The paper is by Vijay Atluri of Rutgers University and was published in 2002.
The paper starts by defining what a workflow is and what workflow systems are.
It then explains the security requirements for a workflow and defines them in BPM terminology.
The paper then explains in detail what the author considers the most important security requirements with respect to BPM. It first covers authorization and access control, then separation of duties; authentication and anonymity are the last two security requirements discussed, together with how each can be integrated into a BPM.
The paper notes that most commercial workflow systems provide only minimal security features, such as user authentication, and that any further security requirements have to be implemented in an ad-hoc manner through a script-type language. Such ad-hoc implementation makes the specification, analysis and maintenance of security policies more difficult.
The treatment of authorization surveyed in the paper emphasizes the need to synchronize the authorization flow with the workflow (a permission should exist only while the task that needs it is active), but it lacks several features: assigning different roles to tasks based on the outcome of the prior task, granting different permissions to roles based on the outcome of a task, the capability to specify different authorizations for different instances of the same workflow, the ability to specify authorizations based on context and on the responsibilities to be performed by individuals, and delegating responsibilities to other users and roles.
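To make the requirements above concrete (authorization synchronized with task execution, outcome-dependent role assignment, per-instance authorizations, separation of duties, and delegation), here is a small workflow authorization engine. It is an added illustration written for this summary, not code from Atluri's paper; the users, roles, tasks and the claim-processing workflow are constructed assumptions, and the policy logic is a plain role check rather than the paper's formal model.

```python
"""Tiny workflow engine (illustrative, not from the paper): a permission exists only
while its task is active, the required role is derived from instance data and prior
outcomes, separation of duties is enforced per instance, and tasks can be delegated."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Constructed sample user-to-role assignment (hypothetical users and roles).
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"clerk"},
    "bob": {"clerk", "supervisor"},
    "carol": {"manager"},
    "dave": {"finance"},
}


@dataclass
class TaskSpec:
    name: str
    # Role required to run this task, computed from instance data and the outcomes
    # of earlier tasks, so it can differ between instances of the same workflow.
    role_for: Callable[[dict, Dict[str, str]], str]
    permission: str                  # permission granted only while the task is active
    sod_with: Optional[str] = None   # executor must differ from this earlier task's executor


@dataclass
class Instance:
    instance_id: str
    data: dict
    step: int = 0
    executors: Dict[str, str] = field(default_factory=dict)    # task -> user who ran it
    outcomes: Dict[str, str] = field(default_factory=dict)     # task -> outcome
    delegations: Dict[str, str] = field(default_factory=dict)  # task -> delegated user


class AuthorizationError(Exception):
    pass


class Workflow:
    def __init__(self, tasks: List[TaskSpec]):
        self.tasks = tasks

    def active_task(self, inst: Instance) -> Optional[TaskSpec]:
        return self.tasks[inst.step] if inst.step < len(self.tasks) else None

    def check(self, inst: Instance, user: str, task_name: str, permission: str) -> bool:
        """True only if `user` holds `permission` for `task_name` on this instance right
        now: the grant appears when the task becomes active and vanishes when it ends."""
        task = self.active_task(inst)
        if task is None or task.name != task_name or task.permission != permission:
            return False
        required_role = task.role_for(inst.data, inst.outcomes)
        has_role = required_role in USER_ROLES.get(user, set())
        delegated = inst.delegations.get(task_name) == user
        if not (has_role or delegated):
            return False
        # Separation of duties is checked after delegation, so a delegatee cannot
        # use delegation to approve work they prepared themselves.
        if task.sod_with and inst.executors.get(task.sod_with) == user:
            return False
        return True

    def delegate(self, inst: Instance, delegator: str, task_name: str, delegatee: str) -> None:
        """Only a user currently authorized for the active task may hand it on, and
        only for this instance."""
        task = self.active_task(inst)
        if task is None or task.name != task_name or \
                not self.check(inst, delegator, task_name, task.permission):
            raise AuthorizationError(f"{delegator} cannot delegate {task_name}")
        inst.delegations[task_name] = delegatee

    def execute(self, inst: Instance, user: str, task_name: str, outcome: str) -> None:
        task = self.active_task(inst)
        if task is None or not self.check(inst, user, task_name, task.permission):
            raise AuthorizationError(f"{user} is not authorized for {task_name} on {inst.instance_id}")
        inst.executors[task_name] = user
        inst.outcomes[task_name] = outcome
        inst.step += 1
        if outcome == "rejected":          # a rejected claim ends the instance
            inst.step = len(self.tasks)


def approver_role(data: dict, outcomes: Dict[str, str]) -> str:
    # Outcome- and data-dependent role assignment: big or flagged claims need a manager.
    if data["amount"] > 1000 or outcomes.get("prepare_claim") == "flagged":
        return "manager"
    return "supervisor"


CLAIM_WORKFLOW = Workflow([
    TaskSpec("prepare_claim", lambda d, o: "clerk", "write"),
    TaskSpec("approve_claim", approver_role, "approve", sod_with="prepare_claim"),
    TaskSpec("pay_claim", lambda d, o: "finance", "pay"),
])


def run_demo() -> Dict[str, bool]:
    """Drive two constructed claim instances and return the authorization decisions."""
    wf = CLAIM_WORKFLOW
    big = Instance("claim-1", {"amount": 5000})
    small = Instance("claim-2", {"amount": 300})
    r: Dict[str, bool] = {}
    r["alice_write_before"] = wf.check(big, "alice", "prepare_claim", "write")
    wf.execute(big, "alice", "prepare_claim", "ok")
    r["alice_write_after"] = wf.check(big, "alice", "prepare_claim", "write")    # revoked
    r["bob_approve_big"] = wf.check(big, "bob", "approve_claim", "approve")      # supervisor too weak
    r["carol_approve_big"] = wf.check(big, "carol", "approve_claim", "approve")
    wf.execute(small, "bob", "prepare_claim", "ok")
    r["bob_approve_own"] = wf.check(small, "bob", "approve_claim", "approve")    # SoD blocks
    r["carol_approve_small"] = wf.check(small, "carol", "approve_claim", "approve")  # wrong role here
    wf.delegate(big, "carol", "approve_claim", "dave")
    r["dave_approve_big"] = wf.check(big, "dave", "approve_claim", "approve")    # via delegation
    wf.execute(big, "dave", "approve_claim", "approved")
    r["dave_pay_big"] = wf.check(big, "dave", "pay_claim", "pay")
    return r


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of `check` is that authorization is a function of the instance's current step, not a static ACL: the same user, task and object yield different answers before, during and after the task, and the two instances of one workflow demand different roles for the same task. An ad-hoc script would have to re-derive all of this by hand for every workflow definition.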
In summary, the paper highlights the security requirements of workflow systems and discusses authorization, separation of duties, authentication and anonymity at length.