Towards an attribute-based authorization model with task-role-based access control for WfMS

Over the years, a majority of organizations and enterprises have been successfully performing various workflow management systems (WfMS) to manage their daily workflow. Security still is one of the key challenges for WfMS nowadays. Researchers proposed various secure authorization models for WfMS which mainly focus on the pre-authorization dealing with the outside unauthorized access. However, workflow is dynamic, in which the attributes of subjects or objects could be changed during or after the access process. The situation may lead to the changes of users´ access clearances, which may give rise to the insiders´ threats only through the pre-authorization without further checking. This paper proposes an attribute-based authorization model with task-role-based access control for WfMS that includes the ongoing-authorization (onA) and the pre-authorization (preA).In this model, special administrative access is performed by preA. The normal users´ access is dynamically authorized by onA, and the authorization is closely related to attributes of subjects and objects, separating the access from tasks, roles and users indirectly. According to the authorization mechanism, the model can assign access permissions to users dynamically, then decrease the insiders´ threats throughout the duration of accessing. We evaluated the model by a practical example and a proof-of-concept demonstration.