基于权限集的工作流管理系统研究与实现
|
摘要
随着计算机应用技术的发展和网络技术的普及,工作流管理系统作为办公自动化的工具愈加普遍,工作流技术已经逐步成为企业流程定义和管理的核心技术,具有广阔的发展前景。
工作流管理系统是完成工作流的定义、管理和推进工作流执行的软件系统,主要包括四个部分:工作流建模工具,工作流引擎,客户应用程序和工作流管理工具。工作流技术在各个领域的广泛应用,使得越来越复杂的流程与执行限定对工作流的表述能力提出了更高的要求。现有的工作流描述,集中于针对组织机构和以及角色的任务分配和执行对象指定,对执行权限没有进一步的约束,削弱了工作流的描述能力,在应对复杂流程要求时需要引入大量外部数据进行控制,影响了工作流安全性。工作流的任务分配是工作流管理的核心技术之一,任务分配策略就是描述如何将正确的任务在合适的执行时间,分配给合适的执行者。传统的工作流以用户作为任务分配的最小单元,而以角色作为权限的最小单元。在实际的工作流程中,会存在分配给指定活动的执行者权限不足,或是在流程中产生权责冲突的情况。这样的情况既可能发生在流程设计阶段,也可能发生在流程运行中动态修改组织机构和角色用户权限时。
为了解决以上问题,本文提出了权限集的概念。工作流中的角色都具有一个权限集,其中包含了该角色可以执行的动作,相对于组织结构的静态性,角色的权限集在流程执行中动态变化。因此,工作流活动对执行者的指定转化为对所需权限的描述。通过对活动执行者指定划分为权限、用户、角色三个层次,提高了工作流流程的描述能力,并且可以解决权限不足,权责冲突等一系列任务分配问题。
论文设计并实现了一个基于XML的工作流管理系统引擎,能够解析遵守XPDL规范的工作流流程定义,与工作流管理系统的其他部分交互以完成流程解析与运转。系统通过解析权限集语法描述扩展了任务分配能力,实现了更细粒度的任务分配和执行对象指定,解决了传统的工作流管理系统任务分配中的诸多问题。
With computer and network technology generalized and extended, workflow management system becomes more and more popular as office automation. The workflow technology has become the core technology of company's processes define and management, which has great future.
Workflow management system is a software system used to accomplish workflow process definition, management and running the instance. Workflow management system includes four main part:workflow definition tool, workflow engine, client UI and workflow management plate. As the generally adaption of workflow at many fields, more and more complicate process needs more advantage of the ability of workflow describe. Workflow management systems focus on task assignment by specify to users and roles in the organization nowadays, which are lack of the ability of specify single and multi authorities to describe the task assignment. So the workflow management systems need to use lots of outside data to control the route of process goes, which do harm to the security of workflow.
The task assignment is one of the most important technologies of workflow management; the strategy of task assignment is to describe how to assign the right task and the right time. In the traditional workflow, the user is the minimum unit of task assignment, and the role is the minimum unit of task authority. In real workflow process, the executer which is assigned to specify activity may don't have enough permissions to finish the task, or there may be problem about SoD(seprate of duty).These situations occur when process is designed and when organization and user/role permissions are dynamically modified in process running state.
Besides, the complex real workflow process needs greater ability of describing. The advantage of this paper is to present the concept of authority set to solve these problems. The role in workflow has an authority set, which contains actions the role can finish. Organization is static, while the authority set can be changed dynamic. Therefore, the task assignment can specify certain authority set, user or role. By doing this, the descriptive abilities of workflow are improved and authorized limitations and conflicts of duty can be solved.
