Abstract
The Business Process Modeling Notation (BPMN) has become a defacto standard for describing processes in an accessible graphical notation. The eXtensible Access Control Markup Language (XACML) is an OASIS standard to specify and enforce platform independent access control policies.
In this paper we define a mapping between the BPMN and XACML meta-models to provide a model-driven extraction of security policies from a business process model. Specific types of organisational control and compliance policies that can be expressed in a graphical fashion at the business process modeling level can now be transformed into the corresponding task authorizations and access control policies for process-aware information systems.
As a proof of concept, we extract XACML access control policies from a security augmented banking domain business process. We present an XSLT converter that transforms modeled security constraints into XACML policies that can be deployed and enforced in a policy enforcement and decision environment. We discuss the benefits of our modeling approach and outline how XACML can support task-based compliance in business processes.
Access provided by Autonomous University of Puebla. Download to read the full chapter text
Chapter PDF
Similar content being viewed by others
Keywords
References
Schaad, A., Lotz, V., Sohr, K.: A Model-checking Approach to Analysing Organisational Controls in a Loan Origination Process. In: SACMAT 2006. Proceedings of the eleventh ACM symposium on Access control models and technologies (2006)
Tolone, W., Ahn, G.-J., Pai, T., Hong, S.-P.: Access control in collaborative systems. ACM Comput. Surv. 37(1), 29–41 (2005)
Schreiter, T., Laures, G.: A Business Process-centered Approach for Modeling Enterprise Architectures. In: EMISA. Proceedings of Methoden, Konzepte und Technologien für die Entwicklung von dienstebasierten Informationssystemen (2006)
Tan, K., Crampton, J., Gunter, C.: The consistency of task-based authorization constraints in workflow systems. In: CSFW 2004. Proceedings of the 17th IEEE workshop on Computer Security Foundations (2004)
Anderson, A.: Core and hierarchical role based access control (RBAC) profile of XACML v2.0. OASIS Standard (2005)
Wolter, C., Schaad, A.: Modeling of Authorization Constraints in BPMN. In: BPM 2007. Proceedings of the 5th International Conference on Business Process Management (2007)
The Workflow Management Coalition.: Process Definition Interface – XML Process Definition Language (2005), http://www.wfmc.org
Dijkman, R.M., Dumas, M., Ouyang, C.: Formal Semantics and Automated Analysis of BPMN Process Models. In: ePrints Archive (2006)
Red Hat Middleware.: JBoss jBPM 2.0 jPdl Reference Manual (2007), http://www.jboss.com/products/jbpm/docs/jpdl
Jürjens, J.: UMLsec: Extending UML for Secure Systems Development. In: UML 2002. Proceedings of the 5th International Conference on The Unified Modeling Language, pp. 412–425 (2002)
Basin, D., Doser, J., Lodderstedt, T.: Model Driven Security for Process-Oriented Systems. In: SACMAT 2003. Proceedings of the eighth ACM symposium on Access control models and technologies, pp. 100–109 (2003)
Dobmeier, W., Pernuk, G.: Modellierung von Zugiffsrichtlinien für offene Systeme. In: EMISA 2006. Tagungsband Fachgruppentreffen Entwicklungsmethoden für Informationssysteme und deren Anwendung (2006)
Alam, M., Breu, R., Hafner, M.: Modeling permissions in a (u/x)ml world. In: ARES 2006. Proceedings of the First International Conference on Availability, Reliability and Security, Washington, DC, USA, pp. 685–692. IEEE Computer Society Press, Los Alamitos (2006)
Brodie, C.A., Karat, C.-M., Karat, J.: An empirical study of natural language parsing of privacy policy rules using the sparcle policy workbench. In: SOUPS 2006. Proceedings of the second symposium on Usable privacy and security, pp. 8–19. ACM Press, New York (2006)
Hoagland, J.A., Pandey, R., Levitt, K.N.: Security Policy Specification Using a Graphical Approach. Technical report CSE-98-3. The University of California, Davis Department of Computer Science (1998)
Neumann, G., Strembeck, M.: An approach to engineer and enforce context constraints in an rbac environment. In: SACMAT. Proc. of the 8th ACM Symposium on Access Control Models and Technologies (2003)
Muehlen, M.z.: Evaluation of workflow management systems using meta models. In: HICSS 1999. Proceedings of the Thirty-second Annual Hawaii International Conference on System Sciences, Washington, DC, USA, vol. 5, p. 5060. IEEE Computer Society Press, Los Alamitos (1999)
Yu, L., Schmid, B.: A conceptual framework for agent-oriented and role-based work ow modeling. In: Proc. of the 1st Int. Workshop on Agent-Oriented Information Systems (1999)
Bertino, E., Ferrari, E., Atluri, V.: The Specification and Enforcement of Authorization Constraints in Workflow Management Systems. ACM Transactions on Information and System Security 2, 65–104 (1999)
Mendling, J., Strembeck, M., Stermsek, G., Neumann, G.: An approach to extract rbac models from bpel4ws processes. In: Proceedings of the 13th IEEE International Workshops on Enabling Technologies: Infrastructures for Collaborative Enterprises (WETICE), Modena, Italy (June 2004)
Ouyang, C., van der Aalst, W.M.P., Marlon, D., ter Hofstede, Arthur, H.M.: Translating BPMN to BPEL. In: BPM Center Report BPM-06-02 (2006)
Leymann, F., Roller, D.: Production Workflow: Concepts and Techniques. Prentice Hall PTR, Upper Saddle River (2000)
Object Management Group.: Business Process Modeling Notation Specification (2006), www.bpmn.org
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Wolter, C., Schaad, A., Meinel, C. (2007). Deriving XACML Policies from Business Process Models. In: Weske, M., Hacid, MS., Godart, C. (eds) Web Information Systems Engineering – WISE 2007 Workshops. WISE 2007. Lecture Notes in Computer Science, vol 4832. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-77010-7_15
Download citation
DOI: https://doi.org/10.1007/978-3-540-77010-7_15
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-77009-1
Online ISBN: 978-3-540-77010-7
eBook Packages: Computer ScienceComputer Science (R0)