skip to main content
research-article

Satisfiability and Resiliency in Workflow Authorization Systems

Published:01 December 2010Publication History
Skip Abstract Section

Abstract

We propose the role-and-relation-based access control (R2BAC) model for workflow authorization systems. In R2BAC, in addition to a user’s role memberships, the user’s relationships with other users help determine whether the user is allowed to perform a certain step in a workflow. For example, a constraint may require that two steps must not be performed by users who have conflicts of interests. We study computational complexity of the workflow satisfiability problem, which asks whether a set of users can complete a workflow. In particular, we apply tools from parameterized complexity theory to better understand the complexities of this problem. Furthermore, we reduce the workflow satisfiability problem to SAT and apply SAT solvers to address the problem. Experiments show that our algorithm can solve instances of reasonable size efficiently. Finally, it is sometimes not enough to ensure that a workflow can be completed in normal situations. We study the resiliency problem in workflow authorization systems, which asks whether a workflow can be completed even if a number of users may be absent. We formally define three levels of resiliency in workflow systems and study computational problems related to these notions of resiliency.

References

  1. Ahn, G.-J. and Sandhu, R. S. 1999. The RSL99 language for role-based separation of duty constraints. In Proceedings of the 4th Workshop on Role-Based Access Control. 43--54. Google ScholarGoogle ScholarDigital LibraryDigital Library
  2. Ahn, G.-J. and Sandhu, R. S. 2000. Role-Based authorization constraints specification. ACM Trans. Inf. Syst. Secur. 3, 4, 207--226. Google ScholarGoogle ScholarDigital LibraryDigital Library
  3. Atluri, V. and Huang, W. 1996. An authorization model for workflows. In Proceedings of the 4th European Symposium on Research in Computer Security (ESORICS). 44--64. Google ScholarGoogle ScholarDigital LibraryDigital Library
  4. Bertino, E., Ferrari, E., and Atluri, V. 1999. The specification and enforcement of authorization constraints in workflow management systems. ACM Trans. Inf. Syst. Secur. 2, 1, 65--104. Google ScholarGoogle ScholarDigital LibraryDigital Library
  5. Chen, F. and Sandhu, R. S. 1996. Constraints for role-based access control. In Proceedings of the 1st ACM Workshop on Role-Based Access Control (RBAC’95). ACM, New York, 14. Google ScholarGoogle ScholarDigital LibraryDigital Library
  6. Chen, H. and Li, N. 2006. Constraint generation for separation of duty. In Proceedings of the 9th ACM Symposium on Access Control Models and Technologies (SACMAT). 130--138. Google ScholarGoogle ScholarDigital LibraryDigital Library
  7. Clark, D. D. and Wilson, D. R. 1987. A comparision of commercial and military computer security policies. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society Press, 184--194.Google ScholarGoogle Scholar
  8. Crampton, J. 2003. Specifying and enforcing constraints in role-based access control. In Proceedings of the 8th ACM Symposium on Access Control Models and Technologies (SACMAT’03). 43--50. Google ScholarGoogle ScholarDigital LibraryDigital Library
  9. Crampton, J. 2005. A reference monitor for workflow systems with constrained task execution. In Proceedings of the 10th ACM Symposium on Access Control Models and Technologies (SACMAT’05). 38--47. Google ScholarGoogle ScholarDigital LibraryDigital Library
  10. Downey, R. and Fellows, M. 1999. Parameterized Complexity. Springer. Google ScholarGoogle ScholarDigital LibraryDigital Library
  11. Du, D., Gu, J., and Pardalos, P. M. Eds. 1997. Satisfiability Problem: Theory and Applications. DIMACS Series in Discrete Mathematics and Theoretical Computer Science, vol. 35, AMS Press.Google ScholarGoogle Scholar
  12. Gligor, V. D., Gavrila, S. I., and Ferraiolo, D. F. 1998. On the formal definition of separation-of-duty policies and their composition. In Proceedings of IEEE Symposium on Research in Security and Privacy. 172--183.Google ScholarGoogle Scholar
  13. Jaeger, T. 1999. On the increasing importance of constraints. In Proceedings of the ACM Workshop on Role-Based Access Control (RBAC). 33--42. Google ScholarGoogle ScholarDigital LibraryDigital Library
