-
8/16/2019 BUSITAL 2010 _ Enhancement of Business IT Alignment by Including Responsibility
1/24
Enhancement of Business IT Alignment by Including
Responsibility Components in RBAC
Christophe Feltus, Michaël Petit, Morris Sloman
5th International Workshop on Business/IT Alignment and Interoperability
(BUSITAL 2010) - June 7th 2010
Outline
• Introduction
• Responsibility model
• RBAC
• Responsibility-RBAC
• Conclusions and future works
Introduction
• The market crisis has highlighted the need for more transparency and more commitment of the manager and of the employee.
• Many governance frameworks have formalized these needs through the concept of responsibility.
• Current IT frameworks poorly include that concept and, as a consequence:
▫ responsibility is not aligned onto technical rules
▫ lack of interoperability
Responsibility: Foreword
• L. Cholvy:
▫ Something bad happened and you caused it or could have prevented it
▫ Obligation or moral duty to report or explain your actions or someone else’s action to a given authority (answerability)
▫ Position, which enables you to make decisions in a given organization but implies that you must be prepared to justify your actions (accountability)
• D'Arcy McCallum:
▫ Responsibility is not something that you can actually assign to someone
▫ Responsibility, in fact, has to come from within
▫ A person is responsible: we mean that he holds a personal commitment to doing something to some standard of quality
▫ And while you cannot assign responsibility, you can and do assign accountability... with the expectation that a person will execute the activity assigned to them to a standard of quality
Functional vs. Managerial Obligation
Functional vs. Structural Obligation [Dobson]:
o functional obligation: what an employee must do with respect to a state of affairs (e.g. execute an activity)
o structural (managerial) obligation: what an employee must do in order to fulfill a responsibility, such as directing, supervising and monitoring
o Sanction can also be positive or negative: a compensation or a remediation [Fox]
[Figure: UML class diagram of the responsibility model. Elements shown: Responsibility, Actor, Task, Object, Obligation (Functional Obligation, Managerial Obligation), Behavior, Accountability, Sanction (Positive Sanction, Negative Sanction); association labels: Compose, Concern, Type of.]
Accountability
o Obligation or moral duty to report or explain the action or someone else’s action to a given authority [Cholvy et al.]
o Responsibility is defined as an obligation(s) to report the achievement, maintenance or avoidance of some given state [Sommerville et al.]
o Accountability is composed of one answerability and zero or one sanction [Fox]
[Figure: the responsibility model class diagram, with Accountability specialized into Soft Accountability and Hard Accountability. Other elements shown: Responsibility, Actor, Task, Object, Obligation (Functional Obligation, Managerial Obligation), Behavior, Sanction; association labels: Compose, Concern, Type of.]
Rights
o Common but not systematically embedded concept
o Capability: describes the possession of requisite qualities, skills or resources to perform an action [Vernadat, F.B.][Qingfeng et al.]
o Authority: the power to command and control other employees (CIMOSA)
o Delegation right: right to transfer some part of the responsibility to another employee
[Figure: the responsibility model class diagram, extended with Right and its types (Capability, Authority, Delegation Possibility, Access Right). Other elements shown: Responsibility, Actor, Task, Object, Obligation, Managerial Obligation, Behavior, Accountability, Sanction; association labels: Compose, Concern, Require, Needed for, Type of.]
Delegation
Delegation vs. Assignment:
o Assignment is the action of linking an employee to a responsibility
o Delegation is the transfer of an employee’s responsibility assignment to another employee
▫ Right to further delegate the same obligation or not [Sommerville]
▫ Delegation of accountability or not [Norman]
[Figure: the responsibility model class diagram, extended with Employee, Delegation, Commitment and Commitment Antecedent. Other elements shown: Responsibility, Actor, Task, Object, Obligation, Behavior, Accountability, Sanction, Right, Delegation Possibility; association labels: Is assigned, Is delegated, Delegate, Pledge, Activate, Require, Compose, Concern, Type of.]
Commitment
o Moral engagement to fulfill the action, difficult to integrate in a formalized framework
o The psychological attachment felt by the person for the organization; it will reflect the degree to which the individual internalizes or adopts characteristics or perspectives of the organization [O’Reilly and Chapman]
o The relative strength of an individual’s identification with and involvement in a particular organization [Mowday]
o A structural phenomenon which occurs as a result of individual-organizational transactions and alterations in side-bets or investment over time [Hrebiniak and Alutto]
[Figure: the responsibility model class diagram including Employee, Delegation, Commitment and Commitment Antecedent, with the same elements and association labels as on the Delegation slide.]
Commitment
o More conscious about their responsibility [Eisenberger]
[Figure: class diagram of the commitment concept. Elements shown: Commitment (Continuance, Affective, Normative), Commitment Outcomes (Citizen Behavior, Employee Retention, Employee Performance, Willingness to Exert Efforts), Commitment Antecedent, Side-bets, Desire Maintain Membership, Belief in Goals And Values, Feeling of Obligation; association labels: Provide, Activate, Contribute to, Type of.]
RBAC
• Role Based Access Control
• To simplify the management of granting permissions to users
• 3 main elements: User, Role and Permission
• 2 main functions: User-role assignment (URA) and Permission-role assignment (PRA)
RBAC weaknesses
• Number of roles: sometimes more roles than users
• Employee’s commitment: RBAC does not cater for management of the employee’s commitment
• Difficulties for representing RBAC in OWL:
▫ ROWLBAC
▫ XACML+OWL
Mapping RBAC and responsibility
[Figure: mapping between RBAC and the responsibility model. RBAC elements shown: U (USERS), R (ROLES), P (Permissions), with the relations RBAC: URA and RBAC: PRA. Responsibility model elements shown: Employee, Responsibility, Right, Obligation, Behavior, Accountability; association labels: Is assigned, Require, Compose, Concern, Type of.]
Assignment granularity
▫ Assignment to a role
▫ Responsibility assignment – direct / indirect role assignment
[Figure: the RBAC and responsibility mapping diagram, extended with Atomic responsibility.]
Employee Commitment
▫ The concept of commitment does not exist in RBAC
▫ Involvement of the employee in the assignment process
[Figure: the RBAC and responsibility mapping diagram with Atomic responsibility, extended with Commitment and the Pledge association.]
Assignment process (example)
Hierarchy and SoD
▫ In RBAC: role hierarchy and role SoD
▫ Role hierarchy and Responsibility SoD
▫ Translation in OWL
[Figure: the RBAC and responsibility mapping diagram with Atomic responsibility, Commitment and Pledge, annotated with Hierarchy and SoD.]
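A sketch of the ideas on the Responsibility-RBAC slides (direct and indirect responsibility assignment, employee commitment, responsibility SoD), added here as an illustration and not taken from the original slides or the authors' implementation. The class and method names, the sample rights, and the rule that a responsibility's rights take effect only once the employee has committed to it are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class ResponsibilityRBAC:
    rights: dict = field(default_factory=dict)  # responsibility -> rights it requires
    roles: dict = field(default_factory=dict)   # role -> responsibilities composing it
    sod: set = field(default_factory=set)       # frozenset pairs one employee may not hold
    held: dict = field(default_factory=dict)    # employee -> {responsibility: committed?}

    def assign(self, employee, *responsibilities):
        # Direct assignment, validated as a whole so a failure changes nothing.
        unknown = set(responsibilities) - set(self.rights)
        if unknown:
            raise KeyError(f"undefined: {sorted(unknown)}")
        combined = set(self.held.get(employee, {})) | set(responsibilities)
        if any(pair <= combined for pair in self.sod):
            raise ValueError(f"SoD conflict for {employee}")
        current = self.held.setdefault(employee, {})
        for r in responsibilities:
            current.setdefault(r, False)  # assigned, not yet committed

    def assign_role(self, employee, role):
        # Indirect assignment: all responsibilities that compose the role.
        self.assign(employee, *self.roles[role])

    def commit(self, employee, responsibility):
        # The employee pledges commitment to an already assigned responsibility.
        if responsibility not in self.held.get(employee, {}):
            raise KeyError(f"{responsibility} not assigned to {employee}")
        self.held[employee][responsibility] = True

    def permissions(self, employee):
        # Only committed responsibilities contribute their rights (assumption).
        mine = self.held.get(employee, {})
        return set().union(*(self.rights[r] for r, ok in mine.items() if ok))

def demo():
    m = ResponsibilityRBAC()  # every name below is constructed sample data
    m.rights = {"register_invoice": {"invoice:write"},
                "prepare_payment": {"invoice:read", "payment:create"},
                "approve_payment": {"payment:approve"}}
    m.roles["accounts_clerk"] = ["register_invoice", "prepare_payment"]
    m.sod.add(frozenset({"prepare_payment", "approve_payment"}))
    m.assign_role("alice", "accounts_clerk")
    before = m.permissions("alice")        # nothing committed yet
    m.commit("alice", "prepare_payment")
    after = m.permissions("alice")
    try:
        m.assign("alice", "approve_payment")
        blocked = False
    except ValueError:
        blocked = True                     # SoD with prepare_payment
    return before, after, blocked
```
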
Conclusions and future works
• Business needs a better alignment of the employees’ responsibility, from the management frameworks down to the technical rules
• Our contribution is a responsibility model that we can map with frameworks at all enterprise levels. That mapping:
▫ Improves the framework or its usage
▫ Makes it possible to align responsibility concepts between frameworks
• Our future work concerns the formalization of an alignment method that exploits the concepts of the model, and the validation of that method in a case study.
Thank you !
C. Feltus, M. Petit, and M. Sloman, "Enhancement of Business IT Alignment by Including Responsibility Components in RBAC", 5th International Workshop on Business/IT Alignment and Interoperability (BUSITAL 2010), Hammamet, Tunisia