A Role and Task-Based Workflow Dynamic Authorization Modeling and Enforcement Mechanism

Current workflow products can support more complex modeling of business processes, workflow engine mechanism is well researched, but the link between organizational elements and process activities is less well understood. In access control, most products can only support fixed role-based task assignment, not enough in considering more complex security policies, such as DSOD, task binding of duties, and temporal constraints, that important in dynamic workflow system. This paper examines workflow access control requirement in practice, analyzes WFMC workflow meta-model, and adopts the R&TBAC approach to separate role-based organization and task-based authorization-step modeling, and especially designs an agent-based dynamic policy enforcement mechanism to bridge the gap. The intelligent task assigning agent to be defined as a virtual participant in workflow process definition, and creating within workflow engine controlled available task instance, acts as to evaluate task dynamic authorization policy to provide eligible task participant role-set based on its information model. This paper gives a formal specification of the workflow authorization model, and designs the agent information model, assigning policy model, and function model in detail. The modeling approach can widely adapt to various existing workflow systems and can automatically change policy as enterprise organization or business process definition need changing.