Anne Baumgrass
Vienna University of Economics and Business
Publications
Featured research published by Anne Baumgrass.
business process management | 2014
Cristina Cabanillas; Claudio Di Ciccio; Jan Mendling; Anne Baumgrass
Information sources providing real-time status of physical objects have drastically increased in recent times. So far, research in business process monitoring has mainly focused on checking the completion of tasks. However, the availability of real-time information allows for a more detailed tracking of individual business tasks. This paper describes a framework for controlling the safe execution of tasks and signalling possible misbehaviours at runtime. It outlines a real use case on smart logistics and the preliminary results of its application.
international conference on move to meaningful internet systems | 2011
Sigrid Schefer; Mark Strembeck; Jan Mendling; Anne Baumgrass
Mutual exclusion and binding constraints are important means to define which combinations of subjects and roles can be assigned to the tasks that are included in a business process. Due to the combinatorial complexity of potential role-to-subject and task-to-role assignments, there is a strong need to systematically check the consistency of a given set of constraints. In this paper, we discuss the detection of consistency conflicts and provide resolution strategies for the corresponding conflicts.
business process management | 2013
Cristina Cabanillas; Anne Baumgrass; Jan Mendling; Patricia Rogetzer; Bruno Bellovoda
Logistics processes have some characteristics which are fundamentally challenging from a business process management perspective. Their execution usually involves multiple parties and information exchanges and has to ensure a certain level of flexibility in order to respond to unexpected events. On the level of monitoring, potential disruptions have to be detected and reactive measures be taken in order to avoid delays and contract penalties. However, current business process management systems do not exactly address these general requirements which call for the integration of techniques from event processing. Unfortunately, activity-based and event-based execution paradigms are not thoroughly in line. In this paper, we untangle conceptual issues in aligning both. We present a set of three challenges in the monitoring of process-oriented complex logistics chains identified based on a real-world scenario consisting of a three-leg intermodal logistics chain for the transportation of goods. Required features that such a monitoring system should provide, as well as related literature referring to these challenges, are also described.
business information systems | 2012
Sigrid Schefer-Wenzl; Mark Strembeck; Anne Baumgrass
Delegation is an important concept to increase flexibility in authorization and obligation management. Due to the complexity of potential delegation relations, there is a strong need to systematically check the consistency of all delegation assignments. In this paper, we discuss the detection of delegation conflicts based on the formal definitions of a model that supports the delegation of roles, tasks, and duties in a business process context.
symposium on access control models and technologies | 2011
Anne Baumgrass; Mark Strembeck; Stefanie Rinderle-Ma
Scenario-driven role engineering is a systematic approach to engineer and maintain RBAC models. Like every engineering process, this approach heavily depends on human factors and many of the corresponding engineering tasks must be conducted manually. However, based on the experiences we gained from our projects and case studies, we identified several tasks in role engineering that are monotonous, time-consuming, and can get tedious if conducted manually. These tasks include the derivation of candidate RBAC artifacts from business processes and scenario models. In this paper, we present an approach to automatically derive role engineering artifacts from process and scenario models. While our general approach is independent from a specific document format, we especially discuss the derivation of role engineering artifacts from UML activity models, UML interaction models, and BPMN collaboration models. In particular, we use the XMI (XML Metadata Interchange) representation of these models as a tool- and vendor-independent format to identify and automatically derive different role engineering artifacts.
business process management | 2011
Anne Baumgrass; Thomas Baier; Jan Mendling; Mark Strembeck
A process-aware information system (PAIS) is a software system that supports the definition, execution, and analysis of business processes. The execution of process instances is typically recorded in so-called event logs. In this paper, we present an approach to automatically generate LTL (Linear Temporal Logic) statements from process-related RBAC (Role-based Access Control) models. These LTL statements are used to check if process executions that are recorded via event logs conform to the access control policies defined via a corresponding RBAC model. To demonstrate our approach, we implemented an RBAC-to-LTL component, and used the ProM tool to test the resulting LTL statements with event logs created from process simulations in CPN Tools.
availability, reliability and security | 2011
Anne Baumgrass
Process-aware information systems are used to execute business processes to reach the operational goals of an organization. In this context, access control policies are defined to govern the choice in behavior of such systems. In a role engineering process these access control policies can be defined and customized. This paper introduces a new automated approach to derive current state access control policies from event logs extracted from process-aware information systems. For this purpose, the two standard formats for event logs called MXML and XES are used. It is demonstrated how this derivation can ease certain steps in the scenario-driven role engineering process that are otherwise time-consuming and can get tedious if conducted manually.
computer software and applications conference | 2012
Anne Baumgrass; Sigrid Schefer-Wenzl; Mark Strembeck
In a business process context, access permissions grant the rights to perform certain tasks. In particular, process-related role-based access control (RBAC) models define RBAC policies for process-aware information systems (PAIS). In addition, process-related RBAC models allow for the definition of entailment constraints on tasks, such as mutual exclusion or binding constraints, for example. This paper presents an approach to derive process-related RBAC models from process execution histories recorded by a PAIS. In particular, we present algorithms to derive corresponding RBAC artifacts and entailment constraints from standardized XML-based log files. All algorithms presented in this paper have been implemented and were tested via process logs created with CPN Tools.
Information Security Technical Report | 2013
Anne Baumgrass; Mark Strembeck
In the context of role-based access control (RBAC), mining approaches, such as role mining or organizational mining, can be applied to derive permissions and roles from a system's configuration or from log files. In this way, mining techniques document the current state of a system and produce current-state RBAC models. However, such current-state RBAC models most often follow from structures that have evolved over time and are not the result of a systematic rights management procedure. In contrast, role engineering is applied to define a tailored RBAC model for a particular organization or information system. Thus, role engineering techniques produce a target-state RBAC model that is customized for the business processes supported via the respective information system. The migration from a current-state RBAC model to a tailored target-state RBAC model is, however, a complex task. In this paper, we present a systematic approach to migrate current-state RBAC models to target-state RBAC models. In particular, we use model comparison techniques to identify differences between two RBAC models. Based on these differences, we derive migration rules that define which elements and element relations must be changed, added, or removed. A migration guide then includes all migration rules that need to be applied to a particular current-state RBAC model to produce the corresponding target-state RBAC model. We conducted two comparative studies to identify which visualization technique is most suitable to make migration guides available to human users. Based on the results of these comparative studies, we implemented tool support for the derivation and visualization of migration guides. Our software tool is based on the Eclipse Modeling Framework (EMF). Moreover, this paper describes the experimental evaluation of our tool.
business process management | 2012
Maria Leitner; Anne Baumgrass; Sigrid Schefer-Wenzl; Stefanie Rinderle-Ma; Mark Strembeck
Role-based access control (RBAC) is commonly used to implement authorization procedures in process-aware information systems (PAIS). Process mining refers to a bundle of algorithms that typically discover process models from event log data produced during the execution of real-world processes. Beyond pure control flow mining, some techniques focus on the discovery of organizational information from event logs. However, a systematic analysis and comparison of these approaches with respect to their suitability for mining RBAC models is still missing. This paper works towards filling this gap and provides a first guidance for applying mining techniques for deriving RBAC models.