• Article •

Delegation authorization mechanism for workflow system

WEI Yong-he, WANG Cheng-en, MA Ming-xu

  1. School of Mechanical Engineering & Automation, Northeastern University, Shenyang 110004, China; 2. School of Mechanical Engineering, Shenyang Ligong University, Shenyang 110168, China; 3. Ministry of Education Key Lab for Process Industry Automation, Northeastern University, Shenyang 110004, China
  • Online: 2009-01-15 Published: 2009-01-25

Abstract: Most existing studies on delegation in workflow systems added delegation and revocation functions to an existing authorization model, without discussing the delegation and revocation mechanism in detail. By analyzing the characteristics of delegation authorization in workflow systems, a user-to-user delegation authorization mechanism supporting non-monotonic, multi-step delegation with bilateral agreement (a confirmation protocol) was presented. The complete delegation process, consisting of delegation relationship definition, assertion, execution and revocation, was then described in detail. Formal definitions were provided for delegation condition, delegation relationship, delegation chain and delegation constraint, as well as for the delegation acceptance and revocation rules, and a delegation execution algorithm was put forward. Finally, an implementation architecture for this mechanism was given, and the interfaces among its modules and with the existing workflow system were described. This delegation mechanism can realize delegation and revocation between users independently of the workflow authorization model.

Key words: workflow, delegation, authorization, access control, models

CLC number: