reasoning over secure business processes
TRANSCRIPT
Reasoning over Secure Business Processes
Achim D Bruckerachimbruckersapcom
joint work with Luca Compagna Pierre Guilleminot and Isabelle Hang
SAP AG Vincenz-Priessnitz-Str 1 76131 Karlsruhe Germany
Dagstuhl Seminar 13211 ldquoAutomated Reasoning on Conceptual Schemasrdquohttpwwwdagstuhlde13211
19052013 ndash 24052013
Abstract
Modern enterprise systems are often process-based ie they allow for thedirect execution of business processes that are specified in a high-levellanguage such as BPMNWe present an approach for validating the compliance of the businessprocesses during design-time Basically while modeling a business processthe business analyst specifies as well the security and compliancerequirements the business process should comply to By pressing a buttonthese requirements are validated and the results are presented in agraphical format to the business analysis As proof-of-concept we created aprototype in which the SVaaS Server is deployed on the SAP NetWeaverCloud and two SVaaS Connectors are built to enable two well-known BPMNtools SAP NetWeaver BPM and Activiti to consume SVaaS againstindustrial relevant business processes
copy 2013 SAP AG All Rights Reserved Page 2 of 12
Business Process Modeling
copy 2013 SAP AG All Rights Reserved Page 3 of 12
SecureBPMN
Subject
UserGroup0
0 Role0 0
0 0
Permission1 0
Action
0
1
AuthorisationConstraint
SoD+max Integer+static Boolean
BoD+min Integer+static Boolean
1
0
ItemAwareElementAction
Activity0
AtomicItemAwareElementAction
CompositeItemAwareElementAction0
0
NeedToKnow
ResourceAC
0
1
1
0
Delegator
Delegation+maxDepth Integer+negotiable Boolean
SimpleDelegation TransferDelegation
11 0
1
0
11
0
0 0
Process
Resource
SecurityFlowNode FlowNode FlowElementSecurityFlow1 1
10
Obligation
0
1
Policy
0
1
0 0
0
1
ItemAwareElement
ProcessAction
AtomicProcessAction
CompositeProcessAction0
0
ActivityAction
AtomicActiviyAction
CompositeActivityAction0
0
Access Control
DelegationlCompliance (SoDBoD)
Need to Knowl
Break-Glass
BPMN Meta-ModelActions
Visualisation
TriggerReset
0
1
1
0
1
0
BaseElement
bull Access Control
bull Delegation
bull SeparationBinding of Duty
bull Need to Know
bull Break Glass
copy 2013 SAP AG All Rights Reserved Page 4 of 12
What and Where to Check
What to Check
bull Structural issuesbull deadlocksbull
bull Compliance issuesbull need to knowbull separation of dutybull binding of dutybull data confidentialitybull
bull Security issuesbull access controlbull
Where to Check
bull Process levelbull consistency of security
specificationsbull static vs dynamic enforcementbull
bull Implementation levelbull access control infrastructurebull data flows (confidentiality)bull
How to Check
bull Model checking
bull Theorem proving (eg SMT)
bull Static code analysis
copy 2013 SAP AG All Rights Reserved Page 5 of 12
Security Validation of Business Process
bull Express security requirements
bull Detect vulnerabilities at design time
bull Highlight execution paths leading to asecurity violation so to provideguidelines in solving the problem
bull Mitigate the deployment ofnon-compliant business processes
copy 2013 SAP AG All Rights Reserved Page 6 of 12
A Cloud-based Architecture
copy 2013 SAP AG All Rights Reserved Page 7 of 12
Demo Business Process Modeling
copy 2013 SAP AG All Rights Reserved Page 8 of 12
Demo Business Process Level Reasoning
copy 2013 SAP AG All Rights Reserved Page 9 of 12
Demo Implementation Level Reasoning
copy 2013 SAP AG All Rights Reserved Page 10 of 12
Thank you
Bibliography
Achim D Brucker and Isabelle Hang Secure and compliant implementation of businessprocess-driven systems In Marcello La Rosa and Pnina Soffer editors Joint Workshop onSecurity in Business Processes (SBP) volume 132 of Lecture Notes in BusinessInformation Processing (LNBIP) pages 662ndash674 Springer-Verlag 2012
httpwwwbruckerchbibliographyabstractbruckerea-secure-2012
Achim D Brucker Isabelle Hang Gero Luumlckemeyer and Raj Ruparel SecureBPMNModeling and enforcing access control requirements in business processes In ACMsymposium on access control models and technologies (SACMAT) pages 123ndash126 ACMPress 2012
httpwwwbruckerchbibliographyabstractbruckerea-securebpmn-2012
