Modeling and Reasoning about Business Processes under Authorization Constraints: A Planning-Based Approach

Abstract

Business processes under authorization control are sets of coordinated activities subject to a security policy stating which agent can access which resource. Their behavior is difficult to predict due to the complex and unexpected interleaving of different execution flows within the process. Therefore, serious flaws may go undetected and manifest themselves only after deployment. This problem may be tackled by applying formal methods to reason about business process models. In this paper we outline the main contributions in this application domain of (Armando et al. 2012), that uses the action-based planning language C and the Causal Calculator tool CCalc. C is used to specify a business process from the banking domain that is representative of an important class of business processes of practical relevance, and proved to be a rich and natural formal specification language in this domain. CCalc is then used to automatically solve three reasoning tasks that arise in this context. We also compare C with the SMV specification language used in model-checking: the comparison highlights some key advantages of C in the business process domain.