busital 2010 _ enhancement of business it alignment by including responsibility


  • 8/16/2019 BUSITAL 2010 _ Enhancement of Business IT Alignment by Including Responsibility

    Enhancement of Business IT Alignment by Including Responsibility Components in RBAC

    Christophe Feltus, Michaël Petit, Morris Sloman

    5th International Workshop on Business/IT Alignment and Interoperability (BUSITAL 2010) - June 7th 2010


    Outlines

    • Introduction
    • Responsibility model
    • RBAC
    • Responsibility-RBAC
    • Conclusions and future works


    Introduction

    • The market crisis has highlighted the need for more transparency and more commitment from managers and employees.
    • Many governance frameworks have formalized these needs through the concept of responsibility.
    • Current IT frameworks poorly include that concept and, as a consequence:
      ▫ responsibility is not aligned with technical rules
      ▫ there is a lack of interoperability


    Responsibility: Foreword

    • L. Cholvy:
      ▫ Something bad happened and you caused it or could have prevented it
      ▫ Obligation or moral duty to report or explain your actions or someone else's action to a given authority (answerability)
      ▫ Position, which enables you to make decisions in a given organization but implies that you must be prepared to justify your actions (accountability)

    • D'Arcy McCallum:
      ▫ Responsibility is not something that you can actually assign to someone
      ▫ Responsibility, in fact, has to come from within
      ▫ A person is responsible: we mean that he holds a personal commitment to doing something to some standard of quality
      ▫ And while you cannot assign responsibility, you can and do assign accountability... with the expectation that a person will execute the activity assigned to them to a standard of quality


    Functional vs. Managerial Obligation

    Functional vs. Structural Obligation [Dobson]:

    o functional obligation: what an employee must do with respect to a state of affairs (e.g. execute an activity)
    o structural (managerial) obligation: what an employee must do in order to fulfill a responsibility, such as directing, supervising and monitoring
    o Sanction is positive or negative; also: compensation or a remediation [Fox]

    [Figure: responsibility model diagram. Labels: Responsibility, Actor, Task, Object, Obligation (types: Functional Obligation, Managerial Obligation), Behavior, Accountability, Sanction (types: Positive Sanction, Negative Sanction). Relations: Compose, Concern, Type of.]


    Accountability

    o Obligation or moral duty to report or explain the action or someone else's action to a given authority [Cholvy et al.]
    o Responsibility is defined as an obligation(s) to report the achievement, maintenance or avoidance of some given state [Sommerville et al.]
    o Accountability is composed of one answerability and zero or one sanction [Fox]

    [Figure: responsibility model diagram. Labels: Responsibility, Actor, Task, Object, Obligation (types: Functional Obligation, Managerial Obligation), Behavior, Accountability (types: Soft Accountability, Hard Accountability), Sanction. Relations: Compose, Concern, Type of.]


    Rights

    o Common but not systematically embedded concept
    o Capability: describes the possession of the requisite qualities, skills or resources to perform an action [Vernadat, F.B.][Qingfeng et al.]
    o Authority: the power to command and control other employees (CIMOSA)
    o Delegation right: right to transfer some part of the responsibility to another employee

    [Figure: responsibility model diagram. Labels: Responsibility, Actor, Task, Object, Obligation (type: Managerial Obligation), Behavior, Accountability, Sanction, Right (types: Capability, Authority, Delegation Possibility, Access Right). Relations: Compose, Concern, Type of, Require, Needed for.]


    Delegation

    Delegation vs. Assignment:

    o Assignment is the action of linking an employee to a responsibility
    o Delegation is the transfer of an employee's responsibility assignment to another employee
      ▫ Right to further delegate the same obligation or not [Sommerville]
      ▫ Delegation of accountability or not [Norman]

    [Figure: responsibility model diagram. Labels: Responsibility, Actor, Task, Object, Obligation, Behavior, Accountability, Sanction, Right, Delegation Possibility, Employee, Delegation, Commitment, Commitment Antecedent. Relations: Compose, Concern, Type of, Require, Is assigned, Is delegated, Delegate, Pledge, Activate.]


    Commitment

    o Moral engagement to fulfill the action; difficult to integrate in a formalized framework
    o The psychological attachment felt by the person for the organization; it will reflect the degree to which the individual internalizes or adopts characteristics or perspectives of the organization [O'Reilly and Chapman]
    o The relative strength of an individual's identification with and involvement in a particular organization [Mowday]
    o A structural phenomenon which occurs as a result of individual-organizational transactions and alterations in side-bets or investment over time [Hrebiniak and Alutto]

    [Figure: responsibility model diagram. Labels: Responsibility, Actor, Task, Object, Obligation, Behavior, Accountability, Sanction, Right, Delegation Possibility, Employee, Delegation, Commitment, Commitment Antecedent. Relations: Compose, Concern, Type of, Require, Is assigned, Is delegated, Delegate, Pledge, Activate.]


    Commitment

    o More conscious about their responsibility [Eisenberger]

    [Figure: commitment diagram. Labels: Commitment (Continuance, Affective, Normative); Commitment Antecedent (Side-bets, Desire Maintain Membership, Belief in Goals And Values, Feeling of Obligation); Commitment Outcomes (Citizen Behavior, Employee Retention, Employee Performance, Willingness to Exert Efforts). Relations: Type of, Contribute to, Provide, Activate.]


    RBAC

    • Role Based Access Control
    • To simplify the management of granting permissions to users
    • 3 main elements: User, Role and Permission
    • 2 main functions: User-role assignment (URA) and Permission-role assignment (PRA)


    RBAC weaknesses

    • Number of roles: sometimes more roles than users
    • Employee's commitment: RBAC does not cater for management of the employee's commitment
    • Difficulties for representing RBAC in OWL:
      ▫ ROWLBAC
      ▫ XACML+OWL


    Mapping RBAC and responsibility

    [Figure: mapping diagram between the responsibility model and RBAC. Labels: Responsibility, Right, Obligation, Behavior, Accountability, Employee, U (USERS), R (ROLES), P (Permissions), RBAC: URA, RBAC: PRA. Relations: Require, Concern, Compose, Type of, Is assigned.]


    Assignment granularity

    ▫ Assignment to a role
    ▫ Responsibility assignment – direct / indirect role assignment

    [Figure: mapping diagram between the responsibility model and RBAC. Labels: Responsibility, Atomic responsibility, Right, Obligation, Behavior, Accountability, Employee, U (USERS), R (ROLES), P (Permissions), RBAC: URA, RBAC: PRA. Relations: Require, Concern, Compose, Type of, Is assigned.]


    Employee Commitment

    ▫ The concept of commitment does not exist in RBAC
    ▫ Involvement of the employee in the assignment process

    [Figure: mapping diagram between the responsibility model and RBAC. Labels: Responsibility, Atomic responsibility, Right, Obligation, Behavior, Accountability, Employee, Commitment, U (USERS), R (ROLES), P (Permissions), RBAC: URA, RBAC: PRA. Relations: Require, Concern, Compose, Type of, Is assigned, Pledge.]


    Assignment process (example)


    SoD

    ▫ In RBAC: role hierarchy and role SoD
    ▫ Role hierarchy and Responsibility SoD
    ▫ Translation in OWL

    [Figure: mapping diagram between the responsibility model and RBAC. Labels: Responsibility, Atomic responsibility, Right, Obligation, Behavior, Accountability, Employee, Commitment, U (USERS), R (ROLES), P (Permissions), RBAC: URA, RBAC: PRA. Relations: Require, Concern, Compose, Type of, Is assigned, Pledge, Hierarchy, SoD.]
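
The Responsibility-RBAC slides above (assignment granularity, employee commitment, responsibility SoD) can be made concrete with a small model. This is an added example, not code from the authors; it assumes that a role composes responsibilities, that each responsibility requires rights, that rights become effective only after the employee pledges commitment, and that SoD is declared between responsibilities. All class, role and permission names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Responsibility:
    name: str
    rights: frozenset               # permissions this responsibility requires

@dataclass
class Assignment:
    employee: str
    responsibility: Responsibility
    via_role: str = ""              # "" = direct, otherwise the role it came through
    pledged: bool = False           # True once the employee has committed

class ResponsibilityRBAC:
    def __init__(self, roles, sod_pairs):
        self.roles = roles                             # role name -> [Responsibility]
        self.sod = {frozenset(p) for p in sod_pairs}   # mutually exclusive names
        self.assignments = []

    def assign(self, employee, resps, via_role=""):    # all-or-nothing
        names = {a.responsibility.name for a in self.assignments
                 if a.employee == employee} | {r.name for r in resps}
        if any(pair <= names for pair in self.sod):
            return False                               # responsibility SoD conflict
        self.assignments += [Assignment(employee, r, via_role) for r in resps]
        return True

    def pledge(self, employee, name):                  # employee accepts one responsibility
        for a in self.assignments:
            if a.employee == employee and a.responsibility.name == name:
                a.pledged = True

    def permissions(self, employee):                   # rights of pledged assignments only
        return set().union(*(a.responsibility.rights for a in self.assignments
                             if a.employee == employee and a.pledged))

# Constructed sample data (hypothetical names, not from the slides).
CREATE = Responsibility("create_payment", frozenset({"payments:create", "vendors:read"}))
APPROVE = Responsibility("approve_payment", frozenset({"payments:approve"}))
AUDIT = Responsibility("audit_ledger", frozenset({"ledger:read"}))

def demo():
    m = ResponsibilityRBAC({"clerk": [CREATE, AUDIT]}, [("create_payment", "approve_payment")])
    m.assign("alice", m.roles["clerk"], via_role="clerk")   # indirect, through a role
    before = m.permissions("alice")                         # nothing pledged yet
    m.pledge("alice", "create_payment")
    blocked = not m.assign("alice", [APPROVE])              # direct, violates SoD
    return before, m.permissions("alice"), blocked
```

In plain RBAC the role assignment alone would grant every permission of the role; here the unpledged `audit_ledger` responsibility contributes nothing until the employee commits to it.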


    Conclusions and future works

    • Business needs a better alignment of employees' responsibility, from the management frameworks down to the technical rules.
    • Our contribution is a responsibility model that can be mapped to frameworks at all enterprise levels. That mapping:
      ▫ Improves the framework or its usage
      ▫ Permits aligning responsibility concepts between frameworks
    • Our future work concerns the formalization of an alignment method that exploits the concepts of the model, and the validation of that method in a case study.


     Thank you !

    C. Feltus, M. Petit, and M. Sloman, Enhancement of Business IT Alignment by Including Responsibility Components in RBAC, 5th International Workshop on Business/IT Alignment and Interoperability (BUSITAL 2010), Hammamet, Tunisia