Capability-Role-Based Delegation in Workflow Systems

Various security models for supporting delegation in workflow systems have been proposed to achieve flexible access control in collaborative business processes. Since workflow systems come into their own when controlling large-scale business processes in a well-structured organization, these models are often based on role-based access control (RBAC). However, to realize a higher level of collaboration enabling users in different organizations to complete a common workflow, it is necessary to support cross-domain delegation of tasks. For this purpose, we propose a delegation model for workflow systems that extends the capability-role-based access control (CRBAC) model introduced in our previous work. The central idea behind our proposed model is that authority to perform tasks, as well as roles, are mapped to capabilities, thereby realizing delegation by capability transfer. By adopting the approach of a capability-based access control mechanism, our model provides both flexibility and reduced administration costs, thus allowing it to cope with unexpected changes in task assignments. We demonstrate these advantages by considering an example.