標題: | 以角色與工作為基礎的工作流程授權管理 Role and Task Based Authorization Management for Workflows |
作者: | 吳美玉 Mei-Yu Wu 劉敦仁 Duen-Ren Liu 資訊管理研究所 |
關鍵字: | 以角色為基礎的存取控制;工作流程;流程觀;授權管理;權責區分;role-based access control;workflow;process-view;authorization management;separation of duty |
公開日期: | 2004 |
摘要: | Role-based authorizations for assigning tasks of workflows to roles/users are crucial to security management in workflow management systems. The authorizations must enforce Separation of Duty (SoD) constraints to prevent fraud and errors. This work analyzes and defines several duty-conflict relationships among tasks, and designs authorization rules to enforce SoD constraints based on the analysis. A novel authorization model that incorporates authorization rules is then proposed to support the planning of assigning tasks to roles/users, and the run-time activation of tasks. Different from existing work, the proposed authorization model considers the AND/XOR split structures of workflows and execution dependency among tasks to enforce separation of duties in assigning tasks to roles/users. Moreover, this work discusses the authorization management of organizational roles in a process-view. A process-view, an abstracted process derived from a base process, can provide adaptable task granularity to suit different needs of workflows participants. Authorization mechanisms are proposed to derive a role’s permissions on virtual activities based on the role’s permissions on base activities. The proposed authorization mechanisms consider duty-conflict relationships among base activities to enforce SoD. A prototype system is developed to realize the effectiveness of the proposed authorization model. Role-based authorizations for assigning tasks of workflows to roles/users are crucial to security management in workflow management systems. The authorizations must enforce Separation of Duty (SoD) constraints to prevent fraud and errors. This work analyzes and defines several duty-conflict relationships among tasks, and designs authorization rules to enforce SoD constraints based on the analysis. A novel authorization model that incorporates authorization rules is then proposed to support the planning of assigning tasks to roles/users, and the run-time activation of tasks. Different from existing work, the proposed authorization model considers the AND/XOR split structures of workflows and execution dependency among tasks to enforce separation of duties in assigning tasks to roles/users. Moreover, this work discusses the authorization management of organizational roles in a process-view. A process-view, an abstracted process derived from a base process, can provide adaptable task granularity to suit different needs of workflows participants. Authorization mechanisms are proposed to derive a role’s permissions on virtual activities based on the role’s permissions on base activities. The proposed authorization mechanisms consider duty-conflict relationships among base activities to enforce SoD. A prototype system is developed to realize the effectiveness of the proposed authorization model. |
URI: | http://140.113.39.130/cdrfb3/record/nctu/#GT008834801 http://hdl.handle.net/11536/69889 |
顯示於類別: | 畢業論文 |