Abstract: Aiming at challenges of dynamic，united and autonomic in authorization management for distributed workflow system，a composited authorization model for workflow application systems is proposed，which combines authorization ideology of RBAC and dynamic access control mechanism of TBAC.The model provides methods of modelling on composition structures and execution relations in a workflow system，thus a corresponding authorization policy can be constructed by composing authorization policies of processing-units，according to composition structures，execution dependences and subject dependences in the workflow system.Formal descriptions of model definitions and composition calculus are presented.Expressive power and consistency of model，compatibility of composition calculus and their security properties are analyzed in detail.Furthermore，the prototype of an authorization control engine for dynamic permission control is introduced.