Formal Analysis of Access Control Policies for Pattern-Based Business Processes

We propose formal analysis of access control policies associated with business processes. Formal analysis of such policies enables us to investigate certain properties of interest and determine whether they hold. Discovering whether these policies create the intended effects, especially when the number of policies is increased and often composed, can become complex. In addition, we believe that access control policies must be specified in such a way that their integration into business processes is straightforward. Prior research has focused on formal verification of either access control policies or business processes but not viewed the two as an integrated whole. We show an approach in which access control policies and business processes are described using the same foundational building blocks, consequently, integration of access control policies and business processes is significantly less complex. Furthermore, access control policies can now be described by business patterns, and this description may result in discovery of access control patterns that can be used in the future. Finally, our approach through the use of business patterns is capable of modeling access control policies in the same way an access control model does. In addition, these policies can be specified and extended using rules, and in this respect, are akin to a policy language.