9 Security for Workflow Systems
Vijayalakshmi Atluri (1) and Janice Warner (2)
(1) Rutgers University, Newark, NJ, atluri@cimic.rutgers.edu
(2) Rutgers University, Newark, NJ, janice@cimic.rutgers.edu
Summary. Workflow technology is often employed by organizations to automate
their day-to-day business processes. The primary advantage of adopting workflow
technology is to separate the business policy from the business applications so that
flexibility and maintainability of business process reengineering can be enhanced.
Today's workflows are not necessarily bound to a single organization, but may span
multiple organizations where the tasks within a workflow are executed by different
organizations.
In order to execute a workflow in a secure and correct manner, one must ensure
that only authorized users are able to gain access to the tasks of the workflow
and the resources managed by them. This can be accomplished by synchronizing the
access control with the specified control flow dependencies among tasks. Without
such synchronization, a user may still hold privileges to execute a task even after its
completion, which may have adverse effects on security. In addition, the assignment
of authorized users to tasks should respect the separation of duty constraints
specified to limit fraud. Another challenging issue in dealing with workflows spanning
multiple organizations is to ensure their secure execution while considering
conflict-of-interest among these organizations. Another issue that is of theoretical interest is
the safety analysis of the proposed authorization models and their extension in this
area. In this chapter, we review all the above security requirements pertaining
to workflow systems, and discuss the proposed solutions to meet these requirements.
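The synchronization described in the summary, as an added sketch that is not taken from the chapter: a task privilege is granted only once the control flow enables the task, is revoked at completion, and is checked against a separation of duty pair. The Workflow class, its methods, the task names and the users are all hypothetical.

```python
# Added illustration: every name here is hypothetical, not from the chapter.
from dataclasses import dataclass, field
@dataclass
class Workflow:
    deps: dict        # task -> tasks that must complete first (control flow)
    authorized: dict  # task -> users allowed to execute it
    sod: list         # (task_a, task_b) pairs that need different users
    done: dict = field(default_factory=dict)    # task -> user who completed it
    active: dict = field(default_factory=dict)  # task -> user holding the privilege

    def start(self, task, user):
        """Grant the privilege only when the control flow enables the task."""
        if user not in self.authorized.get(task, ()):
            raise PermissionError(f"{user} is not authorized for {task}")
        if task in self.done or task in self.active:
            raise PermissionError(f"{task} has already been started")
        if any(d not in self.done for d in self.deps.get(task, ())):
            raise PermissionError(f"{task} is not yet enabled")
        for a, b in self.sod:  # separation of duty against finished and running tasks
            other = b if task == a else a if task == b else None
            if other and user in (self.done.get(other), self.active.get(other)):
                raise PermissionError(f"separation of duty bars {user} from {task}")
        self.active[task] = user

    def can_access(self, task, user):
        return self.active.get(task) == user  # true only between start and completion

    def complete(self, task, user):
        if not self.can_access(task, user):
            raise PermissionError(f"{user} holds no privilege on {task}")
        del self.active[task]  # revoke the privilege at completion
        self.done[task] = user

def attempt(fn, *args):
    try:
        fn(*args)
        return "ok"
    except PermissionError as exc:
        return f"denied: {exc}"

def demo():
    # Constructed workflow: prepare -> approve -> issue.
    wf = Workflow(deps={"approve": ["prepare"], "issue": ["approve"]},
                  authorized={"prepare": {"alice"}, "approve": {"alice", "carol"}, "issue": {"bob"}},
                  sod=[("prepare", "approve")])
    steps = [(wf.start, "approve", "carol"), (wf.start, "prepare", "alice"),
             (wf.complete, "prepare", "alice"), (wf.start, "approve", "alice"),
             (wf.start, "approve", "carol")]
    outcomes = [attempt(fn, task, user) for fn, task, user in steps]
    return outcomes, wf.can_access("prepare", "alice"), wf.can_access("approve", "carol")
```

In the constructed run, carol's early attempt on approve is denied by the control flow, alice loses access to prepare once it completes, and alice is then barred from approve by the separation of duty pair.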
1 Introduction
Organizations constantly reengineer and optimize their business processes to
reduce costs, deliver timely services, and enhance their competitive advantage
in the market. Reengineering involves assessment, analysis, and redesign
of business processes, including introducing new processes into existing systems,
eliminating redundant processes, reallocating sharable resources, and
optimizing the process. Business processes are supported via information systems
that include databases that create, access, process and manage business
information.