A Procedure Model for Enterprise-Wide Authorization Architecture

A procedure model for the development of an authorization architecture that spans different IT systems and organizational units is presented. Starting from a conceptual discussion of authorization and authorization architecture, existing approaches are reviewed. Two basic requirements for an authorization architecture are proposed: a theoretical foundation, and a transparent derivation of the procedure model and its activities from successful industry practices. Actual industry practices are presented as case studies, and the procedure model is derived by consolidating these practices. Since the inductively derived procedure model claims reference model status, the paper concludes with a discussion of its genericity and its character as a recommendation.
