
Enforcing compliance of hierarchical business process with visual security constraints

  • Original Article
International Journal of System Assurance Engineering and Management

Abstract

When modelling secure business processes, business analysts first specify the security constraints and compliance properties that design-time processes should satisfy. Checking whether a process model under security constraints complies with the intended security compliance properties is therefore a critical task. Some tasks within a process may contain internal business logic (called sub-processes), which makes the process hierarchical. In the security compliance analysis of a hierarchical process, the compliance properties are usually represented as complex logic formulas that are not easily understood by business analysts. This paper presents an approach for checking the compliance of a hierarchical process with security properties. The abstract process model is represented in BPMN graphical notation, and the security constraints model is represented as resource assignments on process behaviours. The expected security compliance properties are modelled by a visual compliance rule graph, which a business analyst can readily understand. Model checking is then applied to verify the security of the hierarchical process model.



Acknowledgements

This work is supported by the National Natural Science Foundation of China (No. 61372115, 61132001 and 61370061). We thank Dr. David Knuplesch for his kind help in introducing eCRG technology.

Author information


Correspondence to Li Duan.


Cite this article

Duan, L., Zhang, Y., Sun, Ca. et al. Enforcing compliance of hierarchical business process with visual security constraints. Int J Syst Assur Eng Manag 9, 703–715 (2018). https://doi.org/10.1007/s13198-017-0653-1


  • DOI: https://doi.org/10.1007/s13198-017-0653-1
