
Publication


Featured research published by Andreas Schaad.


symposium on access control models and technologies | 2001

The role-based access control system of a European bank: a case study and discussion

Andreas Schaad; Jonathan D. Moffett; Jeremy L. Jacob

Research in the area of role-based access control has made fast progress over the last few years. However, little has been done to identify and describe existing role-based access control systems within large organisations. This paper describes the access control system of a major European Bank. An overview of the system's structure, its administration and existing control principles constraining the administration is given. In addition, we provide an answer to a key question - the ratio of the number of roles to the system user population - which was raised in the recent RBAC2000 Workshop. Having described certain weaknesses of the Bank's system, the case study is extended to a comparison between the system and the RBAC96 models. In particular the issues of inheritance and grouping are addressed.


business process management | 2007

Modeling of task-based authorization constraints in BPMN

Christian Wolter; Andreas Schaad

Workflows model and control the execution of business processes in an organisation by defining a set of tasks to be done. The specification of workflows is well-elaborated and heavily tool supported. Task-based access control is tailored to specify authorization constraints for task allocation in workflows. Existing workflow modeling notations do not support the description of authorization constraints for task allocation commonly referred to as resource allocation patterns. In this paper we propose an extension for the Business Process Modeling Notation (BPMN) to express such authorizations within the workflow model, enabling the support of resource allocation pattern, such as Separation of Duty, Role-Based Allocation, Case Handling, or History-Based Allocation in BPMN. These pattern allow to specify authorization constraints, for instance role-task assignments, separation of duty, and binding of duty constraints. Based on a formal approach we develop an authorization constraint artifact for BPMN to describe such constraints. As a pragmatic demonstration of the feasibility of our proposed extension we model authorization constraints inspired by a real world banking workflow scenario. In the course of this paper we identify several aspects of future work related to verification and consistency analysis of modeled authorization constraints, tool-supported and pattern-driven authorization constraint description, and automatic derivation of authorization policies, such as defined by the eXtensible Access Control Markup Language (XACML).


Journal of Systems Architecture | 2009

Model-driven business process security requirement specification

Christian Wolter; Michael Menzel; Andreas Schaad; Philip Miseldine; Christoph Meinel

Various types of security goals, such as authentication or confidentiality, can be defined as policies for service-oriented architectures, typically in a manual fashion. Therefore, we foster a model-driven transformation approach from modelled security goals in the context of process models to concrete security implementations. We argue that specific types of security goals may be expressed in a graphical fashion at the business process modelling level which in turn can be transformed into corresponding access control and security policies. In this paper we present security policy and policy constraint models. We further discuss a translation of security annotated business processes into platform specific target languages, such as XACML or AXIS2 security configurations. To demonstrate the suitability of this approach an example transformation is presented based on an annotated process.


symposium on access control models and technologies | 2006

A model-checking approach to analysing organisational controls in a loan origination process

Andreas Schaad; Volkmar Lotz; Karsten Sohr

Demonstrating the safety of a system (i.e. avoiding the undesired propagation of access rights or indirect access through some other granted resource) is one of the goals of access control research, e.g. [1-4]. However, the flexibility required from enterprise resource management (ERP) systems may require the implementation of seemingly contradictory requirements (e.g. tight access control but at the same time support for discretionary delegation of workflow tasks and rights). To aid in the analysis of safety problems in workflow-based ERP system, this paper presents a model-checking based approach for automated analysis of delegation and revocation functionalities. This is done in the context of a real-world banking workflow requiring static and dynamic separation of duty properties. We derived information about the workflow from BPEL specifications and ERP business object repositories. This was captured in a SMV specification together with a definition of possible delegation and revocation scenarios. The required separation properties were translated into a set of LTL-based constraints. In particular, we analyse the interaction between delegation and revocation activities in the context of dynamic separation of duty policies.


symposium on access control models and technologies | 2002

Observations on the role life-cycle in the context of enterprise security management

Axel Kern; Martin Kuhlmann; Andreas Schaad; Jonathan D. Moffett

Roles are a powerful and policy neutral concept for facilitating distributed systems management and enforcing access control. Models which are now subject to becoming a standard have been proposed and much work on extensions to these models has been done over the last years as documented in the recent RBAC/SACMAT workshops. When looking at these extensions we can often observe that they concentrate on a particular stage in the life of a role. We investigate how these extensions fit into a more general theoretical framework in order to give practitioners a starting point from which to develop role-based systems. We believe that the life-cycle of a role could be seen as the basis for such a framework and we provide an initial discussion on such a role life-cycle, based on our experiences and observations in enterprise security management. We propose a life-cycle model that is based on an iterative-incremental process similar to those found in the area of software development.


