Abstract
Compliance with regulatory requirements is key to successful collaborative business process execution. The review of the EU General Data Protection Regulation (GDPR) brought to the fore the need to comply with data privacy requirements. Access control and authorization mechanisms in workflow management systems based on roles, tasks, and attributes do not sufficiently address the current complex and dynamic privacy requirements of collaborative business process environments, because the policies involved are diverse. This paper proposes process-driven authorization as an alternative approach to data access control and authorization, in which access is granted on the basis of a legitimate need to accomplish a task in the business process. Because regulations come from many sources, a mechanism to derive and validate a composite set of constraints free of conflicts and contradictions is presented. An extended workflow tree language is also presented to support constraint modeling. A pick-and-pack process from industry is used as the illustrative case.
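As an added illustration (not the paper's own mechanism or workflow tree notation), a small Python sketch of the process-driven idea on a constructed pick-and-pack workflow: a user may read a data object only while assigned to a task that legitimately needs it, and a composite constraint set is rejected when a separation-of-duty and a binding-of-duty constraint cover the same task pair. Task names, data objects and the two constraint kinds are assumptions for the example.

```python
from dataclasses import dataclass, field

# Constructed pick-and-pack workflow: each task -> data objects it legitimately needs.
# Access is derived from the task, not from a static role grant.
TASK_NEEDS = {
    "receive_order": {"order", "customer_address"},
    "pick_items": {"order"},
    "pack_items": {"order"},
    "ship_parcel": {"order", "customer_address"},
}


@dataclass
class Constraint:
    kind: str            # "sod": different users; "bod": same user (assumed kinds)
    tasks: frozenset     # the pair of tasks the constraint relates


def find_conflicts(constraints):
    """Return task pairs constrained by both SoD and BoD: no assignment can satisfy both."""
    sod = {c.tasks for c in constraints if c.kind == "sod"}
    bod = {c.tasks for c in constraints if c.kind == "bod"}
    return sorted(sorted(pair) for pair in sod & bod)


@dataclass
class ProcessInstance:
    assignments: dict = field(default_factory=dict)  # task -> user currently assigned
    completed: dict = field(default_factory=dict)    # task -> user who completed it


def may_access(inst, user, task, data):
    """Process-driven check: grant only while the user holds an active task needing the data."""
    if inst.assignments.get(task) != user:
        return False
    return data in TASK_NEEDS.get(task, set())


def may_assign(inst, constraints, user, task):
    """Validate a proposed task assignment against SoD/BoD history of this instance."""
    for c in constraints:
        if task not in c.tasks:
            continue
        # users who already completed the other task(s) in the constrained pair
        others = [inst.completed[t] for t in c.tasks if t != task and t in inst.completed]
        if c.kind == "sod" and user in others:
            return False            # same person would perform both duties
        if c.kind == "bod" and others and any(u != user for u in others):
            return False            # a different person would break the binding
    return True
```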
Change history
03 April 2020
Acknowledgements
This research has been sponsored by EU H2020 FIRST project (Grant No. 734599, FIRST: vF Interoperation suppoRting buSiness innovaTion) and National Key R&D Program of China (2017YFE0118700).
Copyright information
© 2020 Springer Nature Singapore Pte Ltd.
Cite this paper
Kasse, J.P., Xu, L., de Vrieze, P., Bai, Y. (2020). Process Driven Access Control and Authorization Approach. In: Yang, XS., Sherratt, S., Dey, N., Joshi, A. (eds) Fourth International Congress on Information and Communication Technology. Advances in Intelligent Systems and Computing, vol 1041. Springer, Singapore. https://doi.org/10.1007/978-981-15-0637-6_26
DOI: https://doi.org/10.1007/978-981-15-0637-6_26
Publisher Name: Springer, Singapore
Print ISBN: 978-981-15-0636-9
Online ISBN: 978-981-15-0637-6
eBook Packages: Engineering, Engineering (R0)