Specification and Enforcement of Authorization Constraints in Workflow Management Systems
Preliminaries
  - Specification: workflow, constraint base
  - Enforcement: static analysis, pruning, planning, runtime algorithms
  - System architecture
Workflow Role Specification
  A workflow role specification W is a list of task role specifications [TS_1, ..., TS_n], where
    TS_i = (T_i, (RS_i, >_i), act_i)
    T_i   : task
    RS_i  : set of roles authorized to execute T_i
    >_i   : local role order relationship
    act_i : number of possible activations of T_i
  W thus associates roles with tasks.
Constraint Base (CB)
  Constraint specification language:
    Constants: user, role, task, set of constraints
    Variables: V_U, V_R, V_T, V_C, V_IN
    Predicate symbols: specification, execution, planning, comparison, aggregate
    Constraint rules
CB Consistency
  - A CB is consistent iff its constraints are satisfiable, i.e. no PANIC
  - must_execute_u(John, T1) and cannot_do_u(John, T1) must not both hold
  - must_execute_r(Manager, T1) and cannot_do_r(Manager, T1) must not both hold
Constraint Specification Language
  - Specification predicates
  - Execution predicates
  - Planning predicates
  - Aggregate predicates
  - Rules
Specification Predicates
  role(R, T)     : task T can be performed by role R
  user(u, T)     : user u has a role that can perform T
  belong(u, R)   : user u belongs to role R
  glb(R_i, T_j)  : R_i is the greatest lower bound of RS_j
  lub(R_i, T_j)  : R_i is the least upper bound of RS_j
  >              : global order; R_1 > R_2 means R_1 dominates R_2
  >_k            : local order for T_k; R_1 >_k R_2 means R_1 dominates R_2 within T_k
Execution Predicates
  execute_u(u, T, k) : the k-th activation of T is executed by user u
  execute_r(R, T, k) : the k-th activation of T is executed by role R
  abort(T, k)        : the k-th activation of T is aborted
  success(T, k)      : the k-th activation of T is executed successfully
Planning Predicates
  cannot_do_u(u, T)     : user u cannot do task T
  cannot_do_r(R, T)     : role R cannot do task T
  must_execute_u(u, T)  : user u must execute task T
  must_execute_r(R, T)  : role R must execute task T
  statically_checked(C) : constraint C can be checked without execution
  panic                 : true if some constraint is not satisfied
Aggregate Predicates
  count, avg, min, max, sum
Constraints
  - Constraints on: roles, user assignments
  - Types of constraints: static, dynamic, hybrid
  - Examples: least privilege, separation of duty, time constraints, resource constraints, event constraints
Constraint Rules
  - Explicit assignment (specification and execution predicates)
  - Static checking (statically_checked(C) predicate)
  - Integrity (panic predicate)
  - Static (planning / specification predicates)
  - Dynamic (planning / specification / execution predicates)
Example Workflow Role Specification
  W = [ (T1, ({Refund Clerk}, {}), 1),
        (T2, ({Refund Manager, General Manager}, {}), 2),
        (T3, ({Refund Manager, General Manager}, {}), 1),
        (T4, ({Refund Clerk}, {}), 1) ]
Constraints:
  C1: At least 3 roles must be associated with the workflow.
  C2: Task T2 must be executed by a role dominating the roles that execute tasks T1 and T4, unless T1, T2, and T4 are all executed by the role General Manager.
  C3: If a user belongs to role Refund Clerk and has performed task T1, then he cannot perform T4.
  C4: If a user has performed task T2, then he cannot perform task T3.
  C5: Each activation of task T2 must be executed by a different user.
  C6: If more than four activations of task T1 within the same workflow, executed by one single individual, abort, then the same person cannot execute task T1 anymore.
  C7: If Bob executes task T2, then he cannot execute task T4.
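As an added worked example (not from the paper or these slides), the dynamic constraints C3, C4, C5 and C7 of this workflow checked at runtime over a constructed execution history. The predicates follow the slides (belong, execute_u); the role memberships of Alice, Bob and Carol are assumed for the example.

```python
# Added example, not the paper's code: runtime checking of the dynamic
# constraints C3, C4, C5 and C7 of the refund workflow against an execution
# history. Predicates follow the slides: belong(u, R), execute_u(u, T, k).
# Role membership for Alice, Bob and Carol is constructed for the example.
BELONG = {"Alice": {"Refund Clerk"}, "Bob": {"Refund Manager"},
          "Carol": {"General Manager"}}
W = {"T1": {"Refund Clerk"}, "T2": {"Refund Manager", "General Manager"},
     "T3": {"Refund Manager", "General Manager"}, "T4": {"Refund Clerk"}}

def executed(history, user, task):
    """execute_u(user, task, k) holds for some activation k in the history."""
    return any(u == user and t == task for (u, t, _k) in history)

def violations(history, user, task, k):
    """Constraints that execute_u(user, task, k) would violate, given the
    activations already in history (a list of (user, task, k) triples)."""
    bad = []
    if not any(r in W[task] for r in BELONG.get(user, ())):
        bad.append("user(u,T)")   # no role of the user is authorized for task
    if task == "T4" and "Refund Clerk" in BELONG.get(user, ()) \
            and executed(history, user, "T1"):
        bad.append("C3")
    if task == "T3" and executed(history, user, "T2"):
        bad.append("C4")
    if task == "T2" and executed(history, user, "T2"):
        bad.append("C5")          # every activation of T2 needs a distinct user
    if task == "T4" and user == "Bob" and executed(history, "Bob", "T2"):
        bad.append("C7")
    return bad

def run(requests):
    """Task-termination check over a sequence of activation requests: a
    request is recorded only when it violates no constraint; returns the
    decision log as (user, task, k, violated) tuples."""
    history, log = [], []
    for (u, t, k) in requests:
        v = violations(history, u, t, k)
        if not v:
            history.append((u, t, k))
        log.append((u, t, k, v))
    return log
```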
Consistency Analysis and Planning
  Steps:
  1. Static analysis
     - If it fails, control goes back to the system security officer
     - Succeeds iff there is no PANIC and the static-only subset of the CB is consistent
  2. Pruning
     - Eliminate redundant rules
  3. Planning
     - Generate a schedule assigning roles and users to tasks
     - If no assignment is generated, an error report goes to the security officer
     - If the number of task activations exceeds the number stated in W, the planner is re-activated
  4. Runtime phase
     - Executed upon each task activation and termination
Static Analysis Phase
  Input:  workflow W, CB(W)
  Output: False if the static part of CB(W) is inconsistent; otherwise
          Denied_Roles(T_i), Obliged_Roles(T_i), Denied_Users(T_i), Obliged_Users(T_i),
          and a model of the static part of CB(W)
Pruning Phase
  Modify the workflow specification according to the result of the static analysis phase, to eliminate redundancy and increase efficiency.
  Example:
    - If Obliged_Roles(T_i) is a non-empty set, all the roles in the set are removed from the specification.
    - If Obliged_Roles(T_i) is empty, all the roles in Denied_Roles(T_i) are pruned from the set of roles that can be assigned to the task.
Planning Phase
  Generates the set of possible assignments of roles and users to tasks, while satisfying all the constraints.
  Two subphases:
  1. Role planning
  2. User planning
  Role Planning
    - Assumption: all activations of a task must be executed by the same role
    - Uses the CB as a hypothetical reasoner
    - Generates the Role Assignment Graph (RAG)
    - Candidate role assignments are built incrementally by recursively calling the role-assignment procedure
    - Each path contains one and only one node for each task
  User Planning
    - Similar strategies as role planning
    - Not always efficient because of the number of users
    - Heuristics are needed to reduce the search space
    - Produces URAG(W)
Runtime Phase (1)
  Two subphases:
  1. Task activation phase
  2. Task termination phase
  - To verify and maintain consistency, URAG(W) is pruned after each task activation
  - The task termination phase is performed upon task execution
  - Dynamic SoD is ensured during task termination
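An added example, not the paper's own code, of the pruning and role-planning steps run on the refund workflow of the example: Denied_Roles found by static analysis are pruned from W, then the RAG is built recursively (one role per task on each path) and every complete path is filtered by C1 and C2. The global order General Manager > Refund Manager > Refund Clerk is an assumption; the slides do not state it.

```python
# Added example, not the paper's code: pruning plus role planning for the
# refund workflow of the slides. The global order General Manager >
# Refund Manager > Refund Clerk is assumed; the slides do not state it.
W = {"T1": {"Refund Clerk"}, "T2": {"Refund Manager", "General Manager"},
     "T3": {"Refund Manager", "General Manager"}, "T4": {"Refund Clerk"}}
RANK = {"Refund Clerk": 0, "Refund Manager": 1, "General Manager": 2}

def dominates(r1, r2):
    """Global order predicate: R1 > R2 holds when R1 dominates R2."""
    return RANK[r1] > RANK[r2]

def prune(spec, denied):
    """Pruning phase: remove Denied_Roles(T_i) found by static analysis
    from the set of roles that may be assigned to T_i."""
    return {t: rs - denied.get(t, set()) for t, rs in spec.items()}

def satisfies(assign):
    """C1 and C2 evaluated on a complete role assignment {task: role}."""
    gm = "General Manager"
    c1 = len(set(assign.values())) >= 3
    c2 = (all(dominates(assign["T2"], assign[t]) for t in ("T1", "T4"))
          or all(assign[t] == gm for t in ("T1", "T2", "T4")))
    return c1 and c2

def role_plan(spec, tasks=None, partial=None):
    """Role planning: extend the RAG one task per level by recursion and
    keep each complete path (one role per task) that satisfies the CB.
    All activations of a task share one role, as the slides assume."""
    tasks = sorted(spec) if tasks is None else tasks
    partial = {} if partial is None else partial
    if not tasks:
        return [dict(partial)] if satisfies(partial) else []
    plans = []
    for role in sorted(spec[tasks[0]]):
        partial[tasks[0]] = role
        plans.extend(role_plan(spec, tasks[1:], partial))
        del partial[tasks[0]]
    return plans

def plan_or_report(spec, denied):
    """Planning-phase outcome: the RAG paths, or an error for the security
    officer when no assignment exists."""
    plans = role_plan(prune(spec, denied))
    return plans if plans else "no role assignment found: report to security officer"
```

With no denied roles the planner finds exactly two paths, since C1 forces T2 and T3 onto different roles; denying General Manager on both T2 and T3 leaves no valid assignment.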
Time Constraints
  - Role based
  - Task time
  - User based
System Architecture