Model-driven specification and enforcement of RBAC break-glass policies for process-aware information systems

Information and Software Technology

Volumn 56, Issue 10, 2014, Pages 1289-1308

  Schefer Wenzl, Sigrid ^a,b   Strembeck, Mark ^b  

^a Austria Competence Center for IT Security   (Austria)

^b VIENNA UNIVERSITY OF ECONOMICS AND BUSINESS   (Austria)

Author keywords

Access control; Business process modeling; Model driven development; UML

Indexed keywords

ACCESS CONTROL; INFORMATION SYSTEMS; SPECIFICATIONS; SYSTEMS ANALYSIS; SYSTEMS ENGINEERING;

BUSINESS PROCESS MODEL; COMPUTATION INDEPENDENT MODEL; EXCEPTION HANDLING MECHANISM; INTEGRATED MODELING APPROACHES; MODEL DRIVEN DEVELOPMENT; PROCESS-AWARE INFORMATION SYSTEMS; ROLE-BASED ACCESS CONTROL MODEL; UML;

GLASS;

EID: 84905089674     PISSN: 09505849     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.infsof.2014.04.010     Document Type: Article

References (73)

1. Business Activity Library and Runtime Engine, 2012. < http://wi.wu.ac.at/home/mark/BusinessActivities/library.html >.
2. Oracle Role Manager, 2013. < http://www.oracle.com/us/products/ middleware/identity-management/oracle-role-manager/overview/index.html >.
3. SAP Virsa Firefighter, 2013. < http://sapsecurity.info/virsa- firefighter/ >.
4. J. Alqatawna, E. Rissanen, and B. Sadighi Overriding of access control in XACML Proceedings of the Eighth IEEE International Workshop on Policies for Distributed Systems and Networks 2007 Springer Washington, DC, USA 87 95
5. C.A. Ardagna, S.D.C. di Vimercati, S. Foresti, T.W. Grandison, S. Jajodia, and P. Samarati Access control for smarter healthcare using policy spaces Comput. Secur. 29 8 2010 848 858
6. N.D. Belnap, Modern Uses of Multiple-Valued Logics, 1977, pp. 21-32, reidel, (Chapter A useful four-valued logic).
7. E. Bertino, P.A. Bonatti, and E. Ferrari TRBAC: a temporal role-based access control model ACM Trans. Inf. Syst. Secur. (TISSEC) 4 3 2001
8. E. Bertino, E. Ferrari, and V. Atluri The specification and enforcement of authorization constraints in workflow management systems ACM Trans. Inf. Syst. Secur. (TISSEC) 2 1 1999
9. R.A. Botha, and J.H. Eloff Separation of duties for access control enforcement in workflow environments IBM Syst. J. 40 3 2001
10. G. Bracha, W. Cook, Mixin-based inheritance, in: Proc. of the European Conference on Object-oriented Programming systems, languages and applications (OOPSLA/ECOOP), 1990.
11. G. Bracha, G. Lindstrom, Modularity meets inheritance, in: Proc. of the IEEE International Conference on Computer Languages, 1992.
12. A.D. Brucker, H. Petritsch, Extending Access Control Models with Break-Glass, in: Proceedings of the 14th ACM Symposium on Access Control Models and Technologies (SACMAT), 2009.
13. A.D. Brucker, H. Petritsch, S.G. Weber, Attribute-Based Encryption with Break-glass, in: Proc. of the Workshop In Information Security Theory And Practice (WISTP), 2010.
14. B. Carminati, E. Ferrari, M. Guglielmi, Secure information sharing on support of emergency management, in: Proc. of the International Conference on Privacy, Security, Risk and Trust, 2011.
15. F. Casati, S. Ceri, S. Paraboschi, and G. Pozzi Specification and implementation of exceptions in workflow management systems ACM Trans. Database Syst. 24 1999 405 451
16. D.K.W. Chiu, Q. Li, and K. Karlapalem A meta modeling approach to workflow management systems supporting exception handling Inf. Syst. 24 1999 159 184
17. D.D. Clark, D.R. Wilson, A comparison of commercial and military security policies, in: IEEE Symposium on Security and Privacy, 1987.
18. J. Corbin, and A. Strauss Basics of Qualitative Research: Techniques and Procedures for Developing Grounded Theory 2008 Sage
19. J. Crampton, H. Khambhammettu, Delegation and satisfiability in workflow systems, in: Proceedings of the 13th ACM Symposium on Access Control Models and Technologies (SACMAT), 2008.
20. F. Cuppens, and N. Cuppens-Boulahia Modeling contextual security policies Int. J. Inf. Secur. 7 4 2008
21. M. Dumas, M.L. Rosa, J. Mendling, R. Maesaku, R. Hajo A, N. Semenenko, Understanding business process models: the costs and benefits of structuredness, in: Prod. of the 24th International Conference on Advanced Information Systems Engineering (CAiSE), 2012.
22. D.F. Ferraiolo, D.R. Kuhn, and R. Chandramouli Role-Based Access Control 2nd ed. 2007 Artech House
23. A. Ferreira, D. Chadwick, P. Farinha, R. Correia, G. Zao, R. Chilro, L. Antunes, How to securely break into RBAC: the BTG-RBAC model, in: Proceedings of the 2009 Annual Computer Security Applications Conference, December 2009.
