Business Process Access Control (BPAC): workflow-based authorisation for complex systems

Newton, Derrick (2012). Business Process Access Control (BPAC): workflow-based authorisation for complex systems. University of Birmingham. Ph.D.

PDF - Accepted Version

Download (1MB)


Segregation of duties and least privilege are two business principles that protect an organisation’s valuable data from information leak. In this thesis we demonstrate how these business principles can be addressed through workflow-based access control. We present Business Process Access Control (BPAC), a workflow-based access control modelling environment that properly enacts the key business principles through constraints and we implement BPAC in the applied pi calculus. We ensure that constraints are correctly applied within our BPAC implementation by introducing the concept of stores. We propose a selection of security properties in respect of the business principles and we develop tests for these properties. The collusion metric is introduced as a simple indicator as to the resistance of a workflow-based access control policy to fraudulent collusion. We identify an anonymity property for workflows as the inability of an outside observer to correctly match agents to workflow tasks and we propose that anonymity provides protection against collusion. We introduce a lightweight version of labelled bisimilarity: the abstraction test and we apply this test to workflow security properties. We develop a test for anonymity using labelled bisimilarity and we demonstrate its application through simple examples.

Type of Work: Thesis (Doctorates > Ph.D.)
Award Type: Doctorates > Ph.D.
College/Faculty: Schools (1998 to 2008) > School of Computer Science
School or Department: Department of Computer Science
Funders: None/not applicable
Subjects: Q Science > QA Mathematics > QA76 Computer software


Request a Correction Request a Correction
View Item View Item


Downloads per month over past year