Model checking authorization requirements in business processes

• Published in: Computers & security Vol. 40; pp. 1 - 22
• Main Authors: Armando, Alessandro, Ponta, Serena Elisa
• Format: Journal Article
• Language: English
• Published: Amsterdam Elsevier Ltd 01.02.2014; Elsevier; Elsevier Sequoia S.A
• Subjects: Access control; Applied sciences; Authorization requirements; Authorizations; Automatic security analysis; Business; Computer science; control theory; systems; Computer systems and distributed systems. User interface; Computer systems performance. Reliability; Economics; Exact sciences and technology; Information systems. Data bases; Loan originations; Loans; Mathematical models; Memory and file management (including protection and security); Memory organisation. Data processing; Model checking; Organizational control; Policies; Requirements analysis; Security-sensitive business process; Software; Specifications; Studies; Workflow; Access control; Model checking; Authorization requirements; Security-sensitive business process; Organizational control; Automatic security analysis; Groupware; Legislation; Workflow; Integrated management; Delegation; Program verification; Role-based access control; Business process; Loan; Duty separation; Formal specification; Static analysis; Licence procedure; Firm management; Automatic analysis; Computer security
• ISSN: 0167-4048; 1872-6208
• DOI: 10.1016/j.cose.2013.10.002

Business processes are usually expected to meet high level authorization requirements (e.g., Separation of Duty). Since violation of authorization requirements may lead to economic losses and/or legal implications, ensuring that a business process meets them is of paramount importance. Previous work showed that model checking can be profitably used to check authorization requirements in business processes. However, building formal models that simultaneously account for both the workflow and the access control policy is a time consuming and error-prone activity. In this paper we present a new approach to model checking authorization requirements in business processes that allows for the separate specification of the workflow and of the associated access control policy while retaining the ability to carry out a fully automatic analysis of the business process. To illustrate the effectiveness of the approach we describe its application to a Loan Origination Process subject to an RBAC access control policy featuring conditional permission assignments and delegation.