Analyzing the Performance Impact of AuthorizationConstraints and Optimizing the Authorization

Methods for WorkflowsNadeem Chaudhary and Ligang He

Department of Computer Science, University of Warwick, Coventry, CV4 7AL, United KingdomEmail: liganghe@dcs.warwick.ac.uk

Abstract—Many workflow management systems have beendeveloped to enhance the performance of workflow executions.The authorization policies deployed in the system may restrict thetask executions. The common authorization constraints includerole constraints, Separation of Duty (SoD), Binding of Duty (BoD)and temporal constraints. This paper presents the methods tocheck the feasibility of these constraints, and also determines thetime durations when the temporal constraints will not imposenegative impact on performance. Further, this paper presentsan optimal authorization method, which is optimal in the sensethat it can minimize a workflow’s delay caused by the temporalconstraints. Simulation experiments have been conducted toverify the effectiveness of the proposed authorization method.The experimental results show that comparing with the intuitiveauthorization method, the optimal authorization method canreduce the delay caused by the authorization constraints andconsequently reduce the workflows’ response time.

I. INTRODUCTION

Business processes or workflows are often used to modelenterprise applications [1][2]. A workflow consists of multipleactivities or tasks with precedence constraints. When we de-sign workflow management/scheduling strategies, or evaluatethe performance of workflow execution on target resources, itis often assumed that when a task is allocated to a resource, theresource will accept the task and start the execution once theprocessor becomes available. In reality, however, authorizationpolicies may be deployed in the organisations and used tospecify who is allowed to perform which tasks at what time.When these authorization schemes are taken into account, thesituation can become complex.

A number of authorisation schemes have been presented in[3][4][5]. The RBAC (Role Based Access Control) schemeis one of most popular authorisation schemes. Under theRBAC scheme, users are assigned to certain roles while theroles are associated with prescribed permissions. Therefore,the organisations can control the users permissions throughthese roles. The following example in banking illustrates theeffect of the RBAC scheme on the workflow execution [6]. Abank often uses a variety of computing applications to supportits business; these applications may be deployed in a centralresource pool (e.g., a cluster) of the bank. A workflow mayconsist of tasks such as credit data checks, automated signatureapproval, risk analysis and so on. In each task, a particularapplication has to be launched to perform the corresponding

business functions. Under RBAC, an application may only belaunched by certain users (i.e., the employees in the bank)assuming certain roles (i.e., job positions, such as branchmanager or financial advisor). The following authorisationconstraints are often encountered in such scenarios: 1) Roleconstraints: A task may only be performed by a particular role;2) Temporal constraints: A role or a user is only activatedduring certain time intervals (e.g., a staff member only worksin certain hours of a day); 3) Separation of Duty constraints:If Task A is run by a role (or a user), then Task B mustnot be run by the same role (or user); 4) Binding of Dutyconstraints: If Task A is run by a role (or user), then TaskB must be run by the same role (or user). Since a valid andactivated role has to be assigned to a task before the task canstart execution, these authorisation constraints may delay thestart of a task in a workflow, and consequently have negativeimpact on application performance (e.g. mean response timeof workflows). Similar authorization constraints and situationalso exist in other application domains such as healthcaresystems [7], the manufacturing community [8][9], and so on.

The focus of this paper is to investigate the performanceimpact of the authorization constraints and the authorizationmethod (i.e., the way of selecting the roles to assign to thetasks). This paper starts with investigating the issue of check-ing the feasibility of the authorization constraints designed forworkload management systems. More specifically, this paper1) checks whether all tasks in a workflow can be authorizedso that the authorization constraints deployed in the systemcan be satisfied, 2) determines such time durations in whichthe temporal constraints will not have negative impact on theperformance of workflow executions. Then, the methods aredeveloped to quantitatively determine 1) the time duration forthe arrivals of the workflows within which the authorizationconstraints will not have negative impact on the executionperformance of the workflows, and 2) the delay caused bythe authorization constraints, if a workflow arrives beyondthe above duration. Based on the above analyses, this paperfurther proposes an optimal authorization method under whichthe delay caused by the authorization constraints can beminimized.

The rest of this paper is organized as follows. The relatedwork in this topic is presented in II. Section III presents

the methods to check the feasibility of role, SoD and BoDconstraints deployed in the system. Section IV presents themethod to determine the time durations in which the workflowexecutions will not be delayed by the authorization constraintsin the system. Section V presents an optimal authorizationmethod to assign the roles to the tasks in a workflow. Section Valso proves the method is optimal in the sense that the methodgenerates the minimal delay caused by the authorizationconstraints for workflow executions. Section VII concludes thepaper.

II. RELATED WORK

There is the existing work to check the satisfiability ofthe authorization constraints in a workflow [10][6][11][12].The work in [10] conducted the theoretical analysis about thesatisfiability of the authorization constraints for a workflow.The work conducted theoretical analysis and found out thatin order to check whether there is a valid the workflow au-thorization, it only needs to consider a single linear extension(i.e., a linear ordering) of the tasks in the workflow. Thereexists a valid workflow authorization if and only if there isalso a valid authorization solution for the linear extension.However, the approach proposed in our work is able to obtainall valid authorization solutions. Based on this, our workfurther develops the authorization methods, aiming to reducethe negative impact imposed by the authorization constraints.

