Access control policies (ACPs) are essential for creating a secure access control system. ACPs are often studied and specified based on access control models, such as attribute-based access control (ABAC). Moreover, the execution of business process instances is typically recorded in a business process event log. Ensuring conformance with ABAC policies for the process log at the time of post-execution is crucial. To perform conformance testing of ABAC policies for event logs, it is necessary to formalize the ABAC policies. However, this formalization is typically carried out manually, leading to low efficiency and maintainability, as well as a high risk of errors and difficulty in detecting them. Also, the top-down approach for ABAC policy engineering is often less feasible due to the challenges and costs associated with manually developing ABAC policies, which makes it difficult to document security requirements. Besides, there is a lack of an ABAC metamodel that supports the formalization and conformance testing of ABAC policies, and little attention is paid to constructing ABAC policies from existing event logs. This paper presents a fine-grained and highly automated model-driven framework enabling the formalization and conformance testing of ABAC policies for business processes. In our approach, an ABAC metamodel and its patterns are proposed to solve the problems mentioned above. The approach is experimented with and evaluated on three business processes: One simulated and two real-world processes.
NguyenDHSeiYTaharaY, et al.Toward a pattern-based comprehensive framework using process mining for rbac conformance checks. Int J Software Eng Knowled Eng2025; 35: 157–194.
9.
HuVCKuhnDRFerraioloDF, et al.Attribute-based access control. Computer2015; 48: 85–88.
10.
SMohamedAKYAuerDHoferD, et al.A systematic literature review for authorization and access control: definitions, strategies and models. Int J Web Inform Syst2022; 18: 156–180.
11.
KashmarNAddaMAtiehM, et al.A review of access control metamodels. Procedia Comput Sci2021; 184: 445–452.
12.
KormanMLagerstromREkstedtM. Modeling enterprise authorization: a unified metamodel and initial validation. Complex Syst Inform Model Quart2016; 7: 1–24.
13.
NguyenDHSeiYTaharaY, et al.A model-based approach for designing and validating ABAC policies. In: R Lee (ed.) Software engineering and management: Theory and applications, Vol. 17, 2025, pp.19–36. Springer.
14.
FernandezMMackieIThuraisinghamB. Specification and analysis of ABAC policies via the category-based metamodel. In: Proceedings of the Ninth ACM conference on data and application security and privacy, 2019, pp.173–184. ACM.
15.
KashmarNAddaMAtiehM, et al.Access control metamodel for policy specification and enforcement: From conception to formalization. Procedia Comput Sci2021; 184: 887–892.
16.
ZdilarM. Attribute based access control metamodel for spreadsheet programs. In: 35th International scientific conference CECIIS 2024, 2024, pp.409–416.
17.
KrautsevichLLazouskiAMartinelliF, et al.Towards attribute-based access control policy engineering using risk. In: Risk Assessment and risk-driven testing: First International Workshop, RISK 2013, Held in Conjunction with ICTSS 2013, Istanbul, Turkey, November 12, 2013, Revised Selected Papers 1, 2014, pp.80–90. Springer.
18.
DasSMitraBAtluriV, et al.Policy engineering in RBAC and ABAC. In: From database to cyber security. Lecture notes in computer science. Vol. 11170, 2018, pp.24–54. Springer.
19.
XuZStollerSD. Mining attribute-based access control policies. IEEE Trans Dependable Secure Comput2015; 12: 533–545.
20.
BuiTShabramEMatriciaA. An approach for handling missing attribute values in attribute-based access control policy mining. In: International Symposium on Foundations and Practice of Security, 2024, pp.235–248. Springer Nature Switzerland.
21.
MocanuDTurkmenFLiottaA. Towards ABAC policy mining from logs with deep learning. In: The 18th International Multiconference, IS2015, intelligent systems, ljubljana, Slovenia, 2015.
22.
XuZStollerSD. Mining attribute-based access control policies from logs. In: IFIP Annual conference on data and applications security and privacy, proceedings 28, 2014, pp.276–291. Springer Berlin Heidelberg.
23.
Van der AalstWM. Process mining: a 360 degree overview. In: Process Mining Handbook, 2022, pp.3–34. Springer.
24.
AccorsiRStockerT. On the exploitation of process mining for security audits: the conformance checking case. In: Proceedings of the 27th Annual ACM symposium on applied computing, 2012, pp.1709–1716. Association for Computing Machinery.
KentS. Model driven engineering. In: International conference on integrated formal methods, 2002, pp.286–298. Springer Berlin Heidelberg.
27.
AkehurstDKentS. A relational approach to defining transformations in a metamodel. In: International conference on the unified modeling language, 2002, pp.243–258. Springer Berlin Heidelberg.
28.
BoochGJacobsonIRumbaughJ. The unified modeling language. Unix Rev1996; 14: 5.
29.
ReisigW. Understanding petri nets. Verlag Berlin An: Springer, 2016.
30.
ChinosiMTrombettaA. BPMN: An introduction to the standard. Comput Stand Interfaces2012; 34: 124–134.
31.
