Abstract
In view of recent business scandals that prompted the Sarbanes-Oxley legislation, there is a greater need for businesses to develop systematic approaches to designing business processes that comply with organizational policies. Moreover, it should be possible to express the policy and relate it to a given process in a descriptive or declarative manner. In this paper we propose role patterns, and show how they can be associated with generic task categories and processes in order to meet standard requirements of internal control principles in businesses. We also show how the patterns can be implemented using built-in constraints in a logic-based language like Prolog. While the role patterns are general, this approach is flexible and extensible because user-defined constraints can also be asserted in order to introduce additional requirements as dictated by business policy. The paper also discusses control requirements of business processes, and explores the interactions between role based access control (RBAC) mechanisms and workflows.
© 2008 Springer-Verlag Berlin Heidelberg
Cite this paper
Kumar, A., Liu, R. (2008). A Rule-Based Framework Using Role Patterns for Business Process Compliance. In: Bassiliades, N., Governatori, G., Paschke, A. (eds) Rule Representation, Interchange and Reasoning on the Web. RuleML 2008. Lecture Notes in Computer Science, vol 5321. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-88808-6_9
DOI: https://doi.org/10.1007/978-3-540-88808-6_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-88807-9
Online ISBN: 978-3-540-88808-6