工作流管理系统是完成工作流的定义、管理和推进工作流执行的软件系统,主要包括四个部分:工作流建模工具,工作流引擎,客户应用程序和工作流管理工具。工作流技术在各个领域的广泛应用,使得越来越复杂的流程与执行限定对工作流的表述能力提出了更高的要求。现有的工作流描述,集中于针对组织机构和以及角色的任务分配和执行对象指定,对执行权限没有进一步的约束,削弱了工作流的描述能力,在应对复杂流程要求时需要引入大量外部数据进行控制,影响了工作流安全性。工作流的任务分配是工作流管理的核心技术之一,任务分配策略就是描述如何将正确的任务在合适的执行时间,分配给合适的执行者。传统的工作流以用户作为任务分配的最小单元,而以角色作为权限的最小单元。在实际的工作流程中,会存在分配给指定活动的执行者权限不足,或是在流程中产生权责冲突的情况。这样的情况既可能发生在流程设计阶段,也可能发生在流程运行中动态修改组织机构和角色用户权限时。
为了解决以上问题,本文提出了权限集的概念。工作流中的角色都具有一个权限集,其中包含了该角色可以执行的动作,相对于组织结构的静态性,角色的权限集在流程执行中动态变化。因此,工作流活动对执行者的指定转化为对所需权限的描述。通过对活动执行者指定划分为权限、用户、角色三个层次,提高了工作流流程的描述能力,并且可以解决权限不足,权责冲突等一系列任务分配问题。
论文设计并实现了一个基于XML的工作流管理系统引擎,能够解析遵守XPDL规范的工作流流程定义,与工作流管理系统的其他部分交互以完成流程解析与运转。系统通过解析权限集语法描述扩展了任务分配能力,实现了更细粒度的任务分配和执行对象指定,解决了传统的工作流管理系统任务分配中的诸多问题。
With computer and network technology generalized and extended, workflow management system becomes more and more popular as office automation. The workflow technology has become the core technology of company's processes define and management, which has great future.
Workflow management system is a software system used to accomplish workflow process definition, management and running the instance. Workflow management system includes four main part:workflow definition tool, workflow engine, client UI and workflow management plate. As the generally adaption of workflow at many fields, more and more complicate process needs more advantage of the ability of workflow describe. Workflow management systems focus on task assignment by specify to users and roles in the organization nowadays, which are lack of the ability of specify single and multi authorities to describe the task assignment. So the workflow management systems need to use lots of outside data to control the route of process goes, which do harm to the security of workflow.
The task assignment is one of the most important technologies of workflow management; the strategy of task assignment is to describe how to assign the right task and the right time. In the traditional workflow, the user is the minimum unit of task assignment, and the role is the minimum unit of task authority. In real workflow process, the executer which is assigned to specify activity may don't have enough permissions to finish the task, or there may be problem about SoD(seprate of duty).These situations occur when process is designed and when organization and user/role permissions are dynamically modified in process running state.
Besides, the complex real workflow process needs greater ability of describing. The advantage of this paper is to present the concept of authority set to solve these problems. The role in workflow has an authority set, which contains actions the role can finish. Organization is static, while the authority set can be changed dynamic. Therefore, the task assignment can specify certain authority set, user or role. By doing this, the descriptive abilities of workflow are improved and authorized limitations and conflicts of duty can be solved.
引文
[1]CHEN CHUANBO, ZHAO WEIWEI. Strategy for a Task Assignment of Workflow System[J]. Journal of Huazhong University of Science and Technology (Nature Science),2005,Vol5:20-22.
[2]DUAN YONGQIANG, CAO JIAN. Dynamic Task Scheduling Method for Workflow Management [J]. China Mechanical Engineering,2002, Vol.13:233-235,241.
[3]XIAO ZHANGJIN, XIAOQINMING, CHEN QI. A Multilevel Model of Task Assignment in Fuzzy Situations of Workf low[J]. Journal of Computer Research and Development,2007, Vol.44: 302-309.
[4]WANG TAO, TAN QINGPING, CHEN HUOWANG. The Status-quo and Trends of Workflow Task Assignment[J]. Journal of Computer Science,2008, No.9:48-60.
[5]ZHANG XIAOGUANG, ZHANG SHESHENG, CAO JIAN. Team-and-Role-Enabled Task Distribution under Policy Constraints in Adaptive WFMS[J]. Journal of Computer Research and Development,2002, Vol.39:1556-1563.
[6]KNORR K, STORMER H. Modeling and analyzing separation of duties in workflow environments[J]. Proc. of 16th IFIP/SEC,2001,199-212.