The work in [6] conducts the safety analysis, i.e., analyzeswhether a specified authorization state (i.e., the task-roleassignments) can be reached under a set of authorizationconstraints, given an initial authorization state. The work usesthe Color Timed Petri Nets (CTPN) to model roles, SoDand temporal constraints, and then converts the constructedCTPN model to an ordinary Petri-Net (PN) model so that theestablished PN analysis techniques can be applied to generatethe results. The work can generate all possible authorizationsolutions. However, the approach is a bit heavy since it needsto construct the CPTN model, covert the CPTN model toordinary PN models, and analyze the PN models. In thispaper, we model the feasiblity checking problem conciselyas a Constraint Satisfaction Problem (CSP).

There are also studies to investigate the overhead causedby authorization constraints [13][14]. The work in [13] alsoapplies CTPN to model various authorization constraints, andthe interactions between workflow authorization and workflowexecution. Then, the work analyzes and obtains the autho-rization overhead and other associated performance data fromthe constructed CTPN model. The work makes use of themodelling capability to capture the dynamics in the workflowauthorization and execution. The approach is experiment-oriented since the performance data is gathered through run-ning the constructed model in a Petri-Net simulation toolkit,CPN Tools [15]. Also, the CTPN modelling is a heavyapproach, and the construction and running of the modelscould be time consuming. In this paper, we adopt a theoreticalapproach to analyzing the authorization overhead, and revealssome fundamental properties with regards to authorization

overhead (i.e., the delay caused by the authorization con-straints). Based on the theoretical analysis of the overhead,this paper further presents an optimal authorization methodthat is able to minimize the overhead.

III. CHECKING FEASIBILITY OF ROLE, SOD AND BODCONSTRAINTS

S = {s1, . . . , sL} denotes the set of services running on theresource pool.

F = (T,E) denotes a workflow, in which T = {t1, ..., tN}is a set of tasks in the workflow and E = {(ti, tj)|ti, tj ∈ T}is a set of directed edges linking task ti to tj . A task invokesone of the services in S.R = {r1, ..., rM} denotes the set of roles defined in the

authorisation control system. The role constraint specifies theset of roles that are permitted to run a particular service. Cr(si)denotes the role constraint applied to service si. r(si) denotesthe role that is assigned to run si. The Separation of Duty(SoD) and the Binding of Duty (BoD) constraint between siand sj are represented as r(si) 6= r(sj) and r(si) = r(sj),respectively.

In this paper, the problem of checking feasibility of role,SoD and BoD constraints is formulated as a Constraint Sat-isfaction Problem (CSP) [16]. A CSP consists of a triple< V,D,C >, where V = {v1, v2, ..., vn} is a set of variables,D = {Dv1 , Dv2 , ..., Dvn}, where Dvi is the domain of thevalue of vi, C is a set of constraints restricting the valuesthat the variables can take. The Feasibility Checking Problem(FCP) in this paper can be modelled as CSP in the followingway. The services in FCP are regarded as the variables in CSP.The role constraint of a service is regarded as the domainof the value of the service. The BoD and SoD constraintsare regarded as the constraints restricting the values that theservices can take.

An example is given below to illustrate the modelling.Assume there are 7 services, s1 − s7, and 6 roles, r1 − r6in the system. The role constraints of service si, denoted asCr(si), are Cr(s1) = {r1}, Cr(s2) = {r2, r3, r4}, Cr(s3) ={r2, r3, r5}, Cr(s4) = {r2, r3, r5}, Cr(s5) = {r2, r3, r5},Cr(s6) = {r2, r4}, Cr(s7) = {r4, r6}. The SoD constraintsare r(t2) 6= r(t5), r(t2) 6= r(t7), r(t6) 6= r(t7). The BoDconstraints are r(t2) = r(t4), r(t3) = r(t5). Then the problemof checking feasibility of these authorization constraints canbe formulated as CSP as follows.CSP =< V,D,C >,V = {s1, s2, s3, s4, s5, s6, s7},D = {Ds1 , Ds2 , ..., Ds7},C = {C1, C2, C3, C4, C5},Ds1 = {r1},Ds2 = {r2, r3, r4},Ds3 = {r2, r3, r5},Ds4 = {r2, r3, r5},Ds5 = {r2, r3, r5},Ds6 = {r2, r4},Ds7 = {r4, r6},C1 : r(t2) = r(t4);

C2 : r(t2) 6= r(t5);C3 : r(t2) 6= r(t7);C4 : r(t6) 6= r(t7);C5 : r(t3) = r(t5);There are the existing solvers to solve the CSP problem

[16]. The solutions are the feasible role assignments to thetasks so that all SoD, BoD and role constraints are satisfied.

IV. ANALYZING THE COVERAGE OF TEMPORALCONSTRAINTS

A. Calculating the coverage of temporal constraints

Roles have temporal constraints. It is useful to check thecoverage of roles’ temporal availability in a given securitysetting. We can use the CSP solver to obtain all feasible roleassignment solutions for the tasks in a workflow. A denotesthe set of all feasible role assignments for the workflow,and Ak = {(ti, rj)|ti ∈ T} denotes the k-th feasible roleassignment, in which ti is a task in the workflow and rjis the role assigned to ti. In most cases, a role is activatedperiodically. For example, the role of bank manager is onlyactivated from 9am to 12pm, and from 2pm to 4pm in aday. Therefore, the temporal constraint of role ri, denotedas Ct(ri) can be expressed as Eq.1, where Pi is the period,Di = {[ldij , udij ]|i ∈ N} is the time duration when ri isactivated in the period Pi, and Si and Ei are the start and endtime points when this period pattern begins and ends. Ei canbe ∞, meaning the periodic pattern continues indefinitely.

