Abstract
Workflow design involves modeling different aspects of a business process. Among these aspects, workflow design should also consider security requirements. These relate to the authorizations that users in the organization need in order to execute workflow tasks, in accordance with the security policies for handling business processes and workflow data. This paper presents an approach based on triggers to specify and enforce workflow authorization constraints for a flexible assignment of tasks to roles and agents. The approach has been conceived in the framework of the WIDE Workflow Management System. Authorization triggers specify when and how the set of authorizations for a given workflow should be changed and which actions should be taken by the system or by the administrator. A basic set of triggers is provided that enforces security policies common to workflow systems, such as need-to-know and task confinement. Methodological issues related to trigger design for a given workflow application are discussed and an approach based on authorization patterns is illustrated. The paper shows how authorization patterns can be instantiated into triggers and briefly discusses aspects related to the analysis of a set of authorization triggers defined for a given workflow application.