[7]SANDHU R, BHAMIDIPATI V. Role-based administration of user-role assignment:The URA97 model and its oracle implementation[J]. Journal of Computer Security,1999,7(4): 317-323.
[8]WEN YAN, LIANG YUN. Research on extension to role based access control mechanism on workflow platform[J]. IEEE Computer,2007(7):361-364. [9] Stormer H, Knorr K, Jan E.A model for security in agent-based workflows. Informatik Informatique,2000,6(1):24-29.
[9]邢光林,洪帆.基于角色和任务的工作流访问控制模型[J].计算机工程与应用,2005,41(2):210-214.
[10]邢光林,洪帆.基于角色和任务的工作流授权模型及约束描述[J].计算机研究与发展,2005,42(11):1946-1954.
[11]林颖莹,曹奇英,周晶晶等.基于角色的工作流多层访问控制安全模型[J].计算机工程与设计,2007,28(10):2306-2308.
[12]HYUNGHYO L, SEUNGYONG L, BONGNAM N. A new role-based authorization model in a corporate workflow system[J]. Proceedings of 1st International Conference on Computational Science, Krakow,2004:701-710.
[13]SEUNGYONG L, HYUNGHYO L. A new authorization model for workflow management system using the RPI-RBAC model[J]. Proceedings of 4th International Conference on Computational Science,Assisi,2004:639-643.
[14]BERTINO E, BONATTI P. TRBAC:a temporal role-based access control model[J]. ACM Transactions on Information and System Security,2001,4(3):191-223.
[15]BAOYI W, SHAOMIN Z. The research on role-based access control mechanism for workflow management system[J]. Proceedings of 3rd International Conference on Computational Science, Wuhan,2004:729-736.
[16]BAOYI W, SHAOMIN Z. The application research of role-based access control mechanism in workflow management system[J]. Proceedings of 2nd International Workshop on Grid and Cooperative Computing, Shanghai,2004:1034-1037.
[17]HUI Z, ZHIYI F, PENG X. An improved role-based workflow access control model[J].IEEE Computer,2008(4):551-556.
[18]JIAN Z, JIGUI S, NIYA L. A conditioned secure access control model based on multi-weighted roles in workflow system[J]. IEEE Computer,2005(3):1068-1073.
[19]范玉顺.工作流管理技术基础[M].北京:清华大学出版社,2001.
[20]KIPUSZEWSKI B, HOFSTEDE A H M, ASLST A. Fundamentals of control flow in workflows [J]. ActaInform,2003,39(3):143-209.
[21]KARAMANOLIS C, GIANNAKOPOULOU D, Magee J. Formal verification of workflow schemas [M].USA:C3DS Technology Republisher,2000.
[22]SADIQ W, ORLOWSKA M. Analyzing process models using graph reduction techniques [J]. Information System,2000,25(2):117-134.
[23]YEHIA T K, ESSAMEDDIN B. Synchronization among Activities in a Workflow Using Extended Workflow Petri Nets [C]//Proceedings of the Seventh IEEE International Conference on E-Commerce Technology. Washington,2005:548-551.
[24]MACIAS E J, DE L A PARTE M P. Simulation and optimization of logistic and production systems using discrete and continuous Petri nets [J]. ISSN 0037-5497,2004, 80(19):143-152.
[25]CAI J, ZHAO W, ZHANG S K, et al. Correctness verification of synchronization based workflow model [C]//Proceedings of the 2005 IEEE International Conference on e-Business Engineering. Beijing,2005:527-530.
[2]DUAN YONGQIANG, CAO JIAN. Dynamic Task Scheduling Method for Workflow Management [J]. China Mechanical Engineering,2002, Vol.13:233-235,241.
[3]XIAO ZHANGJIN, XIAOQINMING, CHEN QI. A Multilevel Model of Task Assignment in Fuzzy Situations of Workf low[J]. Journal of Computer Research and Development,2007, Vol.44: 302-309.
