Enforcing workflow authorization constraints using triggers