behavior of the policy is preserved by the SecANet encoding. The subsequent theorem relates the language of the original workflow net to the language of the SecANet, which encodes the policy too.

Theorem 3.1 (SecANet Workflow Subword-Preservation).

Let

$N^{pol} = \langle N_{wf}, U, TA, C\rangle $ be a policy-aware workflow net with the

WF-net $N_{wf} = (P_{wf}, T_{wf}, F_{wf}, m_0, \{p_o\},T_{wf},id )$^{Footnote 12} and

$N_{\textsf {SecANet}}=\langle P_{TA+C}, T_{TA+C}, F_{TA+C}, m_{TA+C_0}, [m_{TA+C_0}\rangle _{\!\mathcal {T}\text {sat}}, T_{TA+C}, id\rangle $ be the corresponding SecANet.

Then, given that $L_\text {sat}(N_{\textsf {SecANet}})\ne \emptyset $, the SecANet completely preserves the behavior of the WF-net $L(N_{wf})$, such that the words of $L(N_{wf})$ are subwords that are completely preserved in the words of $L_\text {sat}(N_{\textsf {SecANet}})$, i.e., $L_{wf} \sqsubset L_{\text {sat}\textsf {SecANet}}$.

Here, the rather elaborate determination of the SecANet language is finally paying off. With its help, the complete subword-preservation can now be proven by simply silencing all transitions that are not in the net under investigation. The deletion homomorphism (cf. Definition 3.37) will be used to assign the empty word to the respective letters, in particular all letters that are not in the WF-net, that is, $\delta _{\Sigma _{\textsf {SecANet}}-\Sigma _{wf}}$. Because only the satisfiable SecANet language is regarded, the languages and alphabets of the SecANet subnets are determined by the satisfiable terminal markings as well. For better readability, the subscripted “$\text {sat}$” is here only used for clarification in the beginning. Since, as explained before, the different words can result for obstructed, satisfiable, but also simply exclusive branches, all of the subnet languages defined above (cf. Section 3.2.4.5) basically remain unchanged. The consideration of the satisfiable SecANet language will only make a difference for the language of the workflow subnet and its alphabet. Hence, the investigation of complete workflow subword-preservation can be broken down into the following equation. For this step, all letters in $\Sigma _{TA}- \Sigma _{wf}$ are deleted from the SecANet language:

IMAGE

(*) $L_C = \epsilon $, because deleting the user-task letters from the language of a single constraint subnet

$$\begin{array}{rr} L_c = \{w \in T_{p_c}^{*}|&{}\exists m_f \in M_{f, p_c}: m_f =\{p_c\}\wedge \epsilon =w\\ {} &{}\vee m_f =\emptyset \wedge w\in \{t_{ut} |\exists \langle p_{c}, t_{ut} \rangle \in \dot{F}_{C}\wedge t_{ut}\in \dot{T}_{C} \} \}\\ {} &{}\text {results in}\\ \delta _{\Sigma _{TA}- \Sigma _{wf}}(L_{c}) = \{w \in T_{p_c}^{*}|&{}\exists m_f \in M_{f, p_c}: m_f =\{p_c\}\wedge \epsilon =w\\ {} &{}\vee m_f =\emptyset \wedge \epsilon =w \}\\ &{} =\{\epsilon \},\\ \text {such that}&{}L_{C}=\displaystyle \mathop {\circledR }_{i=1}^{|\dot{P}_{C}|} L(N(p_{ci}))=\displaystyle \mathop {\circledR }_{i=1}^{|\dot{P}_{C}|} \delta _{\Sigma _{TA}- \Sigma _{wf}}(L_{c})=\displaystyle \mathop {\circledR }_{i=1}^{|\dot{P}_{C}|} \{\epsilon \} = \{\epsilon \}.\end{array}$$

(**) Because $IMAGE$ . Deleting the user-task assignment transitions from the language of a single user-task subnet

(***) Depending on whether the workflow net contains exclusive branches or not, two cases can be distinguished: (1) In sequential workflows, all tasks need to be executed to complete the workflow, such that $L_{wf}=\{t_1 \ldots t_{|T_{wf}|}\}$, that means, the execution order of each task involved in the workflow is unconstrained. Hence, for a corresponding $L_{TA}$, deleting the user-task letters results in the set of words $IMAGE$ (based on Definition 3.30, it directly follows that the number of place pairs $|P_{-+}|$ results from the number of tasks $|T_{wf}|$). In parallel workflows, all tasks occur as well. However, concurrent tasks may occur in different orders, such that $L_{TA}$ would involve all the task as well, namely $IMAGE$ . Hence, given that every task may only occur once, $IMAGE$ is the least restrictive order in which the tasks of the workflow may occur because all tasks are shuffled arbitrarily. Consequently, it can directly be observed that $L_{TA}$ contains all the words of $L_{wf}$ as well, wherefore the intersection of $L_{wf}$ with $L_{TA}$ is just $L_{wf}$ itself. (2) In workflows that additionally involve exclusive branches, a workflow can be completed even though not all of its tasks are involved. For example, a workflow of three tasks may have the language $L_{wf}=\{t_1 t_2 t_3, t_1 t_3\}$ (i.e., $t_2$ may be executed or not). With regards to the subsequent language of $L_{TA}$, this can be subsumed as $L_{wf}= \{t_1 \cdot \{\epsilon ,t_2\} \cdot t_3\}$ and would then also be reflected in the corresponding $IMAGE$ . In other words, if $\epsilon $ is additionally given for a task t, it corresponds to the possibility given by the workflow to leave out this task (or letter). When it comes to tasks in exclusive branches, the languages of the corresponding user-task subnets $L_{t-+}$ is $\{t, \epsilon \}$ (i.e., the branch in which the task t occurs is chosen or not). In a rather theoretic workflow in which all tasks are in mutually exclusive branches this would then result in $IMAGE$ . Similarly to (1), for workflows that involve exclusive branches, it can directly be observed that $L_{TA}$ contains all the words of $L_{wf}$ as well because all task that may (or may not) occur can be arbitrarily shuffled. $L_{TA}$ then contains all possible combinations of occurrence and non occurrence of the tasks given by the initial workflow. For example, the fictive workflow would involve all words from $IMAGE$ . Thus, the intersection of $L_{wf}$ with $L_{TA}$ is just $L_{wf}$ itself again. Hence, for both cases (1) and (2), because $L_{TA}$ does not correspond to the workflow structure encoded in $L_N$ but provides all possible combination of (optional or exclusive) tasks, it represents a less restrictive language than $L_{wf}$. Moreover, because only satisfiable executions are considered, namely all possible terminal firing sequences of the initial workflow, the language of the workflow subnet and its alphabet are identical to the language and alphabet of the initial workflow, such that $L_{N}=L_{wf}$ and $\Sigma _{N}=\Sigma _{wf}$. Thus, the words of $L_{wf}$ completely embed in the words of $L_{\text {sat}\textsf {SecANet}}$, such that $L_{wf}$ is a scattered sublanguage of the $L_{{\text {sat}}\textsf {SecANet}\,\,}$ and $L_{wf}\sqsubset L_{\text {sat}\textsf {SecANet}}$. Hence, concerning satisfiable executions, the behavior of the original workflow net is completely preserved in the behavior of the SecANet.

In order to investigate whether the policy behavior is preserved in the SecANet, now, the workflow related transitions will now be removed instead. As the focus does not lie on the original WF-net here, it is sufficient to delete only those workflow tasks that actually occur in the language of the net, such that the deletion homomorphism is $\delta _{\Sigma _{N}}$. Whereas the policy behavior has been flattened into the initial workflow net, there are no initial policy nets into which the WF-net is incorporated. The integrity of the policy behavior can thus not be examined directly because there is no initial net model of the policy and no initial language of a policy-net, in particular, of an authorization or a constraint net comparable to the initial WF-net. Therefore, this behavioral preservation can be shown to a limited extent only. It will only be examined whether the languages of the subnets, which, as previously determined, fully represent their inputs, are retained in the overall SecANet language if the workflow tasks are neglected. Because satisfiability corresponds to the complete execution of the initial workflow, considering only policy parts that lead to satisfiable executions would limit policy behavior here. Therefore, all possible terminal SecANet executions need to be regarded. That way, the policy behavior is still fully reflected, notwithstanding the consequences for the workflow, namely its satisfiability or obstructability. This is supposed to show that at least the languages of the subnets that encode the policy are fully preserved in the language of the SecANet.

Theorem 3.2 (SecANet Policy Subword-Preservation).

Let $N^{pol} = \langle N, U, TA, C\rangle $ be a policy-aware workflow net with the WF-net $N = (P, T, F, m_0, \{p_o\},T,id )$, the set of users U, the user-task authorization $ TA\subseteq \mathcal {U}\times T$ and the set of constraints C and let $N_{\textsf {SecANet}}=\langle P_{TA+C}, T_{TA+C}, F_{TA+C}, m_{TA+C_0}, [m_{TA+C_0}\rangle _{\!\mathcal {T}}, T_{TA+C}, id\rangle $ be the corresponding SecANet. Then, the SecANet completely preserves the behavior of the policy, such that it completely embeds the policy-related words of the languages $L_{TA}$ and $L_C$, which encode the user-task authorization TA and the constraints C, i.e., $\delta _{\Sigma _N}(L_{TA}) \sqsubset L_\textsf {SecANet}\,\,$ and $\delta _{\Sigma _N}(L_{TA})(L_{C}) \sqsubset L_{\textsf {SecANet}}$.

The deletion of the WF-task letters in $\Sigma _{N}$ from the SecANet language

IMAGE

IMAGE

(*) $L_C$ is not affected by the deletion because it does not contain any workflow task letter and, thus, remains unchanged. The language that encodes user-task assignments

$$\begin{array}{rr} L_{{t-+}} =\{w \in T_{P_{t-+}}^{*}|&{} \exists m_f \in M_{f, P_{t-+}}: m_f =\{p_-\}\wedge \epsilon =w\\ &{}\vee m_f =\{p_+\}\wedge w\in \{t_{u_1t}, {t_{u_2t},\ldots ,t_{u_jt}}\} \\ {} &{}\vee m_f = \emptyset \wedge w \in \{\{t_{u_1t}, {t_{u_2t}, \ldots ,t_{u_jt}}\} \cdot t\}\}\}\text { results in}\\ \delta _{\Sigma _N}(L_{{t-+}}) =\{w \in T_{P_{t-+}}^{*}|&{} \exists m_f \in M_{f, P_{t-+}}: m_f =\{p_-\}\wedge \epsilon =w\\ &{}\vee m_f =\{p_+\}\wedge w\in \{t_{u_1t}, {t_{u_2t},\ldots ,t_{u_jt}}\} \\ {} &{}\vee m_f = \emptyset \wedge w \in \{\{t_{u_1t}, {t_{u_2t}, \ldots ,t_{u_jt}}\} \cdot \epsilon \}\}\}.\end{array}$$

such that, $\overset{\curvearrowleft }{t}_{S_1}$ when its comes to user-task transitions that always occur, $\delta _{\Sigma _N}(L_{{{t-+}}})=\{t_{u_1t},\ldots ,t_{u_jt}\}$, and $ \delta _{\Sigma _N}(L_{{{t-+}}})=\{\epsilon , \{t_{u_1t}, {t_{u_2t},\ldots ,t_{u_jt}}\}\}$ concerning user-task transitions that are in exclusive relation with user-task transitions for other tasks (due to some constraints). Hence, the behavior of the authorization is still encoded in the name of the transition directly resulting from the construction rule (cf. Definition 3.30), and all these transitions together still constitute the complete picture of the initial authorization policy. The constraints operating on it are still encoded directly in the respective constraint places and the associated outgoing transitions. Thus, the words in $L_{TA}$ still allow drawing direct conclusions on the underlying initial authorization policy. As explained before, with regard to $L_C$, this is only possible if there are user-task authorizations for which the existing constraints can actually be applied as well.

(**) It can directly be observed that the policy-related behavior encoded in $L_{TA}$ and $L_C$ is not changed if only the policy-related user-task transitions of the SecANet language are regarded. The composition of both languages $\delta _{\Sigma _T}(L_{TA})$ and $L_C$ that results in the overall policy-behavior is realized by the Kleene closure of the user-task transitions not involved in any constraints. If the transitions of the constraints exactly correspond to the transitions in the language of the user-task assignments, it is empty and results in $\epsilon $ . With the help of the shuffle operator, the Kleene closure provides the missing links such that the constraint language and user-task language can be intersected. In particular, based on $L_C$, words can be built that are also in $L_{TA}$, whereby the intersection operator limits these words to exactly those words which also occur in $L_{TA}$. That way, the language that encodes the policy combines the user-task language and the constraint language and fully embeds in the SecANet language, such that its behavior is completely preserved as well, i.e., $\delta _{\Sigma _N}(L_{TA}) \sqsubset L_\textsf {SecANet}\,\,$ and $\delta _{\Sigma _N}(L_{TA})(L_{C}) \sqsubset L_{\textsf {SecANet}}$. $\square $

In conclusion, it has been shown that the behavior of all process aspects is embedded in the overall SecANet, which means that the integrity of the overall representation is preserved. In this regard, the words encoding workflow or policy behavior represent a subset of the downward closure of the SecANet language. In turn, the SecANet language represents a subset of the upward closure of the words encoding the initial inputs. Just as, in general, the upward closure offers an over-approximation of system behavior [137], the SecANet behavior can be seen as an over-approximation of the behavior of the initial inputs. The results of this language-related examination can directly be used to interpret the words of different language types. For example, in terms of a terminal language, one can immediately conclude from the SecANet property of complete subword-preservation that words that can be embedded from the language of the initial WF-net are satisfiable words. In the opposite case, if there are SecANet words that are not superwords of words from the language of the initial workflow net, they do not encode complete process executions and, thus, represent obstructions.

3.2.5 Cyclic Behavior and Policy Re-Enactment

The SecANet encoding presented so far is designed in such a way that each user can be assigned only once and each task can be executed only once. The tokens that enable user-task assignments can be consumed but not produced, hence the overall number of tokens at the end of execution is smaller than the number of tokens in the initial marking. If a workflow execution were to enter a loop in an as-yet-acyclic encoding of a SecANet, the net constructs encoding the policy would lack the tokens to continue to provide its desired functionality. Thus for a comprehensive workflow structure with cyclic behavior, how can the encoding remain functional if its tasks are supposed to be executed multiple times?

First of all, simply restoring the initial tokens would fall short, since there would be a danger of manipulating the original encoding and behavior of a SecANet. This can be illustrated for the places of constraints as well as the places of user-task subnets. It can be observed that constraint places always become empty in the course of a user-task assignment, that is, a firing of a user-task transition. Thus the number of empty constraint places always corresponds to the number of executed user-task assignments to which these constraints apply. Even if all tasks of a workflow were affected by constraints and all tasks were executed, the number of constraint places containing no tokens could not exceed the number of tasks. Hence in cases where the number of constraint places is greater than the number of tasks for which the constraint places were encoded, there are always some marked constraint places left after the tasks are executed. In user-task subnets, there may be cases in which a task is not finally assigned at all, although the user-task assignment has already been executed (cf. Section 3.2.4.5). Therefore, there may be leftover tokens in places of user-task constructs as well. Hence for all places of the policy subnets, it must always be assumed that there are leftover tokens when entering a loop before the initial marking is created again. To restore the initial marking, moreover, one could consider bounding the capacity of the initially marked places to 1, and in that way ensure safeness. However, although this would reduce the possible combinations of places containing leftover tokens (because the initially marked places could be neglected), it would cause other problems. Up to now, the SecANet encoding allows each place to contain an unlimited number of tokens. Such a Petri net is referred to as an infinite-capacity net. A finite-capacity Petri net, in contrast, is one in which there is a maximum number of tokens defined for each place. For such Petri nets, there is an additional firing rule which says that after firing a transition the numbers of tokens in its output places must not exceed their maximum capacities. Since the firing rule then needs to consider the outgoing places, this would change the desired condition-event principle. A condition that is fulfilled would not imply enabledness, which would confuse the interpretation of the behavior of a SecANet. Moreover, such an additional firing rule represents an extension that is comparable, for instance, to the introduction of further tokens in colored Petri nets (which also implies further firing rules or arc weights). Hence to keep the intuitive understanding of the SecANet model and sustain the possibility of applying rather efficient techniques to it, additional firing rules are avoided, as elaborated earlier. Moreover, each pure finite-capacity net can be transformed into an infinite-capacity net [155]. As depicted in Section 3.2.3.1, the user-task construct represents an example of such a transformation. Therefore, a slightly higher modeling complexity is preferred in order to keep the Petri nets as simple as possible and yet preserve the established properties.

