
SPRINT-Responsibilities: Design and Development of Security Policies in Process-aware Information Systems


Process-Aware Information Systems (PAIS) enable the definition, execution, and management of business processes. Typically, processes are specified by control flow, data flow, and users or services, authorized to execute process tasks. During process execution, it is often necessary to access sensitive data such as patient or customer information. To secure this confidential data, the use of security policies becomes an essential factor for the application of PAIS in practice. In general, PAIS security policies are specified based on access rules and authorization constraints. On top of these rules, context policies referring to data, location, or time might pose restrictions. Over the years, several approaches for modeling and enforcing security policies in PAIS have appeared. Many of them restrict security policy specification to access rules and authorization constraints, but neglect additional properties such as context information. As a further limitation, security policies are often defined in a heterogeneous way: whereas access rules are mostly defined at process task level leading to a merge of process logic and security aspects, additional policies such as authorization constraints are defined separately from the process logic. Consequently, security policies are not stored and managed centrally, but are rather distributed over different PAIS components, for example, the process model repository or the organizational model manager. In this paper, we introduce the formal concepts behind our SPRINT approach that aims at the consequent separation of security policies and process logic. Specifically, the SPRINT security policy data model and design methodology based on the concepts of responsibilities, permissions, and constraints will be provided. The concepts are evaluated based on a comparison with existing PAIS and a demonstration of the SPRINT prototype.
The goal is to unify diverse security policies in different PAIS subsystems, to make security policies independent of these subsystems in order to restrain complexity from process modeling and evolution, and to allow for comprehensive security policy development and maintenance.

Journal Paper
Workflow Systems and Technology
Journal or Publication Title: Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA)
Innovative Information Science
Place of Publication: Seoul, Republic of Korea
Page Range: pp. 4-26
December 2011