24. A. Ferreira, R. Cruz-Correia, L. Antunes, P. Farinha, E. Oliveira-Palhares, D.W. Chadwick, A. Costa-Pereira, How to break access control in a controlled manner, in: Proceedings of the 19th IEEE Symposium on Computer-Based Medical Systems, 2006.
25. C.K. Georgiadis, I. Mavridis, G. Pangalos, R.K. Thomas, Flexible team-based access control using contexts, in: Proceedings of the Sixth ACM Symposium on Access Control Models and Technologies (SACMAT), May 2001.
26. B. Hoisl, S. Sobernig, and M. Strembeck Modeling and enforcing secure object flows in process-driven SOAs: an integrated model-driven approach Software Syst. Model. (SoSyM) 13 2 2014
27. S.E. Hove, B. Anda, Experiences from conducting semi-structured interviews in empirical software engineering research, in: Proc. of the 11th IEEE International Software Metrics Symposium (METRICS), 2005.
28. S. Marinovic, R. Craven, J. Ma, N. Dulay, Rumpole: a flexible break-glass access control model, in: Proceedings of the 16th ACM Symposium on Access Control Models and Technologies (SACMAT), 2011.
29. M. Mernik, J. Heering, and A.M. Sloane When and how to develop domain-specific languages ACM Comput. Surv. (CSUR) 34 4 2005 316 344
30. H. Mouratidis, and J. Jürjens From goal-driven security requirements engineering to secure design Int. J. Intell. Syst. 25 8 2010
31. S. Nurcan, A survey on the flexibility requirements related to business processes and modeling artifacts, in: Proceedings of the Proceedings of the 41st Annual Hawaii International Conference on System Sciences, HICSS '08, January 2008.
32. S. Oh, and S. Park Task-role-based access control model Inf. Syst. 28 6 2003
33. OMG. OMG Business Process Modeling Notation, < http://www.omg.org/ spec/BPMN/1.2/ > January 2009, Version 1.2, formal/2009-01-03, The Object Management Group.
34. OMG. Object Constraint Language Specification, < http://www.omg.org/ technology/documents/formal/ocl.htm > February 2010, Version 2.2, formal/2010-02-01, The Object Management Group.
35. OMG, Unified Modeling Language (OMG UML): Superstructure, < http://www.omg.org/technology/documents/formal/uml.htm > May 2010. Version 2.3, formal/2010-05-03, The Object Management Group.
36. OMG, Meta Object Facility (MOF) Core Specification - Version 2.4.1, 2011. < http://www.omg.org/spec/MOF >.
37. D. Povey. Optimistic security: a new access control paradigm, in: Proceedings of the 1999 Workshop on New Security Paradigms, NSPW '99, 2000.
38. H.F. Ravi Sandhu, Edward Coyne, and C. Youman Role-based access control models IEEE Comput. 29 2 1996
39. M. Reichert, and P. Dadam Adept-flex-supporting dynamic changes of workflows without losing control J. Intell. Inf. Syst. 10 2 1998
40. M. Reichert, S. Rinderle-Ma, and P. Dadam Flexibility in process-aware information systems K. Jensen, W.M. Aalst, Transactions on Petri Nets and Other Models of Concurrency II 2009 Springer-Verlag Berlin, Heidelberg 115 135
41. E. Rissanen, B.S. Firozabadi, M. Sergot, Towards a mechanism for discretionary overriding of access control, in: Proceedings of the 12th International Workshop on Security Protocols, 2004.
42. A. Rodriguez, E. Fernandez-Medina, and M. Piattini Capturing security requirements in business processes through a UML 2.0 activity diagrams profile Workshop Proceedings of Advances in Conceptual Modeling - Theory and Practice (ER Workshops) Lecture Notes in Computer Science (LNCS) vol. 4231 2006 Springer Verlag
43. P. Runeson, and M. Höst Guidelines for conducting and reporting case study research in software engineering Empirical Software Eng. 14 2 2009
44. N. Russell, A.H.M.T. Hofstede, D. Edmond, Workflow resource patterns: identification, representation and tool support, in: Proceedings of the 17th Conference on Advanced Information Systems Engineering (CAiSE'05), volume 3520 of Lecture Notes in Computer Science, 2005.
45. N. Russell, W.M. van der Aalst, A.H.M.T. Hofstede, Exception handling patterns in process-aware information systems, in: International Conference on Advanced Information Systems Engineering (CAiSE), 2006.
46. S. Schefer, M. Strembeck, Modeling process-related duties with extended UML activity and interaction diagrams, in: Proc. of the International Workshop on Flexible Workflows in Distributed Systems, Workshops der wissenschaftlichen Konferenz Kommunikation in verteilten Systemen (WowKiVS), Electronic Communications of the EASST, vol. 37, March 2011.
47. S. Schefer, and M. Strembeck Modeling support for delegating roles, tasks, and duties in a process-related RBAC context International Workshop on Information Systems Security Engineering (WISSE) Lecture Notes in Business Information Processing (LNBIP) 2011 Springer Verlag