Ct(ri) = (Pi, Di, Si, Ei) (1)

Assume that the execution times of the tasks in a DAG andthe scheduling algorithm used to schedule the tasks are known.Therefore, if we know the arrival time of the entry task in theDAG, we can calculate the start time of every task in the DAG.sti denotes the start time of task ti, r(ti, Ak) denotes the roleassigned to task ti in Ak. Assume r(ti, Ak) = rq . Assume t0is the entry task. Given Ak = {(ti, rj)|ti ∈ T}, Ct(r(t0, Ak))represents the temporal constraint of the role assigned to t0.Assume r(t0, Ak) = rp. T (rq) denotes the time durationswhen r(ti) has to be activated to run ti so that ti can startexecution without being delayed by the temporal constraints.Given Ct(rp), T (rq) can be determined by Eq. 2, where Dj

is determined in Eq.3. However, rq is subject to the temporalconstraint, Ct(rq). Therefore, The intersection of T (rq) andCt(rq), denoted by I(ti, Ak) = (P I

ki, DIki, S

Iki, E

Iki), is the

time durations when task ti can start execution immediatelywithout being delayed by the temporal constraints, givena role assignment Ak. P I

ki is lcm(Pp, Pq), i.e., the leastcommon multiple of Pp and Pq . SI

ki = max(Sp, Sq). EIki =

min(Ep, Eq). Let DIki = {[ldIkij , udIkij ]|j ∈ N}.

T (r(ti, Ak)) = (P0, Dj , S0+(sti−st0), E0+(sti−st0)) (2)

Dj = {[ld0k + (sti − st0), ud0k + (sti − st0)]|k ∈ N} (3)

As shown above, we calculate T (r(ti, Ak)) fromCt(r(t0, Ak)), and then calculate I(ti, Ak) from T (r(ti, Ak)).I(ti, Ak) is a subset of T (r(ti, Ak)). This means that onlywhen t0 arrives in a subset of the time durations inCt(r(t0, Ak)), ti’s start time falls into I(ti, Ak). Such asubset of time durations in Ct(r(t0, Ak)) is called r(t0, Ak)’seffective time durations for ti in the role assignmentAk, which is denoted by ETk(t0, ti). ETk(t0, ti) can bedetermined by Eq.4.

ETk(t0, ti) = (P0, {[ldIkij − (sti − st0),udIkij − (sti − st0)]|j ∈ N},S0, E0)

(4)

We can calculate ETk(t0, ti) for every task ti in the DAG.⋂ti∈T ETk(t0, ti) is the time durations in Ct(r(t0, Ak)) that

can ensure the start time of every task ti ∈ T (i 6= 0) in theDAG falls into the times durations specified in Ct(r(ti, Ak)).Only when t0 arrives in these time durations, can every taskin the DAG starts execution without being delayed by theauthorization constraints of the role assigned to run the task inAk.

⋂ti∈T ETk(t0, ti) is called t0’s effective arrival time when

the role assignment is Ak, denoted by EAk(t0). Note thataccording to the calculation method of EAk(t0), EAk(t0) isa subset of Ct(r(t0, Ak)). Therefore, we also call EAk(t0) theeffective temporal constraint of r(t0, Ak) for the DAG in therole assignment Ak. Assume EAk(t0) = {[ld0j , ud0j ]|j ∈ N}.We can further determine the set of time durations for the starttime of ti, denoted by EAk(ti), as in Eq.5 . Note that EAk(ti)is a subset of Ct(r(ti, Ak)). Therefore, we call EAk(ti) theeffective temporal constraint of r(ti, Ak).

EAk(ti) = {[ld0j+(sti−st0), ud0j+(sti−st0)]|j ∈ N} (5)

We can calculate EAk(t0) for every feasible role assign-ment. Assume [S,E] is the time duration for which we wantto check the Coverage of the Temporal Constraints (CTC).If

⋃Ak∈AEAk(t0) cover the entire range of [S,E], then no

matter when the workflow instance is initiated, we can alwaysfind a role assignment so that all tasks in the workflow can startexecution without delay due to the roles’ temporal constraints.Otherwise, [S,E] −

⋃Ak∈AEAk(t0) is the time gap during

which the execution of at least one task in DAG will bedelayed by the current setting of the temporal constraints.

B. A case study

A case study is given in this Subsection to illustrate themethod of calculating the coverage of the temporal constraints.

Fig. 1 shows the workflow in the case study, in which thereare 9 tasks and the execution time of each task is given inTable II.

There are 4 roles in the system, and the temporal constraintof each role is given in Table III and illustrated in Fig. 2 (forbrevity, we assume the temporal constraints of all roles havethe same period P of 8 hours, and only show the elementDi in the temporal constraint of a role). Also for simplicityand without compromising the clarity of the illustration, we

T0 

T2 

T1 

T4 

T3  T

5 

T6 

T7 

T8 

Fig. 1. The workflow in the case study

TABLE IEXECUTION TIMES OF THE WORKFLOW TASKS IN THE CASE STUDY

Task Execution time Task Execution timet0 30 t1 30t2 36 t3 42t4 48 t5 42t6 30 t7 36t8 42

assume the role constraints are applied to tasks directly in thiscase study (in the example in Section III, the tasks call one ofthe services in the system and the role constraints are appliedon services).

