Publication


Featured researches published by Vijayalakshmi Atluri.


ACM Transactions on Information and System Security | 1999

The specification and enforcement of authorization constraints in workflow management systems

Elisa Bertino; Elena Ferrari; Vijayalakshmi Atluri

In recent years, workflow management systems (WFMSs) have gained popularity in both research and commercial sectors. WFMSs are used to coordinate and streamline business processes. Very large WFMSs are often used in organizations with users in the range of several thousands and process instances in the range of tens and thousands. To simplify the complexity of security administration, it is common practice in many businesses to allocate a role for each activity in the process and then assign one or more users to each role—granting an authorization to roles rather than to users. Typically, security policies are expressed as constraints (or rules) on users and roles; separation of duties is a well-known constraint. Unfortunately, current role-based access control models are not adequate to model such constraints. To address this issue we (1) present a language to express both static and dynamic authorization constraints as clauses in a logic program; (2) provide formal notions of constraint consistency; and (3) propose algorithms to check the consistency of constraints and assign users and roles to tasks that constitute the workflow in such a way that no constraints are violated.


Intelligent Information Systems | 1998

Modeling and Analysis of Workflows Using Petri Nets

Nabil R. Adam; Vijayalakshmi Atluri; Wei-Kuang Huang

A workflow system, in its general form, is basically a heterogeneous and distributed information system where the tasks are performed using autonomous systems. Resources, such as databases, labor, etc. are typically required to process these tasks. Prerequisite to the execution of a task is a set of constraints that reflect the applicable business rules and user requirements. In this paper we present a Petri Net (PN) based framework that (1) facilitates specification of workflow applications, (2) serves as a powerful tool for modeling the system under study at a conceptual level, (3) allows for a smooth transition from the conceptual level to a testbed implementation and (4) enables the analysis, simulation and validation of the system under study before proceeding to implementation. Specifically, we consider three categories of task dependencies: control flow, value and external (temporal). We identify several structural properties of PN and demonstrate their use for conducting the following type of analyses: (1) identify inconsistent dependency specifications among tasks; (2) test for workflow safety, i.e. test whether the workflow terminates in an acceptable state; (3) for a given starting time, test whether it is feasible to execute a workflow with the specified temporal constraints. We also provide an implementation for conducting the above analyses.


European Symposium on Research in Computer Security | 1996

An Authorization Model for Workflows

Vijayalakshmi Atluri; Wei-Kuang Huang

Workflows represent processes in manufacturing and office environments that typically consist of several well-defined activities (known as tasks). To ensure that these tasks are executed by authorized users or processes (subjects), proper authorization mechanisms must be in place. Moreover, to make sure that authorized subjects gain access on the required objects only during the execution of the specific task, granting and revoking of privileges need to be synchronized with the progression of the workflow. A predefined specification of the privileges often allows access for more than the time required, thus, though a subject completes the task or has not yet begun the task, it may still possess privileges to access the objects, resulting in compromising security.


Computer and Communications Security | 2006

RoleMiner: mining roles using subset enumeration

Jaideep Vaidya; Vijayalakshmi Atluri; Janice Warner

Role engineering, the task of defining roles and associating permissions to them, is essential to realize the full benefits of the role-based access control paradigm. Essentially, there are two basic approaches to accomplish this: the top-down and the bottom-up. The top-down approach relies on a careful analysis of the business processes to define job functions and then specify appropriate roles from them. While this approach can aid in defining roles more accurately, it is tedious and time consuming since it requires that the semantics of the business processes be well understood. Moreover, it ignores existing permissions within an organization and does not utilize them. On the other hand, the bottom-up approach starts with existing permissions and attempts to derive roles from them, thus helping to automate role definition. In this paper, we present an unsupervised approach called RoleMiner that mines roles from existing user-permission assignments. Since a role is nothing but a set of permissions, when no semantics are available, the task of role mining is essentially that of clustering users that have same (or similar) permissions. However, unlike the traditional applications of data mining that ideally require identification of non-overlapping clusters, roles will have overlapping permission needs and thus permission sets that define roles should be allowed to overlap. It is this distinction from traditional clustering that makes the problem of role mining non-trivial. Our experiments with real and simulated data sets indicate that our role mining process is quite accurate and efficient.


International Conference on Data Engineering | 2008

Optimal Boolean Matrix Decomposition: Application to Role Engineering

Haibing Lu; Jaideep Vaidya; Vijayalakshmi Atluri

A decomposition of a binary matrix into two matrices gives a set of basis vectors and their appropriate combination to form the original matrix. Such decomposition solutions are useful in a number of application domains including text mining, role engineering as well as knowledge discovery. While a binary matrix can be decomposed in several ways, however, certain decompositions better characterize the semantics associated with the original matrix in a succinct but comprehensive way. Indeed, one can find different decompositions optimizing different criteria matching various semantics. In this paper, we first present a number of variants to the optimal Boolean matrix decomposition problem that have pragmatic implications. We then present a unified framework for modeling the optimal binary matrix decomposition and its variants using binary integer programming. Such modeling allows us to directly adopt the huge body of heuristic solutions and tools developed for binary integer programming. Although the proposed solutions are applicable to any domain of interest, for providing more meaningful discussions and results, in this paper, we present the binary matrix decomposition problem in a role engineering context, whose goal is to discover an optimal and correct set of roles from existing permissions, referred to as the role mining problem (RMP). This problem has gained significant interest in recent years as role based access control has become a popular means of enforcing security in databases. We consider several variants of the above basic RMP, including the min-noise RMP, delta-approximate RMP and edge-RMP. Solutions to each of them aid security administrators in specific scenarios. We then model these variants as Boolean matrix decomposition and present efficient heuristics to solve them.


