Authorization and access control of application data in Workflow systems

Workflow Management Systems (WfMSs) are used to support the modeling and coordinated execution of business processes within an organization or across organizational boundaries. Although some research efforts have addressed requirements for authorization and access control for workflow systems, little attention has been paid to the requirements as they apply to application data accessed or managed by WfMSs. In this paper, we discuss key access control requirements for application data in workflow applications using examples from the healthcare domain, introduce a classification of application data used in workflow systems by analyzing their sources, and then propose a comprehensive data authorization and access control mechanism for WfMSs. This involves four aspects: role, task, process instance-based user group, and data content. For implementation, a predicate-based access control method is used. We believe that the proposed model is applicable to workflow applications and WfMSs with diverse access control requirements

A Logic Based Modeling Approach to Managing Workflow Policy Changes

Workflow management systems are becoming increasingly important in the automation of business processes. In order to ensure proper workflow execution, workflow policies must be specified with respect to users, roles, and tasks. In today’s dynamic business environment, successful organizations must be able to respond to new customer demands and market opportunities with flexibility and speed. However, without systematic management of workflow policies, changes in organizational structure and process models can lead to inconsistent workflow specifications. Thus far, research in the change management of workflow policies has been scant. In this paper, we propose a logic-based approach to address this problem. Our contribution is three-fold: 1) a modeling language based on predicate logic is proposed, which is succinct and expressive enough to represent process model, organization model, and workflow polices; 2) workflow policy consistency in a dynamic changing environment is formally defined and analyzed based on the proposed language. 3) two algorithms are developed to check and enforce the policy consistency. To the best of our knowledge, this is the first work focuses on the formal analysis of workflow policy change management

An Approach for Supporting Ad-hoc Modifications in Distributed Workflow Management Systems

Supporting enterprise-wide or even cross-organizational business processes is a characteristic challenge for any workflow management system (WfMS). Scalability at the presence of high loads as well as the capability to dynamically modify running workflow (WF) instances (e.g., to cope with exceptional situations) are essential requirements in this context. Should the latter one, in particular, not be met, the WfMS will not have the necessary flexibility to cover the wide range of process-oriented applications deployed in many organizations. Scalability and flexibility have, for the most part, been treated separately in the relevant literature thus far. Even though they are basic needs for a WfMS, the requirements related with them are totally different. To achieve satisfactory scalability, on the one hand, the system needs to be designed such that a workflow instance can be controlled by several WF servers that are as independent from each other as possible. Yet dynamic WF modifications, on the other hand, necessitate a (logical) central control instance which knows the current and global state of a WF instance. For the first time, this paper presents methods which allow ad-hoc modifications (e.g., to insert, delete, or shift steps) to be performed in a distributed WfMS; i.e., in a WfMS with partitioned WF execution graphs and distributed WF control. It is especially noteworthy that the system succeeds in realizing the full functionality as given in the central case while, at the same time, achieving extremely favorable behavior with respect to communication costs

A Taxonomy of Data Grids for Distributed Data Sharing, Management and Processing

Data Grids have been adopted as the platform for scientific communities that need to share, access, transport, process and manage large data collections distributed worldwide. They combine high-end computing technologies with high-performance networking and wide-area storage management techniques. In this paper, we discuss the key concepts behind Data Grids and compare them with other data sharing and distribution paradigms such as content delivery networks, peer-to-peer networks and distributed databases. We then provide comprehensive taxonomies that cover various aspects of architecture, data transportation, data replication and resource allocation and scheduling. Finally, we map the proposed taxonomy to various Data Grid systems not only to validate the taxonomy but also to identify areas for future exploration. Through this taxonomy, we aim to categorise existing systems to better understand their goals and their methodology. This would help evaluate their applicability for solving similar problems. This taxonomy also provides a "gap analysis" of this area through which researchers can potentially identify new issues for investigation. Finally, we hope that the proposed taxonomy and mapping also helps to provide an easy way for new practitioners to understand this complex area of research.Comment: 46 pages, 16 figures, Technical Repor

Survey on detecting and preventing web application broken access control attacks

Web applications are an essential component of the current wide range of digital services proposition including financial and governmental services as well as social networking and communications. Broken access control vulnerabilities pose a huge risk to that echo system because they allow the attacker to circumvent the allocated permissions and rights and perform actions that he is not authorized to perform. This paper gives a broad survey of the current research progress on approaches used to detect access control vulnerabilities exploitations and attacks in web application components. It categorizes these approaches based on their key techniques and compares the different detection methods in addition to evaluating their strengths and weaknesses. We also spotted and elaborated on some exciting research gaps found in the current literature, Finally, the paper summarizes the general detection approaches and suggests potential research directions for the future