Enforcing mandatory and discretionary security in workflow management systems*

Abstract

Workflow management systems (WFMS) support the modeling and coordinated execution of processes within an organization. As advances in workflow management take place, they are also required to support security. This paper makes two major contributions to the area of workflow management. First, it sh ows how both mandatory and discretionary security can be incorporated into WFMS. Second, it provides a formal framework, based on Petri nets (PNs), for modeling workflows. Such a theoretical model is necessary for a standard conceptual representation as well as for analyzing the workflows. This paper first presents a Petri Net based model, called color timed Petri net (CTPN), which is capable of modeling the attributes of both multilevel and discretionary security. With respect to the issue of mandatory security, this paper proposes a multilevel secure workflow transaction model and identifies the task dependencies in a workflow that cannot be enforced in order to meet multilevel security constraints. It shows how CTPN can be used to represent various types of task dependencies and shows how the task dependencies violating security can be automatically detected and prevented by building a secure Petri net (SPN) from CTPN. With respect to the issue of discretionary access control, this paper proposes a workflow authorization model (WAM) that is capable of specifying authorizations in such a way that subjects gain access to required objects only during the execution of the task, thus synchronizing the authorization flow with the workflow. To achieve this synchronization, an authorization template (AT) is associated with each task that allows appropriate authorizations to be granted only when the task starts and to be revoked when the task finishes. This paper also presents how this synchronization can be implemented using CTPN. We argue that Petri net is a suitable tool for modeling workflows because of its rich set of analysis techniques. Properties such as safety of workflows (i.e., whether a workflow terminates in an acceptable state) and safety of WAM can be tested using the already available analysis techniques of PNs.