Abstract
For several reasons enterprises are frequently subject to organizational change. Respective adaptations may concern business processes, but also other components of an enterprise architecture. In particular, changes of organizational structures often become necessary. The information about organizational entities and their relationships is maintained in organizational models. Therefore the quick and correct adaptation of these models is fundamental to adequately cope with organizational changes. However, model changes alone are not sufficient to guarantee consistency. Since organizational models also provide the basis for defining access rules (e.g., actor assignments in workflow management systems or access rules in document-centered applications) this information has to be adapted accordingly (e.g., to avoid dangling references or non-resolvable actor assignments). Current approaches do not adequately address this problem, which often leads to security gaps and delayed change implementation.In this paper we introduce a formal framework for the controlled evolution of organizational models and related access rules. Firstly, we introduce a set of operators with well-defined semantics for defining and changing organizational models. Secondly, we show how to define access rules based on such models. In this context we also define a notion of correctness for access rules. Thirdly, we present a formal framework for the (semi-automated) adaptation of access rules when the underlying organizational model is changed by exploiting the semantics of the applied changes. Altogether the presented approach provides an important contribution for realizing adaptive access control frameworks.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
v.d. Aalst, W., van Hee, K.: Workflow Management. MIT Press, Cambridge (2002)
Sutton, M.: Document Management for the Enterprise: Principles, Techniques and Applications. John Wiley, Chichester (1996)
Linthicum, D.: Enterpise Application Integration. Addison-Wesley, Reading (1999)
Bertino, E., Ferrari, E., Alturi, V.: The specification and enforcement of authorization constraints in wfms. ACM Trans. on Inf. and Sys. Sec. 2, 65–104 (1999)
Sandhu, S.: Authentication, access control and audit. ACM Computings Surveys 28, 241–243 (1996)
Ferraiolo, D., Kuhn, D., Chandramouli, R.: Role–Based Access Control. Artech House (2003)
Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. IEEE Computer 29, 38–47 (1996)
Wainer, J., Barthelmess, P., Kumar, A.: W–RBAC – a workflow security model incorporating controlled overriding of constraints. International Journal of Collaborative Information Systems 12, 455–485 (2003)
El Kalam, A., El Baida, R., Balbiani, P., Benferhat, S., Cuppens, F., Saurel, C., Deswarte, Y., Miege, A., Trouessin, G.: Organization-based access control. In: Proc. 4th IEEE Int. Workshop on Policies for Distributed Systems and Networks, IEEE Computer Society Press, Los Alamitos (2003)
Konyen, I.: Organizational structures and business processes in hospitals. Master’s thesis, University of Ulm, Computer Science Faculty (in German) (1996)
Jablonski, S., Schlundt, M., Wedekind, H.: A generic component for the computer–based use of organizational models (in german). Informatik Forschung und Entwicklung 16, 23–34 (2001)
Klarmann, J.: A comprehensive support for changes in organizational models of workflow management systems. In: ISM 2001. Proc. 4th Int’l Conf. on Inf Systems Modeling, pp. 375–387 (2001)
Dumas, M., ter Hofstede, A.W.A. (eds.): Process Aware Information Systems. Wiley Publishing, Chichester (2005)
Rinderle, S., Reichert, M.: On the controlled evolution of access rules in cooperative information systems. In: Meersman, R., Tari, Z. (eds.) On the Move to Meaningful Internet Systems 2005: CoopIS, DOA, and ODBASE. LNCS, vol. 3760, pp. 238–255. Springer, Heidelberg (2005)
Ferraiolo, D., Sandhu, R., Gavrila, S., Kuhn, D., Chandramouli, R.: Proposed NIST standard for role-based acces control. ACM ToISS 4, 224–274 (2001)
Tolone, W., Ahn, G., Pai, T.: Access control in collaborative systems. ACM Computings Surveys 37, 29–41 (2005)
Reichert, M., Rinderle, S., Kreher, U., Dadam, P.: Adaptive process management with adept2. In: ICDE 2005. Proc. 21st Int’l Conf. on Data Engineering, Tokyo, pp. 1113–1114 (2005)
Berroth, M.: Design of a component for organizational models. Master’s thesis, University of Ulm, Computer Science Faculty (in German) (2005)
Howes, T., Smith, M., Good, G.: Understanding and Deploying LDAP Directory Services. New Riders (2001)
Bertino, E.: Data security. DKE 25, 199–216 (1998)
Zur Muehlen, M.: Resource modeling in workflow applications. In: Proc. of the 1999 Workflow Management Conference (Muenster), pp. 137–153 (1999)
Weber, B., Reichert, M., Wild, W., Rinderle, S.: Balancing flexibility and security in adaptive process management systems. In: Meersman, R., Tari, Z. (eds.) On the Move to Meaningful Internet Systems 2005: CoopIS, DOA, and ODBASE. LNCS, vol. 3760, pp. 59–76. Springer, Heidelberg (2005)