Luca Compagna Pierre Guilleminot and Achim D Brucker Business process compliancevia security validation as a service In Manuel Oriol and John Penix editors Testing ToolsTrack of International Conference on Software Testing Verification and Validation(ToolsICST) IEEE Computer Society 2013
httpwwwbruckerchbibliographyabstractcompagnaea-bp-compliance-2013
copy 2013 SAP AG All Rights Reserved Page 12 of 12
copy 2013 SAP AG All rights reserved
No part of this publication may be reproduced or transmitted in any formor for any purpose without the express permission of SAP AG Theinformation contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors containproprietary software components of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registeredtrademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System pSystem p5 System x System z System z10 System z9 z10 z9 iSeriespSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWEROpenPower PowerPC BatchPipes BladeCenter System Storage GPFSHACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel SysplexMVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informixare trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and othercountriesAdobe the Adobe logo Acrobat PostScript and Reader are eithertrademarks or registered trademarks of Adobe Systems Incorporated inthe United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the OpenGroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrameand MultiWin are trademarks or registered trademarks of Citrix SystemsIncHTML XML XHTML and W3C are trademarks or registered trademarks ofW3Creg World Wide Web Consortium Massachusetts Institute ofTechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc usedunder license for technology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAPBusinessObjects Explorer StreamWork and other SAP products andservices mentioned herein as well as their respective logos aretrademarks or registered trademarks of SAP AG in Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects CrystalReports Crystal Decisions Web Intelligence Xcelsius and other Business Objectsproducts and services mentioned herein as well as their respective logos aretrademarks or registered trademarks of Business Objects Software Ltd BusinessObjects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and otherSybase products and services mentioned herein as well as their respective logosare trademarks or registered trademarks of Sybase Inc Sybase is an SAPcompanyAll other product and service names mentioned are the trademarks of theirrespective companies Data contained in this document serves informationalpurposes only National product specifications may varyThe information in this document is proprietary to SAP No part of this documentmay be reproduced copied or transmitted in any form or for any purpose withoutthe express prior written permission of SAP AGThis document is a preliminary version and not subject to your license agreementor any other agreement with SAP This document contains only intendedstrategies developments and functionalities of the SAPreg product and is notintended to be binding upon SAP to any particular course of business productstrategy andor development Please note that this document is subject tochange and may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP doesnot warrant the accuracy or completeness of the information text graphics linksor other items contained within this material This document is provided without awarranty of any kind either express or implied including but not limited to theimplied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitationdirect special indirect or consequential damages that may result from the use ofthese materials This limitation shall not apply in cases of intent or grossnegligenceThe statutory liability for personal injury and defective products is not affectedSAP has no control over the information that you may access through the use ofhot links contained in these materials and does not endorse your use ofthird-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2013 SAP AG All Rights Reserved Page 13 of 12
Abstract
