Towards a Business-Centric Definition of Security Policies

Aurélien Faravelon 1 Christine Verdier 1 Agnès Front 1
1 SIGMA
LIG - Laboratoire d'Informatique de Grenoble
Abstract : Security requirements are part of business requirements, either because they derive from forensic rules, or because they derive from the business logic that should be translated into functional requirements to guarantee that a system meets its users' needs. Extending several notations such as the UML and the BPMN has been proposed as a means to bridge the gap between business process engineering, security policy design and system engineering. However, a gap remains between these extensions on the one hand and the large number of access control models on the other. Business logic, system engineering and security design thus remain separated when they should be intertwined. In this paper, we address this issue by defining a metamodel for access control that gathers the different aspects of access control. We then introduce extensions to the UML and to BPMN that we derive from this metamodel, and show that, from a business-centric perspective, we can derive functional requirements and model security to generate actual security policies.
Document type :
Conference papers

https://hal.inria.fr/hal-00953441
Contributor : Sophie Dupuy-Chessa
Submitted on : Friday, February 28, 2014 - 11:51:48 AM
Last modification on : Wednesday, February 6, 2019 - 2:01:32 AM

Identifiers

  • HAL Id : hal-00953441, version 1

Citation

Aurélien Faravelon, Christine Verdier, Agnès Front. Towards a Business-Centric Definition of Security Policies. 5th IEEE Int Conf on Research Challenges in Information Science (RCIS'11), 2011, Le Gosier, France. pp.1-11. ⟨hal-00953441⟩
