
An approach to capture authorisation requirements in business processes

  • Original Research
  • Requirements Engineering

Abstract

Business process modelling focuses on the modelling of functional behaviour. In this article, we propose an extension to the business process modelling notation that expresses non-functional authorisation requirements in a process model, to enable collaboration between security experts and business analysts. To capture multi-level, role-based and Separation of Duty authorisation requirements, new model element attributes and authorisation artefacts are introduced. To enhance the usability of this approach, simple visual decorators are specified to ease the communication of requirements between the various stakeholders. To provide early validation of these authorisation requirements during the definition of a process model, formal semantics are applied to the process model and model-checking techniques are used to provide feedback. As a pragmatic proof of concept, a first prototype implementation is briefly discussed.

Corresponding author

Correspondence to Christian Wolter.

Cite this article

Wolter, C., Meinel, C. An approach to capture authorisation requirements in business processes. Requirements Eng 15, 359–373 (2010). https://doi.org/10.1007/s00766-010-0103-y

  • DOI: https://doi.org/10.1007/s00766-010-0103-y
