A framework for access control in workflow systems

Workflow systems are often associated with business process re-engineering (BPR). This paper argues that the functional access control requirements in workflow systems are rooted in the scope of a BPR project. A framework for access control in workflow systems is developed. The framework suggests that existing role-based access control mechanisms can be used as a foundation in workflow systems. The framework separates the administration-tim e and the runtime aspects. Key areas that must be investigated to meet the functional requirements imposed by workflow systems on access control services are identified. user’s activities (an integral part of the `̀ engineering’’ strategy), whilst the `̀ engineering’’ strategy will also investigate the development of systems (the core of the `̀ systems’’ strategy) that support the coordination of the activities. This paper adopts a middle-of-the-road approach by emphasizing the interrelation of these two approaches. Against this backdrop, the existence of a magnitude of methodologies, tools and techniques in BPR (Kettinger et al., 1997) is not surprising. Application of these methodologies, tools and techniques in BPR allows us an extended scope to traditional industrial engineering (Evans et al., 1999). The `̀ width’’ scope of a BPR project is concerned with the flow of products, information and other resources. Its prime objective is to identify the enablers that speed up the flow. The `̀ breadth’’ scope of BPR determines how far reaching the impact is: across work processes, business processes, supply chains and holonic networks (Evans et al., 1999). The `̀ depth’’ scope of the BPR project considers the impact on the roles and responsibilities, the measurements and incentives, the organizational structure, the shared values, the workforce skills and the information technology influencing the people in the business. This three-dimensional scope of BPR is represented in Figure 2 by the three sides of the cube. Workflow systems provide an information technology solution particularly aimed at the `̀ computerized facilitation or automation of a business process, in whole or part’’ (Hollingsworth, 1995). This definition of workflow systems captures the correspondence between the classic concept of `̀ workflow’’ which is understood to be `̀ the set of sequences of activities which represent the functioning of an organization’’ (Khandwalla, 1977) and that of business processes, that is, of `̀ a structured set of activities designed to produce a specific output for a specific market’’ (Davenport, 1995). Business process re-engineering can thus be seen as the conceptual reconstruction of an organization to be more efficient. Workflow systems, in turn, provide part of the technology infrastructure required for the implementing and facilitation of this move towards greater efficiency in the business. In Figure 2 the arrow between the information technology depth scope of BPR and the technical enforcement level of the workflow sphere depicts this relationship. The components of a workflow system are depicted on the technology level of the workflow sphere in Figure 2. The following components can be observed: . Process definition tools are concerned with the defining and modeling of the business process and its constituent tasks. The computerized representation of the business process is called the process definition. A process definition consists of task definitions linked together by business rules. These process definitions may span the entire breadth of the BPR impact, i.e. it may cover internal processes or business processes that span a supply chain. . The workflow enactment service, consisting of one or more workflow engines, is concerned with the management of the business processes in an operational environment. At run-time, the process definition is interpreted by the workflow engine, which is responsible for creating and maintaining process instances. Task instances will be maintained for the tasks that are created based on the process definition and interpretation of the business rules. Tasks will be allocated to users or applications. . User interaction typically occurs through a worklist. The instantiated tasks are communicated to the relevant end-user through a worklist. Other IT applications may be invoked in order to complete the task. The access control sphere BPR is likely to emphasize the importance of an organization’s information resources. This results in a greater awareness of information security. Information security objectives are not only attained through technical controls, but also through operational controls (von Solms, 1999). As far Figure 1 Spheres of interest [ 127 ] Reinhardt A. Botha and Jan H.P. Eloff A framework for access control in workflow systems Information Management & Computer Security 9/3 [2001] 126±133