DocumentCode :
3109903
Title :
Towards a business-centric definition of access control policies
Author :
Faravelon, Aurélien ; Verdier, Christine ; Front, Agnés
Author_Institution :
Lab. d'Inf. de Grenoble, Equipe SIGMA, Grenoble, France
fYear :
2011
fDate :
19-21 May 2011
Firstpage :
1
Lastpage :
11
Abstract :
Security requirements are part of business requirements, either because they derive from forensic rules, or because they derive from the business logic that should be translated into functional requirements to guarantee that a system meets its users' needs. Extending several notations such as the UML and the BPMN has been proposed as a means to bridge the gap between business processes engineering, security policies design and system engineering. However, a gap remains between these extensions on the one hand and between the large number of access control models on the other hand. Business logic, system engineering and security design thus remain separated when they should be intertwined. In this paper, we address this issue by defining a metamodel for access control to gather the different aspects of access control. We then introduce extensions to the UML and to BPMN that we derive from this metamodel and show that from a business-centric perspective, we can derive functional requirements, and model security to generate actual security policies.
Keywords :
Unified Modeling Language; authorisation; business data processing; BPMN; UML; access control policies; business centric definition; business logic; business processes engineering; business requirements; forensic rules; functional requirements; security policies design; security requirements; Access control; Adaptation models; Context; Medical services; Object oriented modeling; Unified modeling language;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Research Challenges in Information Science (RCIS), 2011 Fifth International Conference on
Conference_Location :
Gosier
ISSN :
2151-1349
Print_ISBN :
978-1-4244-8670-0
Electronic_ISBN :
2151-1349
Type :
conf
DOI :
10.1109/RCIS.2011.6006835
Filename :
6006835