Reasoning on the usage control security policies over data artifact business process models

The inclusion of security aspects in organizations is a crucial aspect to ensure compliance with both internal and external regulations. Business process models are a well-known mechanism to describe and automate the activities of the organizations, which should include security policies to ensure t...

Descripción completa

Detalles Bibliográficos
Autores: Estañol Lamarca, Montserrat|||0000-0001-7204-932X, Varela Vaca, Ángel Jesús, Gómez López, María Teresa, Teniente López, Ernest|||0000-0001-8890-9638, Martínez Gasca, Rafael
Tipo de recurso: artículo
Fecha de publicación:2022
País:España
Institución:Universitat Politècnica de Catalunya (UPC)
Repositorio:UPCommons. Portal del coneixement obert de la UPC
Idioma:inglés
OAI Identifier:oai:upcommons.upc.edu:2117/375237
Acceso en línea:https://hdl.handle.net/2117/375237
https://dx.doi.org/10.2298/CSIS210217061E
Access Level:acceso abierto
Palabra clave:Management information systems
Business -- Data processing
Business process
Security policy
Usage control model
Data artifact
Reasoning
Sistemes d'informació per a la gestió
Negocis -- Informàtica
Àrees temàtiques de la UPC::Informàtica::Sistemes d'informació
Descripción
Sumario:The inclusion of security aspects in organizations is a crucial aspect to ensure compliance with both internal and external regulations. Business process models are a well-known mechanism to describe and automate the activities of the organizations, which should include security policies to ensure the correct performance of the daily activities. Frequently, these security policies involve complex data which cannot be represented using the standard Business Process Model Notation (BPMN). In this paper, we propose the enrichment of the BPMN with a UML class diagram to describe the data model, that is also combined with security policies defined using the UCONABC framework annotated within the business process model. The integration of the business process model, the data model, and the security policies provides a context where more complex reasoning can be applied about the satisfiability of the security policies in accordance with the business process and data models. To do so, wetransform the original models, including security policies, into the BAUML framework (an artifact-centric approach to business process modelling). Once this is done, it is possible to ensure that there are no inherent errors in the model (verification) and that it fulfils the business requirements (validation), thus ensuring that the business process and the security policies are compatible and that they are aligned with the business security requirements.