Thus all possible token distributions in the parts of the policy subnets that are affected by a loop have to be considered before the initial markings can be restored. For this, the concept of “policy re-enactment” will subsequently be presented. Such a measure aims to restore the initial functionality of the (affected part of the) policy, that is, to “re-enact” it. To ensure this, all leftover tokens in policy places are supposed to be consumed before the initially marked policy places are marked again. Although this encoding will be more complex than the encoding for acyclic nets, it will preserve the concept of an encoding described in the acyclic case. Thus in order not to compromise the established SecANet properties, the re-enactment constructs must be constructed of safe, plain, and pure infinite-capacity P/T net parts as well. In this process, the idea is to ensure only the desired functionality but not to interfere with the behavior of the SecANet. The focus will thus not be on the looping behavior, the transitions, or the language of the loops, but instead on how the initial marking for the policy parts affected by a loop can be obtained again, hence the possible states (or token distributions) will be crucial. Accordingly, the re-enactment constructions are designed in such a way that they eventually act only for routing purposes, so that all transitions involved in the re-enactment constructions could actually be silenced and yet cyclic SecANet behavior would still be supported.

To some extent, the basic idea of the net constructions discussed below can be compared to so-called “start, run, clear” Petri net constructions. They control the execution of a Petri net and can be used to obtain the previously mentioned normal forms, for example always with the same initial and end markings [167]. The objective of the re-enactment constructions will not be an entire net, but only the parts of the subnets that involve user-task authorizations and constraints. As such, it will focus only on the potential end markings and initial markings in the specific context of the SecANet encoding. (A “run” place controlling each transition of the entire execution is not necessary, and in fact would represent an undesired self-loop.) In all of this, it is key to recall that the process models considered for this approach are well-structured and have clean constructions that avoid “short circuits” between loops. In this regard, as explained earlier, single-entry and single-exit points are assumed for the loops in a net [110] (cf. Section 3.1.2.4 on block-structured models). Because of the many existing techniques, approaches, and tools for identifying cycles in Petri nets, the question here is not how to identify cycles, but rather which parts of the policy should be reset—and in which way—if a cycle is entered.

In what follows, first the general idea of re-enactment, and how such a “re-enactment block” can be nested will be presented. Then this idea will be generalized and formalized in the course of the “flattening of policy re-enactment” into a SecANet. Since the previous modeling steps of a SecANet already encode certain information, the modeling of re-enactment for constraints and authorizations focuses on the SecANet, and not on the policy states in the original policy-aware WF-net. This allows for building on the knowledge already encoded in the acyclic modeling.

3.2.5.1 Points and Scopes of Policy Re-Enactment

From a control-flow perspective, cycles or loops are self-explanatory. In contrast to acyclic workflow structures, cyclic workflows typically contain workflow tasks that lie on cyclic paths and can therefore occur multiple times. From an organizational point of view, however, this raises the question of what effects cycles in the control flow can have on policy aspects and vice versa. Here, the current policy encoding in a SecANet would allow execution of each task only once, so that it would block tasks that are to be executed again. Therefore, a cyclic path demands that the parts of the policy involved in it be re-enacted in such a way that users can eventually be assigned again after a cycle is entered. For this, the concept of “re-enactment points” will be introduced. This supports “forgetting” previous user assignments and re-assigning users to tasks that lie in the scope of a cyclic path for a specific policy part.

A “re-enactment point” is considered as an event in the workflow execution that triggers the re-enactment of the policy for a specific scope of tasks. It allows fine-grained modeling and control of the position in the workflow at which the re-enactment is triggered. Figure 3.37 proposes the notation of such an event in the context of a BPMN notation of the DMV process. Thus a re-enactment could even be triggered for acyclic nets in order to force policy enactment to forget user-task assignment decisions that had already been made, for example on certain exclusive paths. In this regard, the proposed policy re-enactment can be related to the notion of “release points” [24], which intends to erase the execution history for certain constraints as well. Release points are defined directly within the SoD or BoD constraints. Re-enactment points, in contrast, focus on the tasks affected by the policy and are not part of the constraint definition. This allows them to easily be considered for the authorization policy as well. Just as with a release point, a re-enactment point explicitly defines its scope, while a loop only implicitly defines the scope to which it applies. Hence for cyclic behavior a re-enactment point can be used to explicitly state the loop-entry point for the entire block of tasks involved in the loop. Indeed, it is assumed that re-enactment points are explicitly stated and defined in the course of the model and policy design, because there are many approaches that can be used to identify the entry and exit point of a loop, or the looping block. These approaches address the identification of (the smallest) cycles, cyclicity, and repetitiveness in Petri nets or WF nets—for example, with the help of the reachability graph, the so-called T-invariant, or more sophisticated techniques [22, 74, 75, 155]. Since the boundedness of a net is decisive in the identification of cycles, for unbounded nets becomes more complex. For free-choice nets, in contrast, cycles can be identified efficiently. Based on the results of the identification of cycles, the re-enactment points involving the scopes of workflow tasks covered by each cycle could then be added right after the entry point of the cycle. Thus re-enactment points provide different possibilities for steering and control of the execution of a security-aware workflow. On the one hand, a re-enactment point could be used to explicitly trigger a policy re-enactment for the scope of a cycle when its loop entry point is passed. On the other hand, a conscious omission of a re-enactment point after loop entry could be used to force taking a path that executes tasks that have not yet been assigned.

Thus re-enactment points are characterized by their position and the scope they define, which determines the tasks that are to be re-enacted. Here, to preserve the basic functionality of a SecANet, it is assumed that the definitions of the re-enactment points are reasonable. For example, if a re-enactment point is entered after loop entry, it should cover all tasks involved in the loop in order to prevent manipulation of workflow behavior. Since the actual position of such a point in the workflow structure has an impact on the execution [39], the position of the re-enactment point is assumed to be reasonable. For example, if a loop is entered, the corresponding re-enactment point is supposed to occur right after loop entry. If a re-enactment point is intended to release a certain scope of tasks, it needs to be triggered right before that scope. Otherwise, re-enactment points at arbitrary positions may negatively impede the behavior of the SecANet, since they quickly become confusing and may cause unintended dependencies between the positions of the re-enactment points and the workflow execution. Thus to ensure a clear structure and preserve the encoding, a re-enactment point for acyclic SecANet (parts) may occur only right before or right after the scope to which it applies.

Re-Enactment Transitions:

Analogously to the general concept of a “re-enactment point” in a process, “re-enactment transitions” for Petri nets are introduced. The workflow net in Figure 3.38 depicts the WF-net of the BPMN example in Figure 3.37. It contains the re-enactment transition $\overset{\curvearrowleft }{t}_{\{t_1,t_2\}}$, which defines the re-enactment point and the scope of tasks that are to be re-enacted. In general, $\overset{\curvearrowleft }{t}_{S}$ denotes a transition that triggers re-enactment of a given scope of tasks $S \subseteq T$.

Definition 3.66 (Re-Enactment Transitions and Scopes).

Given a SecANet N, let $\overset{\curvearrowleft }{t}_{S}$ be a transition that represents a re-enactment point, and let $S \subseteq T$ be the corresponding scope that defines a set of tasks for which the policy is supposed to be re-enacted. Then the set of all re-enactment transitions in a WF-net is denoted by $\overset{\curvearrowleft }{T}_{\mathcal {S}}$. The non-empty set of all scopes $\mathcal {S}$ of all transitions triggering re-enactment is denoted by a family of sets, $\mathcal {S}_{\overset{\curvearrowleft }{T}} = \{S_1,\ldots ,S_{|\mathcal {S}|}\}$.

For example, given the three different scopes $S_1=\{t_1,t_2\}$, $S_2=\{t_3,t_4\}$, and $S_3=\{t_1,t_2,t_3,t_4,t_5\}$, the three re-enactment tasks can be denoted by ${\overset{\curvearrowleft }{t}_{S_1}}$, ${\overset{\curvearrowleft }{t}_{S_2}}$, and ${\overset{\curvearrowleft }{t}_{S_3}}$ (equivalently, as ${\overset{\curvearrowleft }{t}_{\{t_1,t_2\}}}$, ${\overset{\curvearrowleft }{t}_{\{t_3,t_4\}}}$, and ${\overset{\curvearrowleft }{t}_{\{t_1,t_2,t_3,t_4,t_5\}}}$), hence ${\mathcal {S}_{\overset{\curvearrowleft }{T}} = \{\{t_1,t_2\},\{t_3,t_4\},\{t_1, t_2, t_3, t_4, t_5\}\}}$.

Cancellation and Enactment:

Based on such a re-enactment transition, an example of a Petri net construction for two tasks $t_i$ and $t_j$, similar to the example DMV SecANet, is used to sketch the idea of how the policy for a certain scope can be re-enacted. As soon as re-enactment is triggered, tokens are supposed to be consumed and produced in such a way that the initial state of the considered policy encoding is restored. The bright upper part in Figure 3.39 shows the idea of how the re-enactment is implemented. First, an “enter re-enactment” transition produces a token in the “cancellation control” place. In order to avoid self-loops, the cancellation transitions are connected to a further place whose outgoing transition also produces a token in “cancellation control.” It is assumed that there is no obstruction, since that would block the execution of the tasks and no loop could be carried out. Therefore, both user-task assignments are considered to be executed, hence in this example there are no leftover tokens in the places of the user-task encodings. Thus the cancellation needs to consider only the SoD-related encoding here. For every SoD place, a transition that can consume leftover tokens is added (cf. the “cancel” transitions). After all leftover tokens in the regarded places are erased, the “enact” transition can be fired to put one token back into the initially marked SoD and user-task assignment places. To ensure that this “enactment” can be performed only when all corresponding SoD places are empty and to avoid having two tokens in an SoD place, their capacity needs to be explicitly bounded by 1. Based on the previously introduced “complementary-place transformation” [155], complementary places can be used to achieve this. They are labeled with the place they are complementing, followed by “_c1c” (capacity-1 complement). Moreover, arcs are added to the transitions which are connected to the regarded places. Here, the sum of tokens for each pair that consists of an SoD place and its place-complement is always equal to the capacity (which is 1 in this case) before and after executing the regarded transitions. While the purpose of Figure 3.39 is to explain the basic idea of re-enactment, the idea of cancellation and enactment will be formalized in a more fine-grained way. For example, the fulfillment of the condition that all leftover tokens are erased before the “enact” transition can produce tokens in the initially marked places will be partitioned into multiple steps. This higher modularity will allow the cancellation and enactment to be controlled separately and will increase the traceability of the individual steps of the net execution.

Besides the points of re-enactment and its encoding with Petri net elements, it is key to consider the bigger picture that takes all re-enactment points and scopes defined for a workflow into account. More precisely, the creation of Petri net elements that realize re-enactment (i.e., the creation of “re-enactment constructs”) needs to consider the cancellation and enactment, as well as the fact that scopes may potentially be part of other scopes. Here, straightforward construction of the re-enactment encoding for each of these scopes could result in multiple constructions of re-enactment encodings that involve the same scope, so that parts of the re-enactment constructs would be built multiple times for the same user-task authorizations or constraints. On the one hand, in order to keep the modeling complexity as low as possible, unnecessary, redundant constructions must be avoided. On the other hand, such multiple constructions could interfere with each other in an unintended way and manipulate the overall re-enactment encoding. For example, based on an SoD place, as in Figure 3.39, if there were multiple cancellation constructs for the cancellation of the same SoD place, the firing of the cancellation transition would then depend on tokens in the cancellation control in both constructs. The cancellation would in turn depend on the triggering of both re-enactment points at the same time, which may not be the case in the control flow. Hence the construction of a re-enactment must be done in a way that preserves the initial net behavior and does not result in such unintended manipulations. Here, creating re-enactment constructs for each user-task authorization and each constraint separately may avoid this. Re-enactment points could then trigger these individual constructs according to their scope of tasks. However, then all net elements controlling each cancellation and enactment would entail a high modeling complexity. Therefore, the re-enactment encoding needs to consider the interdependencies between scopes as well. Analogously to the block structure of the workflow net—in particular, block-structured loops—the scopes of re-enactment relate to blocks. Hence besides demanding an appropriate position of the re-enactment points, it is reasonable to ensure that their scopes are block structured as well. Here, there arises the question of how the creation of the re-enactment construct can be used by multiple re-enactment points such that nested scopes can be re-enacted. Moreover, how must the creation of the re-enactment constructs take place in order to successively allow for nesting of all scopes according to the block structure?

Nesting of Re-Enactment Scopes:

Based on the block structure of the workflow, it is assumed that re-enactment scopes are nested only blockwise. Accordingly, Figure 3.40 extends the CEW workflow with re-enactment points and three scopes: $S_1= \{t_1, t_2\}$, $S_2= \{t_3, t_4\}$, and $S_3= \{t_1, t_2, t_3, t_4, t_5\}$. It can be observed that the scopes that are nested are proper subsets of larger scopes; for example, $S_3= S_1 \cup S_2 \cup \{t_5\}$. Figure 3.41 illustrates the structural idea of how a re-enactment of nested subscopes is embedded into the re-enactment of a scope. Here, the marked place $\overset{\curvearrowleft }{p}_{S}$ indicates the state in which re-enactment has been triggered. A completed re-enactment for a given scope is indicated by a complete circle in which the symbol of the scope is embedded, hat is, a marked place $p_\circledS $. Accordingly, $t_\circledS $ finishes the re-enactment for scope S. Based on this, Figure 3.41 illustrates how to connect the “re-enactment construction” for a given re-enactment transition. For this, the “enter re-enactment” transition is extended by producing a token in each place of the re-enactment constructs for some subscope Y of S. Similarly, each place of the connected subscopes is connected to the “leave re-enactment” transition, hence the re-enactment is not allowed to be finished until after all parts of the scopes are finished. Thus all “re-enactment blocks” that are involved in the transitions of the regarded scope are embedded in parallel. Then placing tokens in the places that trigger re-enactment for their scopes initiates different cancellations and enactment blocks. Moreover, this construction allows for checking whether a block is already nested, namely, if $\overset{\curvearrowleft }{t}_S$ isn’t the only incoming transition of the place $\overset{\curvearrowleft }{p}_S$, that is, $|^\bullet \!\overset{\curvearrowleft }{p}_S|>1$. Analogously to the idea of cancellation and enactment, Figure 3.41 only the basic idea. In order to allow for higher modularity and clear execution steps, these steps will be formalized in a more fine-grained manner below.

