Authors:
Roman Pilipchuk
1
;
Stephan Seifermann
2
;
Robert Heinrich
2
and
Ralf Reussner
2
Affiliations:
1
FZI Research Center for Information Technology, Friedrichstraße 60, 10117 Berlin, Germany
;
2
Karlsruhe Institute of Technology, Am Fasanengarten 5, 76131 Karlsruhe, Germany
Keyword(s):
Access Control, Business Process, Enterprise Architecture.
Abstract:
Business processes define requirements for software systems that support business goals. Enterprise Application Architectures (EAAs) organize the structure and behavior of the required software systems. Satisfying requirements regarding the confidentiality of information that originate from the business process design is crucial to fulfill legal obligations and corporate policies. Violating these obligations and policies can lead to high fines and lost assets. There is a gap in modeling confidentiality requirements holistically across business processes and EAAs (Alpers et al., 2019). Hence, aligning EAAs with business processes by identifying violated business access control requirements (ACRs) during the architectural design phase is vital. Thereto, three challenges need to be overcome: i) define the meaning of read and write from ACRs for EAAs, ii) identify relevant parts of the EAA affected by ACRs and iii) define rules to cope with data type refinement. In this paper, we present
the challenges, solutions to them and our scientific findings that we made during the development of AcsALign, which is an approach to align the EAAs to ACRs of business processes in the early design phase and evolution scenarios using the established modeling languages Business Process Model and Notation (BPMN) and Palladio Component Model (PCM). We apply our solutions in a real-world case study. Evaluation results show satisfying accuracy of the requirements extraction and architectural alignment.
(More)