Abstract
Access control is an important aspect of regulatory compliance. Therefore, access control specifications must be process-aware in that they can refer to an underlying business process context, but do not specify when and how they must be enforced. Such access control specifications are often expressed in terms of general rules and exceptions, akin to defeasible logic. In this paper we demonstrate how a role-based, process-aware access control policy can be specified in the SBVR. In particular, we define an SBVR vocabulary that allows for a process-aware specification of defeasible access control rules. Because SBVR does not support defeasible rules, we show how a set of defeasible access control rules can be transformed into ordinary SBVR access control rules using decision tables as a transformation mechanism.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Securities and Exchange Commission, U.S.A.: Sarbanes Oxley Act 2002. Securities and Exchange Commission (SEC), U.S.A (2002)
Object Management Group: Business Process Modeling Notation (BPMN) – final adopted specification. OMG Document – dtc/06-02-01 (2006)
Chapin, D.: Semantics of Business Vocabulary & Business Rules (SBVR) [26]
Object Management Group: Semantics of Business Vocabulary and Business Rules (SBVR) – Interim Specification. OMG Document – dtc/06-03-02 (2006)
Goedertier, S., Vanthienen, J.: EM-BrA<Superscript>2</Superscript>CE v0.2: A Vocabulary and Execution Model for Declarative Process Models. Fetew research report, K.U.Leuven (2007), http://www.econ.kuleuven.ac.be/public/ndbaf38/EM-BrAACE
Baisley, D.E., Hall, J., Chapin, D.: Semantic Formulations in SBVR [26]
Unisys: Unisys rules modeler (2005) (10-11-2005), www.unisys.com
Digital Business Ecosystem (DBE): Sbeaver (2007), http://sbeaver.sourceforge.net
Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. IEEE Computer 29(2), 38–47 (1996)
Ferraiolo, D.F., Sandhu, R.S., Gavrila, S.I., Kuhn, D.R., Chandramouli, R.: Proposed nist standard for role-based access control. ACM Trans. Inf. Syst. Secur. 4(3), 224–274 (2001)
InterNational Committee for Information Technology Standards (INCITS): Role-Based Access Control. American National Standard ANSI/INCITS 359-2004 (2004), http://csrc.nist.gov/rbac
Guizzardi, G., Wagner, G.: Ontologies and Business Systems Analysis. In: Rosemann, M., Green, P. (eds.) Some Applications of a Unified Foundational Ontology in Business Modeling, pp. 345–367. IDEA Publisher, USA (2005)
Object Management Group: Business Motivation Model (BMM) – adopted specification. OMG Document – dtc/2006-08-03 (2006)
Nute, D.: Defeasible Logic. In: Handbook of Logic in Artificial Intelligence and Logic Programming, pp. 353–395. Oxford University Press, New York (1994)
Antoniou, G., Billington, D., Governatori, G., Maher, M.J.: Representation results for defeasible logic. ACM Trans. Comput. Log. 2(2), 255–287 (2001)
Grosof, B.N., Labrou, Y., Chan, H.Y.: A declarative approach to business rules in contracts: courteous logic programs in XML. In: ACM Conference on Electronic Commerce, pp. 68–77. ACM Press, New York (1999)
Maher, M.J., Rock, A., Antoniou, G., Billington, D., Miller, T.: Efficient defeasible reasoning systems. International Journal on Artificial Intelligence Tools 10(4), 483–501 (2001)
Bassiliades, N., Kontopoulos, E., Antoniou, G.: A visual environment for developing defeasible rule bases for the semantic web. In: Adi, A., Stoutenburg, S., Tabet, S. (eds.) RuleML 2005. LNCS, vol. 3791, pp. 172–186. Springer, Heidelberg (2005)
Kontopoulos, E., Bassiliades, N., Antoniou, G.: Visualizing defeasible logic rules for the semantic web. In: Mizoguchi, R., Shi, Z., Giunchiglia, F. (eds.) ASWC 2006. LNCS, vol. 4185, pp. 278–292. Springer, Heidelberg (2006)
Antoniou, G., Taveter, K., Berndtsson, M., Wagner, G., Spreeuwenberg, S.: A First-Version Visual Rule Language. Report IST-2004-506779, REWERSE (2004)
Vanthienen, J., Robben, F.: Developing legal knowledge based systems using decision tables. In: ICAIL, pp. 282–291 (1993)
Vanthienen, J., Mues, C., Aerts, A.: An Illustration of Verification and Validation in the Modelling Phase of KBS Development. Data Knowl. Eng. 27(3), 337–352 (1998)
Spreeuwenberg, S., Gerrits, R., Boekenoogen, M.: Valens: A knowledge based tool to validate and verify an aion knowledge base (2000)
Vanthienen, J., Mues, C.: Prologa 5.3 - tabular knowledge modeling (2005)
Strembeck, M., Neumann, G.: An integrated approach to engineer and enforce context constraints in rbac environments. ACM Trans. Inf. Syst. Secur. 7(3), 392–427 (2004)
W3C Workshop on Rule Languages for Interoperability, 27-28 April 2005, Washington, DC, USA. In: Rule Languages for Interoperability, W3C (2005)
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Goedertier, S., Mues, C., Vanthienen, J. (2007). Specifying Process-Aware Access Control Rules in SBVR. In: Paschke, A., Biletskiy, Y. (eds) Advances in Rule Interchange and Applications. RuleML 2007. Lecture Notes in Computer Science, vol 4824. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-75975-1_4
Download citation
DOI: https://doi.org/10.1007/978-3-540-75975-1_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-75974-4
Online ISBN: 978-3-540-75975-1
eBook Packages: Computer ScienceComputer Science (R0)