Creation of Re-Enactment Constructs:

There is not only the question of how to structure and nest blocks, but also how to conduct the creation of all the Petri net re-enactment elements so as to reflect and preserve the block structure. Analogously to the block structure, scopes can be seen as blocks that nest each other. A scope that nests another scope represents a superscope. A scope that is embedded in a larger scope represents a subscope. Again, depending on which scope is chosen to begin the creation of re-enactment constructs, a scope could be built before its subscope elements are built. The creation of a re-enactment construct for the subscopes either would result in multiple re-enactment constructs from the same policy parts or would require restructuring of the re-enactment constructs already created. To avoid such a cumbersome approach, a systematic procedure for building and connecting the scopes of re-enactment one after the other will be subsequently developed. Here, it is worthwhile to consider the effects of the block structure on the individual scopes—in particular, how they nest each other. The nesting implies that the nested scopes represent proper subsets of a superscope; for example, $S_3= S_1 \cup S_2 \cup \{t_5\}$ (as indicated before). Obviously, the set of scopes over some set of workflow tasks represents a subset of the power set of these tasks, that is, $\mathcal {S} \subset \mathscr {P}(T)$. Here, the block structure of the affected models represents a subset of the standard partial order on the power set of T. For instance, the power set of the set of five tasks with the set of scopes $\mathcal {S} \subset \mathscr {P}(T)$ from Figure 3.40 highlighted in bold is

$$\begin{aligned} \mathscr {P}(T)= \{&\emptyset , \\ {}&\{t_1\}, \{t_2\}, \{t_3\}, \{t_4\}, \{t_5\}, \\&\mathbf {\{t_1, t_2\}}, \{t_1, t_3\}, \{t_1, t_4\}, \{t_1, t_5\}, \{t_2, t_3\}, \\ {}&\{t_2, t_4\}, \{t_2, t_5\}, \mathbf {\{t_3, t_4\}}, \{t_3, t_5\},\{t_4, t_5\}, \\&\{t_1, t_2, t_3\}, \{t_1, t_2, t_4\}, \{t_1, t_2, t_5\}, \{t_1, t_3, t_4\}, \\ {}&\{t_1, t_3, t_5\}, \{t_1, t_4, t_5\}, \{t_2, t_3, t_4\}, \{t_2, t_3, t_5\}, \\ {}&\{t_2, t_4, t_5\}, \{t_3, t_4, t_5\}, \{t_1, t_2, t_3, t_4\}, \{t_1, t_2, t_3, t_5\},\\ {}&\{t_1, t_2, t_4, t_5\}, \{t_1, t_3, t_4, t_5\}, \{t_2, t_3, t_4, t_5\}, \\ {}&\mathbf {\{t_1, t_2, t_3, t_4, t_5\}}\}. \end{aligned}$$

It can be seen directly that only scopes of smaller cardinality, for example $|S_1|=2$, can be part of scopes of higher cardinality, for example $|S_3|=5$. Hence if a scope is nested in another scope, this automatically implies that its superscope must have a higher cardinality. For example, if a block of a task $t_1$ is nested in another scope, this scope must contain $t_1$ but also at least one additional element. Otherwise, it would constitute just the scope $t_1$ itself. Consequently, scopes with the same cardinality cannot be subsets of each other, that is, scopes cannot nest other scopes of the same cardinality. Moreover, the nesting excludes the possibility that some smaller scope is directly nested in multiple scopes of higher cardinality. (Equivalently, scopes of the same cardinality cannot nest the same subscope.) Also, a task cannot be directly nested in more than one scope of the next higher cardinality. For example, the scopes $\{t_1, t_2\}$ and $\{t_2, t_3\}$ would have the overlapping task $t_2$ and would not adhere to the considered block structure. Such overlapping scopes are problematic, since they could allow for re-enactment of a single scope to be triggered multiple times at once from different re-enactment points that involve the same subscope. If that were to happen, multiple tokens would be placed into the re-enactment construct, which would contradict the condition-event principle on which the safe SecANet encoding is built, diffuse the meaning of markings and the firing of transitions, and manipulate the intended behavior of the re-enactment constructs. Hence scopes may not overlap with other scopes. In case some scope contains a task of another scope, it must completely nest the scope in which this task occurs, hence a scope can be directly nested in only a single superscope. Such a superscope can then itself be embedded in a single scope of higher cardinality.

These considerations on the block structure, which manifest in the cardinality of scopes, will be useful in the construction of the policy re-enactment. Accordingly, the creation of re-enactment constructs will be built with increasing cardinality of scopes, that is, from the minimal to the maximal set of the family of sets $\mathcal {S}$. For each cardinality, the corresponding re-enactment constructs are supposed to be created and potentially to nest smaller scopes. After the maximal sets of scopes have been considered, the creation of the re-enactment constructs is completed, hence all re-enactment points will be flattened into the SecANet step by step.

3.2.5.2 Flattening Policy Re-Enactment

Algorithm 3.1 encodes the overall framework of policy re-enactment and controls the creation of the policy re-enactment constructs. Thereby, the order in which the re-enactment is encoded is given by the increasing cardinality of the scopes (see line 7).

The subsequent definitions will relate to a re-enactment transition of a SecANet N that contains all re-enactment transitions and their corresponding scopes (as specified on line 5). The following is an overview of these definitions.

Creation and Nesting of Re-Enactment Controls (Definitions 3.67 and 3.68)
- Cancellation and Enactment (Definition 3.69)
  - User-Task Cancellation and Enactment (Definition 3.70)
  - Constraint Cancellation and Enactment (Definition 3.71)

First, the basic Petri net elements that control the beginning and the end of re-enactment for a certain scope will be created.

Definition 3.67 (Creation of Re-Enactment Controls)

Based on a re-enactment transition $\overset{\curvearrowleft }{t}_{S}$ and its scope S, the re-enactment for S is controlled by placing the following net elements into the SecANet N, where

$N = \langle P\cup P_S, T \cup T_S, F \cup F_S, m_0 \rangle $ with

$P_S=\{\overset{\curvearrowleft }{p}_{S}, p_{S_\text {Re-Enacting}}, p_{S_\text {Canceling}}, p_{S_\text {Canceled}}, p_{S_\text {Enacting}}, p_\circledS \}$,

$T_S=\{t_{S_\text {EnterCancellation}}, t_{S_\text {LeaveCancellation}}, t_{S_\text {EnterEnactment}}, t_{S_\text {LeaveEnactment}}, t_\circledS \}$,

$F_S= \{\langle t_\circledS , p_\text {PostRe-Enact}\rangle | p_\text {PostRe-Enact} \in \overset{\curvearrowleft }{t}_{S}^\bullet \}\cup $

$\{\langle \overset{\curvearrowleft }{t}_{S}, p_{S_\text {Re-Enacting}} \rangle ,\langle p_{S_\text {Re-Enacting}}, t_\circledS \rangle , \langle \overset{\curvearrowleft }{t}_{S}, \overset{\curvearrowleft }{p}_{S} \rangle ,\langle \overset{\curvearrowleft }{p}_{S}, t_{S_\text {EnterCancellation}}\rangle ,$

$\langle t_{S_\text {EnterCancellation}}, p_{S_\text {Canceling}}\rangle ,\langle p_{S_\text {Canceling}}, t_{S_\text {LeaveCancellation}}\rangle ,$

$ \langle t_{S_\text {LeaveCancellation}}, p_{S_\text {Canceled}}\rangle , \langle p_{S_\text {Canceled}}, t_{S_\text {EnterEnactment}}\rangle , \langle t_{S_\text {EnterEnactment}}, p_{S_\text {Enacting}} \rangle ,$

$\langle p_{S_\text {Enacting}}, t_{S_\text {LeaveEnactment}}\rangle , \langle t_{S_\text {LeaveEnactment}}, p_\circledS \rangle , \langle p_\circledS , {t}_{\circledS } \rangle \}$.

Note that $\{\langle {t}_{\circledS }, p_\text {PostRe-Enact}\rangle | p_\text {PostRe-Enact} \in \overset{\curvearrowleft }{t}_{S}^\bullet \}$ is supposed to take over the initial outgoing arcs of $\overset{\curvearrowleft }{t}_{S}$ , hence that now $\overset{\curvearrowleft }{t}_{S}^\bullet = \{p_\text {Re-Enacting}, \overset{\curvearrowleft }{p}_{S}\}$ . The figure below shows the graphical representation of these net elements: ^{Footnote 13}

As indicated before, it must be checked whether there are nested subscopes for the scope under consideration. Because of the incremental construction method, which is based on the increasing cardinality of scopes, it must be ensured that the block structure is gradually built into the re-enactment construct already created in N. Here, based on the re-enactment control created for each transition $\overset{\curvearrowleft }{t}_{S}$, it must be checked whether its scope S involves other scopes.

Definition 3.68 (Nesting of Re-Enactment Controls).

Based on the re-enactment control created for a transition $\overset{\curvearrowleft }{t}_{S}$ from Definition 3.67 , for each place of N of the form $\overset{\curvearrowleft }{p}_{Y} \in P$ where $Y \in \mathcal {S}$ it must be checked whether its scope Y is a subset of the considered scope of S of $\overset{\curvearrowleft }{t}_{S}$ , that is, $Y \subset S$ . Based on the nesting defined in this definition, if $|^\bullet \!\overset{\curvearrowleft }{p}_Y|>1$ then Y is already embedded in another block. Since scopes may not be nested in more than one block, the construction described in this definition may be built only if $|^\bullet \!\overset{\curvearrowleft }{p}_Y|=1$ . Then the scope Y is not only triggered by its corresponding re-enactment transitions $\overset{\curvearrowleft }{t}_{Y}$ but also controlled with the help of arcs pointing from the current scope S to $\overset{\curvearrowleft }{p}_Y$ and back, that is, the set of arcs of N is extended by $IMAGE$ . The figure below shows the graphical representation of this nesting of re-enactment controls: ^{Footnote 14}

In this way, the basic framework in which the cancellation and enactment of the specific policy parts can take place is built. In the next step, the construction that controls the cancellation and enactment for a specified scope of tasks is explained. It will be controlled by firing the respective “enter” and “leave” transitions for the cancellation and enactment. Accordingly, the subsequent Petri net construct will be the frame which is used to control cancellation and enactment.

Definition 3.69 (Cancellation and Enactment).

Let S be a scope of transitions, and let $T_{S_{cancel}} =\{t_{S_{EnterCancellation}},t_{S_{LeaveCancellation}} \}$ and $T_{S_{enact}}=\{ t_{S_{EnterEnactment}}, t_{S_{LeaveEnactment}}\}$ be the sets of transitions in N that trigger cancellation and enactment, respectively. The cancellation and enactment are controlled by adding the following net elements to the SecANet N, where $N = \langle P\cup P_S, T \cup T_S, F \cup F_S, m_0 \rangle $ with

$P_S=\{p_{S_\text {ToCancel}}, p_{S_\text {CancellationRunning}}, p_{S_\text {CancellationPerformed}}, p_{S_\text {Canceled}}, p_{S_\text {ToEnact}}, p_{S_\text {Enacted}}\}$,

$T_S=\{t_{S_\text {StartCancellation}}, t_{S_\text {ProceedWithCancellation}}, t_{S_{FinishCancellation}}, t_{S_\text {Enact}}\}$,

$F_S= \{ \langle t_{S_\text {EnterCancellation}},p_{S_\text {ToCancel}} \rangle , \langle p_{S_\text {ToCancel}},t_{S_\text {StartCancellation}} \rangle ,$

$\langle t_{S_\text {StartCancellation}}, p_{S_\text {CancellationRunning}} \rangle , \langle t_{S_\text {CancellationPerformed}}, p_{S_\text {ProceedWithCancellation}} \rangle ,$

$\langle t_{S_\text {ProceedWithCancellation}}, p_{S_\text {CancellationRunning}} \rangle , \langle p_{S_\text {CancellationRunning}},t_{S_\text {FinishCancellation}} \rangle ,$

$\langle t_{S_\text {FinishCancellation}}, p_{S_\text {Canceled}} \rangle , \langle \rangle , \langle p_{S_\text {Canceled}}, t_{S_\text {LeaveCancellation}} \rangle , \langle t_{S_\text {EnterEnactment}}, p_{S_\text {ToEnact}} \rangle ,$

$\langle p_{S_\text {ToEnact}}, t_{S_\text {Enact}} \rangle , \langle t_{S_\text {Enact}}, p_{S_\text {Enacted}} \rangle , \langle p_{S_\text {Enacted}}, t_{S_\text {LeaveEnactment}} \rangle \}$.

The figure below shows the graphical representation of these net elements:

The “cancellation running” and “cancellation performed” places will be the incoming and outgoing places, respectively, for each transition that will actually allow canceling (i.e., consuming) of leftover tokens, which will be illustrated in Definitions 3.70 and 3.71. Moreover, if all involved places that indicate a completely cleared policy construct are marked, they are supposed to enable the transition that produces a token in a place that indicates that the cancellation is completed. The enactment-related Petri net elements will then need to put only the initial tokens into the places of the corresponding policy net elements.

The example in Figure 3.42 applies the definitions given so far to the re-enactment transition in a DMV SecANet. Since up to now only the control flow of the DMV example is affected by the re-enactment elements, the SecANet constructs that encode user-task authorization and the SoD constraints are omitted for better readability.

The constructed re-enactment-related Petri net elements now constitute the complete framing in which the actual re-enactment is supposed to occur. The next definitions will connect the elements of this frame with the policy-related parts of the SecANet—in particular, with the cancellation and enactment of user-task authorization and constraints, respectively.

Given a user-task authorization, indicated by its initially marked place $p_{t-}$ from a SecANet, the cancellation is as follows: First, a place that indicates whether the task has been executed, that is, an outgoing place $p_t$ of the transition t, is added. Thus it is now possible to cover all three possible states that can occur in the course of a user-task assignment by the three places $t_-$, $t_+$, and $p_t$. As previously observed, in the course of the language-related initial and final markings, and because of the given sequential order, it is always the case that only one of the three places can be marked. Here, for each such state a cancellation transition is needed. All three cancellation transitions have the same outgoing place, indicating that all places related to the user-task authorization are empty. The following definition represents the general encoding of how to clear all possible token distributions in a user-task authorization construct and how to enact it. Analogously to the nesting, it will be checked whether this construct already exists, based on the existence of incoming transitions for the place $p_-$ that indicate user-task unassignment. If such incoming transitions exist, this means that the corresponding user-task construct already exists and is part of another scope in which its re-enactment is supposed to be nested.

Definition 3.70 (User-Task Cancellation and Enactment).

For each $t \in S$, let $P_{t-+} = \{p_{t-},p_{t+}\}$ be a set of pairs of the user-task authorization of the SecANet, where $P_{t-+} \subseteq \dot{P}_{TA}$. If $^\bullet \!p_{t-} = \emptyset $, the subsequent elements are added to the SecANet N to cancel the state of the user-task authorization and to enact it. Otherwise (if $|P_{t-}|>0$), the construct has already been added in a nested scope. Specifically,

$N = \langle P\cup P_S, T \cup T_S, F \cup F_S, m_0 \rangle $ with

$P_S=\{p_{t_\text {Executed}}, p_{ut_\text {Canceled}}\}$,

${T_S=\{t_{\text {Cancel}_{t-}}, t_{\text {Cancel}_{t+}}, t_{\text {Cancel}_{t_\text {Executed}}}\}}$,

$F_S= \{ \langle p_{t-}, t_{\text {Cancel}_{t-}} \rangle , \langle t_{\text {Cancel}_{t-}}, p_{ut_\text {Canceled}} \rangle , p_{t+}, t_{\text {Cancel}_{t+}} \rangle , \langle t_{\text {Cancel}_{t+}},$

$p_{ut_\text {Canceled}} \rangle , \langle t, p_{t_\text {Executed}}\rangle , \langle p_{t_\text {Executed}},t_{\text {Cancel}_{t_\text {Executed}}} \rangle , \langle t_{\text {Cancel}_{t_\text {Executed}}}, p_{ut_\text {Canceled}} \rangle ,$

$\langle p_{S_\text {CancellationRunning}}, t_{\text {Cancel}_{t-}} \rangle , \langle t_{\text {Cancel}_{t-}}, p_{S_\text {ProceedWithCancellation}}\rangle , \langle p_{S_\text {CancellationRunning}},$

$t_{\text {Cancel}_{t+}} \rangle , \langle t_{\text {Cancel}_{t+}}, p_{S_\text {ProceedWithCancellation}}\rangle , \langle p_{S_\text {CancellationRunning}}, t_{Cancel_{t_\text {Executed}}} \rangle ,$

$\{\langle t_{Cancel_{t_\text {Executed}}}, p_{S_\text {ProceedWithCancellation}}\rangle , \langle p_{ut_\text {Canceled}}, t_{S_\text {FinishCancellation}}\rangle , \langle t_{S_\text {Enact}}, p_{t-}\rangle \}$

The figure below shows the graphical representation of these net elements: ^{Footnote 15}

It is important to note that, based on the re-enactment construction, user-task transitions could occur in a firing sequence in which they are not followed by their respective tasks. For the interpretation of the encoding, therefore, it is important to note that only the last user-task assignment before the corresponding task execution encodes the actual user that executes the task.

Regarding constraints, for a given constraint place C in a SecANet, the cancellation is as follows: First, a complement place for C is created. Then each outgoing transition from the constraint place C needs to be connected to the new complementary place as its incoming transition. Moreover, a new transition that has the constraint place as the incoming place and the complementary place as the outgoing place is created. Thus if during workflow execution the constraint is taking effect, this state is captured by the complementary place. Otherwise, the cancellation transition may erase leftover tokens during execution of the loop. Since both of these cases result in an empty constraint place C, only one place is used to document this. For example, Figure 3.44 depicts such a cancellation construct for an SoD place. Hence a marked complementary place represents the state in which the corresponding constraint place is empty, which may result from the application of the constraint in the course of a user-task assignment or may indicate cancellation.

Definition 3.71 (Constraint Cancellation and Enactment).

