RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC...

download RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

of 26

Transcript of RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC...

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    1/26

    Conceptualizing a Responsibility based Approach for

    Elaborating and Verifying RBAC Policies Conforming

    with CobiT Framework Requirements

    Christophe Feltus, Eric Dubois, Michal Petit

    Third International Workshop on Requirements Engineering and Law

    (RELAW 10) - September 28th2010

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    2/26

    Motivation

    The concept of role Business role

    Application role

    Governance requirements

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    3/26

    Motivation

    Our approach The method that we target is a 2 steps approach

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    4/26

    Outlines

    Presentation of the Responsibility meta-model Mapping with CobiT

    Mapping with RBAC

    Example of assignment process

    Conclusions and future works

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    5/26

    Outlines

    Presentation of the Responsibility meta-model Mapping with CobiT

    Mapping with RBAC

    Example of assignment process

    Conclusions and future works

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    6/26

    Presentation of the Responsibility meta-

    model

    Elaboration of the model Employee, right, obligation, commitment and behavior

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    7/26

    Presentation of the Responsibility meta-

    model

    Elaboration of the model Employee, right, obligation, commitment and behavior

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    8/26

    Concept of obligation/accountability

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    9/26

    Concept of right

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    10/26

    Assignment/delegation process

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    11/26

    Outlines

    Presentation of the Responsibility meta-model Mapping with CobiT

    Mapping with RBAC

    Example of assignment process

    Conclusions and future works

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    12/26

    Building the responsibilities

    Responsibility in CobiT are represented using a RACIchart

    AI6:Manage Change

    160 possibilities

    Same rights and obligations to all employees ?

    Need more precisions

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    13/26

    Collect of tasks

    Responsibilities from CobiT

    Instantiation with CobiT informations :

    4 responsibilities, business role (from RACI) and tasks (partially)

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    14/26

    Responsibilities to tasks association

    From CobiT:

    From ITIL:

    From the company:

    is the employee who gets the action done

    is the employee, who provides direction and

    authorizes an action

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    15/26

    Rights to tasks association

    From CobiT:

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    16/26

    Outlines

    Presentation of the Responsibility meta-model Mapping with CobiT

    Mapping with RBAC

    Example of assignment process

    Conclusions and future works

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    17/26

    Role Based Access Control To simplify the management of granting permissions to

    users

    3 main elements :

    User, Role and Permission

    2 main functions :

    User-role

    assignment (URA)

    Permission-role

    assignment (PRA)

    RBAC :

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    18/26

    Mapping responsibility to RBAC role

    Business role from Cobit = RBAC concept of role ? No, because :

    Cobit Role (or Business role): an employee assigned to that role

    is not obligatory assigned responsible for all the task of therole.

    RBAC Role (or Application role): an employee assigned to that

    role gets all the permissions needed by that role.

    If Business role = applictaion role, some employees receives to

    much permissions.

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    19/26

    Mapping responsibility to RBAC role

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    20/26

    Mapping responsibility to RBAC role

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    21/26

    Outlines

    Presentation of the Responsibility meta-model Mapping with CobiT

    Mapping with RBAC

    Example of assignment process

    Conclusions and future works

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    22/26

    Example of assignment process

    Task : Prioritizing changes That task corresponds to one responsibility of being

    responsible of activityAssess impact and prioritizing changes

    Following RACI chart : that activity is assigned to the

    business roles : BPO, PMO, Head operation, Head development

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    23/26

    Example of assignment process

    Suppose Bob one BPO identified by the CobiT manager

    RBAC adminsitrator may assigned for that task:

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    24/26

    Outlines

    Presentation of the Responsibility meta-model Mapping with CobiT

    Mapping with RBAC

    Example of assignment process

    Conclusions and future works

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    25/26

    Conclusions and future works

    Business needs for a better alignement of the employeesresponsibility from the management frameworks down to

    the technical rules

    Our approach is to use the responibility as a pivite between

    high layer requirements down to techical rules. Step 1: Responsibility building :

    Business Role, Activities, Tasks, and Rights Responsibilities

    Step 2 : Responsibility assignment :

    Responsibilities, Employees, CommitmentApplication roles assigned to users

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    26/26

    Thank you ! Questions ?


