Model-driven business process security requirement specification

Authors:
Christian Wolter;Michael Menzel;Andreas Schaad;Philip Miseldine;Christoph Meinel
Affiliations:
SAP Research, CEC Karlsruhe, Vincenz-Priessnitz-Strasse 1, 76131 Karlsruhe, Germany;Hasso-Plattner-Institute, Prof.-Dr.-Helmert-Str. 2-3, 14482 Postdam, Germany;SAP Research, CEC Karlsruhe, Vincenz-Priessnitz-Strasse 1, 76131 Karlsruhe, Germany;SAP Research, CEC Karlsruhe, Vincenz-Priessnitz-Strasse 1, 76131 Karlsruhe, Germany;Hasso-Plattner-Institute, Prof.-Dr.-Helmert-Str. 2-3, 14482 Postdam, Germany
Venue:
Journal of Systems Architecture: the EUROMICRO Journal
Year:
2009

Citing 22
Cited 12

Logics of time and computation

Logics of time and computation
Role-Based Access Control Models

Computer
SecureFlow: a secure Web-enabled workflow management system

RBAC '99 Proceedings of the fourth ACM workshop on Role-based access control
Security in Computing

Security in Computing
The Use of Information Capacity in Schema Integration and Translation

VLDB '93 Proceedings of the 19th International Conference on Very Large Data Bases
Task-Based Authorization Controls (TBAC): A Family of Models for Active and Enterprise-Oriented Autorization Management

Proceedings of the IFIP TC11 WG11.3 Eleventh International Conference on Database Securty XI: Status and Prospects
UMLsec: Extending UML for Secure Systems Development

UML '02 Proceedings of the 5th International Conference on The Unified Modeling Language
Model driven security for process-oriented systems

Proceedings of the eighth ACM symposium on Access control models and technologies
Task-role-based access control model

Information Systems
Securing Web Services with WS-Security: Demystifying WS-Security, WS-Policy, SAML, XML Signature, and XML Encryption

Securing Web Services with WS-Security: Demystifying WS-Security, WS-Policy, SAML, XML Signature, and XML Encryption
Best-Practice Patterns and Tool Support for Configuring Secure Web Services Messaging

ICWS '04 Proceedings of the IEEE International Conference on Web Services
A logic-based framework for attribute based access control

Proceedings of the 2004 ACM workshop on Formal methods in security engineering
Business-driven application security: from modeling to managing secure applications

IBM Systems Journal
A model-checking approach to analysing organisational controls in a loan origination process

Proceedings of the eleventh ACM symposium on Access control models and technologies
Integration of risk identification with business process models

Systems Engineering
Axis2, Middleware for Next Generation Web Services

ICWS '06 Proceedings of the IEEE International Conference on Web Services
An Attribute-Based Access Control Model for Web Services

PDCAT '06 Proceedings of the Seventh International Conference on Parallel and Distributed Computing, Applications and Technologies
Principles of the Spin Model Checker

Principles of the Spin Model Checker
Modeling of task-based authorization constraints in BPMN

BPM'07 Proceedings of the 5th international conference on Business process management
Modeling control objectives for business process compliance

BPM'07 Proceedings of the 5th international conference on Business process management
Towards a UML 2.0 extension for the modeling of security requirements in business processes

TrustBus'06 Proceedings of the Third international conference on Trust, Privacy, and Security in Digital Business
Security ontology for annotating resources

OTM'05 Proceedings of the 2005 OTM Confederated international conference on On the Move to Meaningful Internet Systems: CoopIS, COA, and ODBASE - Volume Part II

Lightweight modeling and analysis of security concepts

ESSoS'11 Proceedings of the Third international conference on Engineering secure software and systems
Modeling process-related RBAC models with extended UML activity models

Information and Software Technology
A decade of model-driven security

Proceedings of the 16th ACM symposium on Access control models and technologies
An integrated approach for identity and access management in a SOA context

Proceedings of the 16th ACM symposium on Access control models and technologies
Derivation of trust federation for collaborative business processes

Information Systems Frontiers
Achieving life-cycle compliance of service-oriented architectures: open issues and challenges

DPM'09/SETOP'09 Proceedings of the 4th international workshop, and Second international conference on Data Privacy Management and Autonomous Spontaneous Security
Security and safety of assets in business processes

Proceedings of the 27th Annual ACM Symposium on Applied Computing
A framework for modelling security architectures in services ecosystems

ESOCC'12 Proceedings of the First European conference on Service-Oriented and Cloud Computing
Towards an approach to design and enforce security in web service composition

International Journal of Web Engineering and Technology
Augmented enterprise models as a foundation for generating security-related software: requirements and objectives

Proceedings of the Workshop on Model-Driven Security
Enforcement of entailment constraints in distributed service-based business processes

Information and Software Technology
Towards the automatic and optimal selection of risk treatments for business processes using a constraint programming approach

Information and Software Technology

Quantified Score

Hi-index	0.00

Visualization

Abstract

Various types of security goals, such as authentication or confidentiality, can be defined as policies for service-oriented architectures, typically in a manual fashion. Therefore, we foster a model-driven transformation approach from modelled security goals in the context of process models to concrete security implementations. We argue that specific types of security goals may be expressed in a graphical fashion at the business process modelling level which in turn can be transformed into corresponding access control and security policies. In this paper we present security policy and policy constraint models. We further discuss a translation of security annotated business processes into platform specific target languages, such as XACML or AXIS2 security configurations. To demonstrate the suitability of this approach an example transformation is presented based on an annotated process.