Study On Several Problems Of Workflow Security And Access Control

Posted on: 2009-06-26
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J Zhang
GTID: 1118360245963172
Subject: Computer software and theory
Abstract/Summary:
Workflow is the core technology for business process modelling, analysis, optimization, management and integration, and ultimately for business process automation. With deeper research on workflow and the fast development of network and distributed database technology, workflow technology is increasingly recognized as a method for effectively controlling and coordinating complex activities and integrating information. Workflow technology is now widely applied in manufacturing, finance, medical affairs, government management, and so on.

With the extensive application of workflow technology, its security problems are receiving more and more attention. On one hand, with the popularization of the Internet, traditional centralized applications have become distributed applications; on the other hand, as workflow technology is applied in important departments such as the military, police, finance and insurance, the requirements for data security are much higher. Therefore, research on workflow security is becoming more and more important. In the workflow security field, access control is an important means of guaranteeing system security. It protects information and resources through suitable management of access authority, which prevents users from accessing system information illegally. It must guarantee not only that unauthorized users cannot execute the corresponding tasks, but also that authorized users can carry out their authorized tasks. If the system's security authorization for these cooperating users is insufficient, it is inevitable that some people may carry out illegal operations by taking advantage of their duties.

Workflow security and access control technology has gradually become a research hotspot in the workflow field, and more and more universities and corporations have joined it. European and American countries currently lead this field. In China, the Institute of Software of the Chinese Academy of Sciences, Tsinghua University, Nanjing University, Jilin University and others are engaged in it.

Against the background of workflow security and access control technology, the thesis studies several key technologies of workflow security, including workflow dynamic constraints, access control, delegation and separation of duties. The main contributions and results of the thesis are as follows.

Firstly, research on workflow security and access control technology is surveyed. The thesis introduces the background and evolution of workflow security and access control, including the concept and reference model of workflow, the concepts and terms of access control, the evolution of research on access control models, the security problems of workflow, and the access control models suitable for workflow. It also discusses the current state and shortcomings of several key problems in the workflow security and access control field. This material is the basis for the further research in the thesis.

Secondly, the problem of workflow dynamic authorization constraints is studied. By comparing some representative workflow authorization constraint methods and analyzing their disadvantages, the thesis presents a variable-based conditional RBAC method built on a simple workflow model, SIMWF. The conditional RBAC method builds condition expressions from variables and predefines the authorized role sets for workflow activities under different conditions. At the workflow running stage, the condition expressions of the current task are evaluated and the authorized role sets of the task are obtained, thus realizing role-based dynamic authorization. The dynamic authorization procedure of this conditional RBAC method is very simple. It improves the efficiency of the workflow management system and lightens the load on the workflow engine, so it has good practicability.

Thirdly, the constraint problem of multiple roles and multiple users cooperatively activating the same task is studied. For this problem, the existing workflow access control models provide no effective scheme or algorithm. The thesis presents a weighted-role-based workflow access control model that can solve it. By adding a degree weight and an order weight to a role, a constraint model supporting cooperative activation of the same task by multiple roles is built and an order algorithm is given. By adding a level weight to a role, a weighted role synthesis method is given, which provides a feasible approach to the problem of multiple users with the same role cooperatively activating the same task.

Fourthly, the problem of workflow delegation is studied. By analyzing the disadvantages of the existing workflow delegation models, the thesis presents a weighted-role-based conditional delegation model suitable for workflow. Compared with some existing models, this model has the following characteristics. First, based on the idea of conditional RBAC, it provides conditional delegation through variable condition expressions. Second, a consistency check of delegation is provided in order to avoid hidden workflow security risks caused by blind delegation. Third, it supports partial delegation by adding a level weight to a role, which embodies the least privilege principle of access control. Fourth, by defining the time limit of a delegation, it supports temporal delegation. Fifth, based on the concept of a role delegation tree, it supports revocation operations. Based on the model, the thesis also provides delegation and revocation algorithms, which have good practicability.

Fifthly, the problem of separation of duties in workflow access control is studied. In workflow systems, data is transferred among the workflow tasks, and the users executing tasks and their privileges also change, so separation of duties is an important aspect of workflow access control. Analysis and comparison of the existing methods shows that the rule-based method can describe separation of duties constraints in the workflow context well. The Bertino language and the WAL language are two rule-based languages for expressing constraints. The Bertino language defines many predicates and functions, and constructs rules to express various constraints, including the separation of duties constraint. But the language is complex and the number of rules is large, so the efficiency of the rule consistency check is low. The WAL language simplifies and supplements the Bertino language to a certain degree. Its rule set is relatively small, which raises the efficiency of the rule consistency check to a certain extent. By analyzing the WAL language, the thesis improves it in two aspects. First, the rule consistency check conditions and the corresponding algorithm are improved. Second, a further consistency check on the obliged and denied roles or users is carried out, which may effectively avoid possible incompatibility problems.

Sixthly, drawing on a practical project, the thesis elaborates the workflow applications in an EAM system, including the organization model, the process definition service, the workflow enactment service, the worklist manager and the workflow monitor. Furthermore, some of the research results of this thesis are applied in this workflow subsystem.

The results of the thesis, especially those on workflow dynamic constraints, access control, delegation and separation of duties, are of both theoretical and practical value to further research in the workflow security field.
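
The dynamic authorization step of the conditional RBAC method summarized above can be sketched as follows. This is an added example, not code from the thesis: the policy layout, the task `approve_purchase`, the variable `amount`, the roles and the users are constructed assumptions, and the SIMWF model itself is not reproduced.

```python
import operator

# Comparison operators allowed in condition expressions (no eval of strings).
OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "==": operator.eq, "!=": operator.ne}

# Constructed policy (assumption): for each task, a list of
# (condition, authorized role set). A condition is a conjunction of
# (variable, operator, constant) atoms over workflow variables.
POLICY = {
    "approve_purchase": [
        ([("amount", "<", 10_000)], {"clerk", "manager"}),
        ([("amount", ">=", 10_000), ("amount", "<", 100_000)], {"manager"}),
        ([("amount", ">=", 100_000)], {"director"}),
    ],
}

# Constructed user-to-role assignment (assumption).
USER_ROLES = {"alice": {"clerk"}, "bob": {"manager"}, "carol": {"director"}}


def holds(condition, variables):
    """True only if every atom holds for the current workflow variables."""
    for name, op, const in condition:
        try:
            if not OPS[op](variables[name], const):
                return False
        except (KeyError, TypeError):
            # Missing variable, unknown operator or wrong type: fail closed.
            return False
    return True


def authorized_roles(task, variables):
    """Role sets predefined for the task whose condition currently holds.
    Unknown tasks and unmatched conditions yield the empty set (deny)."""
    roles = set()
    for condition, role_set in POLICY.get(task, []):
        if holds(condition, variables):
            roles |= role_set
    return roles


def may_execute(user, task, variables):
    """Runtime check made when the engine is about to assign the task."""
    return bool(USER_ROLES.get(user, set()) & authorized_roles(task, variables))
```

The engine only evaluates predefined condition expressions at run time, so the same task is open to different roles in different workflow instances without any change to the role assignments.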
Keywords/Search Tags: workflow, workflow technology, workflow reference model, workflow security, access control, workflow access control, role, role-based access control, constraint, dynamic constraint, conditional, weighted roles, delegation, consistency