  14. Jaeger, T. and Tidswell, J. E. 2001. Practical safety in flexible access control models. ACM Trans. Inf. Syst. Secur. 4, 2, 158--190. Google ScholarGoogle ScholarDigital LibraryDigital Library
  15. Le Berre D. (project leader). 2006. SAT4J: A satisfiability library for Java. http://www.sat4j.org/.Google ScholarGoogle Scholar
  16. Li, N., Tripunitara, M. V., and Bizri, Z. On mutually exclusive roles and separation of duty. ACM Trans. Inf. Syst. Secur. In press. Google ScholarGoogle ScholarDigital LibraryDigital Library
  17. Li, N., Tripunitara, M. V., and Wang, Q. 2006. Resiliency policies in access control. In Proceedings of the ACM Conference on Computer and Communications Security (CCS). Google ScholarGoogle ScholarDigital LibraryDigital Library
  18. Li, N., Wang, Q., and Tripunitara, M. 2009. Resiliency policies in access control. ACM Trans. Inf. Syst. Secur. 12, 4, 1--34. Google ScholarGoogle ScholarDigital LibraryDigital Library
  19. Sandhu, R. S., Coyne, E. J., Feinstein, H. L., and Youman, C. E. 1996. Role-Based access control models. IEEE Comput. 29, 2, 38--47. Google ScholarGoogle ScholarDigital LibraryDigital Library
  20. Simon, T. T. and Zurko, M. E. 1997. Separation of duty in role-based environments. In Proceedings of the 10th Computer Security Foundations Workshop. IEEE Computer Society Press, 183--194. Google ScholarGoogle ScholarDigital LibraryDigital Library
  21. Stoller, S. D., Yang, P., Ramakrishnan, C. R., and Gofman, M. I. 2007. Efficient policy analysis for administrative role based access control. In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS’07). ACM, New York, 445--455. Google ScholarGoogle ScholarDigital LibraryDigital Library
  22. Tan, K., Crampton, J., and Gunter, C. 2004. The consistency of task-based authorization constraints in workflow systems. In Proceedings of the 17th IEEE Computer Security Foundations Workshop (CSFW). 155--169. Google ScholarGoogle ScholarDigital LibraryDigital Library
  23. Tidswell, J. and Jaeger, T. 2000. An access control model for simplifying constraint expression. In Proceedings of ACM Conference on Computer and Communications Security. 154--163. Google ScholarGoogle ScholarDigital LibraryDigital Library
  24. Warner, J. and Atluri, V. 2006. Inter-Instance authorization constraints for secure workflow management. In Proceedings ACM Symposium on Access Control Models and Technologies (SACMAT). 190--199. Google ScholarGoogle ScholarDigital LibraryDigital Library

Index Terms

  1. Satisfiability and Resiliency in Workflow Authorization Systems

              Recommendations

              Comments

              Login options

              Check if you have access through your login credentials or your institution to get full access on this article.

              Sign in

              Full Access

              • Published in

                cover image ACM Transactions on Information and System Security
                ACM Transactions on Information and System Security  Volume 13, Issue 4
                December 2010
                412 pages
                ISSN:1094-9224
                EISSN:1557-7406
                DOI:10.1145/1880022
                Issue’s Table of Contents

                Copyright © 2010 ACM

                Publisher

                Association for Computing Machinery

                New York, NY, United States

                Publication History

                • Published: 1 December 2010
                • Revised: 1 July 2010
                • Accepted: 1 July 2010
                • Received: 1 January 2010
                Published in tissec Volume 13, Issue 4

                Permissions

                Request permissions about this article.

                Request Permissions

                Check for updates

                Qualifiers

                • research-article
                • Research
                • Refereed

              PDF Format

              View or Download as a PDF file.

              PDF

              eReader

              View online with eReader.

              eReader
              About Cookies On This Site

              We use cookies to ensure that we give you the best experience on our website.

              Learn more

              Got it!