Modelling Access Control Mechanisms in Enterprise Architecture

My master thesis has been published at my university site.


In many common enterprise architecture frameworks access control information is not represented in the business and process layer. Access control is composed of three main activities: authentication of users, authorization to perform a certain action and audit of the actions that were performed.
The main objective of this thesis is to develop a model that is able to aggregate access control information to business process and their related elements. This model will be validated and evaluated in three ways: an informed argument, a set of scenarios and a practical case study developed in the Portuguese Department of Investigation and Prosecution.
There is also a brief survey of the related work on the three main areas of interest to this project: Access control mechanisms; Business process modelling languages; and Enterprise architectures frameworks. The access control mechanisms that were analysed are: Mandatory Access Control, Discretionary Access Control, Role Base Access Control (and many derivatives), Task-Based Access Control and Attribute Ac-cess Control. Afterwards, there is a description of the current support for security in some enterprise architecture frameworks. The business process and workflow modelling languages analysed were: BPMN, ArchiMate. ArchiMate was also analysed from the enterprise architecture framework perspective along with TOGAF ADM and Zachman Framework.
Some future work directions (that were not fully explored in this thesis) include: the full integration of this model in enterprise architecture frameworks and business process modelling languages and the automatic generation of security and audit requirements from business rules.