Legal compliance by design (LCbD) and through design (LCtD) : preliminary survey
1st Workshop on Technologies for Regulatory Compliance co-located with the 30th International Conference on Legal Knowledge and Information Systems (JURIX 2017). The purpose of this paper is twofold: (i) carrying out a preliminary survey of the literature and research projects on Compliance by Design (CbD); and (ii) clarifying the double process of (a) extending business managing techniques to other regulatory fields, and (b) converging trends in legal theory, legal technology and Artificial Intelligence. The paper highlights the connections and differences we found across different domains and proposals. We distinguish three different policy-driven types of CbD: (i) business, (ii) regulatory, and (iii) legal. The recent deployment of ethical views, and the implementation of general principles of privacy and data protection lead to the conclusion that, in order to appropriately define legal compliance, Compliance through Design (CtD) should be differentiated from CbD.
A Catalog of Reusable Design Decisions for Developing UML/MOF-based Domain-specific Modeling Languages
In model-driven development (MDD), domain-specific modeling languages (DSMLs) act as a communication vehicle for aligning the requirements of domain experts with the needs of software engineers. With the rise of the UML as a de facto standard, UML/MOF-based DSMLs are now widely used for MDD. This paper documents design decisions collected from 90 UML/MOF-based DSML projects. These recurring design decisions were gained, on the one hand, by performing a systematic literature review (SLR) on the development of UML/MOF-based DSMLs. Via the SLR, we retrieved 80 related DSML projects for review. On the other hand, we collected decisions from developing ten DSML projects by ourselves. The design decisions are presented in the form of reusable decision records, with each decision record corresponding to a decision point in DSML development processes. Furthermore, we also report on frequently observed (combinations of) decision options as well as on associations between options which may occur within a single decision point or between two decision points. This collection of decision-record documents targets decision makers in DSML development (e.g., DSML engineers, software architects, domain experts). Series: Technical Reports / Institute for Information Systems and New Medi
An OMG model-based approach for aligning information systems requirements and architectures with business
Doctoral thesis (Doctoral Programme in Information Systems and Technologies). The challenges involved in developing information systems (which are able to adapt to rapidly
changing business and technological conditions) are directly related to the importance of their
alignment with the business counterpart. These challenges comprise issues that cross management
and information systems domains, relating and aligning them in order to attain superior
performance for the organization, while identifying its strategy and tailoring its business processes.
As this relation is increasingly intertwined its concepts are conducted to pragmatic methods,
incorporating both management and information systems components, for how, when and where
this alignment really matters.
The related topics of the alignment between business and information systems comprise diverse
paths of research, though with little common ground established inside the community, where
problems arise due to the fast-moving business and technological environments. According to
these circumstances, the process of developing information systems to support the alignment
benefits from incorporating the use of structured and model-based approaches. So, as the
development of evermore complex information systems presents a challenge for the currently
available methods, the use of models to support the alignment with business stands as an
increasingly important issue.
Following those challenges, we set out to question how to develop solutions aligning information
systems with business in a model-based approach. Accordingly, we support our research on the
need to understand what are the perspectives involved in aligning information systems with
business, and, moreover, to comprehend in what sense model adoption drives information systems
development. So, the proposed goals for this thesis are: (1) set the basis for the elicitation of
business requirements in order to support a well-grounded development of information systems; (2)
provide for the generation of business models based on the business requirements, while assuring
their alignment and traceability; and (3) arrange for the derivation of information system
architectures from the business requirements, while attaining alignment and traceability for their
mutual transformation and adaptation.
Several issues surrounding these goals have already been described and approached in diverse
ways by other researchers, where existing approaches and associated methods achieved good
results. Nevertheless, these approaches are not without their shortfalls, sometimes failing to present
a complete solution, others being unable to adapt to new challenges, or even incapable of reacting
to recent trends. In order to tackle these issues we propose to build upon those approaches by
adapting, evolving and innovating on solutions in each of the three proposed goals, respectively
intertwining with perspectives from related standards and reference models.
Answering the first goal, in what regards the main contributions of this thesis, we propose to
broaden the elicitation of requirements by relating functional and nonfunctional requirements from
business processes. So, we present a unified metamodel representation for those requirements,
accompanied by a customizable method for their joint elicitation, based on business-driven
use-cases, goals and rules. This approach adopts the Rational Unified Process (RUP) development methodology and the Business Motivation Model (BMM) standard model language representation
for business requirements. Moreover, the metamodel representation and method operationalization
are accompanied by a prototype support tool that completes this first contribution.
For the second goal, a more business-oriented one correlated to the higher-level requirements, we
propose to generate business models directly from the inferred functional and nonfunctional
requirements. So, we present a three-dimensional approach built on the relation of the referred
requirements with the Balanced Scorecard (BSC) reference model, where an additional mapping to
the Business Model Canvas (BMC) is also made available. This proposal provides an associated
metamodel representation for the relation between the elements involved and a customizable
method for their operationalization, all accompanied by a prototype support tool.
On the third goal, focused on system architectures and connected to the lower-level requirements,
we propose to derive service-oriented participants from the functional requirements, while aligning
the nonfunctional requirements with the quality characteristics of the solution to-be. First, we
present an evolution of an existing method for the derivation of a logical architecture, in order to
adapt it to a service-oriented approach (SOA). Then, following on the existing relation between the
nonfunctional and functional side of the low-level requirements, our approach is able to associate
these last with its related services on the derived architecture, in another three-dimensional
approach. Additionally, a mapping of the nonfunctional requirements with the system quality
characteristics (CISQ) is made available. Once more, an associated metamodel, a customizable
method and a prototype support tool are also provided.
