Authorization algorithms for permission-role assignments

Permission-role assignments (PRA) is one important process in Role-based access control (RBAC) which has been proven to be a flexible and useful access model for information sharing in distributed collaborative environments. However, problems may arise during the procedures of PRA. Conflicting permissions may assign to one role, and as a result, the role with the permissions can derive unexpected access capabilities. This paper aims to analyze the problems during the procedures of permission-role assignments in distributed collaborative environments and to develop authorization allocation algorithms to address the problems within permission-role assignments. The algorithms are extended to the case of PRA with the mobility of permission-role relationship. Finally, comparisons with other related work are discussed to demonstrate the effective work of the paper

Integrating Users in Object-aware Process Management Systems: Issues and Challenges

Despite the increasing maturity of contemporary Workflow Management Systems (WfMS), there still exist numerous process-aware application systems with more or less hard-coded process logic. This does not only cause high maintenance efforts (e.g. costly code adaptions), but also results in hard-coded rules for controlling the access to business processes, business functions, and business data. In particular, the assignment of users to process activities needs to be compliant with the rights granted for executing business functions and for accessing business data. A major reason for not using WfMS in a broader context is the inflexibility provided by their activity-centered paradigm, which also limits the access control strategies offered by them. This position paper discusses key challenges for a process management technology in which processes, data objects and users are well integrated in order to ensure a sufficient degree of flexibility. We denote such technology as Object-Aware Process Management System and consider related research as fundamental for the further maturation of process management technology

PHILharmonicFlows: towards a framework for object-aware process management

Companies increasingly adopt process management systems (PrMS) that offer promising perspectives for more flexible and efficient process execution. However, there still exist many processes in practice which are not adequately supported by contemporary PrMS. We believe that a major reason for this deficiency stems from the unsatisfactory integration of processes and data in existing PrMS. Despite emerging approaches that address this integration, a unified and comprehensive understanding of object-awareness in connection with process management is still missing. To remedy this deficiency, we extensively analyzed various processes from different domains which are not adequately supported by existing PrMS. As a major insight we learned that in many cases comprehensive process support requires object-awareness. In particular, process support has to consider object behavior as well as object interactions, and should therefore be based on two levels of granularity. Besides this, object-awareness requires data-driven process execution and integrated access to processes and data. This paper presents the basic properties of objectaware processes as well as fundamental requirements for their operational support. It further introduces our PHILharmonicFlows framework which addresses these requirements and enables object-aware process management in a comprehensive manner. Finally, we evaluate this framework along several process scenarios. We believe that a holistic approach integrating data, processes and users offers promising perspectives in order to overcome the numerous limitations of contemporary PrMS

Herausforderungen bei der Integration von Benutzern in Datenorientierten Prozess-Management-Systemen

Im Projekt PHILharmonic Flows entwickeln wir ein datenorientierten Prozess-Management-System der nächsten Generation. In Vorarbeiten haben wir fünf Herausforderungen diskutiert, die eine generische Komponente zur Unterstützung datengetriebener Prozesse mit einer integrierten Sicht auf Daten und Prozesse erfüllen sollte. In diesem Aufsatz betrachten wir zusätzlich die Integration von Benutzern. Dazu stellen wir vier weitere Herausforderungen für die Zugriffskontrolle in datenorientierten Prozess-Management-Systemen vor. Letztgenannte stellen obligatorische und optionale Aktivitäten zur Verfügung. Obligatorische Aktivitäten müssen für den Fortschritt einer Prozessinstanz zwingend ausgeführt werden, optionale Aktivitäten ermöglichen dagegen die Pflege und Verwaltung von Daten unabhängig von der Ausführung eines bestimmten Prozesses. Die Bearbeiterzuordnung für obligatorische Aktivitäten ist dabei nicht nur von der Aktivität an sich abhängig, sondern auch von den Berechtigungen eines Benutzers zur Durchführung der innerhalb der Aktivität erforderlichen Datenänderungen. Berechtigungen für Datenänderungen müssen dazu für verschiedene Objektinstanzen eines Objekttyps jeweils unterschiedlich vergeben werden können. Gleichzeitig darf bei der Ausführung optionaler Aktivitäten die Durchführung von Prozessinstanzen nicht fehlerhaft beeinflusst werden. Weiter erweist sich eine getrennte Verwaltung von Anwendungsdaten und Organisationsmodell als zu unflexibel für eine feingranulare Vergabe von Rechten mit möglichst geringem Administrationsaufwand. Insgesamt bieten datenorientierte Prozess-Management-Systeme eine integrierte Sicht auf Prozesse, Daten und Benutzer, und eröffnen daher völlig neue Anwendungsfelder für Prozess- Management-Technologie