Assume that all feasible authorization solutions are asin Table IV, after applying the feasibility checking methodpresented in Section III.

Let us first show how to calculate EA1(t0). Since 1) t0is authorized to r1 in A1, 2) r1 is activated during [09 :00, 17 : 00], and 3) t0s execution time is 30 minutes (thereforest1 − st0 = 30 minutes), the possible start time of t1 canbe calculated as below after applying Eq.2, which is also theduration when the role assigned to t1 in A1 (i.e., r3) has to

Fig. 2. The temporal constraints of the roles in the case study, the shadedarea is the duration when the roles are not activated

TABLE IITEMPORAL CONSTRAINTS OF THE ROLES IN THE CASE STUDY

Role Temporal Role Temporal constraintr1 {[09:00, 17:00]} r2 {[12:00, 17:00]}r3 {[11:00, 17:00]} r4 {[09:00, 12:00], [14:00, 17:00]}

TABLE IIIALL FEASIBLE AUTHORIZATION SOLUTIONS IN THE CASE STUDY

A1 A2 A3 A4 A5 A6 A7 A8

t0 r1 r1 r1 r1 r1 r1 r1 r1t1 r3 r3 r3 r3 r4 r4 r4 r4t2 r1 r1 r2 r2 r1 r1 r2 r2t3 r1 r1 r1 r1 r1 r1 r1 r1t4 r2 r2 r2 r2 r2 r2 r2 r2t5 r3 r3 r3 r3 r4 r4 r4 r4t6 r2 r2 r2 r2 r2 r2 r2 r2t7 r2 r3 r2 r3 r2 r3 r2 r3t8 r2 r2 r2 r2 r2 r2 r2 r2

TABLE IVTHE VALUES OF ET1(t0, ti) IN THE CASE STUDY

ET1(t0, t1) {[10 : 30, 16 : 30]} ET1(t0, t2) {[09 : 00, 16 : 30]}ET1(t0, t3) {[09 : 00, 16 : 00]} ET1(t0, t4) {[10 : 54, 15 : 54]}ET1(t0, t5) {[09 : 54, 15 : 54]} ET1(t0, t6) {[10 : 06, 15 : 06]}ET1(t0, t7) {[10 : 12, 15 : 12]} ET1(t0, t8) {[09 : 36, 14 : 36]}

be activated in order for t1 to start execution without beingdelayed by the temporal constraints (i.e., T (r3)).

T (r(t1, A1)) = T (r3) = {[09 : 30, 17 : 30]}

However, r3s temporal constraint is

Ct(r3) = [11 : 00, 17 : 00].

Consequently,

I(t1, A1) = Ct(r3)⋂T (r3) = {[11 : 00, 17 : 00]}.

Then,

ET1(t0, t1) = {[11 : 00− 30mins, 17 : 00− 30mins]}= {[1030, 1630]}

Similarly, t2 is authorized to run under r1 in A1.

T (r1) = {[09 : 30, 17 : 30]},

I(t2, A1) = Ct(r1)⋂T (r1) = {[09 : 30, 17 : 00]}.

Therefore,

ET1(t0, t2) = {[09 : 00, 16 : 30]}.

Similarly, ET1(t0, ti) for tasks t3-t8 can also be calculated,which are all summarized in Table V.

Then, the effective arrival time of t0 (i.e., the arrival timeof the workflow), EA1(t0), can be calculated as follows.

EA1(t0) =⋂ti∈T

ETk(t0, ti) = {[10 : 54, 14 : 36]}

This means that if the workflow arrives during [10 : 54, 14 :36] and A1 is used as the authorization solution, all tasks inthe workflow can start execution without being delayed by thetemporal constraints.

TABLE VTHE VALUES OF ETk(t0) IN THE CASE STUDY

EA1(t0) {[10 : 54, 14 : 36]} EA2(t0) {[10 : 54, 14 : 36]}EA3(t0) {[11 : 30, 14 : 36]} EA4(t0) {[11 : 30, 14 : 36]}EA5(t0) {[14 : 00, 14 : 36]} EA6(t0) {[13 : 30, 14 : 36]}EA7(t0) {[13 : 30, 14 : 36]} EA8(t0) {[13 : 30, 14 : 36]}

Similarly, we can calculate the value of EAk(t0), (2k8)(i.e., other authorization solutions A2-A8), which are summa-rized in Table VI.⋃

Ak∈A

EAk(t0) = {[10 : 54, 14 : 36]}

This suggests that whenever the workflow arrives in the timeduration of [10:54, 14:36], there exists an authorization solu-tion under which all tasks in the workflow can start executionwithout being delayed by the authorization constraints.

V. THE WORKFLOW AUTHORIZATION METHODS

Section IV calculates the time durations when the executionsof all tasks in a workflow will not be delayed by the authoriza-tion constraints, which is

⋃Ak∈AEAk(t0). The delay caused

by the authorization constraints for a task is defined as thetime that a ready task (a task in a workflow is ready when allof its predecessors have been completed) has to wait until therole assigned to the task become activated. The delay causedby the authorization constraints for a workflow (denoted bytd) is defined as the total delay caused by the authorizationconstraints for the workflow. When a workflow arrives beyond⋃

Ak∈AEAk(t0), it is useful to quantitatively determine td.Further, it is desired to develop an authorization method thatcan minimize td. This section strives to achieve these.

