In recent years, workflow management systems (WFMSs) have gained popularity in both research and commercial sectors. WFMSs are used to coordinate and streamline business processes. Very large WFMSs are often used in organizations with users in the range of several thousands and process instances in the range of tens and thousands. To simplify the complexity of security administration, it is common practice in many businesses to allocate a role for each activity in the process and then assign one or more users to each role—granting an authorization to roles rather than to users. Typically, security policies are expressed as constraints (or rules) on users and roles; separation of duties is a well-known constraint. Unfortunately, current role-based access control models are not adequate to model such constraints. To address this issue we (1) present a language to express both static and dynamic authorization constraints as clauses in a logic program; (2) provide formal notions of constraint consistency; and (3) propose algorithms to check the consistency of constraints and assign users and roles to tasks that constitute the workflow in such a way that no constraints are violated.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Nabil R. Adam , Vijayalakshmi Atluri , Wei-Kuang Huang, Modeling and Analysis of Workflows Using Petri Nets, Journal of Intelligent Information Systems, v.10 n.2, p.131-158, March/April 1998  [doi>10.1023/A:1008656726700]
	2	Piero A. Bonatti , Maria Luisa Sapino , V. S. Subrahmanian, Merging Heterogeneous Security Orderings, Proceedings of the 4th European Symposium on Research in Computer Security: Computer Security, p.183-197, September 25-27, 1996
	3	CADOLI, M. AND SCHAERF, M. 1993. Complexity results for non-monotonic logics. J. Logic Program. 17.
	4	S. K. Chang(1) , Giuseppe Polese(2) , Roshan Thomas (3) , Souvik Das(3), A Visual Language for Authorization Modeling, Proceedings of the 1997 IEEE Symposium on Visual Languages (VL '97), p.110, April 23-26, 1997
	5	CLARK, D. AND WILSON, D. 1987. A comparison of commercial and military computer security policies. In Proceedings of the IEEE Symposium on Research in Security and Privacy (Oakland, CA). IEEE Computer Society Press, Los Alamitos, CA, 184-194.
	6	DAS, S. 1992. Deductive Databases and Logic Programming. Addison-Wesley, Reading, MA.
	7	GELFOND, M. AND LIFSCHITZ, V. 1988. The stable model semantics for logic programming. In Proceedings of the 5th International Conference on Logic Programming (Cambridge, MA). MIT Press, Cambridge, MA, 1070-1080.
	8	Dimitrios Georgakopoulos , Mark Hornick , Amit Sheth, An overview of workflow management: from process modeling to workflow automation infrastructure, Distributed and Parallel Databases, v.3 n.2, p.119-153, April 1995  [doi>10.1007/BF01277643]
	9	Dirk Jonscher , Jonathan D. Moffett , Klaus R. Dittrich, Complex Subjects, or: The Striving for Complexity is Ruling our World, Proceedings of the IFIP WG11.3 Working Conference on Database Security VII, p.19-37, September 12-15, 1993
	10	J. W. Lloyd, Foundations of logic programming, Springer-Verlag New York, Inc., New York, NY, 1984
	11	LOTUS CORPORATION, 1996. Lotus Notes Administrator's Reference Manual, Release 4. Lotus Publ. Corp., Cambridge, MA.
	12	MEDINA-MORA, R., TONG, H., AND FLORES, P. 1993. ActionWorkflow as the enterprise integration technology. IEEE Data Eng. Tech. Bull. 16, 2, 49-52.
	13	Matunda Nyanchama , Sylvia Osborn, Role-based security, object oriented databases and separation of duty, ACM SIGMOD Record, v.22 n.4, p.45-51, Dec. 1993  [doi>10.1145/166635.166652]
	14	Matunda Nyanchama , Sylvia Osborn, Modeling mandatory access control in role-based security systems, Proceedings of the ninth annual IFIP TC11 WG11.3 working conference on Database security IX : status and prospects: status and prospects, p.129-144, January 1996, Rennselaerville, New York, United States
	15	Proceedings of the 1st (1996) ACM Workshop on Role-Based Access Control. ACM Press, New York, NY.
	16	Raghu Ramakrishnan , Divesh Srivastava , S. Sudarshan , Praveen Seshadri, The CORAL deductive system, The VLDB Journal — The International Journal on Very Large Data Bases, v.3 n.2, April 1994
	17	SANDHU, R. 1991. Separation of duties in computerized information systems. In Database Security IV: Status and Prospects. Elsevier North-Holland, Inc., New York, NY, 179-189.
	18	Ravi S. Sandhu, Role Hierarchies and Constraints for Lattice-Based Access Controls, Proceedings of the 4th European Symposium on Research in Computer Security: Computer Security, p.65-79, September 25-27, 1996
	19	Ravi S. Sandhu , Edward J. Coyne , Hal L. Feinstein , Charles E. Youman, Role-Based Access Control Models, Computer, v.29 n.2, p.38-47, February 1996  [doi>10.1109/2.485845]
	20	Roshan K. Thomas , Ravi S. Sandhu, Task-Based Authorization Controls (TBAC): A Family of Models for Active and Enterprise-Oriented Autorization Management, Proceedings of the IFIP TC11 WG11.3 Eleventh International Conference on Database Securty XI: Status and Prospects, p.166-181, August 10-13, 1997
	21	Jeffrey D. Ullman, Principles of database and knowledge-base systems, Vol. I, Computer Science Press, Inc., New York, NY, 1988
	22	Allen Van Gelder , Kenneth A. Ross , John S. Schlipf, The well-founded semantics for general logic programs, Journal of the ACM (JACM), v.38 n.3, p.619-649, July 1991  [doi>10.1145/116825.116838]