Vahid R. Karimi, Donald D. Cowan


A business model describes certain operations of an enterprise, and an important aspect of business operations deals with the specification of access control policies, which are used to constrain the business operations by adding what should, could, or must be. We describe the use of patterns for presenting access control models and policies. Our goal is to specify access control policies such that they are based on access control models and have the capability of policy languages, thereby making the foundational blocks of these policies and operational models identical. Thus, the integration of these policies into operational models is straightforward. To show our approach, we use Role-based Access Control (RBAC), a well-known access control model, and also select a business process model whose foundational building blocks are Resources, Events, and Agents (REA). We make three main contributions: 1) the use of the same foundational building blocks and similar models to describe business processes and access control models, 2) access control policies that are based on an access control model, and 3) access control policies that are rule-based and akin to policy languages. As a result, such models are more understandable, and their future modifications are more straightforward.



Paper Citation

in Harvard Style

Karimi, V. R. and Cowan, D. D. (2010). ACCESS CONTROL MODELS FOR BUSINESS PROCESSES. In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2010), ISBN 978-989-8425-18-8, pages 489-498. DOI: 10.5220/0002959904890498
