Abstract
Every organization has policies, defined either implicitly or explicitly, that are intended to influence the behavior ofsub jects and objects associated with the organization. A policy is a rule or a set ofcon straints that applies to some scenario in the daily life-cycle of the organization’s activity. Business rules describe terms and conditions, service provisions, contracts and their execution. Typically, a workflow specification in an organization is driven by business rules. On the other hand, security policies set restrictions on access to resources and regulate information flow. Security policies are domain-specific, restricting access to objects in that domain. A workflow specification may cut across different domains, requiring access to objects in different domains. The subjects involved in fulfilling the activities in a business workflow should have certain access rights to the objects in those domains, and should also be granted rights to let the information flow from one subject to another subject. There may exist a potential conflict between security and workflow policies. In this paper we provide a formal specification ofsecur ity policies, business policies, and workdlow schemes. The specification formalism naturally suggests a Hoare style axiomatic verification approach for detecting conflicts and proving security of business transactions.
This work is supported by a grant from Natural Sciences and Engineering Research Council, Canada.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
V. S. Alagar, K. Periyasamy, Specification of Software Systems, Springer-Verlag, New York, 1998. 243
V. Atluri, W. K. Huang, An Authorization Model for Workflows, In Proceedings of the Fourth ESORICS, LNCS: Eds. E. Bertino, H. Kurth, G. Martella, and E. Montolivo, Rome, Italy, 1996, pp. 44–64. 251
E. Bertino, E. Ferrari, V. Atluri, A Flexible Model for the Specification and Enforcement of Role-Based Authorizations in Workflow Management Systems, In Proceedings of the 2 nd ACM Workshop on Role-Based Access Control (RBAC-97), ACM Press, New York, 1997, pp. 6–7. 251
D. Harel, Statecharts: a visual formalism for complex systems, Science of Computer Programming, 8(3):231–274, June 1987. 240, 247
F. Mili, On the Formalization of Business Rules: Generic Rules for Composition, and Containment, In Proceedings of the Second ECOOP Workshop on Precise Behavioral Semantics, June 1998, pp. 122–129. 251
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2002 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Alagar, V.S., Periyasamy, K. (2002). Specification and Verification of Secure Business Transaction Systems. In: Grosky, W.I., Plášil, F. (eds) SOFSEM 2002: Theory and Practice of Informatics. SOFSEM 2002. Lecture Notes in Computer Science, vol 2540. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-36137-5_18
Download citation
DOI: https://doi.org/10.1007/3-540-36137-5_18
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-00145-4
Online ISBN: 978-3-540-36137-4
eBook Packages: Springer Book Archive