
A Rule-Based Framework Using Role Patterns for Business Process Compliance

  • Conference paper
Rule Representation, Interchange and Reasoning on the Web (RuleML 2008)

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 5321)

Abstract

In view of the recent business scandals that prompted the Sarbanes-Oxley legislation, there is a greater need for businesses to develop systematic approaches to designing business processes that comply with organizational policies. Moreover, it should be possible to express the policy and relate it to a given process in a descriptive or declarative manner. In this paper we propose role patterns, and show how they can be associated with generic task categories and processes in order to meet standard requirements of internal control principles in businesses. We also show how the patterns can be implemented using built-in constraints in a logic-based language such as Prolog. While the role patterns are general, the approach is flexible and extensible because user-defined constraints can also be asserted in order to introduce additional requirements dictated by business policy. The paper also discusses control requirements of business processes, and explores the interactions between role-based access control (RBAC) mechanisms and workflows.
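As an added illustration of the approach the abstract describes (this is not code from the paper, whose implementation is in Prolog), the following Python sketch expresses role patterns as declarative rules over generic task categories, binds a set of built-in patterns into a policy, and lets user-defined constraints be appended at check time. The category names, roles, pattern set and the sample trace are assumptions made for the example.

```python
from dataclasses import dataclass

# Added example, not the paper's code: role patterns as declarative rules
# over generic task categories, checked against one process instance.
# Category names, roles and the sample trace are assumptions.
@dataclass(frozen=True)
class Task:
    name: str
    category: str  # generic task category: initiate / approve / record
    role: str      # role that performed the task
    user: str      # user that performed the task

# Constructed trace of one purchase-order case.
TRACE = [
    Task("create_po", "initiate", "clerk", "alice"),
    Task("approve_po", "approve", "manager", "bob"),
    Task("post_ledger", "record", "accountant", "carol"),
]

def tasks_in(trace, cat):
    return [t for t in trace if t.category == cat]

# Built-in role patterns; each returns a list of violation messages.
def separation_of_duty(trace, cat_a, cat_b):
    """No single user may perform tasks of both categories in one case."""
    shared = {t.user for t in tasks_in(trace, cat_a)} & {t.user for t in tasks_in(trace, cat_b)}
    return [f"SoD: {u} did both {cat_a} and {cat_b}" for u in sorted(shared)]

def role_required(trace, cat, role):
    """Tasks of a category must be performed by the named role."""
    return [f"role: {t.name} needs {role}, had {t.role}"
            for t in tasks_in(trace, cat) if t.role != role]

def ordered(trace, first, then):
    """A task of category `then` may only occur after some `first` task."""
    seen_first, out = False, []
    for t in trace:
        if t.category == first:
            seen_first = True
        elif t.category == then and not seen_first:
            out.append(f"order: {t.name} before any {first}")
    return out

# Policy: built-in patterns bound to task categories. User-defined
# constraints are plain callables appended at check time.
BUILTIN = [
    lambda tr: separation_of_duty(tr, "initiate", "approve"),
    lambda tr: role_required(tr, "approve", "manager"),
    lambda tr: ordered(tr, "initiate", "approve"),
]

def check(trace, user_rules=()):
    """Return all violations; an empty list means the case complies."""
    return [v for rule in [*BUILTIN, *user_rules] for v in rule(trace)]
```

A user-defined constraint is just another callable, e.g. `lambda tr: separation_of_duty(tr, "approve", "record")`, passed in `user_rules`.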




Copyright information

© 2008 Springer-Verlag Berlin Heidelberg


Cite this paper

Kumar, A., Liu, R. (2008). A Rule-Based Framework Using Role Patterns for Business Process Compliance. In: Bassiliades, N., Governatori, G., Paschke, A. (eds) Rule Representation, Interchange and Reasoning on the Web. RuleML 2008. Lecture Notes in Computer Science, vol 5321. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-88808-6_9


  • DOI: https://doi.org/10.1007/978-3-540-88808-6_9

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-88807-9

  • Online ISBN: 978-3-540-88808-6

  • eBook Packages: Computer Science (R0)
