Professional Documents
Culture Documents
Constraints in BPMN
SAP Research
Vincenz-Priessnitz-Str. 1, 76131 Karlsruhe, Germany
{christian.wolter,andreas.schaad}@sap.com
1 Introduction
G. Alonso, P. Dadam, and M. Rosemann (Eds.): BPM 2007, LNCS 4714, pp. 64–79, 2007.
c Springer-Verlag Berlin Heidelberg 2007
Modeling of Task-Based Authorization Constraints in BPMN 65
allocation patterns. It focuses on the manner in which work is distributed and managed
by human resources associated with a workflow [2].
“The resource perspective centers on the modeling of resources and their interac-
tion with a process-aware information system” [1]. Resources can be differentiated into
human and non-human resources. Resource patterns were investigated with respect to
levering the interaction of humans with the information system beyond the assignment
and execution of tasks in an user’s task list. Especially, so called creation patterns deal
with the specification of task advertisement and allocation restrictions (i.e. who may
claim and execute a task) [2].
Control of work allocation and execution is a recognized fundamental principle of
human interaction in computer security originating from organisational theory enforced
by authorization constraints [3]. One of the earliest authorization constraints for hu-
man work allocation control is the four-eyes principle and first appeared in Saltzer and
Schroeder [4]. Later the term separation of duty was introduced in [5] as a principle
for integrity and a mechanism for error control and preventing fraud. In human-centric
workflows this is done by limiting an user’s work allocation statically and dynamically
[6]. In the former an user’s work allocation is limited a priori for instance by assigning
a role with a fixed set of tasks. In the latter an user’s work allocation is constrained
depending on the tasks the user recently performed. In [7], Botha gives a taxonomy for
different kinds of static and dynamic separation of duty and describes the conflicting
entities paradigm for tasks implying that the risk of fraud increases if the associations
with those tasks are not carefully controlled and monitored.
control [15]. The definition of authorizations that should not be owned by the same user
in order to make fraudulent acts more difficult to commit evolved into the principle
of conflict of interest. Conflict of interest in workflows can be expressed by defining
conflicting tasks in the context of task-based access control [16]. In [7], conflicting tasks
are characterized by an increased risk for potential misuse and fraud if a single user is
authorized to perform them all. Therefore, the authorization to allocate and perform
conflicting tasks has to be constrained carefully.
In [9], Crampton identified and formalized different authorization constraint types
for conflicting tasks in workflows. Namely, entailment constraints for defining autho-
rizations depending on already performed tasks and additional cardinality constraints
to express separation of duty and binding of duty requirements for workflow tasks and
tasks instances. He defined an entailment constraint as: “If the execution of a task t2 is
constrained by the execution of another task t1 , where t1 < t2 , then we say that t2 is an
entailed task of t1 ” [9]. Here “<” denotes a temporal dependence between the execution
of task t1 and t2 , meaning t1 was executed prior to t2 . According to his definition en-
tailment constraints are related to exactly two tasks. In [10], he identified this restriction
and outlined future work to extend the definition of entailment constraints. In what fol-
lows we develop a formalized authorization constraint that builds on previous work of
Crampton, but overcomes the existing limitations. Therefore, our proposed authoriza-
tion constraint specification can be applied to an arbitrary set of conflicting workflow
tasks and task instances, across role boundaries, and beyond simple task sequences.
Task-Role Assignment
Tasks assigned to roles are a first approach to restrict task authorization according to
user roles. If there exists a set of tasks that imply a potential risk of fraud or misuse
when performed by the same user, such task authorizations can be distributed among
different roles at design time of the workflow. Therefore, a task-based assignment of
tasks according to an user’s role enforces separation of duty security requirements as
long as an user is restricted to a single role within a workflow instance. This is com-
monly referred to as static separation of duty [3].
We define T as the set of tasks {t1 , t2 , ..., tl } and R as a set of roles {r1 , r2 , ..., rm }.
We assume the existence of a partially ordered set of relations between roles R, ≤
that can be visualized as a role hierarchy. If r1 , r2 ∈ R and r1 < r2 , then we say r2
dominates r1 with respect to organisational role superiority (e.g., rClerk < rManager ).
Further, we define U as the set of users {u1 , u2 , ..., un }. Let T R ⊆ (T × R) be a
many-to-many task-role assignment relation and let U R ⊆ (U × R) be a many-to-
many user-role assignment relation. This means, users are associated with roles using
the user-role assignment relation and tasks are associated with roles using the task-role
68 C. Wolter and A. Schaad
assignment relation. Further, we will assume that a task is an atomic action within the
context of a workflow. According to [9] we define:
R(t) = {rm ∈ R : ∃(tl , rm ) ∈ T R(t)}
U (t) = {un ∈ U : ∃(un , rm ) ∈ U R, rm ∈ R(t)}.
In other words R(t) is the set of roles authorized to allocate a task tl . Thus, U (t) is
the set of users authorized to allocate and perform the task tl .
Conflicting Tasks
In some cases conflicting tasks cannot be assigned to different roles without segmenting
the existing roles in such a way that they become unmanageable with respect to the re-
ferred organisational role model. In addition, role hierarchies can be used to act in two
previously separated roles and thus regaining the authorization to allocate conflicting
tasks, e.g. a manager may act as a clerk and as his own supervisor. Hence, we have
to define additional constraints between tasks that do not depend on potential task-role
assignments.
For this reason we define a workflow model N as a tuple (T, ci , co , F ). A workflow
consists of a set of tasks T . Let ci be the start condition and co the end condition of the
workflow. The control flow relation (i.e., task sequence, splits, and joins) of all tasks in
T is defined by the relation F ⊆ (ci × T ) ∪ (T × co ) ∪ (T × T ). That means every task
in the workflow (T, F ) is on a directed path from ci to co .
We define a set of conflicting tasks of a workflow N as Tc ⊆ T . According to [9]
the set Tc contains tasks whose allocation depends on the allocation of previously per-
formed tasks of Tc . Such dependencies are described as an entailment between the tasks
of Tc [9]. We define tn ∈ Tc as an entailed task of tm ∈ Tc , when the allocation of tn
is constrained by the allocation of task tm , where tm < tn (i.e. on a direct path from ci
to co , tm is performed before tn ).
In this section we present an example workflow inspired and in parts derived from
the banking application workflow that is given in [3]. We discuss several conflicting
tasks and their related task allocation constraints for this example workflow. For each
70 C. Wolter and A. Schaad
The following set of task assignment constraints is a subset of properties that were
discussed in [3] with SAP Banking solution architects:
1. A Clerk must interact with the customer
This constraint describes the role definition of a clerk according to task-role and
user-task assignment. There exists a direct relationship to the Role-Based Alloca-
tion discussed in [1]. This requirement can be expressed with the role definition:
T Rclerk = {t1 , t2 , t3 , t4 , t5 , t6 , t8 } (Role-Based)
2. A bank manager must sign the form as a clerk’s supervisor and can act as a clerk
regarding any other task
This is another role definition related to the Role-Based Allocation. Here, the
role manager inherits the set of task authorizations of the role clerk and extends
the set with task t7 . This requirement can be expressed with the role definition of a
manager:
T Rmanager = {T Rclerk ∪ t7 } (Role-Based)
Modeling of Task-Based Authorization Constraints in BPMN 71
3. An user must not check the credit worthiness and rating for the same customer.
A separation of duty requirement that is related to the Separation of Duty resource
allocation pattern describing that the same user must not perform two conflicting
tasks [1]. In this example the resulting authorization constraint would be:
c3 = ({t3 , t4 }, 2, 1) (Separation of Duty, Role-Based, History-Based)
4. A bank manager may act as a clerk, but must not sign his own form.
This requirement is similar to the previous constraint, but this time the set of con-
flicting tasks spans two different roles (e.g. the role clerk and the role manager).
Thus, the same user capable of acting in two different roles for the same workflow
instance would still violate this requirement. For example, an user acts in the role
of a clerk and later changes to the manager role in order to sign his own form.
Therefore, the resulting authorization constraint preventing the exploitation of the
role hierarchy would be:
5. An user acquiring the customer data must identify the customer’s account.
This requirement is related to the binding of duty principle discussed in [9]. This
means the same user performing a previous task is automatically assigned to all
other tasks of the same set. In [1], additional patterns are discussed, such as Case
Handling, History-based Allocation, and Retain Familiar patterns. They are based
on the idea that further allocation is done automatically due to some previous activ-
ities. Hence, binding of duty requirements are related to those resource allocation
pattern. The resulting constraint is:
6. For a single customer an user must not perform more than five tasks.
This is a dynamic separation of duty constraint allowing a clerk to allocate any tasks
as long as he does not allocate more than five tasks for the same workflow. This
constraint is more flexible than the previous separation of duty constraints, because
it cannot be determined in advance which tasks an user will allocate, depending on
his allocation behaviour his authorized tasks vary for each workflow instance. The
according authorization constraint would be:
c6 = (T Rclerk , 2, 5) (History-Based)
The Business Process Modeling Notation (BPMN) has a general look-and-feel that
makes it easy to be understood by diagram modelers and any viewer of the diagram.
