Abstract
IT security is becoming increasingly important, both because of the rise in cybercrime incidents and because of mandatory security and privacy laws that include confidentiality regulations. To prevent cybercriminal attacks, the business level has to identify critical business data and introduce organization-wide security standards. Close cooperation with the IT level is crucial to avoid mistakes and misunderstandings of security requirements; both can cause severe security breaches. Access control requirements (ACRs) are an important building block. In a costly, complex and manual role engineering process, experts have to elicit appropriate role-based access control (RBAC) policies according to business security and confidentiality models. This paper makes a first step towards closing this gap with an approach that automatically extracts business level ACRs from BPMN business processes to build an initial RBAC role model and establish traceability from RBAC policies to business processes. Case study results indicate that the accuracy of extracted policies is appropriate, adaptations in evolution scenarios become faster, and human errors are reduced during the engineering of RBAC policies.
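To make the idea of deriving an initial RBAC model with traceability from a BPMN process concrete, here is an added example that is not the paper's code and does not reproduce its algorithm. It assumes a simplified mapping: each BPMN lane becomes a role, each task in that lane becomes an "execute" permission, and data input/output associations become "read"/"write" permissions on the referenced data object. The BPMN document, the process, lane, task and data object names, and the second "evolved" version of the process are all constructed for this example. Tasks that no lane claims are reported separately rather than turned into permissions, and a small diff function shows how a change in the process surfaces as a change in the role model.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

BPMN_NS = {"bpmn": "http://www.omg.org/spec/BPMN/20100524/MODEL"}
TASK_TAGS = ("task", "userTask", "serviceTask", "manualTask", "scriptTask",
             "sendTask", "receiveTask", "businessRuleTask")

# Constructed sample process (not taken from the paper): two lanes, three tasks,
# one data object. Task_Archive is deliberately left outside every lane.
SAMPLE_BPMN_V1 = """<bpmn:definitions xmlns:bpmn="http://www.omg.org/spec/BPMN/20100524/MODEL">
  <bpmn:process id="Process_Order" name="Order handling">
    <bpmn:laneSet id="LaneSet_1">
      <bpmn:lane id="Lane_Clerk" name="Clerk">
        <bpmn:flowNodeRef>Task_CreateOrder</bpmn:flowNodeRef>
      </bpmn:lane>
      <bpmn:lane id="Lane_Manager" name="Manager">
        <bpmn:flowNodeRef>Task_ApproveOrder</bpmn:flowNodeRef>
      </bpmn:lane>
    </bpmn:laneSet>
    <bpmn:dataObjectReference id="DO_Order" name="Order" dataObjectRef="Order"/>
    <bpmn:userTask id="Task_CreateOrder" name="Create order">
      <bpmn:dataOutputAssociation id="DOA_1">
        <bpmn:targetRef>DO_Order</bpmn:targetRef>
      </bpmn:dataOutputAssociation>
    </bpmn:userTask>
    <bpmn:userTask id="Task_ApproveOrder" name="Approve order">
      <bpmn:dataInputAssociation id="DIA_1">
        <bpmn:sourceRef>DO_Order</bpmn:sourceRef>
      </bpmn:dataInputAssociation>
    </bpmn:userTask>
    <bpmn:serviceTask id="Task_Archive" name="Archive order"/>
  </bpmn:process>
</bpmn:definitions>
"""

# Constructed evolution scenario: the Clerk lane gains a cancel task that writes Order.
SAMPLE_BPMN_V2 = SAMPLE_BPMN_V1.replace(
    "<bpmn:flowNodeRef>Task_CreateOrder</bpmn:flowNodeRef>",
    "<bpmn:flowNodeRef>Task_CreateOrder</bpmn:flowNodeRef>\n"
    "        <bpmn:flowNodeRef>Task_CancelOrder</bpmn:flowNodeRef>",
).replace(
    "  </bpmn:process>",
    '    <bpmn:userTask id="Task_CancelOrder" name="Cancel order">\n'
    '      <bpmn:dataOutputAssociation id="DOA_2">\n'
    "        <bpmn:targetRef>DO_Order</bpmn:targetRef>\n"
    "      </bpmn:dataOutputAssociation>\n"
    "    </bpmn:userTask>\n"
    "  </bpmn:process>",
)


def extract_rbac(bpmn_xml):
    """Derive an initial RBAC model from a BPMN document.

    Assumed mapping (a simplification, not the paper's algorithm):
      lane name          -> role
      task in that lane  -> ("execute", task id) permission
      data input/output  -> ("read"/"write", data object name) permission
    Returns (roles, trace, unassigned):
      roles      role name -> set of permissions
      trace      permission -> set of (process id, lane id, task id) it came from
      unassigned (process id, task id) for tasks no lane claims; these need a
                 human decision and must not silently become permissions.
    """
    root = ET.fromstring(bpmn_xml)
    roles, trace, unassigned = defaultdict(set), defaultdict(set), []
    for proc in root.findall("bpmn:process", BPMN_NS):
        pid = proc.get("id")
        data_names = {d.get("id"): d.get("name") or d.get("id")
                      for d in proc.findall("bpmn:dataObjectReference", BPMN_NS)}
        task_to_lane = {}
        for lane in proc.iter(f"{{{BPMN_NS['bpmn']}}}lane"):  # handles nested lanes too
            for ref in lane.findall("bpmn:flowNodeRef", BPMN_NS):
                task_to_lane[ref.text.strip()] = lane
        for tag in TASK_TAGS:
            for task in proc.findall(f"bpmn:{tag}", BPMN_NS):
                tid = task.get("id")
                lane = task_to_lane.get(tid)
                if lane is None:
                    unassigned.append((pid, tid))
                    continue
                perms = {("execute", tid)}
                for ref in task.findall("bpmn:dataInputAssociation/bpmn:sourceRef", BPMN_NS):
                    perms.add(("read", data_names.get(ref.text.strip(), ref.text.strip())))
                for ref in task.findall("bpmn:dataOutputAssociation/bpmn:targetRef", BPMN_NS):
                    perms.add(("write", data_names.get(ref.text.strip(), ref.text.strip())))
                for perm in perms:
                    roles[lane.get("name")].add(perm)
                    trace[perm].add((pid, lane.get("id"), tid))
    return dict(roles), dict(trace), unassigned


def diff_roles(old_roles, new_roles):
    """Per-role permission changes between two extracted models (evolution support)."""
    changes = {}
    for role in set(old_roles) | set(new_roles):
        added = new_roles.get(role, set()) - old_roles.get(role, set())
        removed = old_roles.get(role, set()) - new_roles.get(role, set())
        if added or removed:
            changes[role] = {"added": added, "removed": removed}
    return changes


if __name__ == "__main__":
    roles_v1, trace_v1, unassigned_v1 = extract_rbac(SAMPLE_BPMN_V1)
    for role, perms in sorted(roles_v1.items()):
        print(role, sorted(perms))
    print("unassigned tasks:", unassigned_v1)
    print("trace for ('read', 'Order'):", trace_v1[("read", "Order")])
    roles_v2, _, _ = extract_rbac(SAMPLE_BPMN_V2)
    print("changes v1 -> v2:", diff_roles(roles_v1, roles_v2))
```

The trace map is what makes a policy reviewable: every permission can be followed back to the process, lane and task that justified it, so a reviewer can ask whether the business model really intends the Manager role to read order data, and an unassigned task is surfaced as a modelling gap instead of being granted to nobody or to everybody by accident.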
Cite
Pilipchuk, R., Heinrich, R., & Reussner, R. (2021). Automatically Extracting Business Level Access Control Requirements from BPMN Models to Align RBAC Policies. In International Conference on Information Systems Security and Privacy (pp. 300–307). Science and Technology Publications, Lda. https://doi.org/10.5220/0010184403000307