4,716 research outputs found

    Authorization and access control of application data in Workflow systems

    Workflow Management Systems (WfMSs) are used to support the modeling and coordinated execution of business processes within an organization or across organizational boundaries. Although some research efforts have addressed requirements for authorization and access control for workflow systems, little attention has been paid to the requirements as they apply to application data accessed or managed by WfMSs. In this paper, we discuss key access control requirements for application data in workflow applications using examples from the healthcare domain, introduce a classification of application data used in workflow systems by analyzing their sources, and then propose a comprehensive data authorization and access control mechanism for WfMSs. This involves four aspects: role, task, process instance-based user group, and data content. For implementation, a predicate-based access control method is used. We believe that the proposed model is applicable to workflow applications and WfMSs with diverse access control requirements.

    A Declarative Framework for Specifying and Enforcing Purpose-aware Policies

    Purpose is crucial for privacy protection as it makes users confident that their personal data are processed as intended. Available proposals for the specification and enforcement of purpose-aware policies are unsatisfactory for their ambiguous semantics of purposes and/or lack of support to the run-time enforcement of policies. In this paper, we propose a declarative framework based on a first-order temporal logic that allows us to give a precise semantics to purpose-aware policies and to reuse algorithms for the design of a run-time monitor enforcing purpose-aware policies. We also show the complexity of the generation and use of the monitor which, to the best of our knowledge, is the first such result in the literature on purpose-aware policies. Comment: Extended version of the paper accepted at the 11th International Workshop on Security and Trust Management (STM 2015).

    Process Driven Access Control and Authorisation Approach

    Compliance with regulatory requirements is key to successful collaborative business process execution. The review of the EU General Data Protection Regulation (GDPR) brought to the fore the need to comply with data privacy. Access control and authorization mechanisms in workflow management systems based on roles, tasks and attributes do not sufficiently address the current complex and dynamic privacy requirements in collaborative business process environments due to diverse policies. This paper proposes process driven authorization as an alternative approach to data access control and authorization where access is granted based on legitimate need to accomplish a task in the business process. Due to vast sources of regulations, a mechanism to derive and validate a composite set of constraints free of conflicts and contradictions is presented. An extended workflow tree language is also presented to support constraint modeling. An industry case Pick and Pack process is used for illustration.

    A Logic Based Modeling Approach to Managing Workflow Policy Changes

    Workflow management systems are becoming increasingly important in the automation of business processes. In order to ensure proper workflow execution, workflow policies must be specified with respect to users, roles, and tasks. In today’s dynamic business environment, successful organizations must be able to respond to new customer demands and market opportunities with flexibility and speed. However, without systematic management of workflow policies, changes in organizational structure and process models can lead to inconsistent workflow specifications. Thus far, research in the change management of workflow policies has been scant. In this paper, we propose a logic-based approach to address this problem. Our contribution is three-fold: 1) a modeling language based on predicate logic is proposed, which is succinct and expressive enough to represent process model, organization model, and workflow policies; 2) workflow policy consistency in a dynamic changing environment is formally defined and analyzed based on the proposed language; 3) two algorithms are developed to check and enforce the policy consistency. To the best of our knowledge, this is the first work that focuses on the formal analysis of workflow policy change management.

    Resiliency Policies in Access Control Revisited
