Study On Workflow Role-Based Access Control Model

Workflow management products are deployed increasingly in almost all business activities and domains, and resource is shared in different business procedure, so security is key features of workflow system. The access control service that is one part of security mechanism in workflow systems is focused on. Workflow Role-Based Access Control model (WfRBAC) is presented to satisfy for static features and dynamic features of workflow system. User, role, task, object, privilege, constraint are involves in WfRBAC and constraint includes static constraint and dynamic constraint.Managing number of roles effectively is a formidable task in RBAC. The organization structure is adopted in workflow systems for better role hierarchy management, because organization structure is a tree structure and indirect supervise relation of organization units is a strict partial order. The concept of task is introduced to WfRBAC to extend dynamic characteristics of RBAC. Task represents a unit of work in the workflow; the workflow is regarded as a series of tasks. In WfRBAC, permissions to access exogenous data and historical data adopt static authorization. Administrative role which takes charge of user's management, user-role administration, role-permission administration etc. also adopts static authorization. Static authorization relates to static constraint. Dynamic authorization associate with task. A user involves in a task, then the user automatically acquired the privilege of the task's resources; the task is completed, then the user doesn't possess the privilege. Dynamic authorization relates to dynamic constraint. Permissions to access current data adopt dynamic authorization. Concepts of conflicting permissions, conflicting tasks, and conflicting roles are proposed to describe the separation of duty. A formal description and an analysis of WfRBAC are given.Workflow management system based on web which adopts WfRBAC has applied in Central-China Electric Power Dispatching and Communication Center successfully which testifies that WfRBAC can satisfy workflow access control requirement.