symposium on access control models and technologies | 2002

A lightweight approach to specification and analysis of role-based access control extensions

Andreas Schaad; Jonathan D. Moffett

Role-based access control is a powerful and policy-neutral concept for enforcing access control. Many extensions have been proposed, the most significant of which are the decentralised administration of role-based systems and the enforcement of constraints. However, the simultaneous integration of these extensions can cause conflicts in a later system implementation. We demonstrate how we use the Alloy language for the specification of a conflict-free role-based system. This specification provides us at the same time with a suitable basis for further analysis by the Alloy constraint analyser.


web information systems engineering | 2007

Deriving XACML policies from business process models

Christian Wolter; Andreas Schaad; Christoph Meinel

The Business Process Modeling Notation (BPMN) has become a de facto standard for describing processes in an accessible graphical notation. The eXtensible Access Control Markup Language (XACML) is an OASIS standard to specify and enforce platform independent access control policies. In this paper we define a mapping between the BPMN and XACML metamodels to provide a model-driven extraction of security policies from a business process model. Specific types of organisational control and compliance policies that can be expressed in a graphical fashion at the business process modeling level can now be transformed into the corresponding task authorizations and access control policies for process-aware information systems. As a proof of concept, we extract XACML access control policies from a security augmented banking domain business process. We present an XSLT converter that transforms modeled security constraints into XACML policies that can be deployed and enforced in a policy enforcement and decision environment. We discuss the benefits of our modeling approach and outline how XACML can support task-based compliance in business processes.


workshop on privacy in the electronic society | 2008

Privacy-preserving social network analysis for criminal investigations

Florian Kerschbaum; Andreas Schaad

Social network analysis (SNA) is now a commonly used tool in criminal investigations, but evidence gathering and analysis is often restricted by data privacy laws. We consider the case where multiple investigators want to collaborate, but do not yet have sufficient evidence that justifies a plaintext data exchange. This paper proposes a solution for privacy-preserving social network analysis where several investigators can collaborate without actually exchanging sensitive private information. An investigator can request data from other sites to augment his view without revealing personally identifiable data. The investigator can compute important metrics by means of a SNA on the subject while keeping the entire social network unknown to him.


symposium on access control models and technologies | 2008

Task-based entailment constraints for basic workflow patterns

Christian Wolter; Andreas Schaad; Christoph Meinel

Access Control decisions are based on the authorisation policies defined for a system as well as observed context and behaviour when evaluating these constraints at runtime. Workflow management systems have been recognised as a primary source for defining authorisation policies at workflow designtime, as well as generating context at runtime. This paper analyses recent work in the workflow community regarding established control-flow patterns. We claim that there is an intrinsic relationship between these patterns and a set of task-based entailment constraints - such as Separation of Duty - that have been recently identified by the access control community. These constraints are based on a pre-determined partial order on sequence and parallel execution patterns. When, however, such an order does not exist, because of more complex control-flow patterns, ambiguous constraint evaluation situations will arise at workflow runtime. Accordingly, this paper reviews basic workflow patterns and identifies relationships between these and task-based entailment constraints. In addition, an analysis of possible runtime ambiguities that may arise from these relationships is presented. Our approach is based on recently developed techniques for visual constraint representation at a workflow design-time.


international conference on emerging security information, systems and technologies | 2008

A Secure Task Delegation Model for Workflows

Khaled Gaaloul; Andreas Schaad; Ulrich Flegel; François Charoy

Workflow management systems provide some of the required technical means to preserve integrity, confidentiality and availability at the control-, data- and task assignment layers of a workflow. We currently observe a move away from predefined strict workflow enforcement approaches towards supporting exceptions which are difficult to foresee when modelling a workflow. One specific approach for exception handling is that of task delegation. The delegation of a task from one principal to another, however, has to be managed and executed in a secure way, in this context implying the presence of a fixed set of delegation events. In this paper, we propose first and foremost, a secure task delegation model within a workflow. The novel part of this model is separating the various aspects of delegation with regards to users, tasks, events and data, portraying them in terms of a multi-layered state machine. We then define delegation scenarios and analyse additional requirements to support secure task delegation over these layers. Moreover, we detail a delegation protocol with a specific focus on the initial negotiation steps between the involved principals.
