RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC...

download RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

of 26

Transcript of RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC...

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    1/26

    Conceptualizing a Responsibility based Approach for

    Elaborating and Verifying RBAC Policies Conforming

    with CobiT Framework Requirements

    Christophe Feltus, Eric Dubois, Michal Petit

    Third International Workshop on Requirements Engineering and Law

    (RELAW 10) - September 28th2010

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    2/26

    Motivation

    The concept of role Business role

    Application role

    Governance requirements

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    3/26

    Motivation

    Our approach The method that we target is a 2 steps approach

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    4/26

    Outlines

    Presentation of the Responsibility meta-model Mapping with CobiT

    Mapping with RBAC

    Example of assignment process

    Conclusions and future works

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    5/26

    Outlines

    Presentation of the Responsibility meta-model Mapping with CobiT

    Mapping with RBAC

    Example of assignment process

    Conclusions and future works

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    6/26

    Presentation of the Responsibility meta-

    model

    Elaboration of the model Employee, right, obligation, commitment and behavior

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    7/26

    Presentation of the Responsibility meta-

    model

    Elaboration of the model Employee, right, obligation, commitment and behavior

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    8/26

    Concept of obligation/accountability

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    9/26

    Concept of right

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    10/26

    Assignment/delegation process

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    11/26

    Outlines

    Presentation of the Responsibility meta-model Mapping with CobiT

    Mapping with RBAC

    Example of assignment process

    Conclusions and future works

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    12/26

    Building the responsibilities

    Responsibility in CobiT are represented using a RACIchart

    AI6:Manage Change

    160 possibilities

    Same rights and obligations to all employees ?

    Need more precisions

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    13/26

    Collect of tasks

    Responsibilities from CobiT

    Instantiation with CobiT informations :

    4 responsibilities, business role (from RACI) and tasks (partially)

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    14/26

    Responsibilities to tasks association

    From CobiT:

    From ITIL:

    From the company:

    is the employee who gets the action done

    is the employee, who provides direction and

    authorizes an action

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    15/26

    Rights to tasks association

    From CobiT:

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    16/26

    Outlines

    Presentation of the Responsibility meta-model Mapping with CobiT

    Mapping with RBAC

    Example of assignment process

    Conclusions and future works

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    17/26

    Role Based Access Control To simplify the management of granting permissions to

    users

    3 main elements :

    User, Role and Permission

    2 main functions :

    User-role

    assignment (URA)

    Permission-role

    assignment (PRA)

    RBAC :

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    18/26

    Mapping responsibility to RBAC role

    Business role from Cobit = RBAC concept of role ? No, because :

    Cobit Role (or Business role): an employee assigned to that role

    is not obligatory assigned responsible for all the task of therole.

    RBAC Role (or Application role): an employee assigned to that

    role gets all the permissions needed by that role.

    If Business role = applictaion role, some employees receives to

    much permissions.

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    19/26

    Mapping responsibility to RBAC role

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    20/26

    Mapping responsibility to RBAC role

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    21/26

    Outlines

    Presentation of the Responsibility meta-model Mapping with CobiT

    Mapping with RBAC

    Example of assignment process

    Conclusions and future works

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    22/26

    Example of assignment process

    Task : Prioritizing changes That task corresponds to one responsibility of being

    responsible of activityAssess impact and prioritizing changes

    Following RACI chart : that activity is assigned to the

    business roles : BPO, PMO, Head operation, Head development

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    23/26

    Example of assignment process

    Suppose Bob one BPO identified by the CobiT manager

    RBAC adminsitrator may assigned for that task:

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    24/26

    Outlines

    Presentation of the Responsibility meta-model Mapping with CobiT

    Mapping with RBAC

    Example of assignment process

    Conclusions and future works

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    25/26

    Conclusions and future works

    Business needs for a better alignement of the employeesresponsibility from the management frameworks down to

    the technical rules

    Our approach is to use the responibility as a pivite between

    high layer requirements down to techical rules. Step 1: Responsibility building :

    Business Role, Activities, Tasks, and Rights Responsibilities

    Step 2 : Responsibility assignment :

    Responsibilities, Employees, CommitmentApplication roles assigned to users

  • 8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements

    26/26

    Thank you ! Questions ?


