Elsevier

Future Generation Computer Systems

Volume 67, February 2017, Pages 194-205
Performance analysis and optimization for workflow authorization

https://doi.org/10.1016/j.future.2016.09.011

Highlights

  • Propose the methods to investigate the performance impact of authorization constraints.

  • Propose the optimal authorization methods to minimize the delay caused by authorization constraints.

  • Propose a probability-based authorization method to handle stochastic workflows.

Abstract

Many workflow management systems have been developed to enhance the performance of workflow executions. The authorization policies deployed in the system may restrict the task executions. The common authorization constraints include role constraints, Separation of Duty (SoD), Binding of Duty (BoD) and temporal constraints. This paper presents methods to check the feasibility of these constraints, and also determines the time durations in which the temporal constraints will not have a negative impact on performance. Further, this paper presents an optimal authorization method, which is optimal in the sense that it minimizes a workflow’s delay caused by the temporal constraints. The authorization analysis methods are also extended to analyze stochastic workflows, in which the tasks’ execution times are not known exactly, but follow certain probability distributions. Simulation experiments have been conducted to verify the effectiveness of the proposed authorization methods. The experimental results show that, compared with the intuitive authorization method, the optimal authorization method can reduce the delay caused by the authorization constraints and consequently reduce the workflows’ response time.

Introduction

Business processes or workflows are often used to model enterprise applications  [1], [2], [3], [4]. A workflow consists of multiple activities or tasks with precedence constraints. When we design workflow management/scheduling strategies, or evaluate the performance of workflow execution on target resources, it is often assumed that when a task is allocated to a resource, the resource will accept the task and start the execution once the processor becomes available. In reality, however, authorization policies may be deployed in the organizations and used to specify who is allowed to perform which tasks at what time. When these authorization schemes are taken into account, the situation can become complex.

A number of authorization schemes have been presented in [5], [6], [7]. The RBAC (Role Based Access Control) scheme is one of the most popular authorization schemes. Under the RBAC scheme, users are assigned to certain roles while the roles are associated with prescribed permissions. Therefore, the organizations can control the users' permissions through these roles. The following example in banking illustrates the effect of the RBAC scheme on the workflow execution [8]. A bank often uses a variety of computing applications to support its business; these applications may be deployed in a central resource pool (e.g., a cluster) of the bank. A workflow may consist of tasks such as credit data checks, automated signature approval, risk analysis and so on. In each task, a particular application has to be launched to perform the corresponding business functions. Under RBAC, an application may only be launched by certain users (i.e., the employees in the bank) assuming certain roles (i.e., job positions, such as branch manager or financial advisor). The following authorization constraints are often encountered in such scenarios: (1) Role constraints: A task may only be performed by a particular role; (2) Temporal constraints: A role or a user is only activated during certain time intervals (e.g., a staff member only works in certain hours of a day); (3) Separation of Duty constraints: If Task A is run by a role (or a user), then Task B must not be run by the same role (or user); (4) Binding of Duty constraints: If Task A is run by a role (or user), then Task B must be run by the same role (or user). Since a valid and activated role has to be assigned to a task before the task can start execution, these authorization constraints may delay the start of a task in a workflow, and consequently have a negative impact on application performance (e.g., mean response time of workflows).
Similar authorization constraints and situations also exist in other application domains such as healthcare systems [9], the manufacturing community [10], [11], and other business processes [12], [13].

The focus of this paper is to investigate the performance impact of the authorization constraints and the authorization method (i.e., the way of selecting the roles to assign to the tasks). This paper starts with investigating the issue of checking the feasibility of the authorization constraints designed for workload management systems. More specifically, this paper (1) checks whether all tasks in a workflow can be authorized so that the authorization constraints deployed in the system can be satisfied, (2) determines such time durations in which the temporal constraints will not have negative impact on the performance of workflow executions. Then, the methods are developed to quantitatively determine (1) the time duration for the arrivals of the workflows within which the authorization constraints will not have negative impact on the execution performance of the workflows, and (2) the delay caused by the authorization constraints, if a workflow arrives beyond the above duration. Based on the above analyses, this paper further proposes an optimal authorization method under which the delay caused by the authorization constraints can be minimized. The methods of analyzing the authorization behavior are then extended to handle stochastic workflows, in which the tasks’ execution times are not exactly known, but follow certain probability distributions.

Based on the discussions above, it is worth noting the relation between workflow scheduling and authorization method. Workflow scheduling typically refers to deciding the execution order and the resource allocation of workflow tasks, namely, in which order the workflow tasks should be run and which computer node should be allocated to run a particular task. Authorization method refers to deciding which authorization roles should be assumed to run individual workflow tasks. From the processing order, the authorization method is enacted before workflow scheduling. However, if authorization method and workflow scheduling are treated separately, the authorization method may have negative impact on the workflow performance. This is because after the authorization method decides to run a task under a particular role, it is possible that the role is not activated when the task itself is ready to run from the scheduling point of view, namely when the task is at the head of the queue and the allocated computer node becomes available. Consequently, the task has to wait for the assigned role to be activated and its performance is then jeopardized. So a better strategy is that when the authorization method makes the authorization decisions, it takes the scheduling process into account and tries to mitigate the above situation. In order to achieve this, it is necessary to investigate the possible negative impact that the authorization constraints and the authorization method may impose on the workflow execution. This is the motivation and essence of the work presented in this paper.

The rest of this paper is organized as follows. The related work on this topic is presented in Section 2. Section 3 presents the methods to check the feasibility of role, SoD and BoD constraints deployed in the system. Section 4 presents the method to determine the time durations in which the workflow executions will not be delayed by the authorization constraints in the system. Section 5 presents an optimal authorization method to assign the roles to the tasks in a workflow. Section 5 also proves the method is optimal in the sense that the method generates the minimal delay caused by the authorization constraints for workflow executions. Section 7 concludes the paper.

Section snippets

Related work

There is existing work on checking the satisfiability of the authorization constraints in a workflow [14], [15], [8], [16], [17]. The work in [15] conducted a theoretical analysis of the satisfiability of the authorization constraints for a workflow. It found that, in order to check whether there is a valid workflow authorization, it is only necessary to consider a single linear extension (i.e., a linear ordering) of the tasks in the workflow.

Checking feasibility of role, SoD and BoD constraints

$S=\{s_1,\ldots,s_L\}$ denotes the set of services running on the resource pool.

$F=(T,E)$ denotes a workflow, in which $T=\{t_1,\ldots,t_N\}$ is a set of tasks in the workflow and $E=\{(t_i,t_j)\mid t_i,t_j\in T\}$ is a set of directed edges linking task $t_i$ to $t_j$. A task invokes one of the services in $S$.

$R=\{r_1,\ldots,r_M\}$ denotes the set of roles defined in the authorization control system. The role constraint specifies the set of roles that are permitted to run a particular service. $C_r(s_i)$ denotes the role constraint applied to service $s_i$

Calculating the coverage of temporal constraints based on exact values of execution times

Roles have temporal constraints. It is useful to check the coverage of roles’ temporal availability in a given security setting. We can use the CSP solver to obtain all feasible role assignment solutions for the tasks in a workflow. $A$ denotes the set of all feasible role assignments for the workflow, and $A_k=\{(t_i,r_j)\mid t_i\in T\}$ denotes the $k$th feasible role assignment, in which $t_i$ is a task in the workflow and $r_j$ is the role assigned to $t_i$. In most cases, a role is activated periodically. For

The workflow authorization methods

Section  4.1 calculates the time durations when the executions of all tasks in a workflow will not be delayed by the authorization constraints, which is AkAEAk(t0). The delay caused by the authorization constraints for a task is defined as the time that a ready task (a task in a workflow is ready when all of its predecessors have been completed) has to wait until the role assigned to the task becomes activated. The delay caused by the authorization constraints for a workflow (denoted by td)
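The steps these snippets describe (enumerate the role assignments that satisfy the role, SoD and BoD constraints, then measure how long each ready task waits for its assigned role to become active) are shown in the following added example, which is not the paper's code or its optimal authorization method. The workflow, roles, activation windows and function names are constructed; exhaustive enumeration stands in for a CSP solver, and a role is assumed to need to be active only at the moment a task starts.

```python
from itertools import product

# Constructed sample data (not from the paper): a chain t1 -> t2 -> t3.
TASKS = ["t1", "t2", "t3"]                       # in topological order
PRED = {"t1": [], "t2": ["t1"], "t3": ["t2"]}    # precedence edges
EXEC = {"t1": 2, "t2": 3, "t3": 1}               # exact execution times (hours)
ALLOWED = {"t1": {"clerk", "advisor"},           # role constraint per task
           "t2": {"advisor", "manager"},
           "t3": {"clerk", "manager"}}
SOD = [("t1", "t2")]                             # must run under different roles
BOD = [("t1", "t3")]                             # must run under the same role
PERIOD = 24                                      # roles are activated periodically
ACTIVE = {"clerk": (9, 17), "advisor": (8, 12), "manager": (13, 18)}  # [start, end)

def feasible_assignments():
    """All task->role maps satisfying role, SoD and BoD constraints."""
    out = []
    for roles in product(*(sorted(ALLOWED[t]) for t in TASKS)):
        a = dict(zip(TASKS, roles))
        if all(a[x] != a[y] for x, y in SOD) and all(a[x] == a[y] for x, y in BOD):
            out.append(a)
    return out

def next_active(role, t):
    """Earliest time >= t at which the role is activated."""
    start, end = ACTIVE[role]
    phase = t % PERIOD
    if start <= phase < end:
        return t
    base = t - phase
    return base + start if phase < start else base + PERIOD + start

def simulate(assign, t0):
    """Run the workflow arriving at t0; return (finish time, per-task wait)."""
    finish, waits = {}, {}
    for t in TASKS:
        ready = max((finish[p] for p in PRED[t]), default=t0)
        begin = next_active(assign[t], ready)
        waits[t] = begin - ready          # delay caused by the temporal constraint
        finish[t] = begin + EXEC[t]
    return max(finish.values()), waits

def best(t0):
    """Feasible assignment with the earliest finish time for arrival time t0."""
    scored = [(simulate(a, t0), a) for a in feasible_assignments()]
    (finish, waits), a = min(scored, key=lambda s: s[0][0])
    return a, finish, waits

if __name__ == "__main__":
    for t0 in (9, 10):
        print(t0, best(t0))
```

With this constructed data, the role that finishes the workflow earliest for t2 changes between arrival times 9 and 10, which is why the assignment has to be chosen with the arrival time and activation windows in view.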

Simulation experiments

We conducted simulation experiments to evaluate the performance of the GAA method against that of the EAF method. The performance metrics evaluated in the experiments include the delay caused by the authorization constraints for a workflow (i.e., td defined in the first paragraph of Section 5) and the response time of a workflow (denoted as rt), which is defined as the duration between the time when the first task of the workflow arrives and the time when the last task of the workflow is

Conclusions

This paper investigates the issue of feasibility checking for authorization constraints deployed in workflow management systems. In this paper, the feasibility checking problem is modeled as a constraint satisfaction problem. Further, this paper presents the method to determine the time durations when the deployed temporal constraints do not have negative impact on performance of workflow executions. Moreover, an optimal method is proposed to authorize a workflow, so that the delay caused by

Acknowledgment

The preliminary version of this work has been published in the 20th International Conference on High Performance Computing (HiPC-2013) [28]. This work is partially supported by the Priority Academic Program Development of Jiangsu Higher Education Institutions (PAPD), Jiangsu Collaborative Innovation Center on Atmospheric Environment and Equipment Technology (CICAEET), the Natural Science Foundation of China (NSFC) under Grant Nos. 61472370 and 61672469, and the open project of State Key

Cheng Chang is a Ph.D. student in School of Computer Science and Electronic Engineering, Hunan University, China. His research area is parallel and distributed computing, Cloud computing.

References (28)

  • D. Chakraborty, V. Mankar, A. Nanavati, Enabling runtime adaptation of workflows to external events in enterprise...
  • G.-J. Ahn et al., Role-based authorization constraints specification, ACM Trans. Inf. Syst. Secur. (2000)
  • J.B.D. Joshi et al., A generalized temporal role-based access control model, IEEE Trans. Knowl. Data Eng. (2005)
  • V. Atluri, W. kuang Huang, A Petri net based safety analysis of workflow authorization models,...
    Ligang He received the Ph.D degree in Computer Science at the University of Warwick, United Kingdom, and worked as a post-doctoral researcher at the University of Cambridge, UK. From 2006, he worked in the Department of Computer Science at the University of Warwick as Assistant Professor and then Associate Professor. His research interests focus on parallel and distributed processing, Cluster, Grid and Cloud computing. He has published more than 80 papers in international conferences and journals, such as IEEE Transactions on Parallel and Distributed Systems, IPDPS, CCGrid, MASCOTS. He has been a co-chair or a member of the program committee for a number of international conferences, and been the reviewers for many international journals, including IEEE Transactions on Parallel and Distributed Systems, IEEE Transactions on Computers, etc. He is a member of the IEEE.

    Nadeem Chaudhary received Ph.D. degree from the Department of Computer Science at the University of Warwick. His research area is parallel and distributed processing and security.

    Songling Fu received the B.S. degree in the department of electronic science and technology from Harbin Institute of Technology, Harbin, China, in 2001, and received the M.S. and Ph.D. degree of computer science and technology from National University of Defense Technology, Changsha, China, in 2003 and 2014, respectively. In 2014, he joined in the Department of Electronic Information Engineering at the Hunan Normal University as an Assistant Professor. His research interests include parallel and distributed computing, big data, robot operating systems. He is a member of the IEEE.

    Hao Chen received the B.S. degree in chemical engineering from Sichuan University, China, in 1998, and the Ph.D. degree in computer science from Huazhong University of Science and Technology, China in 2005. He is now a Professor at the College of Computer Science and Electronic Engineering, Hunan University, China. His current research interests include parallel and distributed systems, operating systems, cloud computing and systems security. He has published more than 70 papers in journals and conferences, such as IEEE Transactions on Parallel and Distributed Systems, IEEE Transactions on Computers, IPDPS, IWQoS, and ICPP. He is a member of the IEEE and the ACM.

    Jianhua Sun is an Associate Professor at the College of Computer Science and Electronic Engineering, Hunan University, China. She received the Ph.D. degree in Computer Science from Huazhong University of Science and Technology, China in 2005. Her research interests are in security and operating systems. She has published more than 70 papers in journals and conferences, such as IEEE Transactions on Parallel and Distributed Systems, IEEE Transactions on Computers.

    Kenli Li received the Ph.D. degree in computer science from Huazhong University of Science and Technology, China, in 2003. He was a visiting scholar at University of Illinois at Urbana-Champaign from 2004 to 2005. He is currently a full professor of computer science and technology at Hunan University and deputy director of National Supercomputing Center in Changsha. His major research areas include parallel computing, high-performance computing, grid and cloud computing. He has published more than 130 research papers in international conferences and journals such as IEEE-TC, IEEE-TPDS, IEEE-TSP, JPDC, ICPP, CCGrid. He is an outstanding member of CCF. He is a member of the IEEE and serves on the editorial board of IEEE Transactions on Computers.

    Zhangjie Fu received his Ph.D. in computer science from the College of Computer, Hunan University, China, in 2012. He is currently an Associate Professor at the College of Computer and Software, Nanjing University of Information Science and Technology, China. His research interests include Cloud & Outsourcing Security, Digital Forensics, Network and Information Security. His research has been supported by NSFC, PAPD, and GYHY. Zhangjie is a member of IEEE, and a member of ACM.

    Dr. Ming-Liang Xu is an associate professor in the School of Information Engineering of Zhengzhou University, China, and currently is the director of CIISR (Center for Interdisciplinary Information Science Research). His research interests include computer graphics and computer vision. Xu got his Ph.D. degree in computer science and technology from the State Key Lab of CAD & CG at Zhejiang University.