In this section, we first propose an intuitive policy ofauthorizing the tasks in a workflow, called the EAF (EarliestActivation First) method. Then we conduct quantitative anal-ysis about the delay caused by temporal constraints. Based onthe delay analysis, we further propose a optimized method ofauthorizing the tasks in a workflow, called the GAA (GlobalAuthorization-Aware) method. The GAA method is optimal inthe sense that the method can minimize the delay caused bythe temporal constraints.

A. The EAF authorization method

The EAF method is intuitive. Its fundamental idea is thatwhen a task in the workflow is ready to run (i.e., all pre-decessors of the task have completed the executions), butall roles that can be assigned to the task (i.e., satisfy theauthorization constraints) are not activated, a role with theearliest activation time will be assigned. The EAF method isoutlined in Algorithm 1.

The workflows with different arrival times may have dif-ferent delay caused by the authorization constraints for aworkflow, td. td(τ) denotes the delay experienced by theworkflow whose arrival time is τ . tdEAF (τ) denotes the delayexperienced by all tasks in the workflow whose arrival time isτ when the EAF authorization method is applied.

Algorithm 1. The EAF authorization method1 for a ready task ti in the workflow2 Apply the role constraints, BoD and SoD to obtain

a set of roles (denoted by CA(ti)) that canbe assigned to ti;

3 if all roles in CA(ti) are not activated,4 Assign to ti a role with the earliest activation

time;5 if there are the roles in CA(ti) that are activated,6 A role is randomly selected and assigned to ti;

Algorithm 2. The GAA authorization method1 In all feasible authorization solution, find such a

authorization solution, Ak, that Ak generatesthe minimal value of (EAk(t0).next(τ)− τ);

2 The tasks in the workflow are authorized asdesignated in Ak;

B. The GAA authorization methodAssume a workflow arrives at time τ . EAk(t0).next(τ)

denotes the beginning of the next duration after τ in EAk(t0).If the workflow waits for (EAk(t0).next(τ)−τ), then Ak canbe used as the authorization solution of the workflow and theworkflow execution can progress without further delay causedby the temporal constraints.

The GAA authorization method is proposed based on theabove discussion. In the GAA method, the authorizationsolution that has the least value of (EAk(t0).next(τ) − τ)is used to assign the roles to the tasks in a workflow. TheGAA method is outlined in Algorithm 2. tdGAA(τ) denotesthe delay caused by the temporal constraints for a workflowwhose arrival time is τ under the GAA method, which equalsto (EAk(t0).next(τ)− τ).

Assume that a workflow arrives at the time point τ , andassume that it turns out that Ak is the authorization solutionused for the workflow under the EAF method. We can provethat the delay caused by the temporal constraints for the work-flow under the EAF method equals to (EAk(t0).next(τ)−τ),as shown in Theorem 1.

Theorem 1. If a workflow arriving at time τ is authorizedusing the EAF method and the outcome is that the roles areassigned to the tasks in the workflow as in the authorizationsolution Ak, then Eq.6 holds.

tdEAF (τ) = (EAk(t0).next(τ)− τ) (6)

Proof: If the role assigned to t0 in Ak (i.e., r(t0))is only activated at time EAk(t0).next(τ), then t0 startsexecution at EAk(t0).next(τ) under the EAF method. Con-sequently, the delay caused by the temporal constraints ont0 is EAk(t0).next(τ) − τ , and according to the definitionof EAk(t0).next(τ), all successors of t0 can start executionwithout further delay caused by the temporal constraints. Then

tdEAF (τ) = (EAk(t0).next(τ)− τ).

Therefore, Eq.6 holds. We call EAk(t0).next(τ) t0’s effec-tive start time (denoted by est0).

When t0 starts at EAk(t0).next(τ), we can calculate thestart time of t0’s any successor ti, which is called ti’s effectivestart time (denoted by esti) because if ti starts at time esti, allsuccessors of ti can start execution without being delay by thetemporal constraints of the roles assigned to the successors inAk. esti equals est0 plus the length of the longest path fromt0 to ti in the workflow.

If task t0 starts execution at time τ ′0 when the role assignedto t0 in Ak becomes activated, then the delay caused by thetemporal constraints on t0 is τ ′0 − τ . Assume tk is t0’s child.If t0 starts execution at τ ′0, then tk can be ready for execution(tk’s ready time is denoted by τk) at time τ ′0 plus the lengthof the longest path from t0 to tk (i.e., all its predecessors havebeen completed), that is, τ ′0 + (estk − est0), only subject tothe availability of role r(tk).

If r(tk) is activated only at estk, then tk’s delay causedby r(tk)’s temporal constraints is estk − (τ ′0 + (estk −est0))=est0− τ ′0, and all successors of tk can start executionswithout being delayed by temporal constraints. Therefore,tdEAF (τ) can be calculated as

tdEAF (τ) = (est0 − τ ′0) + (τ ′0 − τ)= est0 − τ= EAk(t0).next(τ)− τ

It shows Eq.6 holds.If r(tk) is activated at time τ ′k (τ ′k < estk), then tk starts

execution at τ ′k in the EAF method. We can repeat the analysissimilar as above only replacing t0 with tk, τ with τk and est0with estk. Similarly, we can recursively conduct the analysisfor the rest of all tasks in the workflow. It can be shown thatEq.6 holds.