Let $C_{ut_kt_l}$ be a constraint place abstracting from $SoD_{u_jt_kt_l}$ or $BoD_{u_jt_kt_l}$. For each $C_{ut_kt_l}$ where $t_k,t_l \in S$ and $t_k\ne t_l$, the cancellation of the state of the constraint enforcement and its enactment is provided by adding the net elements indicated below. Again, only if $^\bullet \!C_{ut_kt_l} = \emptyset $ are the subsequent elements are added to the SecANet N to cancel the state of the constraint and to enact it. (Otherwise, i.e., if $|^\bullet \!C_{ut_kt_l} |>0$, this indicates that the construct has already been added in a nested scope.) Specifically,

$N = \langle P\cup P_S, T \cup T_S, F \cup F_S, m_0 \rangle $ with

$P_S=\{p_{C_{ut_kt_l}\text {Complement}}\}$,

$T_S=\{t_{\text {Cancel}C_{ut_kt_l}}\}$,

$F_S= \{ \{\langle t_{ut},p_{C_{ut_kt_l}\text {Complement}} \rangle |t_{ut}\in C_{ut_kt_l}^\bullet \} \cup $

$\{\langle C_{ut_kt_l}, t_{\text {Cancel}C_{ut_kt_l}} \rangle , \langle t_{\text {Cancel}C_{ut_kt_l}},p_{C_{ut_kt_l}\text {Complement}} \rangle ,\langle p_{\text {CancellationRunning}},$

$t_{\text {Cancel}C_{ut_kt_l}} \rangle ,\langle t_{\text {Cancel}C_{ut_kt_l}}, p_{\text {ProceedWithCancellation}}\rangle , \langle p_{C_{ut_kt_l}\text {Complement}},$

$t_{S_{\text {FinishCancellation}}}\rangle , \langle t_{S_\text {Enact}}, C_{ut_kt_l}\rangle \}$

The figure below shows the graphical representation of these net elements: ^{Footnote 16}

Based on Algorithm 3.1 and the definitions embedded therein, it is now possible to fully construct the net elements that provide policy re-enactment. Figure 3.43 illustrates the policy re-enactment for the example DMV SecANet. It must be admitted that, for this simple example, the effort for re-enactment seems rather disproportionate. However, this is considered as the “price to pay” to obtain a general and clear encoding for larger nets as well. Here, based on the systematic, incremental construction, the elements of the control constructs increase linearly with the number of re-enactment points and their scopes. Although the overall construct could be simplified (e.g., see Figure 3.39), the aim has been to keep the construction clean and as clearly arranged as possible. Moreover, this general modular construction will allow further usage in other respects (see Section 3.2.6.3). Also, the concept of re-enactment points offers the possibility for refinement. Although re-enactment has applied thus far to tasks in general, it could be refined in terms of policy type or users. In order to prevent multiple access by the same person during particularly critical activities, for example, one could exclude constraints from re-enactment and retain only the SoD constraints that have already been put into effect.

Comprehensive SecANet Example of the Collateral Evaluation Process:

To show the applicability of the flattening for a larger comprehensive net structure involving cycles, the example of a workflow net for collateral evaluation in Figure 3.20 which is based on the BPMN model that involves release points from Figure 3.19 will be used. The SoD and BoD constraints are noted right in the BPMN model. The release points (see $o_1,o_2,o_3$) allow these constraints to be considered in the scope of each loop separately. In order to illustrate that the SecANet encoding is applicable to different models, the intention is to leave the model as is and interpret the release points as re-enactment points for their corresponding scopes, where $S_{o_1}=\{t_1,t_2\}$, $S_{o_2}=\{t_3,t_4\}$, and $S_{o_3}=\{t_1,t_2, t_3,t_4, t_5\}$. Figure 3.45 depicts an example of a corresponding user-task assignment. According to the mapping in Figure 3.18 from Dijkman et al. [78], the BPMN model is first transformed into a P/T net. Then the user-task assignment, the two SoD constraints, and one BoD constraint are flattened into the net according to the theory presented above. Finally, the policy re-enactment constructs for the release points are added. Figure 3.46 depicts the resulting SecANet, with different shades highlighting the individual parts of the net. It is displayed to give an impression of the overall system that results from the flattening. To increase readability, the policy re-enactment considers only simplified re-enactment constructs without user-task cancellation (as, for instance, in Figure 3.39). As previously indicated, if all the tasks are executed, user-task cancellation can be neglected for re-enactment, since the tokens in all user-task assignment places of the form $p_{t-}$ and $p_{t+}$ are consumed in the course of execution. However, this net also contains obstructions, which will be treated in more detail in the subsequent chapters, where approaches that solve obstructions based on the presented flattening are presented.

3.2.6 SecANet Analysis: Satisfiability and Obstructability

Based on Definitions 3.30, 3.31, and 3.32 and Algorithm 3.1, a SecANet can encode a policy-aware WF-net with a comprehensive block structure involving cyclic, exclusive, and parallel paths. Moreover, based on Definitions 3.33 and 3.34, markings that encode obstructed and satisfiable firing sequences are provided. Thus a SecANet can encode security properties and can be interpreted with regard to satisfiability and obstructability. Specifically, the related liveness security property of process completion can be checked by considering all possible execution sequences (or events), which in the end constitute sequences (or traces) that may or may not have that property. As previously illustrated, satisfiable execution sequences may reach markings that contain $p_o$, that is, the output place of the initial WF-net is marked. If this occurs, it means that there is a full firing sequence (equivalently, that there is a valid plan) such that the workflow is satisfiable. On the other hand, obstructed execution sequences reach terminal markings that do not contain the output place $p_o$. Hence the liveness security property of process completion can also be checked by examining whether final markings (or states) that either involve $p_o$ or not are reachable.

Hence satisfiability and obstructability are both concerned with reachability in the first place. Satisfiability is concerned with whether there is a marking greater than $p_o$ which is reachable in a SecANet. Obstructability is concerned with whether there is a marking that neither contains $p_o$ nor enables any further transitions. The most basic method for determining satisfiability and reachability would be to play the token game until a desired marking is reached, that is, until the net reaches the obstruction marking or the marking containing $p_o$. While this is a feasible endeavor for the DMV example, larger net structures demand more systematic approaches. Here, the most straightforward way would be to build the marking graph of the net. The reaching of the end marking would then resolve the workflow as satisfiable, and the reaching of a terminal marking without $p_o$ would reveal an obstructed state. Moreover, as elaborated at the beginning of this chapter, there are many additional techniques which may be used to examine reachability more efficiently. Those techniques will also be highlighted in Chapter 4, which introduces the so-called marking equation and uses integer linear programming techniques to answer questions related to reachability. Next, it is shown how to transform a SecANet in such a way that deadlock detection and liveness analysis can be applied to it, the main objective being to relate the notion of soundness to the SecANet encoding. Thus the analysis of SecANet soundness will subsume the analysis of satisfiability and obstructability.

3.2.6.1 SecANet Soundness

A sound SecANet is considered to be satisfiable and obstruction-free. For a consistent evolution of existing terminology and definitions from the literature, the notion of SecANet soundness will be built upon the definitions of soundness of a workflow net. As mentioned in Section 3.1.2.4, a sound workflow represents a workflow that is able to reach the output place from every reachable marking (i.e., it has the “option to complete,” meaning that every task is involved in the processing of a case). Moreover, all of its tasks need to be executable at least once (referred to as the “no dead transitions” condition). Finally, when the output place is marked, no other places are supposed to be marked (denoted as “proper completion”). From the perspective of access control, an obstruction is also a case that cannot be processed to its completion because the policy is blocking further progress. Satisfiability relates to the executability of each task. If a certain workflow task is not executable in any possible execution sequence, the workflow path that involves this workflow task is not satisfiable. Here, this means that the policy does not allow the firing of a user-task assignment that would enable the regarded workflow task. Hence in order to check satisfiability and obstructability, the notion of “soundness” of a workflow will be tailored to soundness of a SecANet. Since, as previously elaborated, it cannot be ensured that the marking in $p_o$ is the only marked place left after a SecANet execution, the “proper completion” property will be neglected for the moment.

The subsequent interpretation of the “option to complete” and the “no dead transitions” property will assume that the workflow for which a SecANet is created is block structured and sound (cf. Section 3.1.2.4). This implies that the workflow net within the SecANet fulfills the “option to complete” and has no dead transitions. Thus it suffices to analyze whether a sound workflow net is still sound in the context of the SecANet encoding surrounding it. If the SecANet encoding cannot fulfill the conditions or soundness, the reason for this has to lie in the net elements created in the course of the flattening that encode the policy.

Similarly to the definition from workflow soundness, the “option to complete” is supposed to check whether it is possible to reach a marking that involves $p_o$. Thus the “option to complete” condition for a sound SecANet encodes obstruction-freeness for every possible execution sequence (or case). If a case is not completable, it represents an obstructed case, that is, the “option to complete” of the initially sound workflow is no longer fulfilled in the SecANet.

As examined before, obstructions describe individual process executions (or cases) that are not completable. They may occur in satisfiable or unsatisfiable workflows. If all possible cases for a specific path of workflow tasks result in an obstruction (i.e., the path is not completable for any of the possible user-task assignments), this means that the path is not satisfiable at all. Hence if the “option to complete” is not fulfilled at least once for a certain path, the transitions that are always blocked never become enabled, that is, they are dead. Thus the question of whether a workflow is satisfiable at all can be answered by checking for dead workflow tasks in a SecANet. Put differently, if all WF tasks are simply live (equivalently, quasi-live), the workflow is satisfiable. For workflows with sequential or parallel paths, a dead task then implies that the entire workflow is unsatisfiable. In workflows with exclusive branching, a dead task means that only the path on which this task occurs is unsatisfiable. They may also include satisfiable executions. Regardless of the actual structure of the workflow, therefore, the SecANet workflow will be considered unsatisfiable as soon as there are dead workflow tasks, since the policy does not allow full execution of all possible paths given by the initially sound workflow. It is assumed that the “no dead transitions” property for a SecANet has to hold only for the workflow tasks, not for user-task assignments (which are all simply live based on the initial marking) or for transitions that serve only functional routing purposes. This is because, on the one hand, the original “no dead transitions” condition concerns only the workflow tasks. On the other hand, the question of satisfiability is ultimately also answered by looking at the workflow tasks, namely by determining whether a task is executable or not.

A sound SecANet is thus defined to be obstruction-free and satisfiable if it fulfills the “option to complete” and has “no dead transitions.” These two conditions will directly allow observing the connections and implications between satisfiability and obstructability in the context of a specific net. The subsequent definition will adapt the definition of the properties from workflow soundness (cf. Definition 3.72) to the SecANet encoding. Based on the assumption that the underlying workflow net is sound, a SecANet is sound if and only if the following two requirements are satisfied:

Definition 3.72 (Soundness of a SecANet)

A SecANet N with workflow input place i and workflow output place o is sound if the following conditions are met:

(i)
Obstruction-Freeness (or Option to Complete): For each case and every marking reached from the initial marking, it is possible to reach a state that marks the end place o; that is, $\forall m \in R(N, i)$, $m(o) \in R(N, m)$.
(ii)
Satisfiability (or No Dead WF Task): It is possible to execute an arbitrary WF task by following the appropriate firing sequence through the WF-net; that is, $\forall t\in T,\; \exists m\in R (N, i)$ such that $(N,\ m)[t\rangle $.

In the example, the previously identified obstruction marking in Figure 3.24 indicates that it is not always possible to complete the DMV SecANet workflow (i.e., the “option to complete” is not fulfilled). However, the DMV SecANet does not contain dead WF transitions, which underlines its previously identified satisfiability. Here, removing $u_2$ from the user-task permissions for $t_1$, for example, would render the last WF-task($t_2$) dead because the workflow would not be satisfiable.

In this regard, Figure 3.47 illustrates the potential pitfalls of the interpretation and interconnections between the conditions of SecANet soundness. Supposedly small differences in the interpretation of workflows on the Petri net level can impact the obstructability analysis. At the same time, the Figure underlines the importance of exactly how gateways are modeled as well as how rather coarse-grained modeling may cause a loss of important security-related information. Figure 3.47 depicts a SecANet that has the option to complete the workflow but contains a dead transition, $t_2$. The ensuing interpretation that the workflow is obstruction-free but not satisfiable would, however, contradict the identified relationships between satisfiability and obstructability. In this regard, a closer look at the net reveals that it implements forks and joins in a rather reduced, implicit way. For instance, firing transition $t_1$ or $t_5$ at the beginning of the net determines which path to take and, at the same time, executes the actual task following this decision. If transition $t_1$ is obstructed, the other path (the one that starts with $t_5$) can be chosen instead. Because of the unconstrained user-task assignment represented by $t_{u_4t_5}$, the latter is a path that obviously cannot obstruct. For this reason, the obstruction does not block the process. However, it still reduces the option of which path to choose and restricts the behavior of the initial workflow. Hence in order to have full control over the net in a fine-grained way and avoid such “hidden” obstructions, a workflow has to be modeled according to the block structure and the common transformation from BPMN into Petri nets (cf. Figure 3.18). Each fork and join is supposed to be resolved as a separate construct that does not involve tasks. Figure 3.48 encodes the workflow with explicit joins and forks according to the common transformation of gateways into Petri nets (e.g., from BPMN). Checking the net in Figure 3.48 for the two soundness conditions reveals the dead transition $t_2$ too, but the related obstructions at transitions $t_1$ and $t_2$ come to light as well. This is thus consistent with the identified implications between the “option to complete” and “no dead transitions” condition and their relations to obstructability and satisfiability. First, the decision to take a certain path has to be made irrespective of any user-task assignment. After this decision, a potential obstruction cannot be circumvented. Thus potential constellations in which certain tasks cannot be performed because of authorization constraints cannot be undermined in such a way that weak spots of the policy can be identified again. Therefore, the workflow involved in a SecANet must explicitly encode forks and joins for parallel and exclusive gateways that do not depend on any user-task assignments of the policy encoding. The user-task encoding in a SecANet must be created only for actual workflow tasks that are supposed to be executed by users. Then an unsatisfiable workflow cannot be obstruction-free, since the explicit modeling of gateways implies that it must be possible to explicitly choose the path that involves the dead transition, and thus to obstruct the execution.

Hence a workflow may have “no dead transitions” and no “option to complete,” so that it is satisfiable but obstructive, or it may have “no dead transitions” and the “option to complete,” in which case it is satisfiable and obstruction-free. A dead transition means that, somewhere on the path before the transition, there is an obstruction that does not allow the transition to be enabled. Hence in a SecANet the option to complete cannot be fulfilled in the face of dead transitions. Either there is an obstruction that directly causes the workflow transition to be dead, or there may be an obstruction at some earlier point in the execution that deadens all succeeding tasks. In regard to the latter, and regardless of whether a user can be assigned to a task or not, the control-flow token needed to enable the workflow task would then be missing for the succeeding tasks. A SecANet that neither has the option to complete nor has no dead transitions is neither satisfiable nor obstructionfree.

3.2.6.2 SecANet Reversibility and Deadlock Analysis

Both of the soundness conditions can again be represented as typical questions of reachability. “No dead transitions” asks if there is a transition that is not fireable from any reachable marking, while “option to complete” asks whether the final marking is reachable from any reachable marking. Because of the structural complexity of a SecANet, which, as previously explained, belongs at least to the class of asymmetric choice nets, it may be intractable to make a decision on its soundness [7, 136]. In contrast to reachability, as elaborated before, the computation of liveness as well as the identification of deadlocks can potentially be done more efficiently.

In a SecANet deadlocks are used to indicate the two crucial states. A satisfiable full firing sequence reaches a deadlock marking that contains $p_o$. A SecANet that encodes an obstructed execution reaches a deadlock marking without $p_o$. Thus the idea is to exclude from deadlock analysis the desirable end marking that encodes process completion and contains $p_o$. This is done by allowing the end marking to restore the initial marking, so that the net becomes reversible. Thus similarly to the WF-net extension related to the investigation of the strong-connectedness of a WF-net in Definition 3.22, an additional transition that connects the output place with the input place needs to be added. Since the reaching of the output place can no longer represent a deadlock, a deadlock is then supposed to indicate an obstruction. In a sense, the “option to complete” can thereby be “included” in the structure of the net. This inclusion allows searching for deadlocks beyond the desired deadlock of the marked output place. In such an extended net, the identification of deadlocks then becomes synonymous with the search for obstructions, thereby allowing for the use of typical existing methods for deadlock analysis—for example, checking for the siphon/trap property (cf. Definition 3.15 and Definition 3.16).

