Insider-threat detectors fail too often. A new tool could help plug leaks

Ideally, the Pentagon’s new approach to safeguarding secrets—continuous monitoring to make sure insiders can’t access data they shouldn’t—would slam the door on leaks. But roles, data, and workflows change so quickly that it is difficult for “zero trust” administrators to keep up. Now a Japanese research team says they’ve found a way to help things run more smoothly.

One of the most widely used frameworks for managing who has access to what is Role-Based Access Control, or RBAC, which assigns permissions to users based on their roles within an organization. For example, a system might allow a financial officer to access payroll data but bar a member of the marketing team. It’s effective but it can slow users down with security checks when they are trying to work. RBAC can struggle with adapting to dynamic or complex workflows and often requires extensive manual oversight.

In the International Journal of Software Engineering and Knowledge Engineering, a team of researchers from the University of Electro-Communications in Tokyo suggests combining RBAC with Unified Modeling Language, or UML, a way to visually represent the structure and behavior of systems. The researchers contend that by translating RBAC policies into UML models, organizations can more accurately represent their workflows and visualize the relationships between roles, tasks, and permissions. That could give monitors a much more timely and accurate understanding of who is accessing what on the network and whether that access is appropriate.

To create these models, the researchers used process-mining techniques. Process mining uses event logs—records of activity within a system—to map how tasks are executed. These logs are key for understanding where access control policies might fail. However, raw event data is often riddled with errors, such as missing or duplicate entries, which can obscure insights. To fix this, the researchers applied advanced preprocessing methods to clean the data and ensure its reliability.

From these refined event logs, the team employed Petri nets and Business Process Model and Notation, or BPMN, both ISO-certified standards for modeling workflows. Petri nets provide a mathematical representation of processes, while BPMN creates a visual diagram of task flows. These models were then converted into UML diagrams using an automated method called Transformation Method for BPMN Conversion. This approach transforms tasks, data, and workflows into UML classes and associations, making it easier to identify access control vulnerabilities.

By merging RBAC with UML modeling, the researchers are addressing two of the biggest headaches in managing access to sensitive systems: complexity and inconsistency. 

Picture a maze of permissions across dozens—sometimes hundreds—of roles in an organization. It’s messy and users and monitors often misapply policies. Gaps can open up that hackers or even insiders could exploit. RBAC lays out the rules, but it’s hard to visualize. What’s more, an organization like the Defense Department or an intelligence agency may need to shift users’ roles rapidly as new urgent problems or missions arise, leaving another gap where the rules don’t match what managers or commanders need.

That’s where UML modeling comes in. Think of it as taking that maze and turning it into a clean, interactive map that not only shows you where everything connects but also helps you find and fix any dead ends or shortcuts that shouldn’t exist. By using UML, administrators can actually see how access rules are implemented—who’s doing what, where, and when—and compare that to what the rules were supposed to look like. If something doesn’t match, it’s much easier to spot and correct before it becomes a problem.

Why does this matter so much? Because when you’re dealing with systems that handle highly sensitive data—like the ones used in government and defense—mistakes aren’t just embarrassing; they can be catastrophic. A poorly managed access policy could mean the wrong person gets into the wrong system at the wrong time. Case in point: former Air National Guardsman Jack Teixeira, who worked as an IT specialist and abused his credentials to leak classified information, as revealed in April 2023. Teixeira’s case shows how insider threats escalate, and how a small oversight becomes a massive breach.

The researchers used two cases to show their idea is an improvement over current RBAC frameworks: a simulated e-commerce workflow and a real-world loan approval process. These case studies revealed both the promise and the challenges of using process mining and UML to improve access control compliance.

In the first example, the team created a simulated online shopping process using Activiti, an open-source business process management tool. The workflow, represented as a BPMN diagram, included tasks like handling orders and updating inventory. However, when the event logs were examined, they found a glaring issue: one warehouse staff member performed both tasks, violating a Separation of Duty (SoD) policy, which requires that no single person completes tasks meant to be handled by separate roles.

By applying their framework, the researchers translated the BPMN diagram into a UML model and used Object Constraint Language, or OCL, to generate specific rules for separation of duty, which let them find the violations in the event log. This wasn’t just about flagging errors—it offered administrators a roadmap to redesign access policies and fix the gaps.

The second case study focused on a real-world loan approval workflow at a Dutch financial institution. Unlike the simulated example, this dataset was massive: over 31,000 cases and 1.2 million events. Using process mining tools, the team filtered and analyzed traces of activity, mapping them onto a UML model. Here, the framework successfully uncovered violations of “Dynamic Separation of Duty” policies—rules that ensure critical tasks are distributed across multiple users to reduce fraud risks.

Two test cases stood out as non-compliant because they involved the same user performing multiple restricted tasks. This kind of automated detection could save administrators hours of manual effort, especially in complex systems where errors might otherwise go unnoticed.
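As an added illustration, not the researchers' code, here is the kind of separation-of-duty check the two case studies describe, run over a small constructed event log in the (case, activity, resource) shape that process-mining tools export. The case, activity and resource names are assumptions, not values from the paper.

```python
from collections import defaultdict

# Constructed event log in the shape of a process-mining export:
# (case_id, activity, resource). Case "o-1002" mirrors the page's e-commerce
# scenario, where one warehouse worker both handles the order and updates
# inventory. Activity and resource names are assumptions, not from the paper.
EVENT_LOG = [
    ("o-1001", "Handle order", "alice"),
    ("o-1001", "Update inventory", "bob"),
    ("o-1001", "Ship order", "carol"),
    ("o-1002", "Handle order", "bob"),
    ("o-1002", "Update inventory", "bob"),   # same resource on both tasks
    ("o-1002", "Ship order", "carol"),
    ("o-1003", "Handle order", "alice"),
    ("o-1003", "Approve refund", "alice"),   # trips the second rule
    ("o-1003", "Approve refund", "dave"),    # a second, distinct approver is fine
]

# Dynamic separation-of-duty rules: within a single case these two activities
# must be performed by different resources. This is the constraint the paper
# expresses in OCL over the UML model, written here as plain data.
SOD_RULES = [
    ("Handle order", "Update inventory"),
    ("Handle order", "Approve refund"),
]


def performers_by_case(log):
    """Index the log as {case_id: {activity: set of resources}}."""
    index = defaultdict(lambda: defaultdict(set))
    for case_id, activity, resource in log:
        index[case_id][activity].add(resource)
    return index


def find_sod_violations(log, rules):
    """Return (case_id, resource, activity_a, activity_b) for every case in
    which one resource executed both halves of a separation-of-duty rule."""
    violations = []
    for case_id, acts in sorted(performers_by_case(log).items()):
        for a, b in rules:
            # The intersection of the two performer sets is exactly the set of offenders.
            for who in sorted(acts.get(a, set()) & acts.get(b, set())):
                violations.append((case_id, who, a, b))
    return violations


if __name__ == "__main__":
    for case_id, who, a, b in find_sod_violations(EVENT_LOG, SOD_RULES):
        print(f"case {case_id}: {who} performed both '{a}' and '{b}'")
```

Running it flags "o-1002" (bob) and "o-1003" (alice), the two non-compliant cases; "o-1001" passes because every restricted pair was split across different people.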

The framework demonstrated its ability to automate tedious compliance checks while offering flexibility to adapt to different workflows. 

The implications are significant, particularly for government and defense organizations that manage highly sensitive data. With clearer, more adaptable access control systems, agencies can reduce the risk of unauthorized access and insider threats while maintaining operational efficiency.

But there are limitations. The framework depends on accurate domain knowledge to define the rules. If the policy definitions are incomplete or inconsistent, the system’s output will be, too. The researchers aim to refine their approach by incorporating machine learning techniques.
