The specification and enforcement of authorization constraints in workflow management systems

Bertino, Elisa; Ferrari, Elena; Atluri, Vijayalakshmi

doi:10.1145/300830.300837

Cited by 450 publications

(356 citation statements)

References 10 publications

Supporting

Mentioning

349

Contrasting

Unclassified

Order By: Relevance

“…Resource assignment languages (van der Aalst and ter Hofstede 2005; Cabanillas et al 2015b; Bertino, Ferrari, and Atluri 1999; Strembeck and Mendling 2011; Casati et al 1996; Scheer 2000; Du et al 1999; Tan, Crampton, and Gunter 2004; Cabanillas et al 2015a; Wolter and Schaad 2007; Awad et al 2009; Stroppi, Chiotti, and Villarreal 2011) serve the former purpose by enabling the definition of the conditions that the members of an organisation must meet in order to be allowed to participate in the activities of the processes executed in it, e.g., to belong to a specific department or to have certain skills. The outcome is a resource-aware process model .…”

Section: Related Workmentioning

confidence: 99%

A template-based approach for responsibility management in executable business processes

Cabanillas

Resinas

Ruiz–Cortés

2017

Enterprise Information Systems

View full text Add to dashboard Cite

Process-oriented organisations need to manage the different types of responsibilities their employees may have w.r.t. the activities involved in their business processes. Despite several approaches provide support for responsibility modelling, in current Business Process Management Systems (BPMS) the only responsibility considered at runtime is the one related to performing the work required for activity completion. Others like accountability or consultation must be implemented by manually adding activities in the executable process model, which is time-consuming and error-prone. In this paper, we address this limitation by enabling current BPMS to execute processes in which people with different responsibilities interact to complete the activities. We introduce a metamodel based on Responsibility Assignment Matrices (RAM) to model the responsibility assignment for each activity, and a flexible template-based mechanism that automatically transforms such information into BPMN elements, which can be interpreted and executed by a BPMS. Thus, our approach does not enforce any specific behaviour for the different responsibilities but new templates can be modelled to specify the interaction that best suits the activity requirements. Furthermore, libraries of templates can be created and reused in different processes. We provide a reference implementation and build a library of templates for a well-known set of responsibilities.

show abstract

Section: Related Workmentioning

confidence: 99%

A template-based approach for responsibility management in executable business processes

Cabanillas

Resinas

Ruiz–Cortés

2017

Enterprise Information Systems

View full text Add to dashboard Cite

show abstract

“…A number of researchers have looked at the semantics of authorization, delegation, and revocation. Li et al proposed a logic for authorizing delegation in large-scale, open, distributed systems [3,10]. But in their logic, role-based concepts were not fully adopted; neither did they address revocation adequately.…”

Section: Related Workmentioning

confidence: 99%

Role-Based Privilege Management Using Attribute Certificates and Delegation

Ahn

Shin

Zhang

2004

Trust and Privacy in Digital Business

View full text Add to dashboard Cite

Abstract. The Internet provides tremendous connectivity and immense information sharing capability which the organizations can use for their competitive advantage. However, we still observe security challenges in Internet-based applications that demand a unified mechanism for both managing the authentication of users across enterprises and implementing business rules for determining user access to enterprise applications and their resources. These business rules are utilized for privilege management or authorization in a security context. In this paper, we design a role-based privilege management leveraging access control models and X.509 attribute certificate. We attempt to develop an easy-to-use, flexible, and interoperable authorization mechanism. Also, we demonstrate the feasibility of our architecture by providing the proof-of-concept prototype implementation using commercial off-the-shelf technologies.

show abstract

“…Controlled access to its application services as well as to the application objects managed by them (e.g., business processes, documents, resources, or application systems) constitutes an important task for any information system (IS) [4,5,6,7,8]. This results in a large number of access rules covering different system aspects and user privileges [9].…”

Section: Problem Descriptionmentioning

confidence: 99%

“…In the literature numerous approaches have been presented dealing with challenging issues related to access control (e.g., [12,20,21,22]). Most of these approaches apply Role-Based Access Control (RBAC) models for defining and managing user privileges [6,23,20,24], e.g., to control the access to business documents and database objects, or to resolve the set of actors that qualify for a newly activated task in a workflow system [25,4,8,21,26,22].…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

A Formal Framework for Adaptive Access Control Models

Rinderle

Reichert

Journal on Data Semantics IX

View full text Add to dashboard Cite

Abstract. For several reasons enterprises are frequently subject to organizational change. Respective adaptations may concern business processes, but also other components of an enterprise architecture. In particular, changes of organizational structures often become necessary. The information about organizational entities and their relationships is maintained in organizational models. Therefore the quick and correct adaptation of these models is fundamental to adequately cope with organizational changes. However, model changes alone are not sufficient to guarantee consistency. Since organizational models also provide the basis for defining access rules (e.g., actor assignments in workflow management systems or access rules in document-centered applications) this information has to be adapted accordingly (e.g., to avoid dangling references or non-resolvable actor assignments). Current approaches do not adequately address this problem, which often leads to security gaps and delayed change implementation.In this paper we introduce a formal framework for the controlled evolution of organizational models and related access rules. Firstly, we introduce a set of operators with well-defined semantics for defining and changing organizational models. Secondly, we show how to define access rules based on such models. In this context we also define a notion of correctness for access rules. Thirdly, we present a formal framework for the (semi-automated) adaptation of access rules when the underlying organizational model is changed by exploiting the semantics of the applied changes. Altogether the presented approach provides an important contribution for realizing adaptive access control frameworks.

show abstract

The specification and enforcement of authorization constraints in workflow management systems

Cited by 450 publications

References 10 publications

A template-based approach for responsibility management in executable business processes

A template-based approach for responsibility management in executable business processes

Role-Based Privilege Management Using Attribute Certificates and Delegation

A Formal Framework for Adaptive Access Control Models

Contact Info

Product

Resources

About