[4]WANG TAO, TAN QINGPING, CHEN HUOWANG. The Status-quo and Trends of Workflow Task Assignment[J]. Journal of Computer Science,2008, No.9:48-60.
[5]ZHANG XIAOGUANG, ZHANG SHESHENG, CAO JIAN. Team-and-Role-Enabled Task Distribution under Policy Constraints in Adaptive WFMS[J]. Journal of Computer Research and Development,2002, Vol.39:1556-1563.
[6]KNORR K, STORMER H. Modeling and analyzing separation of duties in workflow environments[J]. Proc. of 16th IFIP/SEC,2001,199-212.
[7]SANDHU R, BHAMIDIPATI V. Role-based administration of user-role assignment:The URA97 model and its oracle implementation[J]. Journal of Computer Security,1999,7(4): 317-323.
[8]WEN YAN, LIANG YUN. Research on extension to role based access control mechanism on workflow platform[J]. IEEE Computer,2007(7):361-364. [9] Stormer H, Knorr K, Jan E.A model for security in agent-based workflows. Informatik Informatique,2000,6(1):24-29.
[9]邢光林,洪帆.基于角色和任务的工作流访问控制模型[J].计算机工程与应用,2005,41(2):210-214.
[10]邢光林,洪帆.基于角色和任务的工作流授权模型及约束描述[J].计算机研究与发展,2005,42(11):1946-1954.
[11]林颖莹,曹奇英,周晶晶等.基于角色的工作流多层访问控制安全模型[J].计算机工程与设计,2007,28(10):2306-2308.
[12]HYUNGHYO L, SEUNGYONG L, BONGNAM N. A new role-based authorization model in a corporate workflow system[J]. Proceedings of 1st International Conference on Computational Science, Krakow,2004:701-710.
[13]SEUNGYONG L, HYUNGHYO L. A new authorization model for workflow management system using the RPI-RBAC model[J]. Proceedings of 4th International Conference on Computational Science,Assisi,2004:639-643.
[14]BERTINO E, BONATTI P. TRBAC:a temporal role-based access control model[J]. ACM Transactions on Information and System Security,2001,4(3):191-223.
[15]BAOYI W, SHAOMIN Z. The research on role-based access control mechanism for workflow management system[J]. Proceedings of 3rd International Conference on Computational Science, Wuhan,2004:729-736.
[16]BAOYI W, SHAOMIN Z. The application research of role-based access control mechanism in workflow management system[J]. Proceedings of 2nd International Workshop on Grid and Cooperative Computing, Shanghai,2004:1034-1037.
[17]HUI Z, ZHIYI F, PENG X. An improved role-based workflow access control model[J].IEEE Computer,2008(4):551-556.
[18]JIAN Z, JIGUI S, NIYA L. A conditioned secure access control model based on multi-weighted roles in workflow system[J]. IEEE Computer,2005(3):1068-1073.
[19]范玉顺.工作流管理技术基础[M].北京:清华大学出版社,2001.
[20]KIPUSZEWSKI B, HOFSTEDE A H M, ASLST A. Fundamentals of control flow in workflows [J]. ActaInform,2003,39(3):143-209.
[21]KARAMANOLIS C, GIANNAKOPOULOU D, Magee J. Formal verification of workflow schemas [M].USA:C3DS Technology Republisher,2000.
[22]SADIQ W, ORLOWSKA M. Analyzing process models using graph reduction techniques [J]. Information System,2000,25(2):117-134.
[23]YEHIA T K, ESSAMEDDIN B. Synchronization among Activities in a Workflow Using Extended Workflow Petri Nets [C]//Proceedings of the Seventh IEEE International Conference on E-Commerce Technology. Washington,2005:548-551.
[24]MACIAS E J, DE L A PARTE M P. Simulation and optimization of logistic and production systems using discrete and continuous Petri nets [J]. ISSN 0037-5497,2004, 80(19):143-152.
[25]CAI J, ZHAO W, ZHANG S K, et al. Correctness verification of synchronization based workflow model [C]//Proceedings of the 2005 IEEE International Conference on e-Business Engineering. Beijing,2005:527-530.