Modeling Support for Role-Based Delegation in Process-Aware Information Systems

In the paper, an integrated approach for the modeling and enforcement of delegation policies in process-aware information systems is presented. In particular, a delegation extension for process-related role-based access control (RBAC) models is specified. The extension is generic in the sense that it can be used to extend process-aware information systems or process modeling languages with support for process-related RBAC delegation models. Moreover, the detection of delegation-related conflicts is discussed and a set of pre-defined resolution strategies for each potential conflict is provided. Thereby, the design-time and runtime consistency of corresponding RBAC delegation models can be ensured. Based on a formal metamodel, UML2 modeling support for the delegation of roles, tasks, and duties is provided. A corresponding case study evaluates the practical applicability of the approach with real-world business processes. Moreover, the approach is implemented as an extension to the BusinessActivity library and runtime engine.

[1]  Silvana Castano,et al.  Managing Workflow Authorization Constraints through Active Database Technology , 2001, Inf. Syst. Frontiers.

[2]  Ignacio García Rodríguez de Guzmán,et al.  Obtaining Use Cases and Security Use Cases from Secure Business Process through the MDA Approach , 2007, WOSIS.

[3]  Akhil Kumar,et al.  W-RBAC - A Workflow Security Model Incorporating Controlled Overriding of Constraints , 2003, Int. J. Cooperative Inf. Syst..

[4]  Andreas Schaad,et al.  Model-driven business process security requirement specification , 2009, J. Syst. Archit..

[5]  Ravi S. Sandhu,et al.  PBDM: a flexible delegation model in RBAC , 2003, SACMAT '03.

[6]  Nora Cuppens-Boulahia,et al.  Negotiating and delegating obligations , 2010, MEDES.

[7]  Jason Crampton,et al.  Delegation and satisfiability in workflow systems , 2008, SACMAT '08.

[8]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[9]  Marta Indulska,et al.  How good is BPMN really? Insights from theory and practice , 2006, ECIS.

[10]  Morris Sloman,et al.  Policy driven management for distributed systems , 1994, Journal of Network and Systems Management.

[11]  D. Richard Kuhn,et al.  A role-based access control model and reference implementation within a corporate intranet , 1999, TSEC.

[12]  Andreas Schaad Detecting conflicts in a role-based delegation model , 2001, Seventeenth Annual Computer Security Applications Conference.

[13]  Mark Strembeck,et al.  Modeling Process-Related Duties with Extended UML Activity and Interaction Diagrams , 2011, Electron. Commun. Eur. Assoc. Softw. Sci. Technol..

[14]  Marta Indulska,et al.  Modeling languages for business processes and business rules: A representational analysis , 2009, Inf. Syst..

[15]  Janni Nielsen,et al.  European Conference on Information Systems (ECIS) , 2008 .

[16]  Nora Cuppens-Boulahia,et al.  Delegation of Obligations and Responsibility , 2011, SEC.

[17]  Roshan K. Thomas,et al.  Flexible team-based access control using contexts , 2001, SACMAT '01.

[18]  Mark Strembeck,et al.  Modeling Support for Delegating Roles, Tasks, and Duties in a Process-Related RBAC Context , 2011, CAiSE Workshops.

[19]  Jongpil Yoon,et al.  Trust management with delegation in grouped peer-to-peer communities , 2006, SACMAT '06.

[20]  Jason Crampton,et al.  Delegation in role-based access control , 2007, International Journal of Information Security.

[21]  David Basin,et al.  Model driven security: From UML models to access control infrastructures , 2006, TSEM.

[22]  Jan Jürjens Sound methods and effective tools for model-based security engineering with UML , 2005, ICSE '05.

[23]  Jason Crampton,et al.  The consistency of task-based authorization constraints in workflow , 2004, Proceedings. 17th IEEE Computer Security Foundations Workshop, 2004..

[24]  Luca Viganò,et al.  Automated analysis of RBAC policies with temporal constraints and static role hierarchies , 2015, SAC.

[25]  Jason Crampton,et al.  On delegation and workflow execution models , 2008, SAC '08.

[26]  Xingang Wang,et al.  Constraints for Permission-Based Delegations , 2008, 2008 IEEE 8th International Conference on Computer and Information Technology Workshops.

[27]  Douglas C. Schmidt,et al.  Guest Editor's Introduction: Model-Driven Engineering , 2006, Computer.

[28]  Hannes Schwarz,et al.  Model-Driven Software Development , 2013 .

[29]  Bran Selic,et al.  The Pragmatics of Model-Driven Development , 2003, IEEE Softw..

[30]  Ravi S. Sandhu,et al.  Framework for role-based delegation models , 2000, Proceedings 16th Annual Computer Security Applications Conference (ACSAC'00).

[31]  Henderik Alex Proper,et al.  An Extended RBAC Model for Task Delegation in Workflow Systems , 2011, BIR Workshops.

[32]  Per Runeson,et al.  Guidelines for conducting and reporting case study research in software engineering , 2009, Empirical Software Engineering.

[33]  Wil M. P. van der Aalst,et al.  Workflow Resource Patterns: Identification, Representation and Tool Support , 2005, CAiSE.