Modern enterprise systems are often process-based ie they allow for thedirect execution of business processes that are specified in a high-levellanguage such as BPMNWe present an approach for validating the compliance of the businessprocesses during design-time Basically while modeling a business processthe business analyst specifies as well the security and compliancerequirements the business process should comply to By pressing a buttonthese requirements are validated and the results are presented in agraphical format to the business analysis As proof-of-concept we created aprototype in which the SVaaS Server is deployed on the SAP NetWeaverCloud and two SVaaS Connectors are built to enable two well-known BPMNtools SAP NetWeaver BPM and Activiti to consume SVaaS againstindustrial relevant business processes
copy 2013 SAP AG All Rights Reserved Page 2 of 12
Business Process Modeling
copy 2013 SAP AG All Rights Reserved Page 3 of 12
SecureBPMN
Subject
UserGroup0
0 Role0 0
0 0
Permission1 0
Action
0
1
AuthorisationConstraint
SoD+max Integer+static Boolean
BoD+min Integer+static Boolean
1
0
ItemAwareElementAction
Activity0
AtomicItemAwareElementAction
CompositeItemAwareElementAction0
0
NeedToKnow
ResourceAC
0
1
1
0
Delegator
Delegation+maxDepth Integer+negotiable Boolean
SimpleDelegation TransferDelegation
11 0
1
0
11
0
0 0
Process
Resource
SecurityFlowNode FlowNode FlowElementSecurityFlow1 1
10
Obligation
0
1
Policy
0
1
0 0
0
1
ItemAwareElement
ProcessAction
AtomicProcessAction
CompositeProcessAction0
0
ActivityAction
AtomicActiviyAction
CompositeActivityAction0
0
Access Control
DelegationlCompliance (SoDBoD)
Need to Knowl
Break-Glass
BPMN Meta-ModelActions
Visualisation
TriggerReset
0
1
1
0
1
0
BaseElement
bull Access Control
bull Delegation
bull SeparationBinding of Duty
bull Need to Know
bull Break Glass
copy 2013 SAP AG All Rights Reserved Page 4 of 12
What and Where to Check
What to Check
bull Structural issuesbull deadlocksbull
bull Compliance issuesbull need to knowbull separation of dutybull binding of dutybull data confidentialitybull
bull Security issuesbull access controlbull
Where to Check
bull Process levelbull consistency of security
specificationsbull static vs dynamic enforcementbull
bull Implementation levelbull access control infrastructurebull data flows (confidentiality)bull
How to Check
bull Model checking
bull Theorem proving (eg SMT)
bull Static code analysis
copy 2013 SAP AG All Rights Reserved Page 5 of 12
Security Validation of Business Process
bull Express security requirements
bull Detect vulnerabilities at design time
bull Highlight execution paths leading to asecurity violation so to provideguidelines in solving the problem
bull Mitigate the deployment ofnon-compliant business processes
copy 2013 SAP AG All Rights Reserved Page 6 of 12
A Cloud-based Architecture
copy 2013 SAP AG All Rights Reserved Page 7 of 12
Demo Business Process Modeling
copy 2013 SAP AG All Rights Reserved Page 8 of 12
Demo Business Process Level Reasoning
copy 2013 SAP AG All Rights Reserved Page 9 of 12
Demo Implementation Level Reasoning
copy 2013 SAP AG All Rights Reserved Page 10 of 12
Thank you
Bibliography
Achim D Brucker and Isabelle Hang Secure and compliant implementation of businessprocess-driven systems In Marcello La Rosa and Pnina Soffer editors Joint Workshop onSecurity in Business Processes (SBP) volume 132 of Lecture Notes in BusinessInformation Processing (LNBIP) pages 662ndash674 Springer-Verlag 2012
httpwwwbruckerchbibliographyabstractbruckerea-secure-2012
Achim D Brucker Isabelle Hang Gero Luumlckemeyer and Raj Ruparel SecureBPMNModeling and enforcing access control requirements in business processes In ACMsymposium on access control models and technologies (SACMAT) pages 123ndash126 ACMPress 2012
httpwwwbruckerchbibliographyabstractbruckerea-securebpmn-2012
Luca Compagna Pierre Guilleminot and Achim D Brucker Business process compliancevia security validation as a service In Manuel Oriol and John Penix editors Testing ToolsTrack of International Conference on Software Testing Verification and Validation(ToolsICST) IEEE Computer Society 2013
httpwwwbruckerchbibliographyabstractcompagnaea-bp-compliance-2013
copy 2013 SAP AG All Rights Reserved Page 12 of 12
copy 2013 SAP AG All rights reserved
