A workflow authorization model based on role and task is first described. The basic idea of this model is that roles and permissions are not connected directly but are put together by tasks. This is more convenient for controlling and managing the granularity of permissions. And then an intuitive formal language called RTCL is proposed, which takes the model as context to specify workflow authorization constraints based on role and task. RTCL uses system functions, sets and variable symbols as its basic elements and is proved to be equivalent to a restricted form of first order predicate logic called RFOPL on semantics. Finally, the expressive power of RTCL is demonstrated by showing how it can be used to express a variety of constraints.