Von RosingMWhiteSCumminsF, et al. Business process model and notation-BPMN. In: The Complete Business Process Handbook, 2015. Amsterdam, Netherlands: Elsevier.
32.
HudakP. Domain-specific languages. Handb Program Lang1997; 3: 21.
33.
RichtersMGogollaM. On formalizing the UML object constraint language OCL. In: International conference on conceptual modeling, 1998, pp.449–464. Springer Berlin Heidelberg.
34.
CabotJGogollaM. Object constraint language (OCL): a definitive guide. In: International school on formal methods for the design of computer, communication and software systems, 2012, pp.58–90. Springer Berlin Heidelberg.
35.
DangDHCabotJ. On automating inference of OCL constraints from counterexamples and examples. In: Knowledge and systems engineering: Proceedings of the sixth international conference KSE 2014, 2015, pp.219–231. Springer.
36.
NguyenDHSeiYTaharaY, et al.Data-Driven OCL invariant patterns-based process model exploration for process mining. In: R Lee (ed). Networking and parallel/distributed computing systems, Vol. 18, 2024, pp.117–135. Springer.
37.
NguyenDHLeVVNguyenTH, et al.A Method to ensure compliance with attribute and role based access control policy for executing bpmn models. In: 2021 International conference on system science and engineering (ICSSE), 2021, pp.360–366. IEEE.
38.
LeshobA. Towards a business-pattern approach for UML models derivation from business process models. In: 2016 IEEE 13th international conference on e-business engineering (ICEBE), 2016, pp.244–249. IEEE.
39.
BoesingHFMatosSNAndradeVC, et al.Using MDA to transform business processes from analysis classes. In: Proceedings of the 16th Brazilian symposium on software components, architectures, and reuse, 2022, pp.50–59.
40.
WeskeM. Business Process Management: Concepts, Languages, Architectures. Heidelberg: Springer, 2024.
41.
RahimiFMollerCHvamL. Business process management and IT management: The missing integration. Int J Inf Manage2016; 36: 142–154.
42.
HoritaH. Research on construction and verification of business processes based on goal-oriented requirements analysis, PhD thesis, the University of Electro-Communications, 2017.
43.
BadakhshanPConboyKGrisoldT, et al.Agile business process management: A systematic literature review and an integrated framework. Business Process Manag J2019; 26: 1505–1523.
44.
KirHErdoganN. A knowledge-intensive adaptive business process management framework. Inf Syst2021; 95: 101639.
45.
LaliwalaZMansuriI. Activiti 5.x Business Process Management Beginner’s Guide. Birmingham: Packt Publishing, 2014.
46.
QuinteroAMRPérezSMVarela-VacaAJ, et al.A domain-specific language for the specification of UCON policies. J Inform Sec Appl2022; 64: 103006.
47.
NaroueiMKhanpourHTakabiH, et al.Towards a top-down policy engineering framework for attribute-based access control. In: Proceedings of the 22nd ACM on symposium on access control models and technologies, 2017, pp.103–114.
48.
Van DongenBFde MedeirosAKAVerbeekHM, et al.The ProM framework: a new era in process mining tool support. In: Applications and Theory of Petri Nets 2005: 26th International Conference, ICATPN 2005, Proceedings 26, 2005, pp.444–454. Springer Berlin Heidelberg.
49.
GogollaMButtnerFRichtersM. USE: A UML-based specification environment for validating UML and OCL. Sci Comput Program2007; 69: 27–34.
50.
ButtnerFGogollaM. Modular embedding of the object constraint language into a programming language. In: Formal Methods, Foundations and Applications: 14th Brazilian Symposium, SBMF 2011, Sao Paulo, Brazil, September 26-30, 2011, Revised Selected Papers 14, 2011, pp.124–139. Springer.
BleviLDelporteLRobbrechtJ. Process mining on the loan application process of a Dutch Financial Institute, BPI Challenge, 2017, pp.328–343.
53.
BrunkJ. Structuring business process context information for process monitoring and prediction. In: 2020 IEEE 22nd conference on business informatics (CBI) (Vol. 1), 2020, pp.39–48. IEEE.
54.
LopesIFFerreiraDR. A survey of process mining competitions: the BPI challenges 20112018. In: Business Process Management Workshops: BPM 2019 international workshops, revised selected Papers 17, 2019, pp.263–274. Springer.
55.
LeemansSJFahlandDVan der AalstWM. Discovering block-structured process models from event logs - a constructive approach. In: International conference on applications and theory of petri nets and concurrency, 2013, pp.311–329. Springer Berlin Heidelberg.
LeemansSJFahlandDVan der AalstWM. Discovering block-structured process models from incomplete event logs. In: International conference on applications and theory of petri nets and concurrency, 2014, pp.91–110. Springer International Publishing.
58.
RehseJRLeemansSJFettkeP, et al.On process discovery experimentation: addressing the need for research methodology in process discovery. ACM Trans Software Eng Methodol2024; 34: 1–29.
59.
BertiAKouraniHvan der AalstWM. PM-LLM-Benchmark: Evaluating large language models on process mining tasks. arXiv preprint arXiv:2407.13244, 2024.