No part of this publication may be reproduced or transmitted in any formor for any purpose without the express permission of SAP AG Theinformation contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors containproprietary software components of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registeredtrademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System pSystem p5 System x System z System z10 System z9 z10 z9 iSeriespSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWEROpenPower PowerPC BatchPipes BladeCenter System Storage GPFSHACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel SysplexMVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informixare trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and othercountriesAdobe the Adobe logo Acrobat PostScript and Reader are eithertrademarks or registered trademarks of Adobe Systems Incorporated inthe United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the OpenGroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrameand MultiWin are trademarks or registered trademarks of Citrix SystemsIncHTML XML XHTML and W3C are trademarks or registered trademarks ofW3Creg World Wide Web Consortium Massachusetts Institute ofTechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc usedunder license for technology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAPBusinessObjects Explorer StreamWork and other SAP products andservices mentioned herein as well as their respective logos aretrademarks or registered trademarks of SAP AG in Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects CrystalReports Crystal Decisions Web Intelligence Xcelsius and other Business Objectsproducts and services mentioned herein as well as their respective logos aretrademarks or registered trademarks of Business Objects Software Ltd BusinessObjects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and otherSybase products and services mentioned herein as well as their respective logosare trademarks or registered trademarks of Sybase Inc Sybase is an SAPcompanyAll other product and service names mentioned are the trademarks of theirrespective companies Data contained in this document serves informationalpurposes only National product specifications may varyThe information in this document is proprietary to SAP No part of this documentmay be reproduced copied or transmitted in any form or for any purpose withoutthe express prior written permission of SAP AGThis document is a preliminary version and not subject to your license agreementor any other agreement with SAP This document contains only intendedstrategies developments and functionalities of the SAPreg product and is notintended to be binding upon SAP to any particular course of business productstrategy andor development Please note that this document is subject tochange and may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP doesnot warrant the accuracy or completeness of the information text graphics linksor other items contained within this material This document is provided without awarranty of any kind either express or implied including but not limited to theimplied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitationdirect special indirect or consequential damages that may result from the use ofthese materials This limitation shall not apply in cases of intent or grossnegligenceThe statutory liability for personal injury and defective products is not affectedSAP has no control over the information that you may access through the use ofhot links contained in these materials and does not endorse your use ofthird-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2013 SAP AG All Rights Reserved Page 13 of 12
Business Process Modeling
copy 2013 SAP AG All Rights Reserved Page 3 of 12
SecureBPMN
Subject
UserGroup0
0 Role0 0
0 0
Permission1 0
Action
0
1
AuthorisationConstraint
SoD+max Integer+static Boolean
BoD+min Integer+static Boolean
1
0
ItemAwareElementAction
Activity0
AtomicItemAwareElementAction
CompositeItemAwareElementAction0
0
NeedToKnow
ResourceAC
0
1
1
0
Delegator
Delegation+maxDepth Integer+negotiable Boolean
SimpleDelegation TransferDelegation
11 0
1
0
11
0
0 0
Process
Resource
SecurityFlowNode FlowNode FlowElementSecurityFlow1 1
10
Obligation
0
1
Policy
0
1
0 0
0
1
ItemAwareElement
ProcessAction
AtomicProcessAction
CompositeProcessAction0
0
ActivityAction
AtomicActiviyAction
CompositeActivityAction0
0
Access Control
DelegationlCompliance (SoDBoD)
Need to Knowl
Break-Glass
BPMN Meta-ModelActions
Visualisation
TriggerReset
0
1
1
0
1
0
BaseElement
bull Access Control
bull Delegation
bull SeparationBinding of Duty
bull Need to Know
bull Break Glass
copy 2013 SAP AG All Rights Reserved Page 4 of 12