[34]  Andreas Schaad,et al.  A transformation approach for security enhanced business processes , 2008, ICSE 2008.

[35]  Juliet M. Corbin,et al.  Basics of Qualitative Research (3rd ed.): Techniques and Procedures for Developing Grounded Theory , 2008 .

[36]  Ravi Sandhu,et al.  A Role-Based Delegation Model and Some Extensions , 2000 .

[37]  John Derrick,et al.  Author Obliged to Submit Paper before 4 July: Policies in an Enterprise Specification , 2001, POLICY.

[38]  Ramaswamy Chandramouli,et al.  Role-Based Access Control (2nd ed.) , 2007 .

[39]  John K. Ousterhout,et al.  Tcl: An Embeddable Command Language , 1989, USENIX Winter.

[40]  Vijayalakshmi Atluri,et al.  Supporting conditional delegation in secure workflow management systems , 2005, SACMAT '05.

[41]  Mark Strembeck,et al.  Object-based and class-based composition of transitive mixins , 2007, Inf. Softw. Technol..

[42]  Mark Strembeck,et al.  An Approach for Consistent Delegation in Process-Aware Information Systems , 2012, BIS.

[43]  Jan Jürjens,et al.  From goal-driven security requirements engineering to secure design , 2010 .

[44]  Bernhard Hoisl,et al.  Modeling and enforcing secure object flows in process-driven SOAs: an integrated model-driven approach , 2012, Software & Systems Modeling.

[45]  Qing Li,et al.  Unified Modeling Language , 2009 .

[46]  Andreas Schaad,et al.  Delegation of obligations , 2002, Proceedings Third International Workshop on Policies for Distributed Systems and Networks.

[47]  Mark Strembeck,et al.  Generic Algorithms for Consistency Checking of Mutual-Exclusion and Binding Constraints in a Business Process Context , 2010, OTM Conferences.

[48]  Akira Matsushita,et al.  Capability-based delegation model in RBAC , 2010, SACMAT '10.

[49]  François Charoy,et al.  Task Delegation Based Access Control Models for Workflow Systems , 2009, I3E.

[50]  Mark Strembeck,et al.  Modeling process-related RBAC models with extended UML activity models , 2011, Inf. Softw. Technol..

[51]  Anselm L. Strauss,et al.  Basics of qualitative research : techniques and procedures for developing grounded theory , 1998 .

[52]  Vijayalakshmi Atluri,et al.  Inter-instance authorization constraints for secure workflow management , 2006, SACMAT '06.

[53]  Bente Anda,et al.  Experiences from conducting semi-structured interviews in empirical software engineering research , 2005, 11th IEEE International Software Metrics Symposium (METRICS'05).

[54]  Claus Pahl Proceedings of the IASTED International Conference on Software Engineering , 2008 .

[55]  N. Hoffart Basics of Qualitative Research: Techniques and Procedures for Developing Grounded Theory , 2000 .

[56]  Martin Gogolla,et al.  Comprehensive two-level analysis of role-based delegation and revocation policies with UML and OCL , 2012, Inf. Softw. Technol..

[57]  Akhil Kumar,et al.  DW-RBAC: A formal security model of delegation and revocation in workflow systems , 2007, Inf. Syst..

[58]  Ravi S. Sandhu,et al.  Task-Based Authorization Controls (TBAC): A Family of Models for Active and Enterprise-Oriented Autorization Management , 1997, DBSec.

[59]  Jan H. P. Eloff,et al.  Separation of duties for access control enforcement in workflow environments , 2001, IBM Syst. J..

[60]  Elisa Bertino,et al.  Fine-grained role-based delegation in presence of the hybrid role hierarchy , 2006, SACMAT '06.

[61]  Mark Strembeck,et al.  Detecting and Resolving Conflicts of Mutual-Exclusion and Binding Constraints in a Business Process Context , 2011, OTM Conferences.

[62]  Jan Mendling,et al.  Understanding Business Process Models: The Costs and Benefits of Structuredness , 2012, CAiSE.

[63]  Vijayalakshmi Atluri,et al.  Role-based Access Control , 1992 .

[64]  François Charoy,et al.  Dynamic Authorisation Policies for Event-Based Task Delegation , 2010, CAiSE.

[65]  Gustaf Neumann,et al.  XOTcl: an object-oriented scripting language , 2000 .

[66]  Mark Strembeck Scenario-Driven Role Engineering , 2010, IEEE Security & Privacy.

[67]  Mario Piattini,et al.  Towards a UML 2.0 Extension for the Modeling of Security Requirements in Business Processes , 2006, TrustBus.

[68]  Mark Strembeck,et al.  Evaluating A Uml-Based Modeling Framework For Process-Related Security Properties: A Qualitative Multi-Method Study , 2013, ECIS.

[69]  Mathias Weske,et al.  Business Process Management: Concepts, Languages, Architectures , 2007 .

[70]  David W. Chadwick,et al.  Obligations for Role Based Access Control , 2007, 21st International Conference on Advanced Information Networking and Applications Workshops (AINAW'07).

[71]  Mark Strembeck Embedding policy rules for software-based systems in a requirements context , 2005, Sixth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY'05).

[72]  Seog Park,et al.  Task-role-based access control model , 2003, Inf. Syst..