Deriving XACML Policies from Business Process Models

  • Christian Wolter
  • Andreas Schaad
  • Christoph Meinel
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4832)


The Business Process Modeling Notation (BPMN) has become a defacto standard for describing processes in an accessible graphical notation. The eXtensible Access Control Markup Language (XACML) is an OASIS standard to specify and enforce platform independent access control policies.

In this paper we define a mapping between the BPMN and XACML meta-models to provide a model-driven extraction of security policies from a business process model. Specific types of organisational control and compliance policies that can be expressed in a graphical fashion at the business process modeling level can now be transformed into the corresponding task authorizations and access control policies for process-aware information systems.

As a proof of concept, we extract XACML access control policies from a security augmented banking domain business process. We present an XSLT converter that transforms modeled security constraints into XACML policies that can be deployed and enforced in a policy enforcement and decision environment. We discuss the benefits of our modeling approach and outline how XACML can support task-based compliance in business processes.


Policy Definition Integration Enforcement Separation of Duties Business Process Modeling eXtensible Access Control Markup Language 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Schaad, A., Lotz, V., Sohr, K.: A Model-checking Approach to Analysing Organisational Controls in a Loan Origination Process. In: SACMAT 2006. Proceedings of the eleventh ACM symposium on Access control models and technologies (2006)Google Scholar
  2. 2.
    Tolone, W., Ahn, G.-J., Pai, T., Hong, S.-P.: Access control in collaborative systems. ACM Comput. Surv. 37(1), 29–41 (2005)CrossRefGoogle Scholar
  3. 3.
    Schreiter, T., Laures, G.: A Business Process-centered Approach for Modeling Enterprise Architectures. In: EMISA. Proceedings of Methoden, Konzepte und Technologien für die Entwicklung von dienstebasierten Informationssystemen (2006)Google Scholar
  4. 4.
    Tan, K., Crampton, J., Gunter, C.: The consistency of task-based authorization constraints in workflow systems. In: CSFW 2004. Proceedings of the 17th IEEE workshop on Computer Security Foundations (2004)Google Scholar
  5. 5.
    Anderson, A.: Core and hierarchical role based access control (RBAC) profile of XACML v2.0. OASIS Standard (2005)Google Scholar
  6. 6.
    Wolter, C., Schaad, A.: Modeling of Authorization Constraints in BPMN. In: BPM 2007. Proceedings of the 5th International Conference on Business Process Management (2007)Google Scholar
  7. 7.
    The Workflow Management Coalition.: Process Definition Interface – XML Process Definition Language (2005),
  8. 8.
    Dijkman, R.M., Dumas, M., Ouyang, C.: Formal Semantics and Automated Analysis of BPMN Process Models. In: ePrints Archive (2006)Google Scholar
  9. 9.
    Red Hat Middleware.: JBoss jBPM 2.0 jPdl Reference Manual (2007),
  10. 10.
    Jürjens, J.: UMLsec: Extending UML for Secure Systems Development. In: UML 2002. Proceedings of the 5th International Conference on The Unified Modeling Language, pp. 412–425 (2002)Google Scholar
  11. 11.
    Basin, D., Doser, J., Lodderstedt, T.: Model Driven Security for Process-Oriented Systems. In: SACMAT 2003. Proceedings of the eighth ACM symposium on Access control models and technologies, pp. 100–109 (2003)Google Scholar
  12. 12.
    Dobmeier, W., Pernuk, G.: Modellierung von Zugiffsrichtlinien für offene Systeme. In: EMISA 2006. Tagungsband Fachgruppentreffen Entwicklungsmethoden für Informationssysteme und deren Anwendung (2006)Google Scholar
  13. 13.
    Alam, M., Breu, R., Hafner, M.: Modeling permissions in a (u/x)ml world. In: ARES 2006. Proceedings of the First International Conference on Availability, Reliability and Security, Washington, DC, USA, pp. 685–692. IEEE Computer Society Press, Los Alamitos (2006)Google Scholar
  14. 14.
    Brodie, C.A., Karat, C.-M., Karat, J.: An empirical study of natural language parsing of privacy policy rules using the sparcle policy workbench. In: SOUPS 2006. Proceedings of the second symposium on Usable privacy and security, pp. 8–19. ACM Press, New York (2006)CrossRefGoogle Scholar
  15. 15.
    Hoagland, J.A., Pandey, R., Levitt, K.N.: Security Policy Specification Using a Graphical Approach. Technical report CSE-98-3. The University of California, Davis Department of Computer Science (1998)Google Scholar
  16. 16.
    Neumann, G., Strembeck, M.: An approach to engineer and enforce context constraints in an rbac environment. In: SACMAT. Proc. of the 8th ACM Symposium on Access Control Models and Technologies (2003)Google Scholar
  17. 17.
    Muehlen, M.z.: Evaluation of workflow management systems using meta models. In: HICSS 1999. Proceedings of the Thirty-second Annual Hawaii International Conference on System Sciences, Washington, DC, USA, vol. 5, p. 5060. IEEE Computer Society Press, Los Alamitos (1999)Google Scholar
  18. 18.
    Yu, L., Schmid, B.: A conceptual framework for agent-oriented and role-based work ow modeling. In: Proc. of the 1st Int. Workshop on Agent-Oriented Information Systems (1999)Google Scholar
  19. 19.
    Bertino, E., Ferrari, E., Atluri, V.: The Specification and Enforcement of Authorization Constraints in Workflow Management Systems. ACM Transactions on Information and System Security 2, 65–104 (1999)CrossRefGoogle Scholar
  20. 20.
    Mendling, J., Strembeck, M., Stermsek, G., Neumann, G.: An approach to extract rbac models from bpel4ws processes. In: Proceedings of the 13th IEEE International Workshops on Enabling Technologies: Infrastructures for Collaborative Enterprises (WETICE), Modena, Italy (June 2004)Google Scholar
  21. 21.
    Ouyang, C., van der Aalst, W.M.P., Marlon, D., ter Hofstede, Arthur, H.M.: Translating BPMN to BPEL. In: BPM Center Report BPM-06-02 (2006)Google Scholar
  22. 22.
    Leymann, F., Roller, D.: Production Workflow: Concepts and Techniques. Prentice Hall PTR, Upper Saddle River (2000)zbMATHGoogle Scholar
  23. 23.
    Object Management Group.: Business Process Modeling Notation Specification (2006),

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Christian Wolter
    • 1
  • Andreas Schaad
    • 1
  • Christoph Meinel
    • 2
  1. 1.SAP Research, Vincenz-Priessnitz-Str. 1, 76131 KarlsruheGermany
  2. 2.Hasso-Plattner-Institute (HPI) for IT Systems Engineering, University of PotsdamGermany

Personalised recommendations