Because of the simplicity of the DMV SecANet example, it can be used to illustrate the intended extension, which is depicted in Figure 3.49. It is realized by adding a transition $t^*$ whose outgoing transition is the input place of the SecANet. It can now be reset to its initial marking by firing $t^*$. Moreover, $t_{start}$ is added to enact the policy. Now, the siphon-trap property can be analyzed to identify deadlocks within the extended net, that is, whenever each siphon contains a trap the net is deadlock-free. The siphons and traps for the extended DMV SecANet are indicated with different-shaded bars. Without the extension, the siphons and traps would trivially be the source and sink places, respectively. Hence it can be observed that, concerning the workflow net and its user-task authorization, each siphon contains a trap. The related siphons and traps are completely in cover (which is highlighted by the dashed lines). However, the siphon that involves the SoD place does not contain the trap that contains the SoD place. The SoD-related trap encompasses all elements of the siphon but additionally contains $p_o$ and $p_3$. Based on this observation, it can be checked whether the SoD-related siphon can indeed become empty, namely if there is a marking m where $m(p_0)=0$ and $m(p_3)=0$. This is just the case with the obstruction marking. The trap property is fulfilled here too, because either place of the SoD-related trap ($p_1$ or $p_3$) is still marked. Moreover, the extended example SecANet could be used to assess the liveness of the extended net, and hence check its soundness as well. Liveness checks typically first check for no dead transitions, and then check whether each transition is reachable from some reachable marking. If there are no dead transitions and the option to complete is fulfilled, each transition can be reached by any transition in the extended net, that is, the entire net is live.

As for the marking that contains the output place, it is important to note that the example net has an advantage in regard to deadlock and liveness analysis: As soon as the output place of the workflow is marked by a token, all other places of the example SecANet are empty. However, this is usually not the case in a SecANet. For example, in case there was another user authorized for both tasks, one of the SoD places would inevitably remain marked at the end of execution. Therefore, for a SecANet in general, before the net would be reinitialized with its initial marking, care must be taken to ensure that all places are empty again. Otherwise, leftover tokens could manipulate the results of the deadlock or liveness analysis. This can be achieved by introducing an additional construction, which uses the re-enactment constructs introduced in Section 3.2.5. If, at the end of execution, eventually only $p_o$ is marked, that is, it is properly completed, this will then allow for an easy transition from this place directly to $p_i$ through a single transition $t^*$.

3.2.6.3 SecA-WF-Net: Security-Aware Workflow Net

While thus far only the “option to complete” and “no dead transitions” conditions could be related to a SecANet, the modular definition of the re-enactment constructs will subsequently allow for fulfilling the “proper completion” property as well. Since these three conditions exactly constitute the soundness of a WF-net, the SecANet will be extended to a so-called SecA-WF-Net, which represents a general way to extend a SecANet that contains the SecANet encoding as well as a WF-net structure. Moreover, with the help of the additional transition $t^*$, a SecA-WF-Net can then easily be extended in order to use it for the analysis of deadlocks or liveness.

Figure 3.50 depicts this overall frame of a SecA-WF-Net and how it is supposed to encapsulate a SecANet. It places the SecANet into a further frame that is supposed to enact and cancel the entire policy. The workflow structure demands that there be only one input place and one output place, and that the input place be the only marked place in the initial marking. Therefore, the enactment construction from before is used here to generate the initial tokens of a SecANet based on the initially marked source place $p_i$. Moreover, in order to allow for “proper completion” the final cancellation construct of the re-enactment modeling above can now be used to reach the final marking in which only $p_o$ is marked. Figure 3.50 also indicates the optional additional transition $t^*$ that allows for extension of the net in order to use it for deadlock or liveness analysis. This extension makes the net reversible, since the SecANet system can then get initial settings after it is executed, that is, the initial marking $m_{0}$ is reachable from every marking of $[m_0\rangle $ (cf. Definition 3.14).

In order to allow for enactment and cancellation of the entire policy, two different cases must be considered. The first is the possibility that there already exist re-enactment constructs, at least for parts of the policy. Similarly to the re-enactment construction above, here again creation of multiple enactments or cancellation constructs must be avoided. Therefore, all places that trigger and document enactment and cancellation need to be connected to the respective “enter/leave enactment” transitions and cancellation transitions, respectively. However, the existence of re-enactment points does not mean that their scopes cover all WF tasks. It could even be the case that the WF-net of the SecANet contains no re-enactment points. Hence for all WF tasks that are not covered by re-enactment constructs, the corresponding construct needs to be created for the respective policy parts. If the SecANet contains no re-enactment points, the construct will need to be created for the entire policy. The modularity of the re-enactment constructions introduced before allows for simply re-using the existing re-enactment definitions for the given sets of enter/leave enactment transitions and cancellation transitions, respectively. Accordingly, the subsequent definition is supposed to generate the workflow structure surrounding a SecANet in order to obtain a SecA-WF-Net.

Definition 3.73 (WF-Structure Generation and SecA-WF-Net)

Let N be a SecANet that contains a WF-net with an input place $p_i$ and an output place $p_o$, and let S be its scope involving all WF tasks. In order to control the enactment and cancellation of the policy for the set of all WF tasks $S\subseteq T$ according to the WF structure, the following net elements are added to the SecANet N, where $N = \langle P\cup P_S, T \cup T_S, F \cup F_S, m_0 \rangle $ with

$P_S=\{p_{EnactingPolicy}, p_{PolicyEnacted}, p_{ExecutionCompleted}, p_{CancelingPolicy}\}$,

$T_S=\{t_{S_{EnterEnactment}}, t_{S_{LeaveEnactment}}, t_{S_{EnterCancellation}}, t_{S_{LeaveCancellation}}\}$,

$F_S= \{\langle p_{PolicyEnacted}, t_{PostInputPlace}\rangle | t_{PostInputPlace} \in p_i^\bullet \}\cup $

$\{\langle t_{PreOutputPlace}, p_{ExecutionCompleted}\rangle | t_{PreOutputPlace} \in ^\bullet \!\!\!\!p_o\}\cup $

$\langle p_i, t_{S_{EnterEnactment}}\rangle , \langle t_{S_{EnterEnactment}}, p_{EnactingPolicy} \rangle , \langle p_{EnactingPolicy},$

$t_{S_{LeaveEnactment}}\rangle , \langle t_{S_{LeaveEnactment}}, p_{PolicyEnacted} \rangle ,\{\langle p_{ExecutionCompleted},$

$t_{S_{EnterCancellation}}\rangle , \langle t_{S_{EnterCancellation}}, p_{CancelingPolicy}\rangle , \langle p_{CancelingPolicy},$

$ t_{S_{LeaveCancellation}}\rangle , \langle t_{S_{LeaveCancellation}}, p_o\rangle \}$ , and $m_0 = \{p_i\}$ (i.e., the initial markings of all policy encodings are set to 0).

Note that $\{\langle p_{PolicyEnacted}, t_{PostInputPlace}\rangle | t_{PostInputPlace} \in p_i^\bullet \}$ is supposed to take over the initial outgoing arcs of $p_i$ , and ${\{\langle t_{PreOutputPlace}, p_{ExecutionCompleted}\rangle | t_{PreOutputPlace} \in ^\bullet \!\!\!\! p_o\}}$ is supposed to take over the initial incoming arcs of $p_o$ , where now ${p_i^\bullet = \{t_{S_{EnterEnactment}}\}}$ and ${^\bullet \!p_o = \{t_{S_{LeaveCancellation}}\}}$ . The figure below shows the graphical representation of these net elements:

Based on this, all enactment and cancellation places are connected with the enter/leave enactment and cancellation transitions, where the set of arcs of N is ${\{\langle t_{S_{EnterEnactment}}, p_{Y_{ToEnact}}\rangle , \langle p_{Y_{Enacted}}, t_{S_{LeaveEnactment}} \rangle , \langle t_{S_{EnterCancellation}}, p_{Y_{ToCancel}}\rangle , \langle p_{Y_{Canceled}}, t_{S_{LeaveCancellation}}\rangle | p_{Y_{ToEnact}}, p_{Y_{Enacted}}, p_{Y_{ToCancel}}, p_{Y_{Canceled}} \in P,\; Y \subseteq T \} \cup F}$. The figure below shows the graphical representation of this enactment and cancellation of the different scopes for which there are re-enactment constructs in N:

For the set of WF tasks for which there is no enactment and cancellation place, that is, the scope $\{S-\bigcup _{p_{Y_{Enacted}} \in P} Y | Y \subseteq T\}$, the re-enactment-related net elements need to be created and added to N by successively applying Definitions 3.69, 3.70, and 3.71, which results in the SecA-WF-Net N.

The example in Figure 3.51 illustrates the SecA-WF-Net of the DMV SecANet. Again, similarly to the loop and re-enactment constructs, the workflow-structure-generating construction is intended only to provide the structure of a WF-net and, at the same time, preserve the given functionality and encoding of a SecANet. Hence again, the intention in these constructions is that the related transitions could be set to silent, and yet the basic behavior, meaning, and interpretation of the SecANet would remain. Based on this workflow-structuredness, the soundness of a SecA-WF-Net can now be defined in relation to all three workflow soundness conditions. In addition to SecANet soundness, now the “proper completion” condition can also be included. In a SecA-WF-Net, “proper completion” means the extinction of all tokens in all places except the token in $p_0$. Accordingly, the soundness of a SecA-WF-Net that contains a sound workflow net can be defined.

Definition 3.74 (Soundness of a SecA-WF-Net)

A SecA-WF-Net N with input place i and output place o is sound if the following conditions are met:

(i)
Obstruction-Freeness (or Option to Complete): For each case and any marking reached from the initial marking, it is always possible to reach a state that marks the end place o; that is, $\forall m \in R(N, i)$, $m(o) \in R(N, m)$;
(ii)
Proper Completion: If o is marked, all other places of the SecA-WF-Net are empty for a given case; that is, $\forall m\in R(N, i)$, if $o\in m$ then $m = \{o\}$;
(iii)
Satisfiability (or No Dead WF Tasks): It is possible to execute an arbitrary WF task by following the appropriate firing sequence through the WF-net; that is, $\forall t\in T,\; \exists m\in R (N, i)$ such that $(N,\ m)[t\rangle $.

Analogously to SecANet soundness, the soundness of a SecA-WF-Net then implies obstruction-freeness and satisfiability. For the extension of the SecA-WF-Net, the transition $t^*$ is added as the outgoing transition of $p_o$ and as the incoming transition of $p_i$, hence there are two additional arcs, $\langle p_o, t^* \rangle $ and $\langle t^*, p_i \rangle $ (as indicated in Figure 3.50). The extended SecA-WF-Net can be used to check for deadlock-freeness or liveness of the workflow tasks. Analogously to the findings in [7], a SecA-WF-Net is sound if the extended SecA-WF-Net is live and bounded. Since the boundedness of a SecANet—specifically, its safeness—has been considered in all modeling steps so far, a SecA-WF-Net is assumed to be safe as well. A SecA-WF-Net that is not bounded violates the SecANet encoding and is not interpretable as such. Moreover, it is assumed that the WF-net encapsulated in a SecANet is a sound (and safe) workflow net.

Hence in order to determine the soundness of a SecA-WF-Net, first and foremost its liveness has to be determined. It is important to note that so far, liveness could be considered only for the actual workflow tasks. Moreover, a SecANet can contain cancellation transitions that never become enabled (i.e., they are dead). For example, the cancellation of a user-task assignment may never require the cancellation of the unassigned place $p_{u-}$ or the assigned place $p_{u+}$, since the corresponding task is always executed. In contrast to that, liveness of the overall net results from the fact that the net has no dead transitions, that is, every transition is live. This means that every transition of a net can be infinitely enabled through some feasible sequence of firings from any marking in $[m_0\rangle $ (cf. Definition 3.11). Figure 3.52 illustrates how a SecA-WF-Net could be extended to allow checking for the liveness of the entire net. Thus methods of analysis of workflow soundness could be applied to SecANet soundness more easily. The liveness of the extended SecA-WF-Net could then be checked with no restrictions and without having to consider workflow tasks only.

Applicability of Reachability, Deadlock, and Liveness Analysis:

A SecA-WF-Net can be analyzed by applying methods from WF-net-related analysis and tools examining WF-net soundness—or, more generally, from reachability analysis. Moreover, the extended SecA-WF-Net allows the use of rather efficient methods that investigate the liveness of its workflow tasks as well as the deadlock-freeness of the entire net. Thus similarly to WF-nets, an extended SecA-WF-Net allows for the use of standard Petri-net-based analysis tools to decide its soundness [7]. For example, off-the-shelf model checkers can be used to analyze the liveness of its workflow tasks.

3.2.7 Experimental Evaluation

This section will demonstrate the applicability of Petri net analysis tools to the SecANet approach and compare the results to a typical existing approach for solving the workflow satisfiability problem (WSP). The SecANet model will be used to show how Petri net tools can be applied to examine obstructability as well. Thus it will be possible to determine SecANet soundness and draw potential benefits from using Petri nets to analyze satisfiability and obstructability.

Since it is difficult to acquire real-world WSP instances [48, 206], the random-instance generator described by Cohen et al. [48] was adapted in order to obtain instances of workflows and their policies. The generator considers a number of tasks t, a number of users u, a number of SoD constraints s, and a random-generator seed value. Here, since WSP instances usually do not contain exclusive or cyclic paths (cf. Chapter 2), each instance also requires that all tasks be performed in order to complete the workflow execution. Therefore, for the sake of simplicity, the t tasks of each instance are assumed to be performed in sequential order. For each user, the generator creates a uniformly random authorization list TA(u) such that the number of permissions per user, |TA(u)|, is selected uniformly from $\{1,\ldots ,\lceil \frac{t}{2}\rceil \}$ at random. It also generates s distinct not-equals constraints uniformly at random [48]. Then for these instances the SecANet is generated according to the definitions in Section 3.2.2. Note that the WSP instance generator does not explicitly consider BoD constraints. Although the SecANet encoding allows the encoding of BoD constraints, for purposes of comparability, BoD constraints will not be considered here. As indicated before, SoD constraints are sufficient to cause obstructed states.

To sketch the runtime behavior of analyzing satisfiability or obstructability, different example nets with an increasing number of tasks, users, and SoD constraints are generated. Figures 3.53 and 3.54 give rough impressions of the smaller instances encoded in the net SecANet representation. A graphical display of larger instances quickly exceeds paper size. In a suitable zoomable digital frame (or on larger paper), a more extensive SecANet is still graphically more intuitive than a purely textual description, since it facilitates understanding of the interdependencies that lead to obstructions.

The experiments were conducted on a MacBook Pro machine, with 8 GB RAM and an Intel Core i7 3 GHz CPU. In order to analyze the WSP instances with a common satisfiability analysis technique, they were encoded using pseudo-Boolean (PB) constraints based on Wang et al. [207] and then solved by the PB solver SAT4J [29]. In a SecANet, satisfiability can be examined by checking whether all WF tasks are not dead (cf. Section 3.2.6.1 on SecANet soundness). For this, the Low Level Petri Net Analyzer (LoLa) was used. That is a well-established, state-of-the-art Petri net analysis tool, which constantly participates in the Petri net Model Checking Contest (MCC)^{Footnote 17} and demonstrates its competitiveness with other Petri net verification tools. In order to illustrate the time needed to analyze obstructability, the “option to complete” was considered in the test as well. Table 3.1 shows the results of checking different instances for satisfiability and obstructability^{Footnote 18}. The cells with an ${\checkmark }$ indicate that the PB formula or the respective soundness condition could be satisfied. Cells with an ✗ highlight unsatisfiable or obstructable instances. In their solutions, both tools offer witness assignments (SAT4J) or witness firing sequences (LoLa) that encode satisfying user-task assignments or cause obstructions. Moreover, since LoLa kills the computation when the computation of the “option to complete” exceeds about 20 minutes, the results for some instances are unknown (the respective results are indicated by a hyphen). It can be seen that the SecANet encoding of the first and fifth WSP instances are sound as well. In terms of computation time, Table 3.1 suggests that the Petri-net-based satisfiability analysis outperforms the analysis of the SAT4J solver by a factor of at least 10. In this regard it should be noted that the SecANet allows examination of the “no dead tasks” property by checking only whether the last task in the execution is not dead. Based on the sequential task order and the considerations regarding the “no dead WF tasks” condition of SecANet soundness, a fireable last WF task renders the entire workflow satisfiable. For the obstructability analysis, the overall rapidly growing time consumption indicates exponential (hence non-polynomial) run-time behavior, which is typical for questions concerning reachability. Checking the “option to complete” condition in a SecANet means a significantly higher level of effort is needed, since from each reachable state it has to be checked whether some marking m that contains the output place, that is, $m\ge p_o$, is reachable.

