Aligning Business Process Access Control Policies with Enterprise Architecture

Abstract

Access control policies are a fundamental building block in meeting security and privacy requirements in organizations across business processes, enterprise architectures, and software architectures. Usage of different models for business processes and software makes eliciting and enforcing access control policies hard. Approaches like enterprise architecture management target complex mutual interdependencies between business and IT models but can be hard to apply. We suggest an approach to derive access control requirements from business processes and test compliance of software designs by data flow analyses. As a result, business processes and software designs are aligned w.r.t. access control requirements.