Authorization model in workflow management system

Abstract

Authorization model is the foundation of every access control mechanism, which defines relationship between users and permissions. Nowadays, there are existing models designed for authorization, but most of them either inflexible or static in nature, which means they never consider any dynamic determinant. So, in a workflow environment, these kinds of authorization models fail to meet the collaborative and dynamic needs. In a collaborative environment (e.g. a workflow), different kinds of participants (e.g. clerks and managers) work together to achieve an overall business goal. However, before the ultimate target can be met, the participants would need to go through all constituent tasks of the workflow. Since tasks dependencies may be defined, so, before any user can be authorized by the system, the system must need to ensure all the task dependencies are conflict-free (e.g. no deadlock), otherwise it is non-sense to authorize an user to a workflow that will end up with deadlock situation. Furthermore, due to the amount and kind of users involved in a workflow are large, so scalability and flexibility are two of the crucial concerns. However, very few authorization models have considered all these collaborative needs. Also, most of the existing authorization models are not dynamic. That means they only provide access control based on the permission setting defined in the build time, but never consider any dynamic determinants (e.g. task dependencies) in the run time. To maintain the least privilege rule, active security approach is required, which means permissions will neither be granted “too early” nor revoked “too late” by synchronizing users access right with task dependencies dynamically. So, the aim of this project is to design and implement a dynamic authorization framework for workflow environment. Furthermore, in order to help administrator to define a conflict-free workflow environment for authorization, a workflow intelligent engine is developed. At the end, graphs will be used to compare the number of steps saving in defining different task dependencies (1-to-1, 1-to-many, many-to-1 and many-to-many) with and without the use of the workflow intelligent engine. It is found that the intelligent engine can achieve towards 100% step saving in defining tasks dependencies.