Model-driven specification and enforcement of RBAC break-glass policies for process-aware information systems |
| |
| Affiliation: | 1. Competence Center for IT-Security, University of Applied Sciences Campus Vienna, Austria;2. Institute for Information Systems and New Media, WU Vienna, Austria;1. Freie Universität Berlin, Berlin, Germany;2. Infopark AG, Berlin, Germany;1. Service d’Hépatogastroentérologie, Hôpital Pitié Salpêtrière, Paris, France;3. Service de Chirurgie Hépatobiliaire et de Transplantation, Hôpital Pitié Salpêtrière, Paris, France;4. Service d’Anatomie Pathologique, Hôpital Pitié Salpêtrière, Paris, France;6. Service d’Anesthésie et Réanimation, Hôpital Pitié Salpêtrière, Paris, France;1. Database Laboratory, Universidade da Coruña, Facultade de Informática, Campus de Elviña s/n, 15071 A Coruña, Spain;2. Yahoo Labs, Barcelona & DTIC, Universitat Pompeu Fabra, Barcelona, Spain;3. DAMA-UPC, Universitat Politèecnica de Catalunya, Campus Diagonal Nord, Building C6, C. Jordi Girona, 1-3, 08034 Barcelona, Spain |
| |
| Abstract: | ContextIn many organizational environments critical tasks exist which – in exceptional cases such as an emergency – must be performed by a subject although he/she is usually not authorized to perform these tasks. Break-glass policies have been introduced as a sophisticated exception handling mechanism to resolve such situations. They enable certain subjects to break or override the standard access control policies of an information system in a controlled manner.ObjectiveIn the context of business process modeling a number of approaches exist that allow for the formal specification and modeling of process-related access control concepts. However, corresponding support for break-glass policies is still missing. In this paper, we aim at specifying a break-glass extension for process-related role-based access control (RBAC) models.MethodWe use model-driven development (MDD) techniques to provide an integrated, tool-supported approach for the definition and enforcement of break-glass policies in process-aware information systems. In particular, we provide modeling support on the computation independent model (CIM) layer as well as on the platform independent model (PIM) and platform specific model (PSM) layers.ResultsOur approach is generic in the sense that it can be used to extend process-aware information systems or process modeling languages with support for process-related RBAC and corresponding break-glass policies. Based on the formal CIM layer metamodel, we present a UML extension on the PIM layer that allows for the integrated modeling of processes and process-related break-glass policies via extended UML Activity diagrams. We evaluated our approach in a case study on real-world processes. Moreover, we implemented our approach at the PSM layer as an extension to the BusinessActivity library and runtime engine.ConclusionOur integrated modeling approach for process-related break-glass policies allows for specifying break-glass rules in process-aware information systems. |
| |
| Keywords: | Access control Business process modeling Model-driven development UML |
| 本文献已被 ScienceDirect 等数据库收录! |
|
