基于角色的工作流授权约束规格说明

摘要/Abstract

摘要： 在工作流管理系统中，数据在工作流任务中流动，执行任务的用户在变化，用户的权限也在变化，现有的授权方法不能很好地描述上述这种职责分离的状态。为此，提出了一个工作流授权约束模型。该模型在工作流应用语境中定义了角色层次函数、任务偏序关系和互斥任务，在此基础上给出了一个基于角色的工作流授权约束语言，它可以准确描述工作流系统的职责分离要求，表达静态、动态授权约束和授权的历史信息，同时，所得到的约束规则集规模相对较小，保证了一致性验证在时间和空间上的可行性。

关键词: 工作流, 工作流管理系统, 角色, 授权约束

Abstract: The existing approaches of authorization constraints cannot describe the separation of duties well in the workflow management systems under which with the data movement from one task to next, and the change of task executors and users access control at any moment. To solve this problem, a model of workflow authorization constraints was proposed. The role level function, the task partial relationship and the conflicting tasks in the context of workflow application were defined in the model. Based on the model, a language named role-task-based Workflow Authorization Language (WAL) was put forward to specify the workflow authorization constraints. The requests on the separation of duties in the workflow system could be correctly described by WAL. Static and authorized historical information could also be expressed. Meanwhile, the size of rules set obtained was relatively smaller. Finally the feasibility of the consistency validation in the time and the space was verified.

Key words: workflow, workflow management systems, role, authorization constraints

中图分类号:

TP311

于万钧,,, 刘大有,, 刘全,, 李嘉菲,. 基于角色的工作流授权约束规格说明[J]. .

YU Wan-jun,,, LIU Da-you,, LIU Quan,, LI Jia-fei,. Specification of role-based authorization constraints in workflow management systems[J]. .

参考文献

［1］ ELISA B, ELENA F, ATLURI V. A flexible model supporting the specification and enforcement of role-based authorizations in workflow management systems［A］. Proceedings of the Second ACM Workshop on Role-Based Access Control\[C\]. New York, NY, USA: ACM Press, 1997. 1-12.

[2] SANDHU R. Separation of duties in computerized information systems. Database Security IV: Status and Prospects. Holland, 1991.179-189.

[3] SANDHU R, COYNE E J, FEINSTEIN H L, et al. Role-based access control models［J］. IEEE Computer,1996, 29(2): 38-47.

[4] JONSCHER D, MOFFET J, DITTRICH K. Complex subjects or the striving for complexity is ruling our world\[A\]. Database Security VⅡ: Status and Prospects\[C\]. Amsterdam, Holland: Elsevier North-Holland, Inc., 1994.19-37.

[5] NYANCHAMA M, OSBORN S. Role-based security, object oriented databases and separation of duty［J］. SIGMOD Record,1993,22(4):45-51.

[6] AHN G J, SANDHU R. Role-based authorization constraints specification［J］. ACM Transactions on Information and System Security,2000,3(4):207-226.

[7] ATLURI V, HUANG W K. An uthorization model for workflows［A］. Proceedings of the 5th European Symposium on Research in Computer Security, Lecture Notes in Computer Science［C］.London,U.K.: Springer-Verlag, 1996. 44-64.

[8] HUANG W K, ATlURI V. Secureflow: a secure Web-enabled workflow management systems［A］. Proceedings of the 4th ACM Workshop on Role-Based Access Control［C］.New York, NY, USA: ACM Press, 1999. 83-94.

[9] ELISA B, ELENA F. The specification and enforcement of authorization constraints in workflow management systems［J］. ACM Transaction on Information and System Security,1999,2(1):65-104.

[10]WU Shengli, SHETH A, LUO Zongwei. Authorization and access control of application data in workflow systems［J］. Journal of Intelligent Information Systems, 2002,18(1): 71-94.

[1]	唐玄昭,余阳,吴荆璞,潘茂林. 基于区块链的业务流程互操作服务框架[J]. 计算机集成制造系统, 2021, 27(9): 2508-2516.
[2]	文一凭,王志斌,刘建勋,许小龙,康国胜. 云际协作环境下能耗与成本感知的工作流调度方法[J]. 计算机集成制造系统, 2021, 27(9): 2583-2591.
[3]	袁友伟,黄锡恺,俞东进,李忠金. 移动边缘计算环境下服务工作流容错调度算法[J]. 计算机集成制造系统, 2021, 27(6): 1693-1702.
[4]	李万清,刘辉,李忠金,袁友伟. 移动边缘计算环境下面向安全和能耗感知的服务工作流调度方法[J]. 计算机集成制造系统, 2020, 26(7): 1831-1842.
[5]	林国丹,黄钦开,余阳,潘茂林. Activiti引擎的无状态云工作流调度算法[J]. 计算机集成制造系统, 2020, 26(6): 1456-1464.
[6]	肖宗水,潘凤薇,张宝晨,钱进,孔兰菊. 基于专业能力评价模型的业务流程角色协同调优算法[J]. 计算机集成制造系统, 2020, 26(6): 1465-1472.
[7]	文一凭,王志斌,刘建勋,许小龙,陈爱民,曹步清. 混合云环境下成本与隐私感知的工作流调度方法[J]. 计算机集成制造系统, 2020, 26(6): 1582-1588.
[8]	齐平,王福成,徐佳,李学俊. 移动边缘计算环境下基于信任模型的可靠多重计算卸载策略[J]. 计算机集成制造系统, 2020, 26(6): 1616-1627.
[9]	姚艳,曹健. 一种成本有效的面向超参数优化的工作流执行优化方法[J]. 计算机集成制造系统, 2020, 26(6): 1628-1635.
[10]	孙晋永,闻立杰,匡增雄,李涛,张展. 基于数据生成—消耗依赖的语义工作流并行化重构方法[J]. 计算机集成制造系统, 2020, 26(6): 1636-1650.
[11]	袁友伟,刘恒初,俞东进,李忠金. 面向边缘侧卸载优化的工作流动态关键路径调度算法[J]. 计算机集成制造系统, 2019, 25(第4): 798-808.
[12]	魏懿,曹健. 基于机器学习的流程异常预测方法[J]. 计算机集成制造系统, 2019, 25(第4): 864-872.
[13]	文一凭,刘建勋,窦万春,陈爱民,周昱昊. 云工作流环境下隐私感知的多租户访问控制模型[J]. 计算机集成制造系统, 2019, 25(第4): 894-900.
[14]	林兵,项滔,陈国龙,陈星. 混合云环境下面向时延优化的科学工作流数据布局策略[J]. 计算机集成制造系统, 2019, 25(第4): 909-919.
[15]	徐佳,李学俊,丁瑞苗,刘晓. 移动边缘计算中能耗优化的多重资源计算卸载策略[J]. 计算机集成制造系统, 2019, 25(第4): 954-961.