AT is comprised of the static parameters of the authorization that can be defined during the design of the workflow. ATs are attached to tasks. A task may have more than one authorization template attached to it.
Example:
Consider for example a travel reimbursement processing workflow. This workflow consists of three tasks: preparing a claim (T1), approving the claim (T2), issuing a check (T3).
Consider once again the workflow in example 1. For the sake of simplicity, we haveomitted T4. Suppose the associated subjects for performing these processes are John, Mary, and
Ken, respectively. Now, instead of granting all the required privileges for every involved staff in
advance, they potential authorizations are specified by means of the authorization templates.
Appropriate authorizations to perform these tasks are not enforced until the tasks are actually
processed.
AT(T1) = (employee, (claim,--), prepare)
AT(T2) = (Supervisor,(claim,--),approve)
AT(T3) = (clerk, (check,--), issue)
John receives the authorization to prepare it. Assume he starts this at time 40. At this point, John is granted the authorization to prepare the claim. Suppose he finishes it and sends it to his supervisor at time 47.
The authorization template then generates the authorization (John, claim1, prepare, [40,47]), which means the authorization is revoked as soon as he finishes his task. When the claim (the instance is claim1) arrives to Mary at 47, an authorization to approve is given to Mary. However, John no longer holds the authorization on this instance of the claim any more. When Mary finishes the approval task, say at 82, her authorization is revoked, thus generating (Mary, claim1, approve, (47,82)). In this fashion, WAM synchronizes the authorization flow with the progression of the workflow.
Resource:
Security for Workflow Systems, Vijay Atluri, Rutgers University, 2002.
No comments:
Post a Comment