INFS 767 Fall 2003 RBAC-MAC-DAC

INFS 767 Fall 2003 RBAC-MAC-DAC

EXTENDING, EXPANDING AND ELABORATING

EXTENDING, EXPANDING AND ELABORATING

What is Abac, Rbac, Etc

What is Abac, Rbac, Etc

Role based access control - RBAC

Role based access control - RBAC

Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC)

RBAC in the Solaris Operating Environment...2 RBAC in the Solaris Operating Environment For a physical analogy illustrating the superuser model versus RBAC, consider a company where

RBAC in the Solaris Operating Environment...2 RBAC in the Solaris Operating Environment For a physical analogy illustrating the superuser model versus RBAC, consider a company where

RBAC-Capability Project

RBAC-Capability Project

RBAC Volume 47 Número 3 Ano 2015

RBAC Volume 47 Número 3 Ano 2015

INFS 767 Fall 2003 Administrative RBAC ARBAC97

INFS 767 Fall 2003 Administrative RBAC ARBAC97

Elaborating the Correlates of Firearm Injury Severity ... · ELABORATING THE CORRELATES OF FIREARM INJURY SEVERITY . COMBINING CRIMINOLOGICAL AND PUBLIC HEALTH CONCERNS . ABSTRACT

Elaborating the Correlates of Firearm Injury Severity ... · ELABORATING THE CORRELATES OF FIREARM INJURY SEVERITY . COMBINING CRIMINOLOGICAL AND PUBLIC HEALTH CONCERNS . ABSTRACT

ROLE BASED ACCESS CONTROL (RBAC) John Barkley RBAC Project Leader Software Diagnostics and Conformance Testing National Institute of Standards and Technology.

ROLE BASED ACCESS CONTROL (RBAC) John Barkley RBAC Project Leader Software Diagnostics and Conformance Testing National Institute of Standards and Technology.

DTT RBAC Presentation 20080724

DTT RBAC Presentation 20080724

ELABORATING THE NEED OF CROSS-CULTURAL TRAINING …ijtbm.com/Images/Short_pdf/1444804424_Dr_Hsiu_ching_Ko_3.pdfINTERNATIONAL JOURNAL OF TRANSFORMATIONS IN BUSINESS MANAGEMENT ELABORATING

ELABORATING THE NEED OF CROSS-CULTURAL TRAINING …ijtbm.com/Images/Short_pdf/1444804424_Dr_Hsiu_ching_Ko_3.pdfINTERNATIONAL JOURNAL OF TRANSFORMATIONS IN BUSINESS MANAGEMENT ELABORATING

Migrating from DAC to RBAC

Migrating from DAC to RBAC

Conceptualizing a Responsibility based Approach for Elaborating …gaius.isri.cmu.edu/relaw/2010/slides/relaw10-feltus.pdf · 2011. 8. 19. · Conceptualizing a Responsibility based

Conceptualizing a Responsibility based Approach for Elaborating …gaius.isri.cmu.edu/relaw/2010/slides/relaw10-feltus.pdf · 2011. 8. 19. · Conceptualizing a Responsibility based

K8s rbac-sso

K8s rbac-sso

Elaborating Academic Enterprise

Elaborating Academic Enterprise

Role Based Access Controls (RBAC) Technical … Role Based Access Controls (RBAC) Technical Overview & Enhancements Executive Summary The Role Based Access Control (RBAC) or User Authorization

Role Based Access Controls (RBAC) Technical … Role Based Access Controls (RBAC) Technical Overview & Enhancements Executive Summary The Role Based Access Control (RBAC) or User Authorization

RbAC 3rd Review Ppt

RbAC 3rd Review Ppt

- RBAC - An Amateur Attempt

- RBAC - An Amateur Attempt