8/12/2019 RELAW 2010 _ Conceptualizing a Responsibility Based Approach for Elaborating and Verifying RBAC Policies Conforming With CobiT Framework Requirements
1/26
Conceptualizing a Responsibility-based Approach for Elaborating and Verifying RBAC Policies Conforming with CobiT Framework Requirements
Christophe Feltus, Eric Dubois, Michaël Petit
Third International Workshop on Requirements Engineering and Law (RELAW'10), September 28th, 2010
Motivation
The concept of role: business role vs. application role
Governance requirements
Motivation
Our approach: the method that we target is a two-step approach
Outline
Presentation of the Responsibility meta-model
Mapping with CobiT
Mapping with RBAC
Example of assignment process
Conclusions and future work
Presentation of the Responsibility meta-model
Elaboration of the model: employee, right, obligation, commitment and behavior
Concept of obligation/accountability
Concept of right
Assignment/delegation process
Building the responsibilities
Responsibilities in CobiT are represented using a RACI chart
AI6: Manage Change
160 possibilities
Same rights and obligations for all employees?
More precision is needed
Collection of tasks
Responsibilities from CobiT
Instantiation with CobiT information: 4 responsibilities, business roles (from the RACI chart) and tasks (partially)
Responsibilities-to-tasks association
From CobiT:
From ITIL:
From the company:
Responsible is the employee who gets the action done
Accountable is the employee who provides direction and authorizes an action
Rights-to-tasks association
From CobiT:
Role Based Access Control (RBAC): to simplify the management of granting permissions to users
3 main elements: User, Role and Permission
2 main functions: User-role assignment (URA) and Permission-role assignment (PRA)
Mapping responsibility to RBAC role
Is the business role from CobiT the same as the RBAC concept of role? No, because:
CobiT role (or business role): an employee assigned to that role is not necessarily responsible for all the tasks of the role.
RBAC role (or application role): an employee assigned to that role gets all the permissions needed by that role.
If business role = application role, some employees receive too many permissions.
Example of assignment process
Task: prioritizing changes. That task corresponds to one responsibility: being responsible for the activity "Assess impact and prioritize changes".
Following the RACI chart, that activity is assigned to the business roles BPO, PMO, Head of operations and Head of development.
Suppose Bob is a BPO identified by the CobiT manager. The RBAC administrator may assign for that task:
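As an added worked example (not code from the paper or its authors), the following Python models the deck's two-step approach on the AI6 example above and contrasts it with mapping the business role directly onto an RBAC role. The business roles and the task "Assess impact and prioritize changes" come from the slides; the second task, the right names and Bob's commitments are assumptions.

```python
# Added example (not from the RELAW'10 paper): responsibility building and
# responsibility assignment for CobiT AI6 "Manage Change". The second task
# and all right names are constructed placeholders for illustration.

# Step 1, responsibility building: each responsibility binds one task to the
# rights needed for it and to the RACI business roles allowed to hold it.
RESPONSIBILITIES = {
    "prioritize_changes": {
        "task": "Assess impact and prioritize changes",        # from the slides
        "raci_roles": {"BPO", "PMO", "Head of operations", "Head of development"},
        "rights": {"change.read", "change.set_priority"},
    },
    "authorize_change": {                                      # hypothetical
        "task": "Authorize change implementation",
        "raci_roles": {"BPO", "Head of development"},
        "rights": {"change.read", "change.authorize"},
    },
}


def business_role_as_rbac_role(business_role):
    """Business role == application role: grant every right of every task the
    role appears on in the RACI chart (the over-provisioning the deck warns about)."""
    return set().union(*(r["rights"] for r in RESPONSIBILITIES.values()
                         if business_role in r["raci_roles"]))


def assign_responsibility(employee, responsibility_id):
    """Step 2, responsibility assignment: commit the employee to one
    responsibility, refusing it if the RACI chart does not allow the role."""
    resp = RESPONSIBILITIES[responsibility_id]
    if employee["business_role"] not in resp["raci_roles"]:
        raise PermissionError(f"{employee['business_role']} may not hold {responsibility_id}")
    employee["commitments"].add(responsibility_id)


def application_permissions(employee):
    """Rights derived only from the responsibilities the employee committed to."""
    return set().union(*(RESPONSIBILITIES[r]["rights"] for r in employee["commitments"]))


def verify_policy(employee, granted):
    """Verification step: rights granted by the RBAC policy that no commitment
    justifies, and committed rights the policy fails to grant."""
    expected = application_permissions(employee)
    return {"unjustified": granted - expected, "missing": expected - granted}


if __name__ == "__main__":
    bob = {"name": "Bob", "business_role": "BPO", "commitments": set()}
    assign_responsibility(bob, "prioritize_changes")
    print(sorted(application_permissions(bob)))
    print(verify_policy(bob, business_role_as_rbac_role("BPO")))
```

Running it shows Bob receiving only the rights of the task he committed to, while the direct business-role mapping would also grant him the unjustified right of the second task.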
Conclusions and future work
Business need for a better alignment of the employees' responsibilities from the management frameworks down to the technical rules.
Our approach is to use the responsibility as a pivot between high-layer requirements and technical rules.
Step 1, responsibility building: from business roles, activities, tasks and rights to responsibilities.
Step 2, responsibility assignment: from responsibilities, employees and commitments to application roles assigned to users.
Thank you! Questions?