Besides its strong visual expressiveness, another important aspect of BPMN is its ex-
tensibility capabilities as stated by the creators of BPMN [12]. When extending BPMN
it is important to neither change the general footprint of any existing flow element, such
as events, activities and gateways. Nor should any new flow element be added, because
no specification will be available describing how it will be connected to existing flow
elements. Therefore, BPMN provides the concept of artifacts to extend the expressive-
ness of BPMN without affecting the basic sequence or message flow of a process model
or the mapping to execution languages, such as BPEL. The artifacts are designed to be
open to allow annotations and makers to convey specialized information [12].
To model task allocation constraints within the workflow model, according to our
formal definition, we need to express manual tasks and their assigned roles. It must
be possible to define a partial role order with respect to role hierarchies. Further, we
need the possibility to define groups of manual tasks we can apply constrains to. As
a last step, it is necessary to express the authorization constraint we discussed in the
last section. Most of the requirements can be already fulfilled in BPMN with an ex-
isting graphical element and we need to extend its semantic. In the case of the au-
thorization constraint itself we derive a new artifact from the textual annotation
element.
The entity relationship diagram depicted in Figure 2 shows an extract of the BPMN
metamodel [20] and highlights the entities, named according to the BPMN specifica-
tion, necessary to express authorization constraints within BPMN.
Grouping of Tasks
Grouping of activities does not affect the sequence flow. Groups can be used for docu-
mentation or analysis purposes. They can be defined by using the group artifact, lanes,
or multiple and looped tasks. Unlike lanes, groups do not map to roles or groups in the
context of rights management systems, but are used to define a group of activities and
assign a dedicated authorization constraint to this group. We consider multiple instance
tasks and looped tasks as a group with exactly one task, but an arbitrary number of task
instances. Therefore, the following Figure 4 shows BPMN elements that we consider
as a mechanism to define groups of tasks:
derive the authorization constraint from the textual annotation as a new entity. Text
annotations are a mechanism for a modeler to provide additional information for the
reader of a BPMN diagram. The authorization constraints contains the two values of
our formal authorization constraint definition, namely nu and mth :
A single allocation constraint can be associated with a group artifact defining a set
of (manual) tasks, a lane (i.e., a special kind of task group), and as a third option, an
allocation constraint can be added to a single manual task. This is necessary in the
case of multiple instances or loops. Because an organisational role is defined by a lane,
the complete set of authorization constraints for each lane is based on the assigned
constraints for this lane, nested lanes, and all constraints assigned to groups and single
manual tasks embedded within the corresponding lane.
4 Related Work
In the area of security constraint and requirement modeling most work concentrates
on the expression of application security and access control for their exposed services.
There exists little related work in the domain of specifying task-based authorization
constraints within the context of workflow models. This observation is supported by
research done by Aalst et al. in [1,2] outlining that existing modeling notations only
Modeling of Task-Based Authorization Constraints in BPMN 75
sparsely support the resource perspective, especially the Separation of Duty pattern
that is directly related to the expression of task-based authorization constraints within
process and workflow models. Therefore, most related work in the area of security
modeling can be found in the extension of UML-based notations:
Jürjens presented in [21] the UMLSec extension for UML to express security rel-
evant information within a system specification diagram. The focus of UMLSec lies
primarily on the modeling of communication-based security requirements for software
rather than on the modeling of authorization constraints for task-based access control
in workflow environments.
Dobmeier and Pernul defined an UML-based model for modeling attribute-based au-
thorization constraints. They provided an expressive fine-grained access control model
for accessing services in open systems, such as Web Services. Because their model lack
the specification of dependencies between service calls, it is not possible to express en-
tailment constraints for workflows, such as we follow in our task-based approach with
a direct relation to workflow tasks and their flow relation.
