Extending Role-Based Access Control for Business Usage

Role-based access control (RBAC) is used to manage authorisation in IT systems through the concept of roles. Existing approaches neither define the term "role" clearly in its different contexts nor consider the relation between roles and business process modelling. This work therefore introduces business and system role-based access control (B&S-RBAC). Established RBAC models are extended with a business perspective, and the term "role" is defined both from a business and from an IT perspective, giving business roles and system roles. The relation between the two is shown in a meta-model, and the use of business roles for secure business process modelling is explained.
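A small worked model of the business-role/system-role relation the abstract describes, added here as an illustration and not taken from the paper. The class names, attributes, the purchasing example data and the design-time validation step are assumptions about what such a meta-model would contain, not the paper's published definitions. Business roles are what a process model references; each is realised by system roles, which belong to one IT system each and bundle that system's permissions. Resolving a user through business roles to permissions gives the run-time check, and checking every activity's business role against the permissions the activity needs gives a design-time check on the process model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    """One operation on one object inside one IT system."""
    system: str
    operation: str
    obj: str


@dataclass(frozen=True)
class SystemRole:
    """IT-side role: belongs to a single system and bundles its permissions."""
    name: str
    system: str
    permissions: frozenset


@dataclass(frozen=True)
class BusinessRole:
    """Business-side role: named in business terms, realised by system roles."""
    name: str
    system_roles: tuple  # names of SystemRole entries, possibly in several systems


@dataclass(frozen=True)
class Activity:
    """Process step with the business role allowed to perform it and the
    permissions its execution needs (assumed attributes for this example)."""
    name: str
    business_role: str
    needs: frozenset


class BSRbacModel:
    """Assumed minimal meta-model: users -> business roles -> system roles
    -> permissions, plus process activities bound to business roles."""

    def __init__(self):
        self.system_roles, self.business_roles = {}, {}
        self.activities, self.user_roles = {}, {}

    def add_system_role(self, role):
        # a system role may only carry permissions of its own system
        for p in role.permissions:
            if p.system != role.system:
                raise ValueError(f"{role.name}: {p} is not a {role.system} permission")
        self.system_roles[role.name] = role

    def add_business_role(self, role):
        unknown = [s for s in role.system_roles if s not in self.system_roles]
        if unknown:
            raise ValueError(f"{role.name}: unknown system roles {unknown}")
        self.business_roles[role.name] = role

    def add_activity(self, activity):
        if activity.business_role not in self.business_roles:
            raise ValueError(f"{activity.name}: unknown business role")
        self.activities[activity.name] = activity

    def assign(self, user, business_role):
        if business_role not in self.business_roles:
            raise ValueError(f"unknown business role {business_role}")
        self.user_roles.setdefault(user, set()).add(business_role)

    def business_role_permissions(self, name):
        """Resolve a business role to the union of its system roles' permissions."""
        perms = set()
        for sr in self.business_roles[name].system_roles:
            perms |= self.system_roles[sr].permissions
        return frozenset(perms)

    def effective_permissions(self, user):
        perms = set()
        for br in self.user_roles.get(user, ()):
            perms |= self.business_role_permissions(br)
        return frozenset(perms)

    def may_execute(self, user, activity_name):
        """Run-time check: user holds the activity's business role, and that
        role really supplies every permission the activity needs."""
        act = self.activities[activity_name]
        if act.business_role not in self.user_roles.get(user, ()):
            return False
        return act.needs <= self.business_role_permissions(act.business_role)

    def validate_process(self):
        """Design-time check on the process model: report activities whose
        business role lacks permissions in the underlying systems."""
        problems = []
        for act in self.activities.values():
            missing = act.needs - self.business_role_permissions(act.business_role)
            if missing:
                problems.append(f"{act.name}: {act.business_role} lacks {sorted(map(str, missing))}")
        return problems


def build_example():
    """Constructed sample data: a purchasing process spanning an ERP and a DMS."""
    m = BSRbacModel()
    m.add_system_role(SystemRole("erp_po_creator", "ERP",
                                 frozenset({Permission("ERP", "create", "purchase_order")})))
    m.add_system_role(SystemRole("erp_po_approver", "ERP",
                                 frozenset({Permission("ERP", "approve", "purchase_order")})))
    m.add_system_role(SystemRole("dms_reader", "DMS",
                                 frozenset({Permission("DMS", "read", "contract")})))
    m.add_business_role(BusinessRole("Purchaser", ("erp_po_creator", "dms_reader")))
    m.add_business_role(BusinessRole("Approver", ("erp_po_approver",)))
    m.add_activity(Activity("create_order", "Purchaser",
                            frozenset({Permission("ERP", "create", "purchase_order")})))
    m.add_activity(Activity("approve_order", "Approver",
                            frozenset({Permission("ERP", "approve", "purchase_order")})))
    # modelled for Purchaser, but no Purchaser system role grants DMS write:
    # validate_process() flags this before the process goes live
    m.add_activity(Activity("archive_contract", "Purchaser",
                            frozenset({Permission("DMS", "write", "contract")})))
    m.assign("alice", "Purchaser")
    m.assign("bob", "Approver")
    return m


if __name__ == "__main__":
    model = build_example()
    print(model.validate_process())
    print(model.may_execute("alice", "create_order"), model.may_execute("bob", "create_order"))
```

The point of keeping the two role kinds separate is that the process model only ever names business roles, while the permission sets live with the system roles of each IT system; `validate_process` is where the two views are reconciled, so a business role that the process relies on but that no system role actually backs is caught at modelling time rather than as a failed access at run time.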
