![Page 1: Conceptualizing a Responsibility based Approach for Elaborating …gaius.isri.cmu.edu/relaw/2010/slides/relaw10-feltus.pdf · 2011. 8. 19. · Conceptualizing a Responsibility based](https://reader034.fdocuments.in/reader034/viewer/2022052104/603ee7d3156d0f0ee8160ac5/html5/thumbnails/1.jpg)
Conceptualizing a Responsibility based Approach for
Elaborating and Verifying RBAC Policies Conforming
with CobiT Framework Requirements
Christophe Feltus, Eric Dubois, Michaël Petit
Third International Workshop on Requirements Engineering and Law
(RELAW 10) - September 28th 2010
Page 2
Motivation
The concept of role
Business role
Application role
Governance requirements
Page 3
Motivation
Our approach
The method that we target is a two-step approach.
Page 4
Outlines
Presentation of the Responsibility meta-model
Mapping with CobiT
Mapping with RBAC
Example of assignment process
Conclusions and future works
Page 5
Presentation of the Responsibility meta-model
Elaboration of the meta-model
A state assigned to an employee to signify to him his obligation concerning a behavior, the accountability regarding this obligation, and the right necessary to perform it.
Page 6
Concept of obligation/accountability
Page 7
Concept of right
Page 8
Assignment/delegation process
Page 10
Building the responsibilities
Responsibilities in CobiT are represented using a RACI chart
AI6: Manage Change
Assess impact and prioritise changes based on business needs
Same rights and obligations for all employees?
Need more precision
Page 11
Collection of tasks
Responsibilities from CobiT
Instantiation with CobiT information:
4 responsibilities, business roles (from RACI) and tasks (partially)
Page 12
Responsibilities to tasks association
From CobiT:
From ITIL:
From the company:
Page 13
Responsibilities to tasks association
From CobiT:
From ITIL:
From the company:
Responsible is the employee who gets the action done
Accountable is the employee who provides direction and authorizes an action
Page 14
Rights to tasks association
From CobiT:
Page 15
Rights to tasks association
From CobiT:
Page 17
Role Based Access Control
To simplify the management of granting permissions to users
3 main elements: User, Role and Permission
2 main functions: User-role assignment (URA) and Permission-role assignment (PRA)
Page 18
Mapping responsibility to RBAC role
Business role from CobiT = RBAC concept of role?
No, because:
CobiT role (or business role): an employee assigned to that role is not necessarily assigned as responsible for all the tasks of the activities.
If business role = application role, some employees receive too many permissions.
Page 19
Mapping responsibility to RBAC role
The employee is consulted during the assignment process
Page 20
Mapping responsibility to RBAC role
Page 22
Example of assignment process
Task: Prioritizing changes
That task corresponds to one responsibility: being responsible for the activity Assess impact and prioritise changes
Following the RACI chart, that activity is assigned to the business roles: BPO, PMO, Head operation, Head development
Page 23
Example of assignment process
Suppose Bob is a BPO identified by the CobiT manager
The RBAC administrator may assign, for that task:
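The two points made above, that a business role used directly as an application role grants too many permissions, and that the RBAC administrator instead assigns Bob only the responsibility for one task, as an added Python example that is not part of the slides; the task breakdown of the activity, the right names and the "R" marking of the four business roles are constructed assumptions:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Responsibility:
    """Obligation on one task of an activity, plus the rights needed to perform it."""
    activity: str
    business_role: str
    task: str
    raci: str       # "R": gets the action done; "A": provides direction and authorizes
    rights: frozenset

# RACI excerpt for the CobiT AI6 activity: the slides name these four business roles
# as assigned to it; marking all four "R" is a constructed assumption.
ACTIVITY = "Assess impact and prioritise changes"
RACI = {"BPO": "R", "PMO": "R", "Head operation": "R", "Head development": "R"}
# Constructed breakdown of the activity into tasks and the rights each task needs.
TASKS = {
    "Assess impact": frozenset({"read:change_request", "read:cmdb"}),
    "Prioritizing changes": frozenset({"read:change_request", "write:change_priority"}),
}

def naive_permissions(business_role):
    """Business role used directly as application role: every right of every task of
    the activity is granted, whether or not the employee actually performs the task."""
    if business_role not in RACI:
        return frozenset()
    return frozenset().union(*TASKS.values())

def build_responsibilities():
    """Step 1: one responsibility per (business role, task) pair from the RACI chart."""
    return [Responsibility(ACTIVITY, role, task, raci, rights)
            for role, raci in RACI.items() for task, rights in TASKS.items()]

def assign(employee, business_role, task, commits):
    """Step 2: the RBAC administrator assigns one responsibility to a named employee.
    The employee is consulted and must commit; only that task's rights form the
    application role, so nothing beyond the task is granted."""
    if not commits:
        raise ValueError(f"{employee} did not commit to '{task}'")
    for r in build_responsibilities():
        if r.business_role == business_role and r.task == task:
            return {"user": employee, "app_role": f"{task} ({business_role})", "rights": r.rights}
    raise LookupError(f"no responsibility for {business_role} on '{task}'")

if __name__ == "__main__":
    bob = assign("Bob", "BPO", "Prioritizing changes", commits=True)
    print("Bob receives:", sorted(bob["rights"]))
    print("Naive role mapping would additionally grant:",
          sorted(naive_permissions("BPO") - bob["rights"]))
```

The difference between the two sets printed at the end is exactly the excess permission the slides warn about when business role and application role are equated.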
Page 25
Conclusions and future works
Business needs for a better alignment of the employees' responsibility from the management frameworks down to the technical rules
Our approach is to use the responsibility as a pivot between high-layer requirements and technical rules.
Step 1: Responsibility building: from Business Role, Activities, Tasks, and Rights to Responsibilities
Step 2: Responsibility assignment: from Responsibilities, Employees, Commitment to Application roles assigned to users
Page 26
Conclusions and future works
The meta-model of responsibility is considered more or less stable
The method is theoretical and has been exploited based on the CobiT framework
Apply it to other frameworks
Generalize the approach
Case study
Page 27
Thank you! Questions?