Conceptualizing a Responsibility based Approach for Elaborating and Verifying
RBAC Policies Conforming with CobiT Framework Requirements
Toward a Business/IT Alignment Method based on the Translation of Business to Application Roles
Christophe Feltus, Eric Dubois
Public Research Center Henri Tudor
Luxembourg-Kirchberg, Luxembourg
christophe.feltus@tudor.lu, eric.dubois@tudor.lu

Michael Petit
PReCISE Research Centre, Faculty of Computer Science, University of Namur, Belgium
mpe@info.fundp.ac.be
Abstract--The objective of this paper is to present the first results toward the definition of a two-step approach for aligning business level requirements issued from corporate frameworks such as CobiT down to technical policies such as the access rights modeled by RBAC. To achieve that, our approach is based on the concept of employees' responsibility. Using this concept is motivated by the importance and the omnipresence of responsibility all along the company frameworks, from the CEO responsibilities, such as those defined for the financial sector by the Sarbanes-Oxley Act, down to the responsibility at the operation layer, such as the one of a trader who must follow stock quotes for private banking. The approach is illustrated based on an example, which highlights how access rights are assigned to employees having responsibilities defined at the CobiT framework layer.

Keywords-Alignment; CobiT; Responsibility; Traceability; Access right; RBAC; Requirement engineering.

I. INTRODUCTION

In all the company's layers, standards and norms define business activities. Those activities are called strategic activities at the higher layer, such as the activity to report the company's results to the board of directors; management activities at the intermediary layer, like activities to manage the budget of a company unit; or operational activities at the lower layer, such as the activity to encode customers' data. For all of those activities, implementation rules (e.g. access right policies) must accordingly be defined. For instance, at the higher layer the CEO needs to have access to strategic data to prepare the company report; at the intermediary layer the unit managers need to have access to the accounting software to manage the budget; and at the lower layer secretaries need access to the customer database.

Meanwhile, governance standards and norms [1, 2, 3] request a strict alignment between these business layer activities and the corresponding rights. This strict alignment makes it possible, e.g., to respect the principle of least privilege and, by consequence, to provide the employees with strictly the rights which are indispensable to achieve their goals. For instance, it is not permitted to give access to the customer database to the whole team of secretaries if only one of them is concerned with the customers' records. The financial sector is particularly sensitive to this requirement and additionally requests traceability of this alignment of permissions and rights according to business needs. In practice, this alignment between the business view and the technical view is problematic, and so is the traceability of the rights assigned to the employee according to the business specifications.

In most companies, the management of employees' permissions and rights is done by using the central concept of a role, which makes it possible to manage a large number of users on the one hand and the permissions assigned to the role on the other hand. Role engineering is the process of defining roles, which ought to be assigned to a set of users who have the same function in the company. Role Based Access Control (RBAC [4]) has emerged as a reference model in this discipline. RBAC models two main types of assignments, which are the user-role assignment and the permission-role assignment. That means that a role is defined with a set of permissions and that users are assigned to this role to get the permissions.

Using the concept of role presents weaknesses due to the difficulty of aligning the roles defined at the business layer (business roles) with the roles used at the IT layer to operate IT transactions (application roles). This weakness brings out two kinds of situations. Firstly, the company restricts its number of application roles to the number of business roles. In this first case, the company works with a limited number of roles and employees consequently receive more permissions and rights than they need. In the second case, the company defines as many application roles as there are IT transaction possibilities. In this second case, the company works with many roles, which renders access right management difficult and decreases the advantages of managing access rights according to RBAC specifications. This problem mainly emerges due to the misalignment between business roles and application roles. Business roles gather employees with the same function who can have different tasks to perform, whereas application roles gather employees with the same tasks to perform who could be assigned to different business roles.

Based on the review of the literature, we have observed that the concept of responsibility is central to the business models and that it can be modeled with concepts from the business view, like the employee's obligations and accountabilities, and concepts from the technical view like
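The two role-engineering situations described in the introduction (application roles restricted to the business roles, versus one application role per set of IT transactions) worked on a constructed toy company, together with the traceability check the text asks for. This is an added example, not the paper's method or code; the company, employees, tasks and permission names are all invented for illustration.

```python
# Added illustration, not code from the paper: a constructed toy company used
# to compare the two role-engineering situations described in the introduction.
BUSINESS_ROLES = {           # business role -> employees with that function
    "secretary": ["alice", "bob", "carol", "erin"],
    "unit_manager": ["dave"],
}
TASKS = {                    # employee -> tasks actually performed
    "alice": {"encode_customer_data", "write_letters"},
    "bob": {"write_letters"},
    "carol": {"write_letters"},
    "erin": {"encode_customer_data"},
    "dave": {"manage_budget"},
}
TASK_PERMISSIONS = {         # task (IT transaction) -> required permissions
    "encode_customer_data": {"customer_db:read", "customer_db:write"},
    "write_letters": {"office_suite:use"},
    "manage_budget": {"accounting:read", "accounting:write"},
}
BUSINESS_ROLE_OF = {u: br for br, us in BUSINESS_ROLES.items() for u in us}

def needed(emp):
    """Least-privilege set for one employee: union over the employee's own tasks."""
    return set().union(*(TASK_PERMISSIONS[t] for t in TASKS[emp]))

def engineer_roles(group_key):
    """Generic role engineering: employees sharing group_key get one
    application role carrying the union of everything its members need
    (RBAC permission-role assignment); returns (roles, excess_by_employee)."""
    roles = {}
    for emp in TASKS:
        roles.setdefault(group_key(emp), set()).update(needed(emp))
    excess = {emp: roles[group_key(emp)] - needed(emp) for emp in TASKS}
    return roles, excess

def case1():
    """Case 1: application roles restricted to the business roles."""
    return engineer_roles(lambda e: BUSINESS_ROLE_OF[e])

def case2():
    """Case 2: one application role per distinct set of IT transactions."""
    return engineer_roles(lambda e: frozenset(TASKS[e]))

def over_privileged(excess):
    """Employees holding rights that no task of theirs requires."""
    return sorted(e for e, p in excess.items() if p)

def justification(emp, perm):
    """Traceability: the employee's tasks that require perm (empty = none)."""
    return sorted(t for t in TASKS[emp] if perm in TASK_PERMISSIONS[t])

if __name__ == "__main__":
    for name, case in (("case 1", case1), ("case 2", case2)):
        roles, excess = case()
        print(name, "roles:", len(roles), "over-privileged:", over_privileged(excess))
```

On this data case 1 needs only 2 roles but gives three secretaries rights no task of theirs justifies, while case 2 grants exactly what is needed at the cost of one role per task combination.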