From Secure Business Process Models to Secure Artifact-Centric Specifications

  • Mattia Salnitri
  • Achim D. Brucker
  • Paolo Giorgini
Conference paper
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 214)


Making today’s systems secure is an extremely difficult and challenging problem. Social and technical issues interact and contribute to creating vulnerabilities that cannot be easily prevented without a comprehensive engineering method. This paper presents a novel approach to support process-aware secure systems modeling and automated generation of secure artifact-centric implementations. It combines social and technical perspectives in developing secure systems. This work is the result of an academic and industrial collaboration, where SecBPMN2, a research prototype, has been integrated with SAP River, an industrial artifact-centric language.


Keywords: Access Control; Business Process; Modeling Language; Data Object; Security Requirement
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Mattia Salnitri (1)
  • Achim D. Brucker (2)
  • Paolo Giorgini (1)

  1. University of Trento, Trento, Italy
  2. SAP SE, Karlsruhe, Germany