Besides the EAF method, other authorization method canbe used to assign the roles to the tasks in a workflow. Basedon Theorem 1, however, we can prove that no matter whatauthorization method is used to authorize the workflow, if itturns out that the workflow is authorized as in the authorizationsolution Ak, then the delay caused by the authorization con-straints under the authorization method will be no less thanthe delay when using the EAF method to assign the rolesto the tasks as in Ak. This relation is stated in Theorem 2.The proof of the theorem takes the similar steps as those inTheorem 1. The difference is that when using the EAF methodto authorize the tasks as Ak, a task is authorized as soon asthe role assigned to the task in Ak becomes activated, whileunder other authorization method, a task may be authorized(therefore start execution) later than the role’s activation time.

Theorem 2. No matter what authorization method is used toassign the roles to the tasks in a workflow, if the outcome isthat the tasks are authorized as in the authorization solutionAk, then the delay caused by the authorization constraintsunder the authorization method is no less than the delay whenusing the EAF method to authorize the tasks as in Ak.

Proof: Assume that a workflow arrives at time τ . Similarto Theorem 1, we can determine esti for every task in theworkflow.

If r(t0) in Ak is activated at time EAk(t0).next(τ), thenthe minimal delay caused by the authorization constraints isEAk(t0).next(τ) − τ , which equals to the delay generatedwhen using the EAF method to authorize t0. Any method thatauthorizes t0 later than EAk(t0).next(τ) will generate a delaygreater than that generated by the EAF method. The theoremholds.

If r(t0) becomes activated at time τ ′0, but under the au-thorize method, task t0 is authorized and starts execution ata later time τ ′0 + δ0 (δ0 > 0), then the delay caused by theauthorization constraints on t0 is τ ′0 + δ0 − τ .

Assume tk is t0’s child. If t0 starts execution at τ ′0+δ0, thentk can be ready for execution at time τk=τ ′0+δ0+(estk−est0).

Assume τ ′0 + δ0 + (estk − est0) ≥ estk. Then tk canbe authorized and start execution immediately and further,all successors of tk can be authorized and start executionimmediately when they are ready for execution. Therefore,the minimal delay for the workflow is τ ′0 + δ0 − τ . Sinceτ ′0 + δ0 + (estk − est0) ≥ estk, we can have δ0 > est0 − τ ′0.Then the following inequality holds, which shows that the EAFmethod generates the minimal delay.

τ ′0 + δ0 − τ > est0 − τ= EAk(t0).next(τ)− τ= tdEAF (τ)

Assume τ ′0 + δ0 + (estk − est0) < estk. We can repeat thesame analysis on tk as that on t0, only replacing t0 with tk,τ with τk and est0 with estk. Similarly, we can recursivelyconduct the analysis for the rest of all tasks in the workflow.It can be shown that the theorem holds.

Based on Theorem 1 and 2, we can further prove that theGAA method is the optimal authorization method, as shownin Theorem 3.

Theorem 3. The GAA authorization method is optimal in thesense that under the GAA method, the delay caused by theauthorization constraints for a workflow is not more than thatunder any other authorization method.

Proof: Given an authorization method and a workflowarriving at time τ , assume that the method authorizes the tasksas in the authorization solution Ak. From Theorem 2, weknow that the delay generated by the authorization methodis no less than the delay when using the EAF method toauthorize the tasks as in Ak. From Theorem 1, we know thatthe delay generated by the EAF method can be calculatedas EAk(t0).next(τ) − τ . Therefore, the given authorizationmethod generates a delay greater than EAk(t0).next(τ)− τ .According to the algorithm of the GAA method, the GAAmethod selects the authorization solution Aj that has the leastvalue of (EAj(t0).next(τ)−τ) from all possible authorizationsolutions. Therefore, the theorem holds.

VI. SIMULATION EXPERIMENTS

This section conduct the simulation experiments to evaluatethe performance of the GAA method against that of the EAF

method. The performance metrics evaluated in the experimentsinclude the delay caused by the authorization constraints for aworkflow (i.e., td defined in the first paragraph of Section V)and the response time of a workflow (denoted as rt), which isdefined as the duration between the time when a first task ofthe workflow arrives and the time when the last tasks of theworkflow is completed.

In the experiments, the workflow is randomly generated.Each workflow containing TNUM tasks and each task ina workflow having the maximum of MAX DG children.RNUM roles are assume to exist in the system. The tasks’role constraints (i.e., the set of roles that a task can assume)are set in the following fashion. The simulation sets a max-imum number of roles that any task can assume in the roleconstraints, denoted as MAX RCST , which represents thelevel of restrictions imposed on the role assignment for tasks.When setting the role constraint for task ti, the number of rolesthat can run ti is randomly selected from [1, MAX RCST ],and then that number of roles are randomly selected from therole set.NUM SoD and NUM BoD denote the number of tasks

that are associated with SoD and BoD constraints, respectively.Duty constraints were set as follows. Each time, two tasks arerandomly selected from the workflow to establish the BoDconstraint between them until NUM BoD tasks are covered.And then the same procedure is applied to establish the SoDconstraints among tasks. In this process, the method presentedin Section III is used to make sure that the designatedduty constraints on these selected tasks can be satisfied. Weassume that the tasks execution times follow an exponentialdistribution. The average execution time of the tasks is theEX H time units. In order to examine the delay causedby the authorization constraints, a workflow instance is onlyissued after the previous instance has been completed in theexperiments. Unless otherwise stated, the value of dt or rtdepicted in the figure is the value averaged over all workflowinstances issued within the period of the temporal constraints,which are set below.