IEEE Transactions on Knowledge and Data Engineering | 2002

A content-based authorization model for digital libraries

Nabil R. Adam; Vijayalakshmi Atluri; Elisa Bertino; Elena Ferrari

Digital libraries (DLs) introduce several challenging requirements with respect to the formulation, specification and enforcement of adequate data protection policies. Unlike conventional database environments, a DL environment is typically characterized by a dynamic user population, often making accesses from remote locations, and by an extraordinarily large amount of multimedia information, stored in a variety of formats. Moreover, in a DL environment, access policies are often specified based on user qualifications and characteristics, rather than on user identity (e.g. a user can be given access to an R-rated video only if he/ she is more than 18 years old). Another crucial requirement is the support for content-dependent authorizations on digital library objects (e.g. all documents containing discussions on how to operate guns must be made available only to users who are 18 or older). Since traditional authorization models do not adequately meet the access control requirements typical of DLs, we propose a content-based authorization model that is suitable for a DL environment. Specifically, the most innovative features of our authorization model are: (1) flexible specification of authorizations based on the qualifications and (positive and negative) characteristics of users, (2) both content-dependent and content-independent access control to digital library objects, and (3) the varying granularity of authorization objects ranging from sets of library objects to specific portions of objects.


Proceedings of the fourth ACM workshop on Role-based access control | 1999

SecureFlow: a secure Web-enabled workflow management system

Wei-Kuang Huang; Vijayalakshmi Atluri

The objective of this paper is to present a web-based Workflow Management System (WFMS), called SecureFlow that can serve as a framework for specification and enforcement of complex security policies within a workflow, such as separation of duties. The main advantage of SecureFlow is that it uses a simple 4GL language such as SQL to specify authorization constraints, thereby improving flexibility and user-friendliness. Due to the modular nature of the SecureFlow architecture, the security specification and enforcement modules can be layered on top of existing workflow systems that do not provide adequate support for security. SecureFlow relies on the Workflow Authorization Model (WAM) recently proposed by Atluri and Huang.


Symposium on Access Control Models and Technologies | 2005

Supporting conditional delegation in secure workflow management systems

Vijayalakshmi Atluri; Janice Warner

Workflows model and control the execution of business processes in an organization. A workflow typically comprises a set of coordinated activities, known as tasks. Typically, organizations establish a set of security policies that regulate how the business process and resources should be managed. While a simple policy may specify which user (or role) can be assigned to execute a task, a complex policy may specify authorization constraints, such as separation of duties. Users may delegate the tasks assigned to them. Often such delegations are short-lived and come into play when certain conditions are satisfied. For example, a user may want to delegate his task of check approval only when going on vacation, when a check amount is less than a certain amount, or when his workload exceeds a certain limit. In this paper, we extend the notion of delegation to allow for such conditional delegation, where the delegation conditions can be based on time, workload and task attributes. When workflow systems entertain conditional delegation, different types of constraints come into play, which include authorization constraints, role activation constraints and workflow dependency requirements. We address the problem of assigning users to tasks in a consistent manner such that none of the constraints are violated.


Computer and Communications Security | 2001

A Chinese wall security model for decentralized workflow systems

Vijayalakshmi Atluri; Soon Ae Chun; Pietro Mazzoleni

Workflow systems are gaining importance as an infrastructure for automating inter-organizational interactions, such as those in Electronic Commerce. Execution of inter-organizational workflows may raise a number of security issues including those related to conflict-of-interest among competing organizations. Moreover, in such an environment, a centralized Workflow Management System is not desirable because: (i) it can be a performance bottleneck, and (ii) the systems are inherently distributed, heterogeneous and autonomous in nature. In this paper, we propose an approach to realize decentralized workflow execution, in which the workflow is divided into partitions called self-describing workflows, and handled by a light weight workflow management component, called workflow stub, located at each organizational agent. We argue that placing the task execution agents that belong to the same conflict-of-interest class in one self-describing workflow may lead to unfair, and in some cases, undesirable results, akin to being on the wrong side of the Chinese wall. We propose a Chinese wall security model for the decentralized workflow environment to resolve such problems, and a restrictive partitioning solution to enforce the proposed model.


Proceedings of the second ACM workshop on Role-based access control | 1997

A flexible model supporting the specification and enforcement of role-based authorization in workflow management systems

Elisa Bertino; Elena Ferrari; Vijayalakshmi Atluri

In recent years, workflow management systems (WFMSs) have gained popularity both in research as well as in commercial sectors. WFMSs are used to coordinate and streamline business processes of an organization. Often, very large WFMSs are used in organizations with users in the range of several thousands and number of process instances in the range of tens of thousands. To simplify the complexity of security administration, it is a common practice in many business organizations to allocate a role to perform each activity in the process and then assign one or more users to each role, and granting an authorization to roles rather than to users. Typically the security policies of the organization are expressed as constraints on users and roles. A well-known constraint is separation of duties. Unfortunately, current role-based access control models are not adequate to model such constraints. To address this issue, in this paper, (1) we present a language to express authorization constraints as clauses in a logic program, (2) provide formal notions of constraint consistency, and (3) propose algorithms to check for the consistency of the constraints and to assign roles and users to the workflow tasks in such a way that no constraints are violated.

Collaboration


Dive into Vijayalakshmi Atluri's collaboration.

Top Co-Authors

Shamik Sural

Indian Institute of Technology Kharagpur

Soon Ae Chun

City University of New York

Janice Warner

Georgian Court University
