A Framework Based on Role Patterns to Design Secure Business Processes

In view of recent business scandals that prompted the Sarbanes-Oxley legislation, there is a greater need for businesses to develop systematic approaches to designing secure business processes where the security aspects can be integrated into the process tightly. In this paper we propose 10 role patterns, and show how they can be associated with generic task categories and processes in order to meet standard requirements of internal control principles in businesses. We also show how the patterns can be implemented using built-in constraints in a logic based language like Prolog. While the role patterns are general, this approach is flexible and extendible because user-defined constraints can also be asserted in order to introduce additional requirements as dictated by business policy. The paper also discusses control requirements of business processes, explores the interactions between role based access control (RBAC) mechanisms and workflows, and gives an architecture for integrating our framework into an existing workflow system.

By: Akhil Kumar; Rong Liu

Published in: RC24523 in 2008


This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties). I have read and understand this notice and am a member of the scientific community outside or inside of IBM seeking a single copy only.


Questions about this service can be mailed to reports@us.ibm.com .