WORKFLOW ACCESS CONTROL FROM A BUSINESS PERSPECTIVE

Dulce Domingos, António Rito-Silva, Pedro Veiga

2004

Abstract

Workflow management systems are increasingly being used to support business processes. Methodologies have been proposed to derive workflow process definitions from business models, but these methodologies do not cover access control. In this paper we propose an extension to the Work Analysis Refinement Modelling (WARM) methodology that also allows workflow access control information to be determined from the business process model. This is done by identifying useful information in business process models and showing how it can be refined to derive access control information. Our approach reduces the effort required to define workflow access control, ensures that authorization rules are directly related to the business, and aligns access control with the information system architecture that implements the business process.



Paper Citation


in Harvard Style

Domingos D., Rito-Silva A. and Veiga P. (2004). WORKFLOW ACCESS CONTROL FROM A BUSINESS PERSPECTIVE. In Proceedings of the Sixth International Conference on Enterprise Information Systems - Volume 3: ICEIS, ISBN 972-8865-00-7, pages 18-25. DOI: 10.5220/0002598500180025


in Bibtex Style

@conference{iceis04,
author={Dulce Domingos and António Rito-Silva and Pedro Veiga},
title={WORKFLOW ACCESS CONTROL FROM A BUSINESS PERSPECTIVE},
booktitle={Proceedings of the Sixth International Conference on Enterprise Information Systems - Volume 3: ICEIS},
year={2004},
pages={18-25},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002598500180025},
isbn={972-8865-00-7},
}

