Towards a UML 2.0 Profile for RBAC Modeling in Activity Diagrams

Alfonso Rodríguez, Eduardo Fernández-Medina, Mario Piattini


Business Processes are a crucial issue for many companies because they are the key to maintain competitiveness. Moreover, business processes are important for software developers, since they can capture from them the necessary requirements for software design and creation. Besides, business process modeling is the center for conducting and improving how the business is operated. Security is important for business performance, but traditionally, it is considered after the business processes definition. Empirical studies show that, at the business process level, customers, end users, and business analysts are able to express their security needs. In this work, we will present a proposal aimed at integrating security requirements and role identification for RBAC, through business process modeling. We will summarize our UML 2.0 profile for modeling secure business process through activity diagrams, and we will apply this approach to a typical health-care business process.


  1. Artelsmair, C. and Wagner, R.; Towards a Security Engineering Process, The 7th World Multiconference on Systemics, Cybernetics and Informatics. Vol. VI. Orlando, Florida, USA. (2003). pp.22-27.
  2. Atluri, V.; Security for Workflow Systems, Information Security Technical Report. Vol. 6 (2). (2001). pp.59-68.
  3. Backes, M., Pfitzmann, B. and Waider, M.; Security in Business Process Engineering, International Conference on Business Process Management. Vol. 2678, LNCS. Eindhoven, The Netherlands. (2003). pp.168-183.
  4. Bertino, E.; RBAC models - concepts and trends, Computers and Security. Vol. 22 (6). (2003). pp.511-514.
  5. Bertino, E., Ferrari, E. and Atluri, V.; A Flexible model Supporting the Specification and Enforcement of Role-Based Authorizations in Workflow Management Systems, Second ACM Workshop on Role-Based Access Control, Fairfax (Virginia). (1997). pp.1-12.
  6. Bock, C.; UML 2 Activity and Action Models, Journal of Object Technology. Vol. 2 (4), July-August. (2003). pp.43-53.
  7. Bock, C.; UML 2 Activity and Action Models, Part 2: Actions, Journal of Object Technology. Vol. 2 (5), September-October. (2003). pp.41-56.
  8. Botha, R. A. and Eloff, J. H. P.; A framework for access control in workflow systems, Information Management & Computer Security. Vol. 9/3. (2001). pp.126-133.
  9. Caetano, A., Rito Silva, A. and Tribolet, J.; Business Process Modeling with Objects and Roles, 6th International Conference on Enterprise Information Systems (ICEIS 2004). Porto, Portugal. (2004). pp.109-114.
  10. Caetano, A., Zacarias, M., Rito Silva, A. and Tribolet, J.; A Role-Based Framework for Business Process Modeling, 38th Hawaii International Conference on System Sciences (HICSS-38 2005). Big Island, HI, USA. (2005). pp.130-136.
  11. Eriksson, H.-E. and Penker, M., Business Modeling with UML, OMG Press. (2001).
  12. Ferraiolo, D. F., Sandhu, R., Gavrila, S. I., Kuhn, D. R. and Chandramouli, R.; Proposed NIST standard for role-based access control, ACM Transactions on Information and System Security (TISSEC). Vol. 4 (3). (2001). pp.224-274.
  13. Firesmith, D.; Engineering Security Requirements, Journal of Object Technology. Vol. 2 (1), January-February. (2003). pp.53-68.
  14. Firesmith, D.; Specifying Reusable Security Requirements, Journal of Object Technology. Vol. 3 (1), January-February. (2004). pp.61-75.
  15. Giaglis, G. M.; A Taxonomy of Business Process Modelling and Information Systems Modelling Techniques, International Journal of Flexible Manufacturing Systems. Vol. 13 (2). (2001). pp.209-228.
  16. Herrmann, G. and Pernul, G.; Viewing Business Process Security from Different Perspectives, 11th International Bled Electronic Commerce Conference. Slovenia. (1998). pp.89-103.
  17. Kalnins, A., Barzdins, J. and Celms, E.; UML Business Modeling Profile, Thirteenth International Conference on Information Systems Development, Advances in Theory, Practice and Education. Vilnius, Lithuania. (2004). pp.182-194.
  18. List, B. and Korherr, B.; A UML 2 Profile for Business Process Modelling, 1st International Workshop on Best Practices of UML (BP-UML 2005) at ER-2005. Klagenfurt, Austria. (2005).
  19. Liu, P. and Chen, Z.; An Extended RBAC Model for Web Services in Business Process, IEEE International Conference on E-Commerce Technology for Dynamic E-Business (CEC-East'04). (2004). pp.100-107.