Ucs rbac aaa-backu-ps

Ucs rbac aaa-backu-ps

ARBAC 97 (ADMINISTRATIVE RBAC)

ARBAC 97 (ADMINISTRATIVE RBAC)

Law, Logic and Business Processes - RE @ CMUgaius.isri.cmu.edu/relaw/2010/slides/relaw10-governatori.pdfLaw, Logic and Business Processes Guido Governatori RELaw 2010, ... Alignment

Law, Logic and Business Processes - RE @ CMUgaius.isri.cmu.edu/relaw/2010/slides/relaw10-governatori.pdfLaw, Logic and Business Processes Guido Governatori RELaw 2010, ... Alignment

Access Control RBAC Database Activity Monitoring.

Access Control RBAC Database Activity Monitoring.

Role based access control - RBAC

Role based access control - RBAC

RBAC and Usage Control

RBAC and Usage Control

EXTENDING, EXPANDING AND ELABORATING - PrAACtical AAC

EXTENDING, EXPANDING AND ELABORATING - PrAACtical AAC

ContractContract--Based Requirements …gaius.isri.cmu.edu/relaw/2010/slides/relaw10-berenbach.pdfContractContract--Based Requirements EngineeringBased Requirements Engineering Thi

ContractContract--Based Requirements …gaius.isri.cmu.edu/relaw/2010/slides/relaw10-berenbach.pdfContractContract--Based Requirements EngineeringBased Requirements Engineering Thi

RBAC in Solaris

RBAC in Solaris

Bluesocket vWLAN Domain & RBAC Configuration

Bluesocket vWLAN Domain & RBAC Configuration

ROLE BASED ACCESS CONTROL (RBAC) John Barkley RBAC Project Leader Software Diagnostics and Conformance Testing National Institute of Standards and Technology.

ROLE BASED ACCESS CONTROL (RBAC) John Barkley RBAC Project Leader Software Diagnostics and Conformance Testing National Institute of Standards and Technology.

ELABORATING THE NEED OF CROSS-CULTURAL TRAINING …ijtbm.com/Images/Short_pdf/1444804424_Dr_Hsiu_ching_Ko_3.pdfINTERNATIONAL JOURNAL OF TRANSFORMATIONS IN BUSINESS MANAGEMENT ELABORATING

ELABORATING THE NEED OF CROSS-CULTURAL TRAINING …ijtbm.com/Images/Short_pdf/1444804424_Dr_Hsiu_ching_Ko_3.pdfINTERNATIONAL JOURNAL OF TRANSFORMATIONS IN BUSINESS MANAGEMENT ELABORATING

RBAC and HIPAA SecurityWhy RBAC? • Using RBAC has several advantages compared to other access control mechanisms – Simplifies access definitions, auditing and administration of

RBAC and HIPAA SecurityWhy RBAC? • Using RBAC has several advantages compared to other access control mechanisms – Simplifies access definitions, auditing and administration of

RH + Administration of RBAC - profsandhu.com · 1 Administration of RBAC ISA 767, Secure Electronic Commerce Xinwen Zhang, xzhang6@gmu.edu George Mason University Fall 2005 RBAC 3:

RH + Administration of RBAC - profsandhu.com · 1 Administration of RBAC ISA 767, Secure Electronic Commerce Xinwen Zhang, [email protected] George Mason University Fall 2005 RBAC 3:

Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC)

Elaborating on Economic Diversification in Sustainable ...unfccc.int/files/cooperation_support/response_measures/application/... · Elaborating on Economic Diversification in Sustainable

Elaborating on Economic Diversification in Sustainable ...unfccc.int/files/cooperation_support/response_measures/application/... · Elaborating on Economic Diversification in Sustainable

Elaborating Academic Enterprise

Elaborating Academic Enterprise

DTT RBAC Presentation 20080724

DTT RBAC Presentation 20080724

INFS 767 Fall 2003 Administrative RBAC ARBAC97

INFS 767 Fall 2003 Administrative RBAC ARBAC97

INFS 767 Fall 2003 RBAC-MAC-DAC

INFS 767 Fall 2003 RBAC-MAC-DAC