What and Where to Check
What to Check
bull Structural issuesbull deadlocksbull
bull Compliance issuesbull need to knowbull separation of dutybull binding of dutybull data confidentialitybull
bull Security issuesbull access controlbull
Where to Check
bull Process levelbull consistency of security
specificationsbull static vs dynamic enforcementbull
bull Implementation levelbull access control infrastructurebull data flows (confidentiality)bull
How to Check
bull Model checking
bull Theorem proving (eg SMT)
bull Static code analysis
copy 2013 SAP AG All Rights Reserved Page 5 of 12
Security Validation of Business Process
bull Express security requirements
bull Detect vulnerabilities at design time
bull Highlight execution paths leading to asecurity violation so to provideguidelines in solving the problem
bull Mitigate the deployment ofnon-compliant business processes
copy 2013 SAP AG All Rights Reserved Page 6 of 12
A Cloud-based Architecture
copy 2013 SAP AG All Rights Reserved Page 7 of 12
Demo Business Process Modeling
copy 2013 SAP AG All Rights Reserved Page 8 of 12
Demo Business Process Level Reasoning
copy 2013 SAP AG All Rights Reserved Page 9 of 12
Demo Implementation Level Reasoning
copy 2013 SAP AG All Rights Reserved Page 10 of 12
Thank you
Bibliography
Achim D Brucker and Isabelle Hang Secure and compliant implementation of businessprocess-driven systems In Marcello La Rosa and Pnina Soffer editors Joint Workshop onSecurity in Business Processes (SBP) volume 132 of Lecture Notes in BusinessInformation Processing (LNBIP) pages 662ndash674 Springer-Verlag 2012
httpwwwbruckerchbibliographyabstractbruckerea-secure-2012
Achim D Brucker Isabelle Hang Gero Luumlckemeyer and Raj Ruparel SecureBPMNModeling and enforcing access control requirements in business processes In ACMsymposium on access control models and technologies (SACMAT) pages 123ndash126 ACMPress 2012
httpwwwbruckerchbibliographyabstractbruckerea-securebpmn-2012
Luca Compagna Pierre Guilleminot and Achim D Brucker Business process compliancevia security validation as a service In Manuel Oriol and John Penix editors Testing ToolsTrack of International Conference on Software Testing Verification and Validation(ToolsICST) IEEE Computer Society 2013
httpwwwbruckerchbibliographyabstractcompagnaea-bp-compliance-2013
copy 2013 SAP AG All Rights Reserved Page 12 of 12
copy 2013 SAP AG All rights reserved
No part of this publication may be reproduced or transmitted in any formor for any purpose without the express permission of SAP AG Theinformation contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors containproprietary software components of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registeredtrademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System pSystem p5 System x System z System z10 System z9 z10 z9 iSeriespSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWEROpenPower PowerPC BatchPipes BladeCenter System Storage GPFSHACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel SysplexMVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informixare trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and othercountriesAdobe the Adobe logo Acrobat PostScript and Reader are eithertrademarks or registered trademarks of Adobe Systems Incorporated inthe United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the OpenGroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrameand MultiWin are trademarks or registered trademarks of Citrix SystemsIncHTML XML XHTML and W3C are trademarks or registered trademarks ofW3Creg World Wide Web Consortium Massachusetts Institute ofTechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc usedunder license for technology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAPBusinessObjects Explorer StreamWork and other SAP products andservices mentioned herein as well as their respective logos aretrademarks or registered trademarks of SAP AG in Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects CrystalReports Crystal Decisions Web Intelligence Xcelsius and other Business Objectsproducts and services mentioned herein as well as their respective logos aretrademarks or registered trademarks of Business Objects Software Ltd BusinessObjects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and otherSybase products and services mentioned herein as