The temporal constraints on roles are set in the followingway. For each role, a time duration is selected from a period ofP time units. The selected time duration occupies the specifiedpercentage of the P time units, which is denoted as TEMP. Thestarting time of the selected duration is chosen randomly fromthe range of [0, P × (1 − TEMP )]. For example, if P=100and TEMP=10%, the starting point is randomly selected from0 to 90%× 100.

Unless otherwise stated, the parameters are set to be thevalues shown in Table VII.

A. Temporal constraints

Fig. 3 shows the change of td as the temporal constraints(TEMP) changes. It can be seen from this figure that in allcases the GAA method achieves smaller td than EAF. Forexample, when TEMP is 10%, td is 0 under GAA whileit is about 10 under EAF. The discrepancy becomes evenbigger when TEMP increases. These results verify that the

TABLE VIEXPERIMENTAL SETTINGS

Parameter Value Parameter ValueTNUM 15 MAX DG 3EXH 5 RNUM 5MAX RCST 3 NUM SoD 4NUM BoD 4 P 480TEMP 20%

10 % 20 % 30 % 40 %0

50

100

150

TEMP

td

GAA

EAF

Fig. 3. td under different TEMP

authorization method indeed matters and the GAA method issuperior to the intuitive EAF method.

Fig. 4 compares rt achieved by GAA and EAF underdifferent TEMP. It can be seen that GAA achieves the shorterrt than EAF in all cases. This is because GAA causes lessdelay and therefore achieves less response time than that underEAF.

B. Arrival times of workflows

The work in this paper presents the method to determinethe duration of the time for workflow arrivals within which theauthorization constraints will not have negative performanceimpact. This shows that the arrival time of a workflow hasimpact on workflow performance. Fig. 5 shows the value oftd for different workflow arrival times under GAA and EAF. Inthese experiments, we set the period of all roles (i.e., P) as 480time units, and then issue the workflow instances at the timepoints from 0 to 300 time units with increment of 60. It can beseen that once again, GAA incurs less tdthan EAF in all cases,except when the arrival time is 300 (whose will be explainedlater). Further, when the workflows arrive after 120, the GAAmethod does not cause any delay on workflow executions.These results verify that there indeed exist the durations forthe workflow arrivals when the authorization constraints willnot delay the workflow executions. The method proposed in

10 % 20 % 30 % 40 %0

100

200

300

400

TEMP

rt

GAA

EAF

Fig. 4. rt under different TEMP

0 60 120 180 240 3000

50

100

150

Workflow Arrival Time

td

EAF

GAA

Fig. 5. td under different workflow arrival times

0 60 120 180 240 3000

100

200

300

400

Workflow Arrival Time

rt

EAF

GAA

Fig. 6. rt under different workflow arrival times

this paper is able to theoretically calculate such durations. Apoint to note is that when the arrival time is 300, no delay iscaused under the EAF method either. This is because the timepoint 300 happens to be within the intersection of EAk(t0)of all feasible authorization solutions. Therefore, the systemcan always find an activated role for any task to enable itsexecution.

Fig. 6 shows that rt of the workflows with different arrivaltimes. Again, GAA outperforms EAF in all cases. The rt trendis consistent with the td trend shown in Fig. 5.

C. Execution times of the workflow tasks

Obviously, increasing the execution times of the tasks in aworkflow will increase the schedule length of the workflow.But do the execution times affect the authorization-relateddelay? Fig.7 shows the impact of the average execution timeof the tasks in a workflow on the coverage of the temporalconstraints (CTC), i.e.,

⋃Ak∈AEAk(t0). As can be seen from

this figure, CTC decreases as the average execution timeincreases. A reasonable explanation for this is that given aset of temporal constraints, the bigger the execution timeof the tasks in a workflow is, the less likely the durationof the workflow execution fits into the temporal constraints.Therefore, CTC may become shorter. This result suggests thatgiven a set of temporal constraints, a workflow with longertasks may be more likely to be delayed by the temporalconstraints that a workflow with shorter tasks, which can beverified by the results presented in Fig. 8.

Fig. 8 demonstrates td under different average executiontime of workflow tasks. Again, GAA causes less delay thanEAF in all cases. It can also be observed from this figurethat td increases as the average execution time of workflowtasks increases. The results coincides with the results in Fig.7.Indeed, When the execution times increases, CTC decreases.

5 15 25 35200

220

240

260

280

300

Average Execution Time of Workflow Tasks

CT

C

Fig. 7. rt under different average execution times of workflow tasks

5 15 25 350

50

100

150

Average Execution Time of Workflow Tasks

td

EAFGAA

Fig. 8. The coverage of temporal constraints (CTC) under different averageexecution times of workflow tasks

Then more workflow instances issued in the period of thetemporal constraints will experience td. Consequently, td,which is the delay averaged over all workflow instances issued,is bigger.

Fig. 9 shows rt generated by the GAA and the EAF methodunder different average execution time of workflow tasks. Ascan be observed, the GAA method generates shorter rt thanEAF in all cases. This again verifies GAA causes less delaythan EAF.

VII. CONCLUSIONS

This paper investigates the issue of feasibility checking forauthorization constraints deployed in workflow managementsystems. In this paper, the feasibility checking problem ismodelled as a constraint satisfaction problem. Further, thispaper presents the method to determine the time durationswhen the deployed temporal constraints do not have negativeimpact on performance of workflow executions. Moreover,an optimal method is proposed to authorize a workflow, sothat the delay caused by the authorization constraints for theworkflow executions is minimized.

