Secure Role-Based Workflow Models [chapter]

Savith Kandala, Ravi Sandhu
2002 Database and Application Security XV  
In this paper we introduce a series of reference models for Secure Role-Based Workflow systems. We build our models over the well-known RBAC96 framework. The RBAC96 model supports the notion of abstract permissions. The nature of permissions is highly dependent upon the implementation details of the system, so we interpret the permissions for a Workflow system in terms of its components, such as tasks, instances of the tasks, and operations on them like execute, commit, abort, etc. With this interpretation, we show that most of the components of RBAC96 still remain intact. The only components that change are the nature of permissions and their assignment to roles. The models are developed using the recently introduced four-layer OM-AM framework (comprising objective, model, architecture and mechanism layers). In this paper, we focus on the top two layers of OM-AM. We systematically describe our security objectives and construct our models to address these objectives. We also formally describe the models in terms of their components and their interactions. The main purpose for proposing these models is to articulate requirements for building Secure Role-Based Workflow Systems.

within the organization. Users in turn are assigned appropriate roles based on their qualifications and responsibilities [2]. RBAC96 [7] is a general model for role-based access control (RBAC). It treats permissions as un-interpreted symbols. The nature of permissions in the RBAC96 model is highly dependent upon the implementation details of a system and the general kind of system that it is. For example, an operating system protects files, directories, devices, ports, etc., with operations such as read, write, execute, etc.; a relational database management system, on the other hand, protects relations, tuples, attributes, views, etc., with operations such as SELECT, UPDATE, DELETE, INSERT, etc. More generally, RBAC96 allows for abstract permissions specific to applications, such as CREDIT and DEBIT in an accounting application. The nature of permissions in a WFMS can also be interpreted similarly, as a WFMS should control access to the tasks and instances of these tasks in the system with operations such as execute, commit, abort, etc.

Preliminary ideas for Secure Role-Based Workflow models were presented in Transaction Control Expressions (TCEs) [6]. The TCE model is very natural and intuitive, and in fact reflects the world of forms and books in a Computer-Based System. However, TCEs were proposed much before RBAC96 was conceptualized and as such do not have all the components and specifications of RBAC96. The Task-Based Authorization Control (TBAC) [12] model was introduced to provide the notion of just-in-time permissions. It enables the granting, usage tracking and revoking of permissions to be automated and coordinated with the progression of various tasks. From a conceptual standpoint, TBAC focuses on the processing states and life cycle of authorizations and therefore cannot be directly compared to RBAC96. Bertino, Ferrari and Atluri (BFA) [2] have recently proposed a model for specifying and enforcing authorization constraints for WFMS. The model emphasizes constraint specification and enforcement and as such does not encompass all the concepts of RBAC96.

The main contribution of this paper is that it shows that, by aptly defining the nature of permissions, RBAC96 can be extended to model Secure Role-Based Workflows. A consequential contribution is that it shows the OM-AM framework is a useful tool for modeling secure systems. The main purpose for proposing these models is to articulate the requirements for building secure role-based workflow systems. The rest of the paper is organized as follows. Section 2 of the paper briefly describes the OM-AM framework, which was used to construct our Secure Role-Based Workflow models. Section 3 of the paper describes the RBAC96 model. Section 4 of the paper introduces our first model for Secure Role-Based Workflows with very simple security objectives. Section 5, Section 6, Section 7 introduce the models for Secure Role-Based Workflows
doi:10.1007/978-0-387-35587-0_4 fatcat:ekfwoqtjhvbdzjneefjjm6sbq4