An Authorization Model for Supporting the Speciication and Enforcement of Authorization Constraints in Workkow Management Systems

In recent years, workkow management systems (WFMSs) have gained popularity both in research as well as in commercial sectors. WFMSs are used to coordinate and streamline business processes of an organization. Often, very large WFMSs are used in organizations with users in the range of several thousands and number of process instances in the range of tens of thousands. To simplify the complexity of security administration, it is a common practice in many business organizations to allocate a role to perform each activity in the process and then assign one or more users to each role, and granting an authorization to roles rather than to users. Typically the security policies of the organization are expressed as constraints (or rules) on users and roles; a well-known constraint is separation of duties. Unfortunately, current role-based access control models are not adequate to model such constraints. To address this issue, in this paper, (1) we present a language to express both static and dynamic authorization constraints as clauses in a logic program, (2) provide formal notions of constraint consistency, and (3) propose algorithms to check for the consistency of the constraints and to assign users and roles to tasks that constitute the workkow in a such a way that no constraints are violated.