Abstract:
Workflows are used in numerous domains, including order processing, healthcare, and various management tasks. Workflow authorization systems manage access control in workflows. As a natural next step of the popular role-based access control (RBAC) model, we propose the role-and-relation-based access control (R2BAC) model for workflow authorization systems. In R2BAC, in addition to a user's role membership, the user's relationship with other users helps determine whether the user is allowed to perform a certain step in a workflow. For example, a security constraint may require that two steps in the workflow must not be performed by users who have conflicts of interests.

We study how computationally expensive it is to answer the workflow satisfiability problem, which asks whether a set of users can complete a workflow. In particular, we apply tools from parameterized complexity theory to better understand the complexities of this problem. Furthermore, delegation is an important mechanism to provide resiliency and flexibility in access control systems. We study the impact of delegation on the security of workflow authorization systems. We formally define the notion of security with respect to delegation and propose mechanisms to enforce delegation security in workflow authorization systems.

Biography:
Qihua Wang is a PhD candidate in the Department of Computer Science at Purdue University. He is affiliated with the Center for Education and Research in Information Assurance and Security (CERIAS). He is interested in information security in general, with focus on access control policy specification and analysis, database security, and security and privacy in social networks. He is a recipient of the Bilsland Dissertation Fellowship at Purdue University. During his graduate study, he spent about a year as a research intern at IBM Research, working on projects on access control policy technology and user-collaboration systems. Qihua received his MS degree at Purdue University and his BS degree at the University of Science and Technology of China.