5 15 25 350

100

200

300

Average Execution Time of Workflow Tasks

rt

EAF GAA

Fig. 9. rt under different average execution times of workflow tasks

ACKNOWLEDGMENT

This work is supported by the Leverhulme Trust (grantnumber RPG-101).

REFERENCES

[1] D. Chakraborty, V. Mankar, and A. Nanavati, “Enabling runtime adapta-tion ofworkflows to external events in enterprise environments,” in WebServices, 2007. ICWS 2007. IEEE International Conference on, july2007, pp. 1112 –1119.

[2] E. Deelman, G. Singh, M. Livny, B. Berriman, and J. Good, “The Costof Doing Science on the Cloud: The Montage Example,” in Proc. of the2008 ACM/IEEE conference on Supercomputing, 2008, p. paper No. 50.

[3] G.-J. Ahn and R. Sandhu, “Role-based authorization constraints speci-fication,” ACM Trans. Inf. Syst. Secur., vol. 3, no. 4, pp. 207–226, Nov.2000. [Online]. Available: http://doi.acm.org/10.1145/382912.382913

[4] J. B. D. Joshi, E. Bertino, U. Latif, and A. Ghafoor, “A generalizedtemporal role-based access control model,” IEEE Trans. on Knowl. andData Eng., vol. 17, no. 1, pp. 4–23, Jan. 2005. [Online]. Available:http://dx.doi.org/10.1109/TKDE.2005.1

[5] D. Zou, L. He, H. Jin, and X. Chen, “Crbac: Imposing multi-grained constraints on the rbac model in the multi-applicationenvironment,” Journal of Network and Computer Applications,vol. 32, no. 2, pp. 402 – 411, 2009. [Online]. Available:http://www.sciencedirect.com/science/article/pii/S1084804508000520

[6] V. Atluri and W. kuang Huang, “A petri net based safety analysis ofworkflow authorization models,” 1999.

[7] M. Stuit, H. Wortmann, N. Szirbik, and J. Roodenburg, “Multi-view interaction modelling of human collaboration processes:A business process study of head and neck cancer carein a dutch academic hospital,” J. of Biomedical Informatics,vol. 44, no. 6, pp. 1039–1055, Dec. 2011. [Online]. Available:http://dx.doi.org/10.1016/j.jbi.2011.08.007

[8] T. Hara, T. Arai, Y. Shimomura, and T. Sakao, “Service cad system tointegrate product and human activity for total value,” CIRP Journal ofManufacturing Science and Technology, vol. 1, no. 4, pp. 262 – 271,2009, ¡ce:title¿Life Cycle Engineering¡/ce:title¿. [Online]. Available:http://www.sciencedirect.com/science/article/pii/S1755581709000078

[9] J. Y. Choi and S. Reveliotis, “A generalized stochastic petri net modelfor performance analysis and control of capacitated reentrant lines,”Robotics and Automation, IEEE Transactions on, vol. 19, no. 3, pp.474 – 480, june 2003.

[10] J. Crampton, “A reference monitor for workflow systems withconstrained task execution,” in Proceedings of the tenth ACMsymposium on Access control models and technologies, ser. SACMAT’05. New York, NY, USA: ACM, 2005, pp. 38–47. [Online]. Available:http://doi.acm.org/10.1145/1063979.1063986

[11] Q. Wang and N. Li, “Satisfiability and resiliency in workflowauthorization systems,” ACM Trans. Inf. Syst. Secur., vol. 13,no. 4, pp. 40:1–40:35, Dec. 2010. [Online]. Available:http://doi.acm.org/10.1145/1880022.1880034

[12] Y. Lu, L. Zhang, and J. Sun, “Using colored petri nets to modeland analyze workflow with separation of duty constraints,” TheInternational Journal of Advanced Manufacturing Technology, vol. 40,pp. 179–192, 2009, 10.1007/s00170-007-1316-1. [Online]. Available:http://dx.doi.org/10.1007/s00170-007-1316-1

[13] L. He, C. Huang, K. Duan, K. Li, H. Chen, J. Sun,and S. A. Jarvis, “Modeling and analyzing the impact ofauthorization on workflow executions,” Future Gener. Comput.Syst., vol. 28, no. 8, pp. 1177–1193, Oct. 2012. [Online]. Available:http://dx.doi.org/10.1016/j.future.2012.03.003

[14] L. He, N. Chaudhary, S. Jarvis, and K. Li, “Allocating resources forworkflows running under authorization control,” in Grid Computing(GRID), 2012 ACM/IEEE 13th International Conference on, 2012, pp.58–65.

[15] K. Jensen, L. M. Kristensen, and L. Wells, “Coloured petri nets andcpn tools for modelling and validation of concurrent systems,” Int. J.Softw. Tools Technol. Transf., vol. 9, no. 3, pp. 213–254, May 2007.[Online]. Available: http://dx.doi.org/10.1007/s10009-007-0038-x

[16] S. C. Brailsford, C. N. Potts, and B. M. Smith,“Constraint satisfaction problems: Algorithms and applica-tions,” European Journal of Operational Research, vol.119, no. 3, pp. 557 – 581, 1999. [Online]. Available:http://www.sciencedirect.com/science/article/pii/S0377221798003646