Enterprise Architecture Enhanced with Responsibility to Manage Access Rights - Case Study in an EU Institution

  • Michaël Petit
  • Christophe Feltus
  • François Vernadat
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 134)

Abstract

An innovative approach is proposed for aligning the different layers of the enterprise architecture of a European institution. The main objective of the alignment targets the definition and the assignment of the access rights needed by the employees according to business specifications. This alignment is realized by considering the responsibility and the accountabilities (doing, deciding and advising) of these employees regarding business tasks. Therefore, the responsibility (modeled in a responsibility metamodel) is integrated with the enterprise architecture metamodel using a structured method. The approach is illustrated and validated with a dedicated case study dealing with the definition of access rights assigned to employees involved in the user account provisioning and management processes.

Keywords

Access rights management Business/IT alignment Enterprise architecture Responsibility Case study 

References

  1. 1.
    Feltus, C., Petit, M., Vernadat, F.: Enhancement of CIMOSA with Responsibility Concept to Conform to Principles of Corporate Governance of IT. In: 13th IFAC Symposium on Information Control Problems in Manufacturing (INCOM 2009), Moscow, Russia (2009)Google Scholar
  2. 2.
    Feltus, C., Petit, M., Dubois, E.: Strengthening employee’s responsibility to enhance governance of IT: COBIT RACI chart case study. In: 1st ACM Workshop on Information Security Governance. ACM, New York (2009)Google Scholar
  3. 3.
    Clark, D., Wilson, R.: A comparison of commercial and military computer security policies. In: IEEE Symposium on Security and Privacy, p. 184 (1987)Google Scholar
  4. 4.
    Covington, M.J., Long, W., Srinivasan, S., Dev, A.K., Ahamad, M., Abowd, G.D.: Securing context-aware applications using environment roles. In: Symposium on Access Control Models And Technologies (SACMAT 2001), New York, NY, USA, pp. 10–20 (2001)Google Scholar
  5. 5.
    Ferraiolo, F., Sandhu, R., Gavrila, S., Kuhn, D.R., Chandramouli, R.: Proposed nist standard for role-based access control. ACM Trans. Inf. Syst. Secur. 4(3), 224–274 (2001)CrossRefGoogle Scholar
  6. 6.
    Karp, A.H., Haury, H., Davis, M.H.: From abac to zbac: The evolution of access control models. Control (2009)Google Scholar
  7. 7.
    Covington, M.J., Sastry, M.R.: A Contextual Attribute-Based Access Control Model. In: Meersman, R., Tari, Z., Herrero, P. (eds.) OTM Workshops 2006, Part II. LNCS, vol. 4278, pp. 1996–2006. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  8. 8.
    Lang, B., Foster, I., Siebenlist, F., Ananthakrishnan, R., Freeman, T.: A flexible attribute based access control method for grid computing. Journal of Grid Computing 7(2), 169–180 (2008)CrossRefGoogle Scholar
  9. 9.
    Crook, R., Ince, D., Nuseibeh, B.: Modelling access policies using roles in requirements engineering. Information and Software Technology 45(14), 979–991 (2003)CrossRefGoogle Scholar
  10. 10.
    He, Q., Anton, A.I.: A framework for privacy-enhanced access control analysis in requirements engineering. In: Proc. of the 9th Requirements Engineering Foundation for Software Quality (REFSQ 09) (2003)Google Scholar
  11. 11.
    Neumann, G., Strembeck, M.: A scenario-driven role engineering process for functional rbac roles. In: SACMAT 2002. ACM, New York (2002)Google Scholar
  12. 12.
    Lankhorst, M. (ed.), the ArchiMate team: ArchiMate Language Primer (2004)Google Scholar
  13. 13.
    Zachman, J.A.: The Zachman Framework For Enterprise Architecture: Primer for Enterprise Engineering and Manufacturing. Engineering, 1–11 (July 2003) Google Scholar
  14. 14.
    The Open Group. TOGAF (The Open Group Architecture Framework) (2009)Google Scholar
  15. 15.
    Feltus, C., Petit, M., Sloman, M.: Enhancement of Business IT Alignment by Including Responsibility Components in RBAC. In: 5th Busital Workshop, Hammamet, Tunisia (2010)Google Scholar
  16. 16.
    Feltus, C., Petit, M., Dubois, E.: ReMoLa: Responsibility Model Language to Align Access Rights with Business Process Requirements. In: Fifth International Conference on Research Challenges in Information Science (RCIS 2011), Gosier, Guadeloupe, May 19-21 (2011)Google Scholar
  17. 17.
    Petit, M.: Some methodological clues for defining a unified enterprise modelling language. In: Proc. of the International Conference on Enterprise Integration Modeling Technology (ICEIMT 2001), Deventer, The Netherlands, pp. 359–369 (2003)Google Scholar
  18. 18.
    Feltus, C., Dubois, E., Proper, E., Band, I., Petit, M.: Enhancing the ArchiMate® Standard with a Responsibility Modeling Language for Access Rights Management. In: Proc. of the 5th ACM International Conference on Security of Information and Networks (SIN 2012), India (2012)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2012

Authors and Affiliations

  • Michaël Petit
    • 1
  • Christophe Feltus
    • 1
    • 2
    • 3
  • François Vernadat
    • 4
  1. 1.PReCISE Research Centre,Faculty of Computer ScienceUniversity of NamurBelgium
  2. 2.Public Research Centre Henri TudorLuxembourgLuxembourg
  3. 3.EE-TeamLuxembourgLuxembourg
  4. 4.Directorate for Information & TechnologyEuropean Court of AuditorsLuxembourg

Personalised recommendations