Specifying Process-Aware Access Control Rules in SBVR

  • Stijn Goedertier
  • Christophe Mues
  • Jan Vanthienen
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4824)


Access control is an important aspect of regulatory compliance. Therefore, access control specifications must be process-aware in that they can refer to an underlying business process context, but do not specify when and how they must be enforced. Such access control specifications are often expressed in terms of general rules and exceptions, akin to defeasible logic. In this paper we demonstrate how a role-based, process-aware access control policy can be specified in the SBVR. In particular, we define an SBVR vocabulary that allows for a process-aware specification of defeasible access control rules. Because SBVR does not support defeasible rules, we show how a set of defeasible access control rules can be transformed into ordinary SBVR access control rules using decision tables as a transformation mechanism.


access control defeasible logic RBAC SBVR BPM 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Securities and Exchange Commission, U.S.A.: Sarbanes Oxley Act 2002. Securities and Exchange Commission (SEC), U.S.A (2002)Google Scholar
  2. 2.
    Object Management Group: Business Process Modeling Notation (BPMN) – final adopted specification. OMG Document – dtc/06-02-01 (2006)Google Scholar
  3. 3.
    Chapin, D.: Semantics of Business Vocabulary & Business Rules (SBVR) [26]Google Scholar
  4. 4.
    Object Management Group: Semantics of Business Vocabulary and Business Rules (SBVR) – Interim Specification. OMG Document – dtc/06-03-02 (2006)Google Scholar
  5. 5.
    Goedertier, S., Vanthienen, J.: EM-BrA<Superscript>2</Superscript>CE v0.2: A Vocabulary and Execution Model for Declarative Process Models. Fetew research report, K.U.Leuven (2007),
  6. 6.
    Baisley, D.E., Hall, J., Chapin, D.: Semantic Formulations in SBVR [26]Google Scholar
  7. 7.
    Unisys: Unisys rules modeler (2005) (10-11-2005),
  8. 8.
    Digital Business Ecosystem (DBE): Sbeaver (2007),
  9. 9.
    Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. IEEE Computer 29(2), 38–47 (1996)Google Scholar
  10. 10.
    Ferraiolo, D.F., Sandhu, R.S., Gavrila, S.I., Kuhn, D.R., Chandramouli, R.: Proposed nist standard for role-based access control. ACM Trans. Inf. Syst. Secur. 4(3), 224–274 (2001)CrossRefGoogle Scholar
  11. 11.
    InterNational Committee for Information Technology Standards (INCITS): Role-Based Access Control. American National Standard ANSI/INCITS 359-2004 (2004),
  12. 12.
    Guizzardi, G., Wagner, G.: Ontologies and Business Systems Analysis. In: Rosemann, M., Green, P. (eds.) Some Applications of a Unified Foundational Ontology in Business Modeling, pp. 345–367. IDEA Publisher, USA (2005)Google Scholar
  13. 13.
    Object Management Group: Business Motivation Model (BMM) – adopted specification. OMG Document – dtc/2006-08-03 (2006)Google Scholar
  14. 14.
    Nute, D.: Defeasible Logic. In: Handbook of Logic in Artificial Intelligence and Logic Programming, pp. 353–395. Oxford University Press, New York (1994)Google Scholar
  15. 15.
    Antoniou, G., Billington, D., Governatori, G., Maher, M.J.: Representation results for defeasible logic. ACM Trans. Comput. Log. 2(2), 255–287 (2001)CrossRefMathSciNetGoogle Scholar
  16. 16.
    Grosof, B.N., Labrou, Y., Chan, H.Y.: A declarative approach to business rules in contracts: courteous logic programs in XML. In: ACM Conference on Electronic Commerce, pp. 68–77. ACM Press, New York (1999)CrossRefGoogle Scholar
  17. 17.
    Maher, M.J., Rock, A., Antoniou, G., Billington, D., Miller, T.: Efficient defeasible reasoning systems. International Journal on Artificial Intelligence Tools 10(4), 483–501 (2001)CrossRefGoogle Scholar
  18. 18.
    Bassiliades, N., Kontopoulos, E., Antoniou, G.: A visual environment for developing defeasible rule bases for the semantic web. In: Adi, A., Stoutenburg, S., Tabet, S. (eds.) RuleML 2005. LNCS, vol. 3791, pp. 172–186. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  19. 19.
    Kontopoulos, E., Bassiliades, N., Antoniou, G.: Visualizing defeasible logic rules for the semantic web. In: Mizoguchi, R., Shi, Z., Giunchiglia, F. (eds.) ASWC 2006. LNCS, vol. 4185, pp. 278–292. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  20. 20.
    Antoniou, G., Taveter, K., Berndtsson, M., Wagner, G., Spreeuwenberg, S.: A First-Version Visual Rule Language. Report IST-2004-506779, REWERSE (2004)Google Scholar
  21. 21.
    Vanthienen, J., Robben, F.: Developing legal knowledge based systems using decision tables. In: ICAIL, pp. 282–291 (1993)Google Scholar
  22. 22.
    Vanthienen, J., Mues, C., Aerts, A.: An Illustration of Verification and Validation in the Modelling Phase of KBS Development. Data Knowl. Eng. 27(3), 337–352 (1998)zbMATHCrossRefGoogle Scholar
  23. 23.
    Spreeuwenberg, S., Gerrits, R., Boekenoogen, M.: Valens: A knowledge based tool to validate and verify an aion knowledge base (2000)Google Scholar
  24. 24.
    Vanthienen, J., Mues, C.: Prologa 5.3 - tabular knowledge modeling (2005)Google Scholar
  25. 25.
    Strembeck, M., Neumann, G.: An integrated approach to engineer and enforce context constraints in rbac environments. ACM Trans. Inf. Syst. Secur. 7(3), 392–427 (2004)CrossRefGoogle Scholar
  26. 26.
    W3C Workshop on Rule Languages for Interoperability, 27-28 April 2005, Washington, DC, USA. In: Rule Languages for Interoperability, W3C (2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Stijn Goedertier
    • 1
  • Christophe Mues
    • 2
  • Jan Vanthienen
    • 1
  1. 1.Department of Decision Sciences and Information Management, Katholieke Universiteit LeuvenBelgium
  2. 2.School of Management, University of SouthamptonUnited Kingdom

Personalised recommendations