workflow could be done. Their solution allows each organization to apply its own policies to its own tasks, so task access control is distributed and autonomous. Where constraints must be enforced between tasks executed by different organizations, a workflow monitor is defined. The monitor records workflow-specific events at runtime and answers queries from the task-specific access control modules at the various organizations taking part in the distributed inter-organizational workflow.
7 Workflow Safety Analysis
Safety analysis refers to ensuring that rights are not propagated unintentionally, either directly or indirectly, through the granting of a permission on some other resource. The safety problem, first identified by Harrison, Ruzzo and Ullman [17], can be stated as the following question: "Is there a reachable state in which a particular subject possesses a particular privilege for a specific object?"
Atluri and Huang [6] showed how colored Petri nets can be used to analyze the safety of the WAM. Petri nets combine specification and modeling tools that depict system behavior (through their graphical representation) with formal verification tools (through their rich theoretical foundation). Using Petri nets therefore allows a smooth transition from the conceptual level to an implementation of a workflow. In addition, as a graphical tool, Petri nets have the advantage of visually depicting the properties, relationships and restrictions among the tasks of a given workflow. Analyzing workflows with Petri nets helps one understand the implications of the authorization policies: although each policy may appear innocent in isolation, their cumulative effect may lead to an undesirable authorization state. Their procedure determines, given an initial authorization state and a set of security policies specified as authorization rules, all the reachable authorization states.
Safety analysis becomes especially important when task authorizations may be delegated and revoked, as discussed by Schaad et al. [25]. To address this, they proposed a model-checking approach for the automated analysis of delegation and revocation functionality in a workflow that requires static and dynamic separation of duty properties. They represent the workflow as a finite state machine, to which they apply a definition of the possible delegation and revocation scenarios. Analysis of the state machine then determines whether a given set of delegations and/or revocations can be safely accepted.
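The reachability analysis described above (enumerate every authorization state reachable from an initial state under a set of authorization rules, then ask the safety question) and the separation-of-duty concern raised for delegation can be illustrated with a small state-space search. The following is an added example, not code from the chapter or from the cited authors; the subjects, departments, tasks and the two delegation rules are constructed for illustration, and the delegation rules are deliberately written so that each looks harmless on its own while their combination lets one subject execute both tasks.

```python
from collections import deque

# Constructed scenario (not from the chapter): 'prepare' and 'approve' must be
# executed by different subjects.  An authorization state is a frozenset of
# (subject, privilege, task) triples.
DEPT = {"alice": "finance", "bob": "finance", "carol": "audit"}
INITIAL = {("alice", "execute", "prepare"), ("carol", "execute", "approve")}

def rule_dept_delegation(state):
    """Rule A: an 'execute' holder may delegate it within their own department."""
    return {(s2, "execute", t) for s, p, t in state if p == "execute"
            for s2 in DEPT if s2 != s and DEPT[s2] == DEPT[s]}

def rule_approve_delegation(state):
    """Rule B: 'approve' may go to anyone who cannot currently 'prepare';
    this check looks separation-of-duty safe when read in isolation."""
    preparers = {s for s, p, t in state if t == "prepare"}
    return {(s2, p, t) for s, p, t in state if t == "approve"
            for s2 in DEPT if s2 not in preparers}

def reachable_states(initial, rules):
    """Breadth-first enumeration of every authorization state reachable from
    'initial' under 'rules' (finite subjects and tasks, so it terminates).
    Returns {state: predecessor} so an offending path can be reconstructed."""
    start = frozenset(initial)
    parent, queue = {start: None}, deque([start])
    while queue:
        state = queue.popleft()
        for rule in rules:
            for triple in rule(state):
                nxt = state | {triple}
                if nxt not in parent:
                    parent[nxt] = state
                    queue.append(nxt)
    return parent

def sod_violations(parent):
    """The safety question: is a state reachable in which one subject holds
    'execute' on both tasks?  Returns (subject, state) pairs."""
    return [(s, st) for st in parent for s in DEPT
            if (s, "execute", "prepare") in st and (s, "execute", "approve") in st]

def path_to(parent, state):
    """Counterexample trace: states from the initial state to 'state', in order."""
    path = []
    while state is not None:
        path.append(state)
        state = parent[state]
    return path[::-1]
```

Run with either rule alone and `sod_violations` is empty; run with both and it reports states in which bob (and, by re-delegation within finance, alice) can execute both tasks, with `path_to` giving the delegation sequence that produced each one.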
8 Open Issues
Interoperability and integration are the main research areas of concentration for workflow security. Workflow management systems are maturing but