Affiliations: [a] Department of Computer Science, Institute of Information Security, ETH Zurich, Zurich, Switzerland. E-mail: basin@inf.ethz.ch | [b] Schindler Elevators Ltd, Ebikon, Switzerland. E-mail: samuel.burri@ch.schindler.com | [c] IBM Research – Zurich, Rüschlikon, Switzerland. E-mail: karjoth@acm.org
Correspondence:
[*]
Corresponding author: David Basin, Department of Computer Science, Institute of Information Security, ETH Zurich, 8092 Zurich, Switzerland. E-mail: basin@inf.ethz.ch.
Abstract: Access control is fundamental in protecting information systems but it can also pose an obstacle to achieving business objectives. We analyze this tradeoff and its avoidance in the context of systems modeled as workflows restricted by authorization constraints, including those specifying Separation of Duty (SoD) and Binding of Duty (BoD). To begin with, we present a novel approach to scoping authorization constraints within workflows with loops and conditional execution. We formalize workflows, authorization constraints, and their enforcement using the process algebra CSP and visualize our constraints by extending the workflow modeling language BPMN. Afterwards, we consider enforcement's effects on business objectives. We identify the notion of obstruction, which generalizes deadlock within a system where access control is enforced, and we formulate the existence of an obstruction-free enforcement mechanism as a decision problem. We present complexity bounds for this problem and give an approximation algorithm that performs well when authorizations are evenly distributed among users. We provide tool support for our constraints in an extension of the modeling platform Oryx and report on the performance of our algorithms' implementation.
Keywords: Authorizations, separation of duty, binding of duty, workflows, obstruction, deadlock, release
