Abstract
We propose the role-and-relation-based access control (R2BAC) model for workflow authorization systems. In R2BAC, in addition to a user’s role memberships, the user’s relationships with other users help determine whether the user is allowed to perform a certain step in a workflow. For example, a constraint may require that two steps must not be performed by users who have conflicts of interest. We study the computational complexity of the workflow satisfiability problem, which asks whether a set of users can complete a workflow. In particular, we apply tools from parameterized complexity theory to better understand the complexity of this problem. Furthermore, we reduce the workflow satisfiability problem to SAT and apply SAT solvers to address the problem. Experiments show that our algorithm can solve instances of reasonable size efficiently. Finally, it is sometimes not enough to ensure that a workflow can be completed in normal situations. We study the resiliency problem in workflow authorization systems, which asks whether a workflow can be completed even if a number of users may be absent. We formally define three levels of resiliency in workflow systems and study computational problems related to these notions of resiliency.
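The two questions posed in the abstract can be made concrete on a toy policy. The following is an added example, not code from the paper: it uses plain backtracking search rather than the paper's SAT reduction, checks only a simplified form of resiliency (any `t` users absent before the workflow starts) rather than the paper's three formal levels, and all step, role and user names are constructed.

```python
from itertools import combinations

# Constructed sample policy (illustrative, not taken from the paper).
STEPS = ["order", "approve", "pay"]            # workflow steps, in execution order
STEP_ROLE = {"order": "clerk", "approve": "manager", "pay": "clerk"}
ROLES = {"alice": {"clerk"}, "bob": {"clerk", "manager"},
         "carol": {"manager"}, "dave": {"clerk"}}
# Symmetric user-to-user relation: declared conflicts of interest.
CONFLICT = {frozenset(("alice", "carol")), frozenset(("bob", "dave"))}

def conflicting(u, v):
    return frozenset((u, v)) in CONFLICT

# Each constraint is (step_a, step_b, predicate over the users assigned to them).
CONSTRAINTS = [
    ("order", "approve", lambda u, v: u != v and not conflicting(u, v)),
    ("order", "pay", lambda u, v: u != v),
    ("approve", "pay", lambda u, v: u != v),
]

def find_plan(users, plan=None):
    """Return a {step: user} assignment meeting roles and constraints, else None."""
    plan = {} if plan is None else plan
    if len(plan) == len(STEPS):
        return dict(plan)
    step = STEPS[len(plan)]
    for user in sorted(users):
        if STEP_ROLE[step] not in ROLES[user]:
            continue                            # role membership check
        plan[step] = user
        ok = all(pred(plan[a], plan[b]) for a, b, pred in CONSTRAINTS
                 if a in plan and b in plan)    # relation checks on assigned steps
        result = find_plan(users, plan) if ok else None
        del plan[step]
        if result is not None:
            return result
    return None

def is_resilient(users, t):
    """True if the workflow stays satisfiable when any t users are absent."""
    return all(find_plan(set(users) - set(absent)) is not None
               for absent in combinations(sorted(users), t))

if __name__ == "__main__":
    print(find_plan(set(ROLES)))
    print(is_resilient(ROLES, 1), is_resilient(ROLES, 2))
```

With this policy the workflow survives the absence of any single user but not of any two, because removing both managers leaves the approval step with no authorized user.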
Index Terms
Satisfiability and Resiliency in Workflow Authorization Systems