Automatically Extracting Business Level Access Control Requirements from BPMN Models to Align RBAC Policies

Roman Pilipchuk, Robert Heinrich, Ralf Reussner

Abstract

IT security becomes increasingly important due to the rise of cybercrime incidents but also due to obligatory security and privacy laws that include confidentiality regulations. To prevent cybercriminal attacks, the business level has to identify critical business data and introduce organization-wide security standards. Close cooperation with the IT level is crucial to avoid mistakes and misunderstandings regarding security requirements, both of which may cause severe security breaches. An important building block is access control requirements (ACRs). In a costly, complex and manual role engineering process, experts have to elicit appropriate role-based access control (RBAC) policies according to business security and confidentiality models. This paper makes a first step towards closing this gap with an approach that automatically extracts business level ACRs from BPMN business processes to build an initial RBAC role model and establish traceability from RBAC policies to business processes. Case study results indicate that the accuracy of the extracted policies is appropriate, that adaptations in evolution scenarios become faster, and that human errors are reduced during the engineering of RBAC policies.

Paper Citation


in Harvard Style

Pilipchuk R., Heinrich R. and Reussner R. (2021). Automatically Extracting Business Level Access Control Requirements from BPMN Models to Align RBAC Policies. In Proceedings of the 7th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-491-6, pages 300-307. DOI: 10.5220/0010184403000307


in Bibtex Style

@conference{icissp21,
author={Roman Pilipchuk and Robert Heinrich and Ralf Reussner},
title={Automatically Extracting Business Level Access Control Requirements from BPMN Models to Align RBAC Policies},
booktitle={Proceedings of the 7th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2021},
pages={300-307},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0010184403000307},
isbn={978-989-758-491-6},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 7th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - Automatically Extracting Business Level Access Control Requirements from BPMN Models to Align RBAC Policies
SN - 978-989-758-491-6
AU - Pilipchuk R.
AU - Heinrich R.
AU - Reussner R.
PY - 2021
SP - 300
EP - 307
DO - 10.5220/0010184403000307