Research On Technology Of Access Control Under Workflow

Workflow management technology is the core technology of achieving enterprise business process modeling, analyzing and simulating of enterprise business process, business process automatization. Nowadays, workflow management has been widely used in Electronic Business, Electronic Government and Enterprise informatization. A workflow separates the various activities of a given business process into a set of well-defined tasks. These tasks should be carried out by legitimate users or programs on behalf of these users according to organization's management policies. Among these management policies, security policies areimportant ones for ensuring the organization's security objectives. They are could be implemented by various security models and mechanisms. Access control is such a security mechanism. It can control the legal users to sensitive resources effectively and ensure users to access relative resource. It provides availability, integrity and confidentiality services for information systems. Access control has attracts many interests from both academia and industry.Access control is essential in supporting secure workflow. The distributed, heterogeneousand dynamic characteristics of workflow bring many new challenges to the access control technology. Besides the basic demands of information security, access control under workflow environment had to fulfill fine granularity authorized, context-aware authorized, dynamic authorized, the least privilege and separate of duty special requires. In theory, workflow access control is used to formally describe the system elements, prove the system security and precisely express the security policy etc. In practice, workflow access control can directly improve the utility, feasibility and security of workflow management system. Therefore, it is extremely important to research the access control technology under workflow not only for theory but also in practice.On the basis of analyzing the requirement of workflow access control and existing work, this thesis studies the workflow access control model, delegate authorization, visual description and the technology of Service-Oriented workflow access control. The main work focuses on the following points: (1) The related research works are reviewed. Through consulting a lot of correlative researches, we review the current researches on the access control and workflow access control model, authorization constraints, delegation authorization and visual describe.(2) The access control model and authorization constraints problem is studied according to the characteristics of workflow access control. A Task-Oriented access control model for workflow is put forward, in which the idea of authorized task in order to separate the relation between roles and permissions. An authorization task is introduced to make the executive roles in no relation to authority, where the authority and the role are both the attributes of task authorization. Besides meet the access control's requirements of dynamic authorization, authority least approved and separation of responsibility from duty, in the proposed model the separation of authority from executive role cancels the coupling of organizational model with workflow model. By analyzing the authorization constraints of workflow, three types of authorization constraints are identified: permission constraints, task constraints, and constraint transfer, then the authorization constraint rule sets which verify the reasonability of authorization upon them were constructed. The verification algorithm of Workflow Authorization Reasonability (WAR) is presented. Finally, an example of process is provided to verify the feasibility of the WAR method.(3) The delegation in the context of workflow systems is studied. In the context of workflow systems, delegation amounts to transfer of duties for executing a task within a workflow. One reason workflow systems have been criticized as being inflexible is that they lack support for delegation. According to the characteristics of workflow systems, the characteristics of delegation authorization in workflow system are analyzed, and a delegation mechanism that supports non-monotonic, multi-step and bilateral agreement is presented. Its implementation is independence of the existing workflow authorization models. To supporting the delegation and revocation of execute task privileges, several definitions for delegation condition, delegation relation, delegation constraint, delegation acceptance and revocation rules are provided, and an algorithm is given for delegation execution. Finally, implementation architecture for this mechanism is described.(4) To provide an intuitive and precise description for workflow access control, the problem of visual description is studied. Using graph and graph transformation that provide a formal basis for proving the semantic correctness an access control model for workflow systems is developed based on graph and graph transformation. A formal description of the model and describe the algorithms to implement the model are given. In this model a type graph is specified to represents the type information of elements in the graph transformation for workflow access control, a set of rules with variable are build to express the transformation of system authorization states and a series of positive and negative constraints are set up to depict wanted and unwanted framework in authorization graph. The verification algorithm of constraints consistency is given. Using termination which a formal properties of graph transformation we discussed the reachable of workflow authorization. Finally, an application demonstration is provided to verify the feasibility of the model.(5) Adopted Service-Oriented principles, the access control for Service-Oriented workflow system is studied. An attribute and role based access control model for Service-Oriented workflow is presented. The model is provided the foundation by the Task-Oriented access control model for workflow. In the model, service is the abstraction of a task and the unit for applying access control. Therefore, access control of tasks is replaced with access control on services. Substituting invoking methods of services for privileges, attributes of subjects and objects instead of identifies of subjects to build security policies in this model. Architecture is designed for access control for Service-Oriented workflow system. The interactions of services in running stage were described of this architecture. Adopted security services and policy-driven security approaches, this architecture can decouple security logic from applications and guarantee interoperability and manageability of systems.(6) Based on the above study results, an access control for workflow system in the PDM is established. The system is analysed and designed, including system use case, class and architecture. Finally, the system is developed and implemented.