NIST: Proposed Standard for Role-Based Access Control (2004), http://csrc.nist.gov/rbac/rbacSTDACM.pdf
Ferraiolo, D., Kuhn, D.: Role based access control. In: 15th National Computer Security Conference (1992)
Botha, R., Eloff, J.: A framework for access control in workflow systems. Information Management and Computer Security 9, 126–133 (2001)
Pfeiffer, V.: A framework for evaluating access control concepts in workflow management systems. Master’s thesis, University of Ulm, Computer Science Faculty (in German) (2005)
Giuri, L., Iglio, P.: A formal model for role-based access control with constraints. In: Proc. Computer Security Foundations Workshop, pp. 136–145 (1996)
Kuhn, D.: Mutual exclusion of roles as a means of implementing separation of duty in role-based access control systems. In: Proc. 2nd ACM Workshop on Role-based Access Control, pp. 23–30. ACM Press, New York (1997)
v.d. Aalst, W.: Exterminating the dynamic change bug: A concrete approach to support worfklow change. Information Systems Frontiers 3, 297–317 (2001)
Rinderle, S., Reichert, M., Dadam, P.: Correctness criteria for dynamic changes in workflow systems – a survey. Data and Knowledge Engineering, Special Issue on Advances in Business Process Management 50, 9–34 (2004)
Agostini, A., De Michelis, G.: Improving flexibility of workflow management systems. In: BPM 2000. Proc. Int’l Conf. on Business Process Management, pp. 218–234 (2000)
Joeris, G., Herzog, O.: Managing evolving workflow specifications. In: CoopIS 1998. Proc. Int’l Conf. on Cooperative Information Systems, New York City, pp. 310–321 (1998)
Weske, M.: Workflow management systems: Formal foundation, conceptual design, implementation aspects. University of Münster, Germany, Habilitation Thesis (2000)
Sadiq, S., Marjanovic, O., Orlowska, M.: Managing change and time in dynamic workflow processes. IJCIS 9, 93–116 (2000)
Fent, A., Reiter, H., Freitag, B.: Design for change: Evolving workflow specifications in ULTRAflow. In: Pidduck, A.B., Mylopoulos, J., Woo, C.C., Ozsu, M.T. (eds.) CAiSE 2002. LNCS, vol. 2348, pp. 516–534. Springer, Heidelberg (2002)
Kochut, K., Arnold, J., Sheth, A., Miller, J., Kraemer, E., Arpinar, B., Cardoso, J.: IntelliGEN: A distributed workflow system for discovering protein-protein interactions. Distributed and Parallel Databases 13, 43–72 (2003)
Edmond, D., ter Hofstede, A.: A reflective infrastructure for workflow adaptability. Data and Knowledge Engineering 34, 271–304 (2000)
Reichert, M., Dadam, P.: ADEPT flex - supporting dynamic changes of workflows without losing control. JIIS 10, 93–129 (1998)
Rinderle, S., Reichert, M., Dadam, P.: Flexible support of team processes by adaptive workflow systems. Distributed and Parallel Databases 16, 91–116 (2004)
Rinderle, S., Weber, B., Reichert, M., Wild, W.: Integrating process learning and process evolution - a semantics based approach. In: van der Aalst, W.M.P., Benatallah, B., Casati, F., Curbera, F. (eds.) BPM 2005. LNCS, vol. 3649, Springer, Heidelberg (2005)
Klarmann, J.: A comprehensive support for changes in organizational models of workflow management systems. In: ISM 2001. Proc. Int’l Conf. on Information Systems Modeling, Hradec nad Moravici, Czech Republic (2001)
Domingos, D., Rito–Silva, A., Veiga, P.: Authorization and access control in adaptive workflows. In: Snekkenes, E., Gollmann, D. (eds.) ESORICS 2003. LNCS, vol. 2808, pp. 23–28. Springer, Heidelberg (2003)
v.d. Aalst, W., Jablonski, S.: Dealing with workflow change: Identification of issues an solutions. In: Snekkenes, E., Gollmann, D. (eds.) ESORICS 2003. LNCS, vol. 2808, pp. 267–276. Springer, Heidelberg (2003)
Klarmann, J.: Using conceptual graphs for organization modeling in workflow management systems. In: WM 2001. Proc. Conf. Professionelles Wissensmanagement, pp. 19–23 (2001)
Rinderle, S., Reichert, M., Dadam, P.: Disjoint and overlapping process changes: Challenges, solutions, applications. In: Meersman, R., Tari, Z. (eds.) On the Move to Meaningful Internet Systems 2004: CoopIS, DOA, and ODBASE. LNCS, vol. 3290, pp. 101–120. Springer, Heidelberg (2004)
Simon, R., Zurko, M.: Separation of duty in role based environments. In: Proc. Computer Security Foundations Workshop X (1997)
Botha, R., Eloff, J.: Separation of duties for access control enforcement in workflow environments. IBM Systems Journal 40(3) (2001)
Ly, T., Rinderle, S., Dadam, P., Reichert, M.: Mining staff assignment rules from event-based data. In: Castellanos, M., Weijters, T. (eds.) BPI 2005. First International Workshop on Business Process Intelligence, Nancy, France, pp. 177–190 (2005)
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Rinderle, S., Reichert, M. (2007). A Formal Framework for Adaptive Access Control Models. In: Spaccapietra, S., et al. Journal on Data Semantics IX. Lecture Notes in Computer Science, vol 4601. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-74987-5_3
Download citation
DOI: https://doi.org/10.1007/978-3-540-74987-5_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-74982-0
Online ISBN: 978-3-540-74987-5
eBook Packages: Computer ScienceComputer Science (R0)