48. S. Schefer, M. Strembeck, J. Mendling, Checking satisfiability aspects of binding constraints in a business process context, in: BPM 2011 Workshops (2), Proc. of the BPM Workshop on Workflow Security Audit and Certification (WfSAC), 2011.
49. S. Schefer, M. Strembeck, J. Mendling, A. Baumgrass, Detecting and resolving conflicts of mutual-exclusion and binding constraints in a business process context, in: OTM Conferences (1) 2011, Proc. of the 19th International Conference on Cooperative Information Systems (CoopIS), October 2011.
50. S. Schefer-Wenzl, M. Strembeck, A UML extension for modeling break-glass policies, in: 5th International Workshop on Enterprise Modelling and Information Systems Architectures (EMISA), 2012.
51. S. Schefer-Wenzl, M. Strembeck, Modeling context-aware RBAC models for business processes in ubiquitous computing environments, in: Proc. of the 3rd International Conference on Mobile, Ubiquitous and Intelligent Computing (MUSIC), June 2012.
52. S. Schefer-Wenzl, M. Strembeck, Generic support for RBAC break-glass policies in process-aware information systems, in: Proc. of the 28th ACM Symposium on Applied Computing (SAC), 2013.
53. S. Schefer-Wenzl, M. Strembeck, and A. Baumgrass An approach for consistent delegation in process-aware information systems Proc. of the 15th International Conference on Business Information Systems (BIS) Lecture Notes in Business Information Processing (LNBIP) vol. 117 2012 Springer
54. D.C. Schmidt Model-driven engineering - guest editorś introduction IEEE Comput. 39 2 2006
55. B. Selic The pragmatics of model-driven development IEEE Software 20 5 2003
56. T. Stahl, and M. Völter Model-Driven Software Development 2006 John Wiley & Sons
57. M. Strembeck, Embedding policy rules for software-based systems in a requirements context, in: Proc. of the 6th IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY), June 2005.
58. M. Strembeck Scenario-driven role engineering IEEE Secur. Privacy 8 1 2010
59. M. Strembeck, and J. Mendling Generic algorithms for consistency checking of mutual-exclusion and binding constraints in a business process context Proc. of the 18th International Conference on Cooperative Information Systems (CoopIS) Lecture Notes in Computer Science (LNCS) vol. 6426 2010 Springer Verlag
60. M. Strembeck, and J. Mendling Modeling process-related RBAC models with extended UML activity models Inf. Software Technol. 53 5 2011
61. M. Strembeck, and G. Neumann An integrated approach to engineer and enforce context constraints in RBAC environments ACM Trans. Inf. Syst. Secur. (TISSEC) 7 3 2004
62. M. Strembeck, and U. Zdun An approach for the systematic development of domain-specific languages Software: Pract. Exper. (SP&E) 39 15 2009
63. K. Tan, J. Crampton, C.A. Gunter, The consistency of task-based authorization constraints in workflow systems, in: Proceedings of the 17th IEEE workshop on Computer Security Foundations, June 2004.
64. R.K. Thomas, R.S. Sandhu, Task-Based Authorization Controls (TBAC): a family of models for active and enterprise-oriented authorization management, in: Proceedings of the IFIP TC11 WG11.3 Eleventh International Conference on Database Securty XI: Status and Prospects, August 1997.
65. W.M.P. van der Aalst, M. Rosemann, and M. Dumas Deadline-based escalation in process-aware information systems Decis. Support Syst. 43 2007 492 511
66. S. von Stackelberg, K. Böhm, M. Bracht, Embedding 'break the glass' into business process models, in: OTM Conferences (1), 2012.
67. J. Wainer, P. Barthelmess, and A. Kumar W-RBAC - a workflow security model incorporating controlled overriding of constraints Int. J. Coop. Inf. Syst. (IJCIS) 12 4 2003
68. J. Warner, V. Atluri, Inter-instance authorization constraints for secure workflow management, in: Proceedings of the Eleventh ACM Symposium on Access Control Models and Technologies (SACMAT), June 2006.
69. B. Weber, S. Rinderle, M. Reichert, Change patterns and change support features in process-aware information systems, in: International Conference on Advanced Information Systems Engineering (CAiSE), 2007.
70. D. Wetherall, C.J. Lindblad, Extending Tcl for dynamic object-oriented programming, in: Proc. of the USENIX Tcl/Tk Workshop, 1995.
71. C. Wolter, and A. Schaad Modeling of task-based authorization constraints in BPMN G. Alonso, P. Dadam, M. Rosemann, Business Process Management Lecture Notes in Computer Science vol. 4714 2007 Springer Berlin/ Heidelberg
72. C. Wolter, A. Schaad, C. Meinel, Task-based entailment constraints for basic workflow patterns, in: Proceedings of the 13th ACM symposium on Access control models and technologies (SACMAT), 2008.
73. U. Zdun, M. Strembeck, and G. Neumann Object-based and class-based composition of transitive mixins Inf. Software Technol. 49 8 2007