15th Annual Computer Security Applications Conference
December 6-10, 1999
Phoenix, Arizona

A Prototype Secure Workflow Server

Douglas L. Long, dougl@oracorp.com
Julie Baker, julie@oracorp.com
Francis Fung, fung@oracorp.com

Odyssey Research Associates
33 Thornwood Dr., Suite 500
Ithaca, NY

Workflow systems provide automated support that enables organizations to efficiently and reliably move important data through their routine business processes. For some organizations, the information processed by their workflow systems is highly valued and in need of protection from disclosure or corruption. Current workflow systems do not help organizations to adequately protect this important data. We describe a prototype secure workflow system that allows users to develop high-level workflow security policies and to automatically execute these policies within the workflow system. These workflow policies can use the workflow context to provide fine-grained, dynamic access control and other security services that enhance the organization's ability to control the information contained in its workflow system. In this paper, we will explain these security policy goals, our prototype policy editor, our prototype workflow server, and our underlying Java-based implementation.

Keywords: workflow, security policy