Enforcing Mandatory and Discretionary Security in Workflow Management Systems

Workkow management systems (WFMS) support the modeling and coordinated execution of processes within an organization. As advances in workkow management take place, they are also required to support security. This paper makes two major contributions to the area of workkow management. First, it shows how both mandatory and discretionary security can be incorporated into WFMS. Second, it provides a formal framework, based on Petri nets (PNs), for modeling workkows. Such a theoretical model is necessary for a standard conceptual representation as well as for analyzing the workkows. This paper rst presents a Petri Net based model, called Color Timed Petri Net (CTPN), which is capable of modeling the attributes of both multilevel and discretionary security. With respect to the issue of mandatory security, this paper proposes a multilevel secure workkow transaction model and identiies the task dependencies in a workkow that cannot be enforced in order to meet multilevel security constraints. It shows how CTPN can be used to represent various types of task dependencies and shows how the task dependencies violating security can be automatically detected and prevented by building a Secure Petri Net (SPN) from CTPN. With respect to the issue of discretionary access control, this paper proposes a Work-ow Authorization Model (WAM) that is capable of specifying authorizations in such a way that subjects gain access to required objects only during the execution of the task, thus synchronizing the authorization ow with the workkow. To achieve this synchronization, an Authorization Template (AT) is associated with each task that allows appropriate authorizations to be granted only when the task starts and to be revoked when the task nishes. This paper also presents how this synchronization can be implemented using CTPN. We argue that Petri net is a suitable tool for modeling workkows because of its rich set of analysis techniques. Properties such as safety of workkows (i.e. whether a workkow terminates in an acceptable state) and safety of WAM can be tested using the already available analysis techniques of PNs.