A model for the enforcement of history-based separation of duty in heterogeneous workflow environments


Bibliographic Details
Main Author: Papenfus, Carl
Format: Others
Language: English
Published: Port Elizabeth Technikon 2001
Online Access: http://hdl.handle.net/10948/69
Description
Summary: The current business world is becoming more and more dependent on electronic business. Many paper documents have been made obsolete by electronic documents, as they are easier to automate and track than paper documents. The increased use of computers within organizations has therefore led to an increase in use of workflow software products. The increased use of computer-based workflow has allowed organizations to conduct more types of electronic business. This has led to electronic business crossing organizational boundaries and subsequently a need for heterogeneous workflow systems. For organizations to use heterogeneous workflow systems they must perform their duties in a seamless and secure manner. It is the author’s belief that History-based Separation of Duty principles can be used to formulate access control strategies that reflect the dynamic nature of heterogeneous workflow systems. History-based Separation of Duties relies on the workflow history of a workflow object to determine the access permissions of a particular user to that workflow object. The required workflow history data must be stored in an easily accessible manner. Although this can be achieved through a centralized approach, it is difficult to achieve in a heterogeneous workflow environment where many unrelated workflow systems are interacting across various computer platforms. The model proposed by this dissertation suggests that the workflow history data of a workflow object travels with it in the form of an electronic document, from one heterogeneous workflow environment to another, as a type of “workflow baggage”. In order for this workflow baggage to be easily accessible to all workflow systems in the heterogeneous workflow environment, it must be stored in a universal format, which is structured to allow it to be easily queried. The Extensible Markup Language (XML) is adopted as an appropriate format for representing workflow baggage.
The proposed model hinges on the expression of Separation of Duty requirements in a way that is removed from the application programs. A policy-driven approach is thus adopted. The implementation of the model involves the utilization of four steps: policy expression, baggage evaluation, document processing and baggage collection. The policy expression step is responsible for developing the Separation of Duty constraints to be enforced within the workflow system. During the baggage evaluation step the baggage of the workflow object is evaluated according to the constraints of the Separation of Duty policy. Only users who do not violate any of the Separation of Duty constraints are allowed to process the workflow object. After the workflow object has been processed the information regarding the processing is recorded in the baggage collection step. The proposed model enables heterogeneous workflow systems to share access control information in a flexible and portable way.