Table 3.1 The runtime (in seconds) for analysis of example WSP instances is displayed after the result (i.e., ${\checkmark }$ or ✗). Satisfiability was computed with the SAT4J solver and LoLa, which checked the “no dead transitions” (NDT) condition. For obstructability, LoLa checked the “option to complete” (O2C)

Full size table

In conclusion, the tests suggest that the SecANet approach is useful for analyzing satisfiability and that it performs better than the SAT4J alternative. Since there are more elaborate specialized tools for analyzing satisfiability, further approaches could be considered here as well. Moreover, the decreasing runtime for checking the option to complete for the 10/12/22 instance suggests a more detailed investigation of how a higher number of constraints tends to lower the computational runtime. However, the foremost intention of running the displayed experiment was to show the applicability of Petri net analysis tools to the SecANet approach. To the best knowledge of the author, there is no other approach that solely uses Petri nets to solve satisfiability or obstructability.

3.2.8 Discussion

The SecANet approach provides a holistic basis not only for solving questions concerning satisfiability and obstructability but also for resolving obstructions, which will be examined in subsequent chapters. This chapter has introduced the SecANet encoding, which allows flattening of a security-aware process specification containing the workflow, its corresponding user-task assignments, and its authorization constraints into one Petri net such that obstructions can be captured and analyzed. Therefore, the requirements concerning the obstructability analysis set up in Chapter 2 have been addressed to a large extent. The SecANet encoding integrates common constraints (ROA-4) and a comprehensive workflow structure (ROA-2) and allows for encoding and capture of the state of obstruction (ROA-7). Thus it is possible to do ordered assignments of users, as well as pre-assignments (ROA-1). The SecANet encoding is also able to map costs to each of its elements (ROA-6). Execution sequences of the SecANet can be used to generate satisfiable or obstructed partial plans (ROA-5). Thereby, the modeling and encoding have been done in such a way that rather efficient techniques—for example, to check the soundness of a net or an extended net—are applicable (ROA-3). Here in particular, the method used in modeling the constraints, the effort to use efficient techniques, and the question of how additional constraints could be taken into account leave room for discussion.

3.2.8.1 Method of Modeling

In general, it can be observed that the modeling of the different elements of the policy integrated onto the control flow manifests itself as “permissive” or “restrictive” modeling. Whereas the modeling of authorization explicitly states what is allowed (permissive), the modeling of constraints implicitly determines what is not allowed (restrictive). In the context of language, analogously to permissive or restrictive modeling, one can also speak of language-extending and language-restricting modeling. For example, the modeling of authorizations adds behavior by adding new letters, while the modeling of constraints restricts existing behavior. Thus the question of whether an added net construct is permissive or restrictive can also be identified by observing its impact on the language.

This distinction between permissive and restrictive modeling also allows for explanation of the differences in the traceability of the policy elements. Whereas the user-task assignment would directly provide reconstruction or retracing of the authorization policy by the user-task transitions, this is possible to only a limited extent for constraints. The proposed method of modeling assumes a set of users and a corresponding user-task assignment such that a constraint can be applied only to user-task assignments that are affected by that particular constraint. A constraint is encoded and retraceable only if there are user-task assignments to which the constraint applies. If there are no user-task assignments affected by a constraint, the SecANet approach does not allow for direct representation of such a constraint in the model. Still, the constraint is implicitly given and does not cause unwanted behavior. This situation is also known as static SoD or static BoD [93]. Hence the visibility and the traceability of constraints in the SecANet model depend on the specific user-task assignments. Analogously, the distinction between “permissive” and “restrictive” applies to the existence or absence of the free-choice property. If a choice between transitions is indeed free, then the choice is explicit, and it is permitted to choose between the options provided. When a choice between transitions is not free, there are further conditions that may restrict the choices. The options can then differ depending on whether these further conditions are fulfilled or not.

3.2.8.2 Time, Space, and Output Memory Requirements

Regarding the computational complexity, in particular, the acyclic SecANet encoding is of interest. The input of the cyclic encoding, in turn, is the output SecANet obtained by the acyclic approach and a set of re-enactment transitions that indicate cycles (cf. Algorithm 3.1). In enhancing the acyclic SecANet with loop-related functionality, the cyclic approach benefits from the net structure already computed by the acyclic encoding. Here, especially the more complex computational compartments of the acyclic approach concerning constraint-related elements will be essential. Moreover, the consideration of acyclic policy-aware workflow nets will allow comparability since related approaches (e.g., regarding the WSP) are typically based on similar input parameters.

For the acyclic SecANet approach that runs on an instance of a policy-aware workflow net $\langle N,U,TA,C\rangle $ (cf. Definitions 3.29, 3.30, 3.31, and 3.32), the upper bound complexity will be measured in terms of $n = |U|$, $k = |T|$ (i.e., the tasks encoded by transitions in the workflow net N), and $m = |C|$. The set of user-task assignments TA and its corresponding set of assignment list $\mathcal{T}\mathcal{A}$ corresponds to k lists each of size at most n (which is, for example, comparable to the WSP instances considered by Cohen et al. [50]).

Time Complexity:

Based on the assumption that each task has at least a single user assigned, that is, $|TA|\ge |T|$, a marked place $P_{t-}$, an unmarked place $P_{t+}$, and a flow relation $\langle P_{t+},t\rangle $ are created for each task—which is considered as three computational steps. Analogously, based on each entry in the task-assignment list TA(t), a user-task transition is created together with two arcs that connect $P_{t-}$ and $P_{t+}$ as incoming and outcoming places, respectively, which results in three computing steps for each user-task permission. That way, the complexity to encode the authorization policy is $3*\big (|T|+|TA|\big )$. All possible pairwise combinations of tasks determine the maximal number of constraints, that is, $|C|=\Sigma _{i=1}^{|T|-1}i=\frac{1}{2}(-1 + |T|)*|T|$. The variable $s\in \left[ 0;1\right] $ determines the percentage share of SoD constraints of the total number of constraints, such that $|C_{SoD}|=s*|C|$. The proportion of BoD constraints b thus results from $b=1-s$, accordingly $|C_{BoD}|=(1-s)*|C|$. Finding a match between users in the user lists for the two tasks affected by a constraint creates a constraint place and corresponding arcs. In terms of SoD constraints, this means creating the marked SoD place $P_{SoD}$ and the arcs for its two outgoing user-task transitions, thus three steps. It is assumed that the same number of users is assigned to each tasks such that all lists have the same length $\frac{|TA|}{|T|}$. That way, multiplying the number of steps required for comparing each user of each task list with each user of the other task list by the maximal number of constraints |C| also maximizes complexity for the overall search for matches. For a BoD constraint, a marked constraint place $P_{BoD}$, a single arc connecting the BoD place with the user-task transition from the user from the list of the one task, and $|\frac{|TA|}{|T|}|-1$ arcs that connect the BoD place with the user-task transitions from all the other users from the list of the other task are created—so $1+1+\frac{|TA|}{|T|}-1=1+\frac{|TA|}{|T|}$ steps. If there exist matches for all users in the lists, this means that $\frac{|TA|}{|T|}=|U|$, such that the number of steps needed to find each pair is $\Sigma _{i=1}^{\frac{|TA|}{|T|}}i=\frac{1}{2}*\frac{|TA|}{|T|}*\big (\frac{|TA|}{|T|}+1\big )$. In case no match is found, the comparison of each entry of one list with each entry of the other list requires $\big (\frac{|TA|}{|T|}\big )^2$ steps. However, because of $n=|U|$, finding no matches would imply different users assigned to each task (i.e., only $\frac{|U|}{|T|}=\frac{|TA|}{|T|^2}$ users for each task). Then, the comparison of each entry of one list with each entry of the other list only demands $\big (\frac{|TA|}{|T|^2})^2$ steps. Thus, as the input size increases, the search complexity to find no pairs is less than the complexity required to find matches only. The maximal number of steps for the flattening of all BoD constraints, therefore, results in $\frac{1}{2}*\frac{|TA|}{|T|}*\big (\frac{|TA|}{|T|}+1\big )+\big (\frac{|TA|}{|T|}*\big (1+\frac{|TA|}{|T|}\big )\big )=\frac{3}{2}*\big (\frac{|TA|}{|T|}\big )^2 + \frac{3}{2}*\frac{|TA|}{|T|}$, and $\frac{1}{2}*\frac{|TA|}{|T|}*\big (\frac{|TA|}{|T|}+1\big )+\big (\frac{|TA|}{|T|}*3\big )=\frac{1}{2}*\big (\frac{|TA|}{|T|}\big )^2 + \frac{7}{2}*\frac{|TA|}{|T|}$ for SoD constraints, respectively. The runtime complexity of the SecANet encoding for the overall policy (i.e., the authorization policy and the constraints) results in:

$$\begin{aligned}&(1-s)*|C|*\bigg (\frac{3}{2}*\bigg (\frac{|TA|}{|T|}\bigg )^2 + \frac{3}{2}*\frac{|TA|}{|T|}\bigg ) \\ {}&\quad + s*|C|*\bigg (\frac{1}{2}*\bigg (\frac{|TA|}{|T|}\bigg )^2 + \frac{7}{2}*\frac{|TA|}{|T|}\bigg ) + 3*\big (|T|+|TA|\big ) \end{aligned}$$

Although this formula allows considering different $\frac{|TA|}{|T|}$-ratios, the worst-case assumes that the maximal number of steps is obtained by $\frac{|TA|}{|T|}=|U|$, which results in:

$$\begin{aligned} (1-s)*|C|*\bigg (\frac{3}{2}*|U|^2 + \frac{3}{2}*|U|\bigg ) + s*|C|*\bigg (\frac{1}{2}*|U|^2 + \frac{7}{2}*|U|\bigg ) + 3*\big (|T|+|T|*|U|\big ) \end{aligned}$$

$$\begin{aligned} \Leftrightarrow (1-s)*m*\bigg (\frac{3}{2}*n^2 + \frac{3}{2}*n\bigg ) + s*m*\bigg (\frac{1}{2}*n^2 + \frac{7}{2}*n\bigg ) + 3*\big (k+k*n\big ) \end{aligned}$$

That way, |U| determines both the number of users and the number of users assigned to each task. Moreover, assuming $\frac{|TA|}{|T|}=|U|$ takes care of the case that |TA| must not be smaller than |T|. Because encoding BoD constraints requires more steps, the complexity is maximal if $s=0$ (or $|C|=|C_{BoD}|$), which results in $m* (\frac{3}{2}*n^2 + \frac{3}{2}*n) + 3*k*(1 + n)$. Hence, the acyclic SecANet encoding is in the class of efficient algorithms that run in quadratic time $O(m* n^2)$. Thus, it belongs to the class of FPT-algorithms $O(f(k)*n^c)$ (cf. Chapter 2). Based on the worst-case assumption that the maximal number of constraints is $m=f(k)=(\frac{1}{2}*(k-1)*k)$, this results in $(\frac{1}{2}*(k - 1) *k)*(\frac{3}{2}*n^2 + \frac{3}{2}*n) + 3*k*(1 + n)$ which is in $O(n^2*k*(k-1) + (k^2*n))$. From practice, it can be assumed that the number of tasks usually is an order of magnitude smaller than the number of users [50]. Even the case that $n=k$ results in $\frac{3}{4}*n^4 + \frac{9}{4}*n^2 + 3*n$ and still is in quartic complexity in the number of users (i.e., $O(n^4)$).

Space Complexity:

For all steps, a constant number of iteration variables can be assumed. The authorization-related elements can directly be created by iterating over the task-assignment lists in $\mathcal{T}\mathcal{A}$, which gives the list of users assigned to each task. Moreover, based on each constraint in C involving a pair of tasks, the corresponding lists of users can be obtained again based on the given input. Hence, besides a fixed number of iteration variables, no additional input-dependent space is required to iterate over the lists for two tasks. All generated elements are directly written to the output (which is not read again). Hence, the acyclic encoding is in constant space complexity O(1).

Input/Output Ratio:

If one compares, for example, the XES log format mentioned in Chapter 2 with the older MXML log format, the MXML format requires about four times the memory for identical log content. Similarly, based on the memory required for the policy-related part in a policy-aware workflow net, which constitutes the inputs of WSP problem instances, a comparison is possible to the output memory used by the SecANet. However, such a comparison must take into account that the SecANet brings a significant added value compared to the plain input contained in a policy-aware workflow net. First, in a SecANet, there is a place pair $|P_{-+}|=2$ for each task, thus $|\dot{P}_{TA}|=2*|TA|$. Moreover, the number of user-task assignments |TA| in the policy determines the user-task transitions $|\dot{T}_{TA}|$ in a SecANet. Additionally, for each user-task transition, two arcs connect it to the places indicating unassignment and assignment, and there is an arc that connects the corresponding task, which sums to $\dot{F}_{TA}=|TA|*2+|T|$. Hence, all Petri net elements related to |TA| result in:

$$|\dot{P}_{TA}|+|\dot{T}_{TA}|+|\dot{F}_{TA}|=2*|TA|+|TA|+|TA|*2+|T|=5*|TA|+|T|$$

Similarly to the maximal runtime complexity, the maximal number of elements is assumed if all users are assigned to all tasks ($\frac{|TA|}{|T|}=|U|$). Then, for large $n=|U|$, the input/output ratio for the authorization-related input $|TA|+|T|=|U|*|T|+|T|$ converges to the factor:

$$\begin{aligned} \lim _{n\rightarrow \infty } \frac{k + 5*n*k}{k + n*k} =5 \end{aligned}$$

Analogous to the runtime complexity, the worst-case assumption for the output is that all users assigned to the two tasks involved in a constraint are also affected by the constraint. This results in the number of constraint places $|\dot{P}_C|=|C|*\frac{|TA|}{|T|}$ for both cases $\dot{P}_C=\dot{P}_{SoD}$ and $\dot{P}_C=\dot{P}_{BoD}.$ The difference here lies in the number of arcs, namely $|\dot{F}_{SoD}| = 2*|\dot{P}_{SoD}|$ and $|\dot{F}_{BoD}| = \frac{|TA|}{|T|}*|\dot{P}_{BoD}|$, respectively. Hence, the worst-case output memory required for all policy-related elements of the SecANet results in:

$$\begin{aligned} \Big (\big (\frac{|TA|}{|T|}+1\big )*(|C_{BoD}|*\frac{|TA|}{|T|})\Big )+\Big (3*|C_{SoD}|*\frac{|TA|}{|T|}\Big ) +\Big (5*|TA|+|T|\Big ) \end{aligned}$$

Here, the worst-case assumption again is that every user is assigned to every task:

$$\begin{aligned} (1-s)*|C|*\big (|U|^2+ |U|\big ) + 3*s*|C|*|U| + 5*|U|*|T| + |T| \end{aligned}$$

$$\begin{aligned} \Leftrightarrow (1-s)*m*(n^2+n) + s*m*3*n+ 5*k*n +k \end{aligned}$$

Hence, while the output of authorization-related elements is approximately five times the input size only, the encoding of constraints significantly increases the input size $m=|C|$ by factor $\frac{m*(n^2+n)}{m}=n^2+n$ (only BoD) and $\frac{m*3*n}{m}=3*n$ (only SoD), respectively. Still, in the face of both the pessimistic worst-case assumptions and the added value of the SecANet output—in particular, its graph-based policy visualization, its execution semantics, and its applicability to Petri net-related analysis—the increased output memory requirements can be regarded as moderate.