Basin et al. proposed SecureUML a model-driven security approach for process-
oriented system in [22]. They characterized a process by its possible states and specify
authorization constraints for allowed state transitions. Their security constraints are not
directly defined within a process model, but rather on potential states. Within their UML
constraint model a process is included as an abstract stereotype and the security spe-
cialist has to know all potential process states, while we provide an intuitive perspective
on the model and define authorization constraints in the model itself.
76 C. Wolter and A. Schaad
Chang et al. [23] proposed VTBAC, a visual business centric task-based security
specification language to express authorization constraints for hyperlink paradigm
based e-Business workflows. While VTBAC could be used to express authorization
constraints within the workflow model itself, it is not possible to express entailment
constraints, such as separation of duty or binding of duty.
In [24], Huang and Atluri presented SecureFlow, an implementation of their Work-
flow Authorization Model with a browser-based interface. Authorizations can be de-
fined for users, roles, and workflow tasks. In contrast to our worfklow model approach
they do not use a graph notation. Instead, tasks are selected from a list of tasks, thus
the flow relation between the tasks is getting lost resulting in a less intuitive approach
compared to ours.
Knorr and Stromer presented in [18] an approach for modeling separation of duty
constraints for Petri-Net-based workflow descriptions. They developed a modeling en-
vironment for defining an organisational model with roles and users, a workflow de-
scription as a Petri Net, and authorization constraints. Unlike our proposed approach,
the organisational model, the workflow model and the constraints were defined sepa-
rately in three different perspectives at the cost of transparency of dependencies be-
tween the different models. In addition, their Petri-Net notation is rudimentary and has
a weak visual expression.
One aspect of the European research project Serenity [25] is the definition of secu-
rity patterns for workflows and the development of security tools. The provision of a
graphical interface for security analysis and design, the use of formal verification meth-
ods, and the ability to handle complex workflows are desired properties. Unlike our
approach, their current focus lies on the specification of security pattern and constraints
for automatic business processes. In contrast, it seems the description of authorization
constraints for manual tasks is not a primary concern in Serenity.
Hoagland et al. developed LaSCO [8] a graph-based specification language of se-
curity policies. In LaSCO, a security policy is stated by specifying that if a system is
in a certain state, a specific access constraint must hold for that system. LaSCO poli-
cies are specified as expressions in logic and as directed graphs, giving a visual view
of the policy. A LaSCO specification can be automatically translated into executable
code that checks an invocation of a Java application with respect to a policy. LaSCO
can be used to define task authorizations in a graph-based notation. Nevertheless, the
application domain of the graphical notation is restricted to the specification of au-
thorization controls without considering any control flow related modeling aspects for
workflows.
There exist a broad area of business rules languages that define the behaviour of
processes within a company. Such rules can be divided into dispositive rules affect-
ing the design of processes, for instance according to compliance regulations, and
operative rules describing and steering the process flow itself. Nevertheless, business
rules are mainly applied in the context of automated business processes [26]. Their
practicability in the context of human-centric workflows needs some further
investigation.
Modeling of Task-Based Authorization Constraints in BPMN 77
5 Conclusion
References
1. Russell, N., van der Aalst, W.M.P., ter Hofstede, A.H.M., Edmond, D.: Workflow Resource
Patterns: Identification, Representation and Tool Support. In: Pastor, Ó., Falcão e Cunha, J.