  20. Lodderstedt, T., Basin, D. and Doser, J.; SecureUML: A UML-Based Modeling Language for Model-Driven Security, UML 2002 - The Unified Modeling Language, 5th International Conference. Vol. 2460. Dresden, Germany. (2002). pp.426-441.
  21. Maña, A., Montenegro, J. A., Rudolph, C. and Vivas, J. L.; A business process-driven approach to security engineering, 14th. International Workshop on Database and Expert Systems Applications (DEXA). Prague, Czech Republic. (2003). pp.477-481.
  22. Maña, A., Ray, D., Sánchez, F. and Yagüe, M. I.; Integrando la Ingeniería de Seguridad en un Proceso de Ingeniería Software, VIII Reunión Española de Criptología y Seguridad de la Información, RECSI'04. Leganés, Madrid. España. (2004). pp.383-392.
  23. Mega; Business process Modeling and Standardization. In (2004).
  24. Mouratidis, H., Giorgini, P. and Manson, G. A.; When security meets software engineering: a case of modelling secure information systems, Information Systems. Vol. 30 (8). (2005). pp.609-629.
  25. Object Management Group; Unified Modeling Language: Superstructure, version 2.0, formal/05-07-04. In (2005).
  26. Quirchmayr, G.; Survivability and Business Continuity Management, ACSW Frontiers 2004 Workshops. Dunedin, New Zealand. (2004). pp.3-6.
  27. Rodríguez, A., Fernández-Medina, E. and Piattini, M.; Integrating Security Requirement with a UML 2.0 Profile, International Symposium on Frontiers in Availability, Reliability and Security in conjunction with ARES 2006. Accepted. Vienna, Austria. (2006).
  28. Röhm, A. W., Herrmann, G. and Pernul, G.; A Language for Modelling Secure Business Transactions, 15th. Annual Computer Security Applications Conference. Phoenix, Arizona. (1999). pp.22-31.
  29. Roser, S. and Bauer, B.; A Categorization of Collaborative Business Process Modeling Techniques, 7th IEEE International Conference on E-Commerce Technology Workshops (CEC 2005). Munchen, Germany. (2005). pp.43-54.
  30. Sandhu, R. and Samarati, P.; Authentication, Access Control, and Audit, ACM Computing Surveys. Vol. 28 Nº1 March 1996. (1996). pp.241-243.
  31. Sandhu, R. S.; Future Directions in Role-Based Access Control Models, International Workshop on Information Assurance in Computer Networks: Methods, Models, and Architectures for Network Security. Vol. 2052. St. Petersburg, Russia. (2001). pp.22-26.
  32. Stefanov, V., List, B. and Korherr, B.; Extending UML 2 Activity Diagrams with Business Intelligence Objects, 7th International Conference on Data Warehousing and Knowledge Discovery (DaWaK2005). Copenhagen, Denmark. (2005).
  33. Tryfonas, T. and Kiountouzis, E. A.; Perceptions of Security Contributing to the Implementation of Secure IS, Security and Privacy in the Age of Uncertainty, IFIP TC11 18th International Conference on Information Security (SEC2003). Vol. 250. Athens, Greece. (2003). pp.313-324.
  34. van Wyk, K. R. and McGraw, G.; Bridging the Gap between Software Development and Information Security, IEEE Security and Privacy. Vol. 3 (5). (2005). pp.75-79.
  35. W.M.P. van der Aalst, Hofstede, A. H. M. t. and Weske, M.; Business Process Management: A Survey, International Conference on Business Process Management (BPM 2003). Volume 2678 (LNCS). Eindhoven, The Netherlands. (2003). pp.1-12.
  36. WfMC, Workflow Management Coalition: Terminology & Glossary., (1999). p.65.
  37. Zuccato, A.; Holistic security requirement engineering for electronic commerce, Computers & Security. Vol. 23 (1). (2004). pp.63-76.

Paper Citation

in Harvard Style

Rodríguez A., Fernández-Medina E. and Piattini M. (2006). Towards a UML 2.0 Profile for RBAC Modeling in Activity Diagrams . In Proceedings of the 4th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2006) ISBN 978-972-8865-52-8, pages 174-184. DOI: 10.5220/0002483901740184

in Bibtex Style

author={Alfonso Rodríguez and Eduardo Fernández-Medina and Mario Piattini},
title={Towards a UML 2.0 Profile for RBAC Modeling in Activity Diagrams},
booktitle={Proceedings of the 4th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2006)},

in EndNote Style

JO - Proceedings of the 4th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2006)
TI - Towards a UML 2.0 Profile for RBAC Modeling in Activity Diagrams
SN - 978-972-8865-52-8
AU - Rodríguez A.
AU - Fernández-Medina E.
AU - Piattini M.
PY - 2006
SP - 174
EP - 184
DO - 10.5220/0002483901740184