3.2.8.3 More Efficient Analysis

Although the SecANet has important properties for fostering an efficient computation—for example, the overall net still represents a safe P/T net—the exponential growth of the runtime in obstructability analysis indicated by the example in Table 3.1 underlines the necessity to strive for more efficient techniques. Here, for a more efficient analysis of the obstructability of a SecANet, the repeatedly discussed endeavor of achieving the free-choice (FC) property could be pursued further. The rationale is that the satisfiability and obstructability of a live, safe, and reversible free-choice SecANet may be efficiently solvable as well. The previously explained transformations for arbitrary Petri nets into free-choice nets [124, 187, 188] can be used for that purpose. However, making a net “free choice” would be accompanied by a further increase in the structural complexity of the net. More precisely, assuming a SecANet that contains a free-choice WF-net, the free-choice transformation has to be done for all other net constructs, that is, the user-task assignments, constraints, and re-enactment-related constructions would have to be transformed accordingly.

Because of the structural properties of the SecANet modeling and the assumed block structure, the non-free-choice (NFC) elements of a net that have been considered here are indeed not so “arbitrary.” They already show such a structural limitation that they can be transformed into a free-choice net by only a few modifications. Figure 3.55 depicts a method by which the example DMV can be transformed into a free-choice net. For each user-task assignment, a single transition and a single place are added. Moreover, for each user-task assignment affected by the SoD constraint, a place and transition are inserted as well, hence each choice must be made explicitly. For example, not only does the SoD place restrict the execution of user tasks, but it has to be explicitly decided whether the SoD place is to be put into action as well as for which user-task assignment it should take effect. The free-choice-related elements, therefore, allow a more detailed breaking down of the decisions taken during the process. Currently, the transitions are silent and do not add behavior to the net. However, one could also consider labeling them—for example, in order to explicitly encode the choices made in the execution sequences as well.

Hence although the increase in the structural complexity of the example DMV which is caused by the transformation into a free-choice net remains moderate, the transformation extends the state space and creates intermediate transitions. Both the new states and the new transitions demand interpretation. In this regard, the marking in Figure 3.56 relates to the obstruction marking of the DMV SecANet. Figures 3.57 and 3.58 display new variants of terminal markings that seem to obstruct as well.

On the one hand, the results of a free-choice SecANet can be interpreted with regard to the initial SecANet. Here, the markings in Figures 3.56 and 3.57 could be interpreted as “false-positive” obstruction markings, since they have no obvious relation to any marking of the underlying SecANet. In fact, in Figure 3.58 it looks as though the SoD constraint is fired “the wrong way,” and that it is even more restrictive. Such false-positive obstructions could be filtered out by backward firing the leftover tokens in the FC places (directly above the user-task transitions) of the terminal marking.Thus the firing is first reversed such, so that the corresponding user-task assignment or constraint place is marked again. Then if some firing sequences allow escaping the deadlock, the marking is not a “real” obstruction. For example, the deadlock in Figure 3.58 could be resolved by backward firing the SoD-related token in the free-choice place and then firing the right-hand SoD transition of the free-choice-related nodes. Thus $t_{u_1t_2}$ would be enabled in such a way that the deadlock would be resolvable. If SoD places do not affect a workflow execution, it would not matter if the left-hand or right-hand FC-SoD-transition is fired. Based on this backward-firing method, all example deadlock markings can be avoided, except for the marking in Figure 3.56, which is the one that represents the SecANet obstruction.

On the other hand, these new markings could also be re-interpreted with regard to the initial SecANet. For example, the free-choice-related Petri net elements could be interpreted as a sort of assignment reservation, anticipation, pre-assignment, or pre-decision, and as such could encode further states. Moreover, these elements could be related to costs. In an SoD constraint, for example, costs could be assigned to the FC elements to determine which of the user-task assignment should preferably be enabled.

Hence a free-choice SecANet would require some filtering of the results or at least some rules of interpretation, but it seems as though the effort needed for such a transformation would be manageable. Moreover, there seem to be only false-positive obstructions and no false-negative ones. Thus in case of doubt, the result of an analysis of a free-choice SecANet may be too restrictive, but at least it would not overlook obstructions. Regardless of the chosen interpretation, by such a “free-choice preprocessing” the analysis of SecANet soundness may be done more efficiently. Therefore, it would be interesting to compare the potential increase in efficiency with the increase in net elements (i.e., the structural complexity) caused by the free-choice transformation and how the computation of the initial NFC SecANet compares to it. Here, the free-choice transformation of the re-enactment constructions for a cyclic SecANet or a SecA-WF-Net seems to be structurally much more complex.

Besides the effort to make a SecANet free choice, SecANet-specific analysis could be refined and certainly optimized. Based on the well-defined SecANet construction rules elaborated in this chapter, the SecANet offers the possibility for further structural analysis, property-preserving reductions, or simplification of the nets. For example, in order to reduce search space, only places or transitions which are of interest in regard to the occurrence of an obstruction could be considered. Then, for example, the question of whether every transition related to re-enactment is live could be ignored. Furthermore, the identification of typical obstruction patterns could facilitate the search for obstructions.

3.2.8.4 Common and Further Constraints

The applicability of the SecANet approach has been illustrated for common constraints, namely user-task assignments and SoD/BoD constraints. Thus far, in order to cause obstructions, SoD constraints have been of greatest interest. The neglect of BoD constraints is not unusual in WSP research. There, BoD constraints are eliminated during preprocessing, before solving a WSP instance [48]. On the one hand, the relation of BoD constraints to obstructability depends on how consistently a BoD is actually defined and whether it is considered in the authorization policy as well. Since a BoD constraint binds two tasks to the same user, if a certain user is not authorized for both tasks and executes one of them, the other task is not trivially executable. For example, Figure 3.26b displays an encoding of a BoD constraint, which may indeed cause such an obstruction, namely, if $t_{u_2t_1}$ is executed. Because of the missing assignment of user $u_2$ to $t_2$, this part of the BoD constraint cannot be trivially fulfilled. Here, one could indeed consider eliminating the assignment encoded by $t_{u_2t_1}$. On the other hand, even if such contradictions between BoD constraints and the authorizations are avoided, the BoD constraints can still foster obstructions, since they basically restrict possible user-task assignments. This can in turn restrict the user-task assignments that satisfy the SoD constraints. As an example, Figure 3.59 shows a variation of the DMV SecANet that can obstruct because of the interplay between the SoD and BoD constraints. In that case, the workflow offers the additional possibility that the person who will later control the market value is first asked to compute an independent market value without bias. This could be done on a random basis—or, for example, if the calculated market value exceeds a certain threshold. Figure 3.60 shows the corresponding obstruction marking, which occurs after $t_{u_1t_1}$, $t_1$, $t_{u_1t_3}$, and $t_3$ are fired. Here, on the one hand a BoD constraint obstructs the execution of $t_{u_3t_4}$, and on the other hand an SoD constraint obstructs $t_{u_1t_4}$.

In general, the constraints considered so far in the SecANet modeling represent entailment constraints that are sufficient to obstruct the process. The basic assumption for SecANet modeling is that the scope of the constraint entails two tasks. However, if one or both sides of a binary constraint encompass sets of tasks, this can be encoded with several choice places where each place models a separate conflict between two user-task assignments. Thus the entailment constraints that encompass sets of tasks can be broken down into several conflicting user-task pairs. The flattening does not restrict these entailment constraints in terms of the cardinalities of the involved sets of tasks. However, the focus is on the basic constraint on two singletons, which allows for straightforward application and explanation of the approach. However, beyond SoD or BoD constraints, there are further constraints (cf. Section 2.1.2.4), such as counting constraints, that could contribute to the occurrence of obstructions but are not yet covered by the approach. Moreover, role-based access control models could be integrated as well.

In general, the policy encoded in the SecANet can also be seen as a conflict between the allocation of resources, where the resource is the token that allows assignment. The notion of resource allocation becomes even more apparent in the modeling of the availability of resources or users. In this regard, one could think of how a task-specific subnet could be modeled that encodes resilience and and then incorporates it into the given net. In order to address such extensibility, in the final section of this chapter an extension of the SecANet approach will be presented, namely SecANet+. That can be seen as the epilogue of this chapter and suggests a general extensible framework for modeling of security-aware Petri nets that incorporates the policy elements considered so far as well as further constraints or restrictions that may impede the process execution.

3.3 SecANet+: Extension of the SecANet Approach

SecANet+ generalizes the SecANet approach with a deliberate focus on extensibility and modularity. Still, the preceding description of the SecANet approach is necessary to understand the idea, meaning, and purpose of the SecANet+ approach in context. The SecANet approach integrates all net elements directly into the workflow net. Then the decomposition of the SecANet allows for the determination of the language of its subnets and the composition of its overall language (cf. Section 3.2.4.5). SecANet+ , in contrast, aims to build the individual (sub)nets first and then combine these nets. Therefore, the properties and languages can be directly determined for each net separately and for the combined nets, so that there is no need for an elaborate decomposition and recomposition. Again, the use of Petri nets will be rewarding, since the previously introduced net synchronization operator (subsequently indicated by $sy_{\varSigma }$) will play a central role. Although the composition of languages will need to consider the prefix language, the nets and languages resulting from the SecANet and SecANet+ are the same for the same input and modeling method. Because of its modular setup, the SecANet+ approach builds the basis for further extensions—for example, for further constraints or to model further behavior that in some way constrains or restricts the workflow execution.

The overall framework of the SecANet+ approach is depicted in Figure 3.61. As with SecANet, the intuition behind SecANet+ is to capture every input in a process-oriented way—in particular, by including further inputs that in some way restrict the execution of tasks, such as counting not only the constraints but also user absences. The SecANet+ approach is twofold:

1.
Creating nets for each input: The arrows in Figure 3.61 indicate these separate modeling steps for each of the considered inputs. Here, it is key to consider how the different inputs that contribute to the overall process in some way relate to each other. For example, a user-task authorization and the workflow may overlap with their tasks, or an SoD constraint and a user-task authorization may overlap in their user-task assignments. Those overlapping areas contain the “common denominator” of the transitions that build the interfaces that will be used to synchronize the individual nets. This explicit transition-oriented modeling also provides the basis for further extensions. Here, the examples in Figure 3.61 indicate only the broad range of inputs that may restrict the process execution in some way. User-activity assignments can, for instance, also be related to the availability of users, which could be used to glue together models that encode resilience. In order to create the nets of further inputs, searching for the intersections of transitions must be done in more than just a formal (theoretical) sense. Some thought must be put into the modeling and behavior of the inputs. Their execution semantics and states need to consider the other inputs as well as the overall process.
2.
Combining the nets. The “common denominator” builds the interface that combines the transitions of each modeled net. Therefore, in this step the resulting nets are successively combined into one representation by using the synchronization net operator (indicated by $sy_{\varSigma }$ in Figure 3.61). As previously explained, the synchronization operator can synchronize two nets with each other by using the activity or transition labelings that are in both nets (i.e., their “common denominator”).

By this modular, twofold approach, the SecANet+ provides higher modularity and flexibility in choosing the constraints that affect process execution in some way as well as in combining them into a single representation. Elements of the encoded policy can be stored and kept available. For example, the policy nets and workflow nets could be created and maintained independently of each other in a kind of construction kit which could be combined (or synchronized) only when required. This could save repeated modeling effort, since, for example, the same policy element can be applied to different workflow constellations or only slight adjustments in transition labeling would be required to re-use a modeled net, for example, because of changes in activity names. Moreover, changes that affect only parts of the policy may be done in a better way, without recomputing the entire encoding. Thus it could be possible to remove unused parts of an already existing policy.

In order to explain the SecANet+ approach, this section will first show how to create the building blocks that represent the different process-specific inputs and then later show how to compose them. Since much of this is similar to the SecANet approach, only the key points will be examined more closely, and they will be explained only by way of example, in order to show the applicability. For this reason, first the creation of the policy-related nets that consider the authorization policy and SoD constraints that are comparable with the SecANet approach are described. Then the combination of the resulting nets is described and exemplified with the DMV SecANet. As a final example of an extension of the approach, user availability will be modeled in a way that encodes resilience.

3.3.1 Create and Combine Policy Nets for Workflows

Figure 3.62 depicts the application of the SecANet+ approach to the considered security-aware process specification, namely a WF-net, a user-task authorization, and SoD constraints. What the processes, the authorization, and the constraints all have in common is their consideration of the activities in some way. More precisely, the “common denominator” of the inputs considered so far consists of the process tasks or the user-activity assignments, as depicted in Figure 3.62. Here, modeling of the individual inputs is indicated by separate rectangles. Then these individual nets are combined by synchronizing the net on their common transitions (i.e., $\Sigma _{input_1}\cap \Sigma _{input_2}$). Note that, in contrast to the decomposition of the SecANet, the terminal markings resulting from the overall composition of the different nets cannot be determined prior to the synchronization. If, for instance, the only final marking which was assumed for a net that models user-task authorization is $\emptyset $, this would then exclude other terminal markings that would result from synchronization. Therefore, the final marking is assumed to contain all reachable markings. Accordingly, the final marking determines the prefix language of the net (cf. Definition 3.41).

3.3.1.1 Creating Policy Nets

The generalized encoding of acyclic nets is described here, and it will be illustrated by the example DMV process in Figure 3.21. As mentioned in the first step of the approach, it must first be known which of the nets are to be combined later. Hence the first step of the approach is to model the policy with Petri nets. Thus the policy modeling presented in Section 3.2.2 can now be adapted to the creation of individual processes, independent of the process model, so each Petri net can be regarded separately (cf. Figure 3.62). In order to avoid confusion with previous definitions of the SecANet encoding, “tasks” will now be termed “activities.”. Therefore, in the SecANet+ approach, the user-task authorization TA will be replaced with user-activity authorization UA, where the set of activities A is used analogously to the set of tasks T. In order to have common transitions in the two nets, a user-activity Petri net models the activity for which it describes the given authorizations.

User-Activity Petri Net:

Since the actual user-activity assignment and the subsequent access to the activity shall be modeled, the activity needs to be involved as well. Equivalently to the SecANet, “$-$” stands for the “unassigned” state, and “$+$” stands for the “assigned” state.

Definition 3.75 (User-Activity Petri Net).

Let $a \in A$ be an activity such that there exists a user $u \in U$ where $(u,\ a)$ is an element of the user-activity relation $ U\!A\subseteq U\times A$ , that is, user u is mapped to activity a . Hence the set of all users authorized for activity a can be denoted by

$U_{a} = \{u | u \in U,\; (u,a)\in U\!A\} = \{u^a_1, u^a_2, \ldots , u^a_n | n= |U_a |\} $.

Based on this, the language-generating Petri net for activity a,

$N^{U\!A}_a= \langle P,T,\mathcal {F},m_{0}, [m_{0}\rangle , T,\ id_T\rangle $ , is defined with

$P_{a-+}= \{p^-_a, p^+_a\}$ ,

$T= \{t_{a}\}\cup \{ t_{ua} | u \in U_a \}$ ,

$\mathcal {F} = \{\langle p^-_a, t \rangle , \langle t, p^+_a \rangle | t \in T - \{t_a\}\} \cup \{\langle p^+_a, t_a \rangle \}$ , and

$m_o= \langle 1,0 \rangle $ . The figure below shows the graphical representation of such a net $N^{U\!A}_a$ :

Figure 3.63 shows an example of the encoding of the user-activity assignment for the activity “compute market value” of the DMV process. Given that user $u_1$ and user $u_2$ are authorized for activity $a_1$ and user $u_1$ is authorized for $a_2$, this is formalized with the activity set $A=\{a_1,a_2\}$, the user set $U = \{u_1, u_2\}$, and the user-activity assignment $U\!A = \{ (u_1 ,a_1), (u_2,a_1), (u_1,a_2) \}$. Then for $a_1$ the user-activity Petri net $N^{U\!A}_{a_1}=\langle P,T,\mathcal {F},m_{0} \rangle $ consists of the components

$P= \{p^-_{a_1}, p^+_{a_1}\}$,

$T= \{t_{a_1}, t_{{u_1}a_1}, t_{{u_2}a_1}\}$,

$\mathcal {F} = \{\langle p^+_a, t_{a_1} \rangle ,\langle p^-_a, t_{{u_1}a_1} \rangle , \langle p^-_a, t_{{u_2}a_1} \rangle , \langle t_{{u_1}a_1}, p^+_a \rangle , \langle t_{{u_2}a_1}, p^+_a \rangle \}$,

$m_o= \langle 1,0 \rangle $.

