A workflow process involves the execution of a set of related activities over time to perform a specific task. Security requires that such activities may only be performed by authorised subjects. In order to enforce such requirements, access to the underlying data objects has to be controlled. We refer to such access control as level 1 access control. In addition, when an individual is authorised to perform an activity, access should be limited to the time that the activity is being performed: access to activity information before an activity commences or after it has terminated may be undesirable. We will refer to this as level 2 security. Finally, applications often specify application-oriented (level 3) security requirements. This paper considers security restrictions in the latter category and proposes a rigorous approach that may be used to specify such policies. Enforcement (implementation) of such policies is also considered. The paper assumes that level 1 and level 2 mechanisms are in place and builds level 3 security mechanisms on these underlying levels.