Abstract
The problem of analyzing security requirements must be addressed in legacy systems when planned restructuring interventions also involve security aspects. In this paper, we propose a three-level model for authorization analysis and an associated method to extract authorizations from legacy systems. The model allows the security administrator to analyze process authorizations for database accesses at different granularity levels of the involved data. The connection between processes and user roles within organizational units of the legacy system is discussed. The initial results of experimentation with the approach on a set of processes and databases of the Italian Public Administration information systems are presented.
References
Aiken, P., Muntz, A., and Richards, R. (1994) DoD Legacy Systems - Reverse Engineering Data Requirements. Communications of the ACM, 37 (5).
Batini, C., Castano, S., De Antonellis, V., Fugini, M.G., and Pernici, B. (1996) Analysis of an Inventory of Information Systems in the Public Administration. Requirements Engineering Journal, 1 (1).
Castano, S., Fugini, M.G., Martella, G., and Samarati, P. (1995) Database Security. Addison-Wesley.
Castano, S. (1996) An Approach to Deriving Global Authorizations in Federated Database Systems. In Proc. of 10th Annual IFIP WG 11.3 Working Conference on Database Security, Como, Italy.
Chen, P.P. (1976) The Entity-Relationship Model: Towards a Unified View of Data. ACM Trans. on Database Systems, 1 (1).
Georgakopoulos, G., Hornik, M., and Sheth, A. (1995) An Overview of Workflow Management: From Process Modeling to Workflow Automation Infrastructure. Distributed and Parallel Databases, 3.
Holbein, R., Teufel, S., and Bauknecht, K. (1995) The Use of Business Process Models for Security Designs in Organisations, in [ISS95].
[ISS95] Information Systems Security - Facing the Information Society of the 21st Century. Proc. of IFIP/SEC'95, 12th Int. Information Security Conference (Eds. Katsikas, S.K. and Gritzalis, D.), Chapman and Hall.
Jonscher, D., and Dittrich, K.R. (1994) An Approach for Building Secure Database Federations. In Proc. of the 20th Int. Conf. on Very Large Databases, Santiago, Chile.
Oh, Y.C., and Navathe, S.B. (1995) SEER: Security Enhanced Entity-Relationship Model for Secure Relational Databases. In Proc. of OO-ER'95, Int. Conf. on the Object-Oriented and Entity-Relationship Modelling, LNCS n. 1021, Gold Coast, Australia.
Rabitti, F., Bertino, E., Kim, W., and Woelk, D. (1991) A Model of Authorization for Next-Generation Database Systems. ACM Trans. on Database Systems, 16 (1).
Sandhu, R.S., Coyne, E.J., Feinstein, H.L., and Youman, C.E. (1996) Role-Based Access Control Models. IEEE Computer, February.
Sheth, A.P., and Larson, J.P. (1990) Federated Database Systems for Managing Distributed, Heterogeneous, and Autonomous Databases. ACM Computing Surveys, 22 (3).
Copyright information
© 1997 Springer Science+Business Media Dordrecht
Cite this chapter
Castano, S., Fugini, M.G. (1997). Deriving Authorizations from Process Analysis in Legacy Information Systems. In: Yngström, L., Carlsen, J. (eds) Information Security in Research and Business. IFIP — The International Federation for Information Processing. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-35259-6_5
DOI: https://doi.org/10.1007/978-0-387-35259-6_5
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4757-5481-0
Online ISBN: 978-0-387-35259-6
eBook Packages: Springer Book Archive