Consistency Checks for Duties in Extended UML2 Activity Models

Process-aware information systems support the execution of business processes. Organizations require the precise specification of security policies that govern the behavior of subjects in these systems. Thereby, obligation policies specify duties to be fulfilled by certain subjects. In organizational contexts, duties are often associated with a certain task in a business process. In this paper, we further elaborate two UML2 extensions which provide modeling support for roles, tasks, and duties in a business process context. In particular, we introduce the notion of mutual exclusion and binding constraints for duties in process-related RBAC models. Furthermore, we formally define respective consistency checks for design-time and runtime models.

[1]  Jan Jürjens,et al.  From goal-driven security requirements engineering to secure design , 2010 .

[2]  R. Ulusay,et al.  Object Constraint Language Specification , 1997 .

[3]  Mark Strembeck,et al.  Modeling process-related RBAC models with extended UML activity models , 2011, Inf. Softw. Technol..

[4]  Ravi S. Sandhu,et al.  Task-Based Authorization Controls (TBAC): A Family of Models for Active and Enterprise-Oriented Autorization Management , 1997, DBSec.

[5]  Gail-Joon Ahn,et al.  Role-based authorization constraints specification , 2000, TSEC.

[6]  Jason Crampton,et al.  The consistency of task-based authorization constraints in workflow , 2004 .

[7]  Morris Sloman,et al.  Policy driven management for distributed systems , 1994, Journal of Network and Systems Management.

[8]  Mark Strembeck Embedding policy rules for software-based systems in a requirements context , 2005, Sixth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY'05).

[9]  Mark Strembeck,et al.  Specifying Separation of Duty Constraints in BPEL4People Processes , 2008, BIS.

[10]  John Derrick,et al.  Author Obliged to Submit Paper before 4 July: Policies in an Enterprise Specification , 2001, POLICY.

[11]  Mark Strembeck,et al.  Generic Algorithms for Consistency Checking of Mutual-Exclusion and Binding Constraints in a Business Process Context , 2010, OTM Conferences.

[12]  Elisa Bertino,et al.  The specification and enforcement of authorization constraints in workflow management systems , 1999, TSEC.

[13]  Mark Strembeck,et al.  Modeling Process-Related Duties with Extended UML Activity and Interaction Diagrams , 2011, Electron. Commun. Eur. Assoc. Softw. Sci. Technol..

[14]  David D. Clark,et al.  A Comparison of Commercial and Military Computer Security Policies , 1987, 1987 IEEE Symposium on Security and Privacy.

[15]  Akhil Kumar,et al.  W-RBAC - A Workflow Security Model Incorporating Controlled Overriding of Constraints , 2003, Int. J. Cooperative Inf. Syst..

[16]  D. Richard Kuhn,et al.  A role-based access control model and reference implementation within a corporate intranet , 1999, TSEC.

[17]  Jan H. P. Eloff,et al.  Separation of duties for access control enforcement in workflow environments , 2001, IBM Syst. J..