8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

Transcript

    1/26

    Conceptualizing a Responsibility-based Approach for Elaborating and Verifying RBAC Policies Conforming with CobiT Framework Requirements

    Christophe Feltus, Eric Dubois, Michaël Petit

    Third International Workshop on Requirements Engineering and Law (RELAW'10), September 28th, 2010


    2/26

    Motivation

    The concept of role: business role vs. application role

    Governance requirements


    3/26

    Motivation

    Our approach: the method we target is a two-step approach.


    4/26

    Outline

    Presentation of the Responsibility meta-model

    Mapping with CobiT

    Mapping with RBAC

    Example of assignment process

    Conclusions and future works


    5/26

    Outline

    Presentation of the Responsibility meta-model

    Mapping with CobiT

    Mapping with RBAC

    Example of assignment process

    Conclusions and future works


    6/26

    Presentation of the Responsibility meta-model

    Elaboration of the model: employee, right, obligation, commitment and behavior


    7/26

    Presentation of the Responsibility meta-model

    Elaboration of the model: employee, right, obligation, commitment and behavior


    8/26

    Concept of obligation/accountability


    9/26

    Concept of right


    10/26

    Assignment/delegation process


    11/26

    Outline

    Presentation of the Responsibility meta-model

    Mapping with CobiT

    Mapping with RBAC

    Example of assignment process

    Conclusions and future works


    12/26

    Building the responsibilities

    Responsibilities in CobiT are represented using a RACI chart

    AI6: Manage Change

    160 possibilities

    Same rights and obligations for all employees?

    More precision is needed


    13/26

    Collecting the tasks

    Responsibilities from CobiT

    Instantiation with CobiT information:

    4 responsibilities, business roles (from the RACI chart) and tasks (partially)


    14/26

    Responsibilities-to-tasks association

    From CobiT:

    From ITIL:

    From the company:

    Responsible: the employee who gets the action done

    Accountable: the employee who provides direction and authorizes an action


    15/26

    Rights-to-tasks association

    From CobiT:


    16/26

    Outline

    Presentation of the Responsibility meta-model

    Mapping with CobiT

    Mapping with RBAC

    Example of assignment process

    Conclusions and future works


    17/26

    Role Based Access Control: simplifies the management of granting permissions to users

    3 main elements: User, Role and Permission

    2 main functions: user-role assignment (URA) and permission-role assignment (PRA)


    18/26

    Mapping responsibility to RBAC role

    Is the business role from CobiT the same as the RBAC concept of role? No, because:

    CobiT role (or business role): an employee assigned to that role is not necessarily responsible for all the tasks of the role.

    RBAC role (or application role): an employee assigned to that role gets all the permissions needed by that role.

    If business role = application role, some employees receive too many permissions.


    19/26

    Mapping responsibility to RBAC role


    20/26

    Mapping responsibility to RBAC role


    21/26

    Outline

    Presentation of the Responsibility meta-model

    Mapping with CobiT

    Mapping with RBAC

    Example of assignment process

    Conclusions and future works


    22/26

    Example of assignment process

    Task: Prioritizing changes. That task corresponds to one responsibility: being responsible for the activity "Assess impact and prioritize changes".

    Following the RACI chart, that activity is assigned to the business roles BPO, PMO, Head Operations and Head Development.


    23/26

    Example of assignment process

    Suppose Bob is one BPO identified by the CobiT manager.

    The RBAC administrator may then assign, for that task:
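    The two-step approach of the deck, worked through in code as an added example (this is not code from the slides or from the authors). Step 1 instantiates responsibilities from a RACI excerpt of AI6 Manage Change; step 2 derives the permissions for Bob either by equating his business role (BPO) with an application role, or from the single responsibility he actually commits to ("Prioritizing changes"), and then verifies the RBAC policy by listing every permission with no committed responsibility behind it. The activity "Assess impact and prioritize changes", its four business roles and Bob-as-BPO come from the slides; the second activity, all task names and all permission strings are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Responsibility:
    """One responsibility: a business role is R or A for a CobiT activity,
    which concretely means performing one task that requires some rights."""
    business_role: str
    activity: str
    raci: str               # "R" (gets the action done) or "A" (directs/authorizes)
    task: str
    rights: FrozenSet[str]  # application permissions the task requires


# --- Step 1: responsibility building ---------------------------------------
# RACI excerpt for CobiT AI6 Manage Change. The first activity and its four
# business roles are taken from the slides; the second activity is constructed.
RACI_AI6: Dict[str, Dict[str, str]] = {
    "Assess impact and prioritize changes": {
        "BPO": "R", "PMO": "R", "Head Operations": "R", "Head Development": "R",
    },
    "Authorize emergency changes": {"BPO": "A", "Head Operations": "R"},
}

# Task derived from each activity and the rights each task needs
# (constructed: the slides only show that such an association exists).
TASK_FOR_ACTIVITY: Dict[str, str] = {
    "Assess impact and prioritize changes": "Prioritizing changes",
    "Authorize emergency changes": "Approving emergency RFCs",
}
RIGHTS_FOR_TASK: Dict[str, FrozenSet[str]] = {
    "Prioritizing changes": frozenset({"rfc:read", "rfc:set_priority"}),
    "Approving emergency RFCs": frozenset({"rfc:read", "rfc:approve_emergency"}),
}


def build_responsibilities(raci, task_for_activity, rights_for_task) -> List[Responsibility]:
    """Instantiate one Responsibility per (business role, activity) RACI cell."""
    out: List[Responsibility] = []
    for activity, cells in raci.items():
        task = task_for_activity[activity]
        for role, letter in cells.items():
            if letter not in ("R", "A"):
                continue  # Consulted / Informed carry no rights in this model
            out.append(Responsibility(role, activity, letter, task, rights_for_task[task]))
    return out


# --- Step 2: responsibility assignment -------------------------------------
def naive_role_permissions(business_role: str, responsibilities) -> Set[str]:
    """Business role == application role: every right of every task of the role."""
    return {r for resp in responsibilities
            if resp.business_role == business_role for r in resp.rights}


def committed_permissions(business_role: str, committed_tasks, responsibilities) -> Set[str]:
    """Responsibility-based: only the rights of the tasks the employee committed to."""
    return {r for resp in responsibilities
            if resp.business_role == business_role and resp.task in committed_tasks
            for r in resp.rights}


def surplus_permissions(granted, business_role, committed_tasks, responsibilities) -> Set[str]:
    """Verification: permissions in the RBAC policy with no committed responsibility behind them."""
    return set(granted) - committed_permissions(business_role, committed_tasks, responsibilities)


def assign_bob():
    """Bob is a BPO who commits only to the task 'Prioritizing changes'."""
    resps = build_responsibilities(RACI_AI6, TASK_FOR_ACTIVITY, RIGHTS_FOR_TASK)
    bob_tasks = {"Prioritizing changes"}
    naive = naive_role_permissions("BPO", resps)
    committed = committed_permissions("BPO", bob_tasks, resps)
    surplus = surplus_permissions(naive, "BPO", bob_tasks, resps)
    return naive, committed, surplus


if __name__ == "__main__":
    naive, committed, surplus = assign_bob()
    print("BPO mapped 1:1 to an application role:", sorted(naive))
    print("Rights of Bob's committed responsibility:", sorted(committed))
    print("Over-granted by the 1:1 mapping:", sorted(surplus))
```

    With the 1:1 mapping Bob also receives "rfc:approve_emergency", a right he needs for no task he committed to; the responsibility-based assignment yields the application role URA/PRA for "Prioritizing changes" only, and the surplus check is the verification step the title refers to.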


    24/26

    Outline

    Presentation of the Responsibility meta-model

    Mapping with CobiT

    Mapping with RBAC

    Example of assignment process

    Conclusions and future works


    25/26

    Conclusions and future works

    Business needs a better alignment of the employees' responsibilities, from the management frameworks down to the technical rules.

    Our approach uses the responsibility as a pivot between high-layer requirements and technical rules.

    Step 1: Responsibility building: business role, activities, tasks and rights yield the responsibilities.

    Step 2: Responsibility assignment: responsibilities, employees and commitments yield the application roles assigned to users.


    26/26

    Thank you ! Questions ?