(eds.) CAiSE 2005. LNCS, vol. 3520, Springer, Heidelberg (2005)
2. Wohed, P., van der Aalst, W.M.P., Dumas, M., ter Hofstede, A.H.M., Russell, N.: On the
Suitability of BPMN for Business Process Modelling. In: Proceedings of the 4th International
Conference on Business Process Management (BPM) (2006)
3. Schaad, A., Lotz, V., Sohr, K.: A Model-checking Approach to Analysing Organisational
Controls in a Loan Origination Process. In: SACMAT ’06: Proceedings of the eleventh ACM
symposium on Access control models and technologies
4. Saltzer, J.H., Schroeder, M.D.: The Protection of Information in Computer Systems. In: 4th
ACM Symposium on Operating System Principles (1975)
5. Clark, D., Wilson, D.: A Comparison of Commercial and Military Security Policies. In: IEEE
Symposium on Security and Privacy (1987)
6. Nash, M., Poland, K.: Some Conundrums Concerning Separation of Duty. In: IEEE Sympo-
sium on Security and Privacy, Oakland, CA pp. 201-209 (1990)
7. Botha, R.A., Eloff, J.H.P.: Separation of duties for access control enforcement in workflow
environments (2001)
8. Hoagland, J.A., Pandey, R., Levitt, K.N.: Security Policy Specification Using a Graphical
Approach. Technical Report (1998)
9. Tan, K., Crampton, J., Gunter, C.: The consistency of task-based authorization constraints
in workflow systems. In: CSFW ’04: Proceedings of the 17th IEEE workshop on Computer
Security Foundations (2004)
10. Bertino, E., Crampton, J., Paci, F.: Access control and authorization constraints for WS-
BPEL. In: Proceedings of IEEE International Conference on Web Services (2006)
11. Kloppmann, M., Koenig, D., Leymann, F., Pfau, G., Rickayzen, A., von Riegen, C., Schmidt,
P., Trickovic, I.: WS-BPEL Extension for People - BPEL4People (2005)
12. Object Management Group: Business Process Modeling Notation Specification (2006),
http://www.bpmn.org
13. Stephen, A.: White. Using BPMN to Model a BPEL Process. BPTrends (2005)
14. Recker, J., Mendling, J.: On the translation between bpmn and bpel: Conceptual mismatch
between process modeling languages
15. Ahn, G., Sandhu, R.: Role-based authorization constraints specification. ACM Trans. Inf.
Syst. Secur. 3(4), 207–226 (2000)
16. Thomas, R.K., Sandhu, R.S.: Task-Based Authorization Controls (TBAC): A Family of Mod-
els for Active and Enterprise-Oriented Autorization Management. In: IFIP Workshop on
Database Security, pp. 166–181 (1997)
17. Bertino, E., Ferrari, E., Atluri, V.: The Specification and Enforcement of Authorization Con-
straints in Workflow Management Systems. ACM Transactions on Information and System
Security 2, 65–104 (1999)
18. Knorr, K., Stromer, H.: Modeling and Analyzing Separation of Duties in Workflow Environ-
ments. In: Sec ’01: Proceedings of the 16th international conference on Information security:
Trusted information, pp. 199–212 (2001)
19. Dobmeier, W., Pernuk, G.: Modellierung von Zugiffsrichtlinien für offene Systeme.
In: Tagungsband Fachgruppentreffen Entwicklungsmethoden für Informationssysteme und
deren Anwendung (EMISA ’06) (2006)
20. Kalnins, A., Vitolins, V.: Use of UML and Model Transformations for Workflow Process
Definitions. TECHNIKA 3 (2006)
Modeling of Task-Based Authorization Constraints in BPMN 79
21. Jürjens, J.: UMLsec: Extending UML for Secure Systems Development. In: UML ’02: Pro-
ceedings of the 5th International Conference on The Unified Modeling Language, pp. 412–
425 (2002)
22. Basin, D., Doser, J., Lodderstedt, T.: Model Driven Security for Process-Oriented Systems.
In: SACMAT ’03: Proceedings of the eighth ACM symposium on Access control models and
technologies, pp. 100–109 (2003)
23. Chang, S.K., Polese, G., Cibelli, M., Thomas, R.: Visual Authorization Modeling in E-
commerce Applications. IEEE MultiMedia 10(1), 44–54 (2003)
24. Huang, W.-K., Atluri, V.: SecureFlow: A Secure Web-enabled Work ow Management Sys-
tem. In: Proceedings of the fourth ACM workshop on Role-based access control (1999)
25. Kostaki, P., Kokolakis, S., Pandolfo, C.: Serenity - System Engineering for Security & De-
pendability WP A2.D4.1 (2006), http://www.serenity-project.org
26. Iwaihara, M.: Access Control of XML Documents and Business Rule Processing for Ad-
vanced Information Exchange. In: Second International Conference on Informatics Research
for Development of Knowledge Society Infrastructure (ICKS’07), pp. 177–184 (2007)
27. Schaad, A.: An Extended Analysis of Delegating Obligations (2004)
28. Shapiro, R., Marin, R.N.M.: XML Process Definition Language Version 2.0. Workflow Man-
agement Coalition (2005)
29. Kleppe, A., Warmer, J., Bast, W.: MDA Explained: The Model Driven Architecture: Practice
and Promise. Addison Wesley, Reading (2003)
30. Moses, T.: eXtensible Access Control Markup Language Version 2.0. OASIS Standard
(2005)