Specifying Process-Aware Access Control Rules in SBVR

Access control is an important aspect of regulatory compliance. Therefore, access control specifications must be process-aware in that they can refer to an underlying business process context, but do not specify when and how they must be enforced. Such access control specifications are often expressed in terms of general rules and exceptions, akin to defeasible logic. In this paper we demonstrate how a role-based, process-aware access control policy can be specified in SBVR. In particular, we define an SBVR vocabulary that allows for a process-aware specification of defeasible access control rules. Because SBVR does not support defeasible rules, we show how a set of defeasible access control rules can be transformed into ordinary SBVR access control rules, using decision tables as the transformation mechanism.
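As an added illustration of the transformation the abstract describes (this is not code or vocabulary from the paper), the block below takes a constructed set of defeasible access control rules for an "approve invoice" activity, enumerates the decision table over the rules' conditions, resolves general rule versus exception by priority, and emits ordinary rules in which the complete condition is spelled out. The rule names, conditions, priorities and SBVR-style phrasing are assumptions made for the example.

```python
from itertools import product

# Constructed example (not the paper's own code or vocabulary): defeasible,
# process-aware access control rules for the activity "approve invoice", each as
# (name, conditions on the process context, decision, priority). An applicable
# rule with higher priority defeats one with lower priority.
CONDITIONS = ("performer has role clerk", "performer created the invoice",
              "invoice amount exceeds 10000")
DEFEASIBLE_RULES = (
    ("r1", {"performer has role clerk": True}, "permitted", 1),  # general rule
    ("r2", {"performer has role clerk": True,                    # exception: own invoice
            "performer created the invoice": True}, "prohibited", 2),
    ("r3", {"performer has role clerk": True,                    # exception: large amount
            "invoice amount exceeds 10000": True}, "prohibited", 2),
)
DEFAULT = "prohibited"  # closed policy: no applicable rule means no access

def decide(case):
    """Resolve the rules for one full assignment of the conditions.
    Returns (decision, winning rule); 'conflict' if top-priority rules disagree."""
    applicable = [r for r in DEFEASIBLE_RULES
                  if all(case[c] == v for c, v in r[1].items())]
    if not applicable:
        return DEFAULT, None
    top = max(r[3] for r in applicable)
    winners = [r for r in applicable if r[3] == top]
    if len({r[2] for r in winners}) > 1:
        return "conflict", None  # defeasible logic draws no conclusion here
    return winners[0][2], winners[0][0]

def decision_table():
    """One row per combination of condition values: (case, decision, rule)."""
    rows = []
    for values in product((True, False), repeat=len(CONDITIONS)):
        case = dict(zip(CONDITIONS, values))
        rows.append((case, *decide(case)))
    return rows

def ordinary_rules():
    """Flatten each row into a non-defeasible SBVR-style rule: the complete
    condition is spelled out, so no rule is an exception to another."""
    rules = []
    for case, decision, _ in decision_table():
        if decision == "conflict":
            raise ValueError(f"unresolved conflict for {case}")
        cond = " and ".join(c if v else "not " + c for c, v in case.items())
        rules.append(f"It is {decision} that the performer approves the invoice if {cond}.")
    return rules

if __name__ == "__main__":
    print(*ordinary_rules(), sep="\n")
```

A row whose top-priority rules disagree is reported as a conflict rather than silently resolved, which is the case a reviewer of the resulting policy most needs to see.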
