Abstract
When modelling secure business processes, business analysts firstly specify security constraints and compliance properties that design-time processes should satisfy. Thus, it is a critical task to check whether the process model under security constraints complies with prospective security compliance properties. For some special tasks within a process, they may contain some internal business logics (named as sub-processes) that is a hierarchical process. In security compliance issues of a hierarchical process, security compliance properties are usually represented as complex logic formulas which are not easily understood by business analysts. This paper presents an approach for checking security properties compliance of the hierarchical process. We present the abstract process model and security constraints model respectively via BPMN graphic notation and resource assignments on process behaviours; the expected security compliance properties are modelled by a visual compliance rule graph, which is absorbed easily by a business analyst; model checking technology is applied to verify the security of the hierarchical process model.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Armando A, Ponta SE (2010) Model checking of security-sensitive business processes. In: Degano P, Guttman JD (eds) FAST 2009. LNCS, vol 5983. Springer, Heidelberg, pp 66–80
Armando A, Giunchiglia E, Maratea M, Ponta SE (2012) An action-based approach to the formal specification and automatic analysis of business processes under authorization constraints. J Comput Syst Sci 78(1):119–141
Arsac W, Compagna L, Pellegrino G, Ponta SE (2011) Security validation of business processes via model checking. In: Erlingsson U, Wieringa R, Zannone N, editors, ESSoS, vol 6542 of LNCS, pp 29–42. Springer, doi:10.1007/978-3-642-19125-13
Awad A, Weidlich M, Weske M (2011) Visually specifying compliance rules and explaining their violations for business processes. Vis Lang Comp 22(1):30–55
Berry A, Milosevic Z (2005) Extending choreography with business contract constraints. Int J Coop Inf Sys 14(2–3):131–179
Börger E, Thalheim B (2008) A method for verifiable and validatable business process modeling. In: Advances in Software Engineering. LNCS, vol. 5316, p 59C115. Springer, Berlin
Brucker AD, Doser J, Wol BA (2006) Model transformation semantics and analysis methodology for SecureUML. In Nierstrasz O, Whittle J, Harel D, Reggio G, editors, MoDELS 2006: Model Driven Engineering Languages and Systems, number 4199 in LNCS, pp 306–320. Springer, doi:10.1007/11880240
Brucker AD, Hang I, Luckemeyer G, Ruparel R (2012) “SecureBPMN: Modeling and enforcing access control requirements in business processes.” In: ACM symposium on access control models and technologies (SACMAT). ACM Press, pp 123–126
Cimatti A et al (2002) NuSMV2: an Open Source Tool for Symbolic Model Checking in QA075 Electronic computers. Computer Science http://eprints.biblio.unitn.it/archive/00000085
Compagna L, Guilleminot P, Brucker AD (2013)“Business process compliance via security validation as a service.” In: 2013 IEEE sixth international conference on software testing, Verification and validation
Houssos N, Zavaliadis D, Stamatis K, et al. (2011) Implementation of workflows as Finite State Machines in a national doctoral dissertations archive[J]
Knuplesch D, Reichert M (2011) Ensuring business process compliance along the process life cycle. Technical Report 2011-06, Ulm University
Knuplesch D, Reichert M, Fdhila W, Rinderle-Ma S (2013) On enabling compliance of cross-organizational business processes. In: BPM’13. Vol 8094 of LNCS. pp 146–154
Knuplesch D, Reichert M, Ly LT, Kumar A, Rinderle-Ma S (2013) Visual modeling of business process Compliance rules with the support of multiple perspectives. In: ER’13 (accepted for publication)
Knuplesch D, Reichert M, Pryss R, Fdhila W, Rinderle-Ma S (2013) Ensuring Compliance of Distributed and Collaborative Workflows. In: 9th IEEE Int’l conference on collaborative computing: networking, applications and worksharing (CollborateCom’13), Austin, Texas, United States, October 2013, IEEE Computer Society Press. (2013)
Liu Y, Miuller S, Xu K (2007) A static compliance-checking framework for business process models. IBM Syst J 46(2):335–361
Ly LT et al (2010) Design and verification of instantiable compliance rule graphs in process-aware information systems. In: CAiSE’10. pp 9–23
McMillan K (1992) The SMV system, Symbolic Model Checking an approach 1992, Carnegie Mellon University CMU-CS-92-131
Mulle J, von Stackelberg S, Bohm K (2011) “A security language for BPMN process models, University Karlsruhe (KIT), Tech. Rep
Object Management Group. Business process model and notation (BPMN), version 2.0, 2011. Available as OMG document formal/2011-01-03, (2011)
Peled D (1997) Partial order reduction: linear and branching temporal logics and process algebras. In Peled et al. pp 233–257
Sandhu R, Coyne E, Feinstein H, Youmann C (1996) Role-based access control models. IEEE Comput 2(29):38–47
Schaad A, Lotz V, Sohr K (2006) A model-checking approach to analysing organisational controls in a loan origination process. In: SACMAT, pp 139–149. ACM
Tang M, Li M, Zhang T (2016) The impacts of organizational culture on information security culture: a case study. Inf Technol Manag 17(2):179–186
Wang Q, Li N (2010) Satisfiability and resiliency in workflow authorization systems. ACM Trans Inf Syst Secur 13:40:1–40:35
Wolter C, Meinel C (2010) An approach to capture authorization requirements in business processes. Requir Eng 15(4):359–373
Acknowledgements
This work is supported by National Natural Science Foundation of China (No. 61372115, 61132001 and 61370061). We will thanks Dr. David Knuplesch for his kindly help in introducing eCRG technology.
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Duan, L., Zhang, Y., Sun, Ca. et al. Enforcing compliance of hierarchical business process with visual security constraints. Int J Syst Assur Eng Manag 9, 703–715 (2018). https://doi.org/10.1007/s13198-017-0653-1
Received:
Revised:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s13198-017-0653-1