Specifying Application-level Security in Workflow Systems

Olivier, van de Riet, and Gudes


Citation information

M. S. Olivier, R. P. van de Riet, and E. Gudes. “Specifying Application-level Security in Workflow Systems”. In: Proceedings of the Ninth International Workshop on Security of Data Intensive Applications (DEXA 98). Ed. by R Wagner. IEEE, 1998, pp. 346–351


A workflow process involves the execution of a set of related activities over time to perform a specific task. Security requires that such activities may only be performed by authorised subjects. In order to enforce such requirements, access to the underlying data objects has to be controlled. We refer to such access control as level 1 access control. In addition, when an individual is authorised to perform an activity, access should be limited to the time that the activity is being performed: Access to activity information before an activity commences or after it has terminated may be undesirable. This we will refer to as level 2 security. Finally, applications often specify application-oriented (level 3) security requirements. This paper considers security restrictions in the latter category and proposes a rigorous approach that may be used to specify such policies. Enforcement (implementation) of such policies is also considered. The paper assumes that level 1 and level 2 mechanisms are in place and builds level 3 security mechanisms on these underlying levels.

Full text

A pre- or postprint of the publication is available at https://mo.co.za/ask/appwf.pdf.
Note that a username and password are required to download the full text. (Why?) Please e-mail me and I will send you a username and password.

Definitive version

The definitive version of the paper is available from the publisher.
DOI: 10.1109/DEXA.1998.707423

BibTeX reference

author={Martin S Olivier and van de Riet, Reind P and Ehud Gudes},
title={Specifying Application-level Security in Workflow Systems},
editor={R Wagner},
booktitle={Proceedings of the Ninth International Workshop on Security of Data Intensive Applications (DEXA 98)},
year={1998} )

Page maintained by Martin Olivier
Record refreshed: October 31, 2019