Aspect-based approach to modeling access control policies, An

Department Head: L. Darrell Whitley.2007 Spring.Includes bibliographical references (pages 119-126).Access control policies determine how sensitive information and computing resources are to be protected. Enforcing these policies in a system design typically results in access control features that crosscut the dominant structure of the design (that is, features that are spread across and intertwined with other features in the design). The spreading and intertwining of access control features make it difficult to understand, analyze, and change them and thus complicate the task of ensuring that an evolving design continues to enforce access control policies. Researchers have advocated the use of aspect-oriented modeling (AOM) techniques for addressing the problem of evolving crosscutting features. This dissertation proposes an approach to modeling and analyzing crosscutting access control features. The approach utilizes AOM techniques to isolate crosscutting access control features as patterns described by aspect models. Incorporating an access control feature into a design involves embedding instantiated forms of the access control pattern into the design model. When composing instantiated access control patterns with a design model, one needs to ensure that the resulting composed model enforces access control policies. The approach includes a technique to verify that specified policies are enforced in the composed model. The approach is illustrated using two well-known access control models: the Role- Based Access Control (RBAC) model and the Bell-LaPadula (BLP) model. Features that enforce RBAC and BLP models are described by aspect models. We show how the aspect models can be composed to create a new hybrid access control aspect model. We also show how one can verify that composition of a base (primary) design model and an aspect model that enforces specified policies produces a composed model in which the policies are still enforced

Supporting Relationships in Access Control Using Role Based Access Control

The Role Based Access Control (RBAC) model and mechanism have proven to be useful and effective. This is clear from the many RBAC implementations in commercial products. However, there are many common examples where access decisions must include other factors, in particular, relationships between entities, such as, the user, the object to be accessed, and the subject of the information contained within the object. Such relationships are often not efficiently represented using traditional static security attributes centrally administered. Furthermore, the extension of RBAC models to include relationships obscures the fundamental RBAC metaphor. This paper furthers the concept of relationships for use in access control, and it shows how relationships can be supported in role based access decisions by using the Object Management Group’s (OMG) Resource Access Decision facility (RAD). This facility allows relationship information, which can dynamically change as part of normal application processing, to be used in access decisions by applications. By using RAD, the access decision logic is separate from application logic. In addition, RAD allows access decision logic from different models to be combined into a single access decision. Each access control model is thus able to retain its metaphor

Supporting Relationships in Access Control Using Role Based Access Control

The Role Based Access Control (RBAC) model and mechanism have proven to be useful and effective. This is clear from the many RBAC implementations in commercial products. However, there are many common examples where access decisions must include other factors, in particular, relationships between entities, such as, the user, the object to be accessed, and the subject of the information contained within the object. Such relationships are often not efficiently represented using traditional static security attributes centrally administered. Furthermore, the extension of RBAC models to include relationships obscures the fundamental RBAC metaphor. This paper furthers the concept of relationships for use in access control, and it shows how relationships can be supported in role based access decisions by using the Object Management Group's (OMG) Resource Access Decision facility (RAD). This facility allows relationship information, which can dynamically change as part of normal application p..