Modeling process-related RBAC models with extended UML activity models

Context: Business processes are an important source for the engineering of customized software systems and are constantly gaining attention in the area of software engineering as well as in the area of information and system security. While the need to integrate processes and role-based access control (RBAC) models has been repeatedly identified in research and practice, standard process modeling languages do not provide corresponding language elements.

Objective: In this paper, we are concerned with the definition of an integrated approach for modeling processes and process-related RBAC models - including roles, role hierarchies, statically and dynamically mutually exclusive tasks, as well as binding of duty constraints on tasks.

Method: We specify a formal metamodel for process-related RBAC models. Based on this formal model, we define a domain-specific extension for a standard modeling language.

Results: Our formal metamodel is generic and can be used to extend arbitrary process modeling languages. To demonstrate our approach, we present a corresponding extension for UML2 activity models. The name of our extension is Business Activities. Moreover, we implemented a library and runtime engine that can manage Business Activity runtime models and enforce the different policies and constraints in a software system.

Conclusion: The definition of process-related RBAC models at the modeling level is an important prerequisite for the thorough implementation and enforcement of corresponding policies and constraints in a software system. We identified the need for modeling support of process-related RBAC models from our experience in real-world role engineering projects and case studies. The Business Activities approach presented in this paper is successfully applied in role engineering projects.
