Specification and Enforcement of Authorization Constraints in Workflow Management Systems

1. Specification and Enforcement of Authorization Constraints in Workflow Management Systems

2. Preliminaries • Specification • Workflow, constraint base • Enforcement • Static analysis, pruning, planning, runtime • algorithms • System architecture

3. Workflow Role Specification, W, is a list of task role specifications [TSi.. TSn], where, • TSi : (Ti, (RSi, >i), acti) • Ti : task • RSi : set of roles authorized to execute Ti • >i : local role order relationship • acti : number of possible activations of Ti • association of roles with tasks

4. Constraint base (CB) • constraints specification language • Constants: user, role, task, set of constraints • Variables: VU, VR, VT, VC, VIN • Predicate symbols : Specification, Execution, Planning, Comparison, Aggregate • Constraint rules

5. CB Consistency • Consistent IFF constraints are satisfiable • No PANIC predicate • must_execute_u (John, T1) and cannot_do_u (John, T1) should not exist • must_execute_r (Manager, T1) and cannot_do_r (Manager, T1) should not exist

6. Constraint Specification Language • Specification Predicates • Execution Predicates • Planning Predicates • Aggregate Predicates • Constraint Specification Language Rules

7. Specification Predicates • role (R,T) : task can be performed by role • user (u, T) : user has a role that can perform T • belong (u, R) : user belongs to role R • glb (Ri, Tj) : Ri is greatest lower bound of RSj • lub (Ri,Tj) : Ri is least upper bound of RSj • > : global order, R1 > R2: R1 dominates R2 • >k : local order for Tk, R1 >k R2: R1 dominates R2

8. Execution predicates • executeu(u, T, k) : k-th. activation of T is executed by u • executer(R, T, k) : k-th. activation of T is executed by R • abort (T, k) : k-th. activation of T is aborted • success (T, k) : k-th. activation of T is executed successfully • Planning predicates • cannot_dou (u, T): user cannot do task • cannot_dor (R, T): role cannot do task • must_executeu (u, T) : user must execute task • must_executer(r, T) : role must execute task • statically_checked (C): can be checked without execution • panic : if true, there is constraint that is not satisfied

9. Aggregate predicates • count • avg • min • max • sum • Constraints on: Roles, User assignments • Types of constraints: Static, Dynamic, Hybrid • Constraints Examples: • Least privilege, Separation of duty, Time constraints, Resource constraints, Event constraints

10. Constraint Rules • Explicit assignment (specification & execution predicates) • Static checking (statically_checked(C) predicate) • Integrity (panic predicate) • Static (planning / specification predicate) • Dynamic (planning/ specification/ execution predicate)

11. Example • Workflow Role Specification, W = [(T1, ({Refund Clerk}, {}), 1), (T2, ({Refund Manager, General Manager}, {}), 2), (T3, ({Refund Manager, General Manager}, {}), 1), (T4, ({Refund Clerk}, {}), 1)]

12. C1: At least 3 roles must be associated with workflow. • C2: Task T2 must be executed by a role dominating the roles that execute tasks T1 and T4, unless T1, T2, and T4 are executed by the role General Manager. • C3: If a user belongs to role Refund Clerk and has performed task T1, then he cannot perform T4 • C4: If a user has performed task T2, then he cannot perform task T3. • C5: Each activation of task T2 must be executed by a different user. • C6: If more than four activations of task T1, within the same workflow, executed by one single individual abort, then the same person cannot execute task T1 anymore. • C7: If Bob executes task T2, then he cannot execute task T4.

13. Consistency analysis and planning • Steps • Static analysis • If fails, back to system security officer • Success iff not PANIC and only static subset is consistent • Pruning • Eliminate redundant rules • Planning • Schedule generation of roles and users with tasks • If no assignment is generated, error report to security officer • If number of task activations exceed number stated in WF, planner is re-activated • Runtime Phase • Executed upon each task activation and termination

14. Static Analysis Phase • Input • workflow, W • CB(W) • Output • False, if static CB(W) inconsistent • Denied_Roles(Ti), Obliged_Roles(Ti), Denied_Users(Ti), Obliged_Users(Ti), • Model of static part of CB(W)

15. Pruning Phase • Modify workflow specification according to result from static analysis phase, to eliminate redundancy and increase efficiency • Example • if Obliged_Roles is non empty set, all the roles in the set is removed from specification. • if Obliged_Roles is empty set, all the roles in the Denied_Roles set is pruned from the set of roles that can be assigned to the task

16. Planning Phase • Generates set of possible assignments of roles and users to tasks, while satisfying all the constraints • Two subphases • Role planning • User planning • Role Planning • Assumption: all activations of a task must be executed by the same role. • Use of CB as hypothetical reasoner • Generation of Role Assignment Graph (RAG)

17. Candidate role assignments are built incrementally by recursively calling the role-assignment procedure • Each path can contain one and only one node for each task • User Planning • Similar strategies as role planning • Not always efficient due to number of users • Need for heuristics to reduce search space • URAG(W) is produced

18. Runtime Phase (1) • Two subphases • Task activation phase • Task termination phase • To verify and maintain consistency, URAG(W) is pruned after each task activation • Task termination phase is performed upon task execution • Dynamic SoD is ensured during task termination

19. Time constraints • Roles based • Task time • User based

20. System architecture