This paper introduces the concept of tasks, task instances and task context into traditionalrole-basedaccesscontrol model according to the weaknesses of the current role-based access control and the characteristics of distributedworkflowsystem. We propose a task & role-based access control model, whose architecture is not user-role-permission but user-role-task-permission, and its formal definition. This model overcomes the weaknesses of the bad dynamicadaption and the fake constraint of the least privilege. It can enhance the security and practicability of the distributed workflow system.