The graphical representation of the Petri net $N^{U\!A}_{a_1}$ is depicted in Figure 3.63. The properties of such a net, as well as its language, are directly observable. User-activity Petri nets are safe (i.e., 1-bounded) and free choice. Compared to the language of a user-task subnet in Definition 3.51, the language of a user-activity net is easier to determine, namely $L(N^{U\!A}_{a})=Pre\, \{t_{u_1a},t_{u_2a},\ldots ,t_{u_na}\}\cdot \{t_a\}$. For the example, the set of possible words of the language of the net is $L(N^{U\!A}_{a_1}) = Pre\, \{ t_{u_1a_1}\; t_{a_1}, t_{u_2a_1}\; t_{a_1} \}$.

Modeling of SoD Constraints:

Analogously to the user-activity assignments, the SoD constraints can be defined as an elementary choice construct, given the type of relation ($\ne $) and the involved activities. In order to allow the combination with the given authorizations, as indicated in Figure 3.62, what needs to be considered are the user-activity authorizations which will later build the common denominator that will combine them with the user-activity nets.

Definition 3.76 (User-Specific SoD Petri Net).

Let $u \in U$ be a user, and let $a, b \in A$ be two activities such that there exists an SoD constraint $c_{SoD}\in C$ of the form $(a, b, \ne )$ , that is, activities a and b may not be executed by the same user, and the user-activity relations $ (u,\ a), (u,\ b) \in U\!A $ . The language-generating user-specific SoD Petri net is defined as $N^{(a, b, \ne )}_u = \langle P,T,\mathcal {F},m_{0}, [m_{0}\rangle ,T, id_T \rangle $ with

$P= \{p^{sod}_{uab}\}$,

$T= \{t_{ua},t_{ub}\}$,

$\mathcal {F} = \{\langle p^{sod}_{uab}, t_{ua} \rangle , \langle p^{sod}_{uab}, t_{ub} \rangle \}$ , and

$m_o= \langle 1 \rangle $. The figure below shows the general graphical representation of such a net $N^{(a, b, \ne )}_u$:

Figure 3.64 is the graphical representation of the SoD net $N^{(a_1, a_2, \ne )}_{u_1}$ of the DMV example and consists of the components

$P= \{p^{sod}_{u_1a_1a_2}\}$,

$T= \{t_{u_1a_1},t_{u_1a_2} \}$,

$\mathcal {F} = \{\langle p^{sod}_{u_1a_1a_2}, t_{u_1a_1} \rangle , \langle p^{sod}_{u_1a_1a_2}, t_{u_1a_2} \rangle \}$, and

$m_o= \langle 1 \rangle $.

It can directly be seen that SoD Petri nets are safe and free choice. The language of such a user-specific SoD net can be denoted by $L(N^{(a, b, \ne )}_{u}) = Pre\, \{ t_{ua}, t_{ub}\}$. Hence the language of the example net is $L(N^{(a_1, a_2, \ne )}_{u_1}) = Pre\, \{ t_{u1a1}, t_{u2a1}\}$.

3.3.1.2 Combining Policy-Related Nets and the Workflow

After these components are created, they are combined by using the net synchronization operator (cf. Definition 3.45). For the sake of clarity, it is recommended hat the respective net types be synchronized first with themselves and then with the other net types, analogously to the order of composition in Sections 3.2.4.5 and 3.2.4.4. Moreover, in order to consider the full behavior of the nets, their prefix languages must be determined. Therefore, all reachable markings represent the final markings. Since the final markings are again transformable into normal form and all nets are free, the language of the combined nets can again be determined with the help of the restriction operator—or, if the synchronization alphabet is empty, by the shuffle operator. For the user-activity assignments and the SoD constraints, the combination of the individual nets ultimately results in the same net as in the SecANet approach. An example of this will now be used to demonstrate the applicability of the approach.

Similarly to the composition in Section 3.2.4.4, the synchronization alphabet for the synchronization of the user-activity nets is empty, since each user-activity net is created separately. Figure 3.65 gives the net of the combined example activity nets, namely $N^{U\!A}_A=N^{U\!A}_{a_1} \; sy_ \emptyset \; N^{U\!A}_{a_2}$. Moreover, analogously to Section 3.2.4.4, its language can be directly deduced, specifically $IMAGE$ . This modular combination allows for direct observation of the properties of the combined net constructs. For example, it can be seen that when the user-activity nets are combined, the resulting nets are safe and free choice. This contrasts with synchronization of user-specific SoD nets, as in Section 3.2.4.4, where the restriction operator $\circledR $ needs to be applied to determine their language. Since in the example there is only one user-specific SoD net, the language of all user-specific SoD nets is $L(N^{SoD}) = Pre\, \{ t_{u1a1}, t_{u2a1}\}$. Figure 3.66 shows the graphical net that results from the synchronization of all net elements for the example net. The synchronized activities are highlighted by “sy.”

Language Composition:

The separate modeling allows for direct examination of the language of the generated nets. Since it is not known beforehand which terminal markings will ultimately result from the synchronization of the nets, the prefix language has to be assumed for the individual nets here. Otherwise, words that might result from later combinations would be excluded from the beginning. Thus the prefix language of each individual net first includes all possible words. In the course of the synchronization, every prefix or word that becomes impossible will be “cut out” step by step. The terminal language of the composed net can then be derived by considering the full prefixes only. Here, the last letter of a word indicates that a terminal marking has been reached. Such a full word sequence of a prefix language ends when there are no further letters that could be appended, that is, when no further markings are reachable. If the words that encode the terminal firing sequences of the combined net contain all the letters of the full prefix words of the prefix language of the WF-net, they represent satisfiable words; otherwise, they represent obstructed words.

To illustrate this, the language of the DMV SecANet+ will be determined. The prefix language of the workflow net $N_{wf}$ that encodes the DMV control flow is $L(N_{wf})= Pre\, (\{t_{a_1}\;t_{a_2}\})$. The synchronization of the prefix language is advantageous, since the intersection operator may easily consider prefixes and not only full words. For example, because of the prefix notation, the word $t_{a_1}$ is already included as a prefix in $L_{wf}=Pre\, (\{t_{a_1}\;t_{a_2}\})$. Thus the prefix notation can be used to determine the (terminal) language of the DMV SecANet more elegantly. First, the languages of the two policy-related nets can be combined.

IMAGE

Analogously, the synchronization of the prefix languages of the policy net and the WF-net is as follows:

IMAGE

Note that, similar to the example decomposition and composition DMV SecANet, the full prefix words $IMAGE$ and $t_{u_1a_1} t_{a_1}$ encode the satisfiable and obstructed words, respectively.

3.3.2 Resilience Extension: Modeling User Absence

The elements of the SecANet+ approach could now also be further refined, so that, for example, it is ensured that there are no leftover tokens in the places of the newly combined nets after execution. Also, cycles could be encoded in isolated nets and combined in such a way that canceling and enacting the policy is possible. However, in order to illustrate the extensibility of the SecANet+ approach beyond the net constructions given so far, we sketch a net that could be used to encode user absence. As indicated in Chapter 2, user availability can be used to determine the resilience, and it plays an important role in the WSP context as well.

Figure 3.67 gives the graphical representation of an idea for a user-availability net that is supposed to take all three resilience levels introduced by Wang and Li [207] into account and the related initial markings.

First, for static resilience, the idea is to create a place that indicates user presence (e.g., $p_{u1Present}$) that is bidirectionally connected to all user-activity transitions of the same user. If this place does not have a token, which is then a precondition for the user-activity transition to be executable, it means that this user is not available. The self-loop could easily be avoided by adding a further place and transition (analogously to the “cancellation control” in Definition 3.69). The self-loop is neglected, because here only the basic idea of modeling is to be conveyed. Hence static resilience is represented in the state of the corresponding place, that is, the presence or absence of a token in the corresponding place directly encodes whether a user is present or absent.
Decremental resilience means that a given user who was initially authorized and available to execute an activity becomes unavailable for that activity. Here, a transition that indicates a change in user availability needs to be introduced that disallows all related transitions of that user to be assigned to a given activity. For this, a further net transition (e.g., $t_{u1A}$) that consumes the token of the place that indicates user presence is introduced and produces a token in a new place that indicates user absence (e.g., $p_{u1Absent}$). If this transition is fired, the user-activity transition is no longer fireable. Thus the firing of the “absence transition” encodes the fact that the user becomes absent for the rest of the execution.
Finally, dynamic resilience allows making the users come back. For this, a newly introduced “presence transition” (e.g., $t_{u_1P}$) is produced at the place that indicates user-absence conditions. This transition can produce the token in the place that indicates a return to availability (e.g., u1Present).

Thus the net in Figure 3.67 would explicitly allow encoding of a user being available, being unavailable), or having come back. The transitions encoding user presence or absence would be represented in the language of the net as well. For instance, in order to encode a typical notion concerning resilience, namely k-resilience, where k is the number of absent users, the “absence transition” would have to be triggered for two users in the corresponding user-availability nets for $u_1$ and $u_2$, for example, $t_{u1A}$ and $t_{u2A}$. Based on the user-activity transitions, user-availability nets, as in Figure 3.67, could easily be integrated into a SecANet. They could then be combined with each user-activity assignment and the overall process by using the net synchronization operator.

In conclusion, SecANet+ allows not only taking constraints resulting from regulatory requirements or corporate governance into account but also considering restrictions resulting from the context or environment of a business, for example, user unavailability. When it comes to resilience, user availability also demands authorization, since not having access control would mean that any person would be allowed to execute the workflow tasks. Then the presence of a single user would trivially always suffice to execute the workflow.

Notes

1.
For more complex BPMN elements, there are some issues in their mapping towards a formal execution semantics such as Petri nets or other modeling languages such as the Business Process Execution Language (BPEL) [170].
2.
For the sake of clarity, the added tokens, the three places $p_1$, $p_2$ and $p_3$ (from left to right), are not labeled with their names here.
3.
Because multi-sets are essentially vectors with natural numbers as components (cf. Definition 3.1), they can be used for calculation component by component and to compare them in the same way as it is usual for Petri net vector markings.
4.
S stands for the word “Stellen” (“places” in English) whose use goes back to Petri’s dissertation, written in German.
5.
The transitions in a WF-net typically represent tasks, which is why, for syntactic simplicity and legibility, the notation t is overloaded for both transitions and tasks (or T for the respective sets).
6.
This implies that trivial cases of unsatisfiability are avoided.
7.
Again, both sets of firing sequences consider a “lazy” workflow-oriented execution that pursues to execute WF-tasks in the first place.
8.
The restriction of a language must not be confused with the restriction for two languages, for which a special operator will subsequently be introduced as well.
9.
$\top $ represents the transpose and allows a row-based notation of the column vector.
10.
This synchronization with an empty synchronization alphabet is similar to the binary merge net operator ||, which juxtaposes two marked and labeled Petri nets with disjoint nodes [99].
11.
In contrast to the language of TA, constraint subnets may in fact restrict each other because there may be multiple constraints that affect the same user-task transitions.
12.
Note that not all subwords may embed in the same SecANet words. For example, in workflows with exclusive branching, different subwords embed in different words of the corresponding SecANet.
13.
In order to avoid confusion with the workflow subnet $L_N$, $N_{wf}$ and $L_{wf}$ explicitly describe the initial WF-Net and its corresponding language. $L_N$ relates to the workflow subnet from the SecANet.
14.
For better clarity and readability, the naming of the depicted nodes is simplified compared to their written notation; for example, the scope S is omitted in the naming of the transition.
15.
The scopes nested in the scope under consideration are triggered by the arcs containing $\overset{\curvearrowleft }{p}_Y$. All subscope-related re-enactment constructs that are not already nested in other re-enactment constructs are nested in parallel to the re-enactment construct of the scope under consideration.
16.
For better clarity and readability, the naming of the depicted nodes is somewhat simplified compared to their written notation; for example, the scope S is not subscripted.
17.
$C^\bullet $ denotes all user-task transitions affected by a constraint. After all the transitions are connected as incoming transitions of $C_{ut_kt_lComplement}$, the last step is to add the cancellation transition as an outgoing transition of C and an incoming transition of $C_{ut_kt_lComplement}$.
18.
For further information and tools, see mcc.lip6.fr at the computer-science lab at Sorbonne University, Paris.
19.
The generated process models can be consulted at https://doi.org/10.6094/UNIFR/228177. The archive file generated$\_$secanets.zip includes a manual on how to reproduce the results.

Author information

Authors and Affiliations

University of Freiburg, Freiburg im Breisgau, Germany
Julius Holderer

Authors

Julius Holderer
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Julius Holderer .

Rights and permissions

Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

Reprints and permissions

Copyright information

About this chapter

Cite this chapter

Holderer, J. (2022). Obstruction Modeling. In: Obstructions in Security-Aware Business Processes. Springer Vieweg, Wiesbaden. https://doi.org/10.1007/978-3-658-38154-7_3

Download citation

DOI: https://doi.org/10.1007/978-3-658-38154-7_3
Published: 24 July 2022
Publisher Name: Springer Vieweg, Wiesbaden
Print ISBN: 978-3-658-38153-0
Online ISBN: 978-3-658-38154-7
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Obstruction Modeling

Abstract

3.1 Ways to Model Processes

3.1.1 Petri Nets: The Method

3.1.1.1 Petri Net

Definition 3.1 (Petri Net and Marking).

Definition 3.2 (Paths and Cycles).

Definition 3.3 (Strong Connectedness).

Definition 3.4 (PT-handle and TP-handle [90]).

Definition 3.5 (Pre-set, Post-set).

Definition 3.6 (Enabledness and Firing Rule).

Definition 3.7 (Reachability and Feasible Sequences).

Definition 3.8 (Transition System).

Definition 3.9 (Reachability Graph).

Definition 3.10 (Boundedness and Safeness).

Definition 3.11 (Liveness).

Definition 3.12 (Well-Formedness).

Definition 3.13 (Deadlock-Freeness).

Definition 3.14 (Reversibility).

Definition 3.15 (Siphon).

Definition 3.16 (Trap).

3.1.1.2 Basic Modeling Examples

Causality:

Concurrency:

Choice:

3.1.2 Petri Net Subclasses

3.1.2.1 Place- and Transition-Related Systems

Definition 3.17 ( State Machine or S-System).

Definition 3.18 (Marked Graph or T-System).

3.1.2.2 Choice-Related Nets

Definition 3.19 (Free-Choice Nets).

Definition 3.20 (Extended Free-Choice Net).

Definition 3.21 (An Asymmetric Choice Net).

3.1.2.3 Workflow Net

Definition 3.22 (WF-Net).

Definition 3.23 (System Net, Full and Terminal Firing Sequences).

3.1.2.4 Workflow Soundness

Definition 3.24 (Soundness of a Workflow Net).

Block-Structure:

Definition 3.25 (Well-Handled).

Definition 3.26 (Well-Structured).

Block-Structured Free-Choice WF-Nets:

3.1.2.5 Policy-Aware Workflow Net

User-Task Authorization:

Definition 3.27 (User-Task Authorization).

Constraints:

Definition 3.28 (Constraints).

Definition 3.29 (Policy-aware Workflow Net).

3.2 The SecANet Solution

3.2.1 The Principle of “Flattening”

3.2.1.1 Modeling Authorization

3.2.1.2 Modeling Constraints

3.2.1.3 Example SecANet Analysis

Satisfiability:

Capturing Obstructions:

Obstructability:

3.2.2 Generalizing Flattening

3.2.2.1 Flattening of User-Task Authorization

Definition 3.30 (Flattening User-Task Authorization).

3.2.2.2 Flattening of SoD Constraints

Definition 3.31 (Flattening SoD Constraints).

3.2.2.3 Flattening of BoD Constraints

Definition 3.32 (Flattening BoD Constraints).

3.2.2.4 SecANet Obstructions

Definition 3.33 (Obstruction Marking, Obstructed Task).

Definition 3.34 (Obstructed and Satisfiable Firing Sequences).

3.2.2.5 Capturing Indicators by Costs

3.2.3 SecANet Properties

3.2.3.1 Net Properties of Modeled User-Task Authorization

3.2.3.2 Net Properties of Modeled Constraints

3.2.4 Language-Based SecANet Properties

3.2.4.1 Language-Related Operators and Nets

Definition 3.35 (Word and Language).

Definition 3.36 (Language Operations).

Definition 3.37 (Homomorphism).

Definition 3.38 (Shuffle ( IMAGE )).

Definition 3.39 (Restriction Operator ( \(\circledR \) )).

Definition 3.40 (Language-Generating Petri Net).

Definition 3.41 (Petri Net Language).

3.2.4.2 SecANet Language Types

Definition 3.38 (Shuffle ( $IMAGE$ )).