The development of these three approaches is supported through the execution of tasks which
originate artifacts and lead to publications associated to their respective research and development
efforts, all according to the Design Science Research (DSR) methodology. These are applied in
ongoing projects involving experimental scenarios in industrial settings and associated to
established research reference patterns, balancing the interests of both researchers and
practitioners while focused both on technology and management audiences. The results obtained
from their evaluation reflect the quality and depth of our findings, helping to validate the scientific
contribution of this work.
Architectural Alignment of Access Control Requirements Extracted from Business Processes
Business processes and IT systems are subject to constant evolution and influence each other to a large degree. This leads to the challenge of aligning security aspects within business processes and enterprise application architectures (EAAs). This applies in particular to access control requirements, which are highly important both in IT security and in data protection. The following three business-level goals illustrate the significance of access control requirements:
Identification and protection of critical and sensitive data and assets.
Introduction of organization-wide IT security to protect against cybercriminal attacks.
Compliance with the growing flood of laws concerning IT security and data protection.
All three goals are closely tied to access control requirements on the business level. Because of their abundance and complexity, implementing these access control requirements completely and correctly is a challenge for IT. To do so, knowledge must be transferred from the business level to IT. The differing terminologies within the specialist domains make this process harder. In addition, the size of enterprises, the complexity of EAAs and the interweaving of EAAs and business processes affect the error-proneness of the design process for access permissions and EAAs. This leads to a discrepancy between them and the business processes, which is aggravated by the recurring adaptations caused by the evolution of business processes and IT systems.
Previous work that relies on extensions of modeling languages demands a high effort from enterprises to extend existing models and maintain the extensions. Other work relies on manual processes. These require a lot of effort, do not scale and are error-prone for complex systems.
The goal of my work is to investigate how access control requirements can be aligned between the business level and IT with as little additional effort for enterprises as possible. Specifically, I investigate how business-level access control requirements, extracted from business processes, can be transformed automatically into access permissions for role-based access control (RBAC) systems, and how the EAA can be checked at design time for compliance with the extracted access control requirements. This supports security experts in designing access permissions for RBAC systems and reduces complexity. Furthermore, enterprise architects are enabled to examine the EAA at design time for data flows of services that violate the business-level access control requirements, and to fix these errors.
The core contributions of my work can be summarized as follows:
An approach for the automated extraction of business-level access control requirements from business processes, followed by the generation of an initial role model for RBAC.
An approach for the automated creation of architectural data flow constraints from access control requirements, in order to identify forbidden data flows in services of the EAA's IT systems.
A process model for enterprises describing how the approaches can be used within different evolution scenarios.
A model for linking relevant elements of business processes, RBAC and EAAs with regard to access control. It is created automatically by the approaches and serves, among other things, to document design decisions, to improve the understanding of models from other domains and to support the enterprise architect in resolving errors within the EAA.
The applicability of the approaches was examined in two case studies. The first is a real-world study that arose from a cooperation with a state art gallery (Kunsthalle) that is reworking its IT systems. A further case study was carried out on the basis of the Common Component Modeling Example (CoCoME). CoCoME is a case study of a realistic wholesale trading chain, developed by the research community specifically for research on software modeling and extended with evolution scenarios. Because of various legal regulations on IT security and data protection, as well as the flow of sensitive data, both case studies are suited to investigating access control requirements. Both case studies were conducted using the Goal Question Metric method. Validation goals were defined. From these, scientific questions were systematically derived, for which metrics were then established in order to investigate them. The following aspects were examined:
Quality of the generated access permissions.
Quality of the identification of faulty data flows in services of the EAA.
Completeness and correctness of the generated model for tracing access control requirements across models.
Suitability of the approaches in evolution scenarios of business processes and EAAs.
The thesis closes with an outlook on how the presented approaches can be extended. Among other things, it discusses how the model for linking relevant elements of business processes, RBAC and EAAs with regard to access control can be extended with elements from further models of IT and of the business level. It also discusses how the approaches can be enriched with additional input information, and how the extracted access control requirements can be used in further domain models of IT and of the business level.
Architectural Alignment of Access Control Requirements Extracted from Business Processes
Business processes and information systems evolve constantly and affect each other in non-trivial ways. Aligning security requirements between both is a challenging task. This work presents an automated approach to extract access control requirements from business processes with the purpose of transforming them into a) access permissions for role-based access control and b) architectural data flow constraints to identify violations of access control in enterprise application architectures.
A collaborative framework for feasibility analysis in automotive product development with global supply chain
In the competitive world, time to market, new technology and innovation are the measures of the performance of New Product Development (NPD). Companies tend to use a conventional approach to NPD by assigning representatives from their own support functions to review and recommend changes as projects evolve. In recent years, this approach has been questioned since it is a costly and time-consuming approach due to its iterative nature. Researchers argue that the time to market process and the cost of NPD can be reduced considerably by involving the support functions of the supply chain to a greater extent and also earlier in the NPD process. There is a potential industrial requirement for a collaborative framework that facilitates the linkage between Supply Chain Management (SCM) and New Product Development (NPD).
This research project focuses on the early stages of the collaborative product development process in the extended enterprise. The research output includes the functional requirements of a framework and a developed prototype methodology with tools and technologies that are tested from case studies within industry. The research also introduces the development and analysis of the framework that allows the integration of the flow of product development related activities within original equipment manufacturers (OEM) and suppliers providing future business benefits. An industrial investigation of an OEM in the automotive industry within the research identified that there are different decision making points in product development and manufacturing. The proposed methodology and framework use key drives to predict and quantify its impact on four main criteria namely: feasibility, time, cost and capability that support or advise on key decision making of OEM’s product development and management process