well as their respective logosare trademarks or registered trademarks of Sybase Inc Sybase is an SAPcompanyAll other product and service names mentioned are the trademarks of theirrespective companies Data contained in this document serves informationalpurposes only National product specifications may varyThe information in this document is proprietary to SAP No part of this documentmay be reproduced copied or transmitted in any form or for any purpose withoutthe express prior written permission of SAP AGThis document is a preliminary version and not subject to your license agreementor any other agreement with SAP This document contains only intendedstrategies developments and functionalities of the SAPreg product and is notintended to be binding upon SAP to any particular course of business productstrategy andor development Please note that this document is subject tochange and may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP doesnot warrant the accuracy or completeness of the information text graphics linksor other items contained within this material This document is provided without awarranty of any kind either express or implied including but not limited to theimplied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitationdirect special indirect or consequential damages that may result from the use ofthese materials This limitation shall not apply in cases of intent or grossnegligenceThe statutory liability for personal injury and defective products is not affectedSAP has no control over the information that you may access through the use ofhot links contained in these materials and does not endorse your use ofthird-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2013 SAP AG All Rights Reserved Page 13 of 12
SecureBPMN
Subject
UserGroup0
0 Role0 0
0 0
Permission1 0
Action
0
1
AuthorisationConstraint
SoD+max Integer+static Boolean
BoD+min Integer+static Boolean
1
0
ItemAwareElementAction
Activity0
AtomicItemAwareElementAction
CompositeItemAwareElementAction0
0
NeedToKnow
ResourceAC
0
1
1
0
Delegator
Delegation+maxDepth Integer+negotiable Boolean
SimpleDelegation TransferDelegation
11 0
1
0
11
0
0 0
Process
Resource
SecurityFlowNode FlowNode FlowElementSecurityFlow1 1
10
Obligation
0
1
Policy
0
1
0 0
0
1
ItemAwareElement
ProcessAction
AtomicProcessAction
CompositeProcessAction0
0
ActivityAction
AtomicActiviyAction
CompositeActivityAction0
0
Access Control
DelegationlCompliance (SoDBoD)
Need to Knowl
Break-Glass
BPMN Meta-ModelActions
Visualisation
TriggerReset
0
1
1
0
1
0
BaseElement
bull Access Control
bull Delegation
bull SeparationBinding of Duty
bull Need to Know
bull Break Glass
copy 2013 SAP AG All Rights Reserved Page 4 of 12
What and Where to Check
What to Check
bull Structural issuesbull deadlocksbull
bull Compliance issuesbull need to knowbull separation of dutybull binding of dutybull data confidentialitybull
bull Security issuesbull access controlbull
Where to Check
bull Process levelbull consistency of security
specificationsbull static vs dynamic enforcementbull
bull Implementation levelbull access control infrastructurebull data flows (confidentiality)bull
How to Check
bull Model checking
bull Theorem proving (eg SMT)
bull Static code analysis
copy 2013 SAP AG All Rights Reserved Page 5 of 12
Security Validation of Business Process
bull Express security requirements
bull Detect vulnerabilities at design time
bull Highlight execution paths leading to asecurity violation so to provideguidelines in solving the problem
bull Mitigate the deployment ofnon-compliant business processes
copy 2013 SAP AG All Rights Reserved Page 6 of 12
A Cloud-based Architecture
copy 2013 SAP AG All Rights Reserved Page 7 of 12
Demo Business Process Modeling
copy 2013 SAP AG All Rights Reserved Page 8 of 12
Demo Business Process Level Reasoning
copy 2013 SAP AG All Rights Reserved Page 9 of 12
Demo Implementation Level Reasoning
copy 2013 SAP AG All Rights Reserved Page 10 of 12
Thank you
Bibliography
Achim D Brucker and Isabelle Hang Secure and compliant implementation of businessprocess-driven systems In Marcello La Rosa and Pnina Soffer editors Joint Workshop onSecurity in Business Processes (SBP) volume 132 of Lecture Notes in BusinessInformation Processing (LNBIP) pages 662ndash674 Springer-Verlag 2012
httpwwwbruckerchbibliographyabstractbruckerea-secure-2012
Achim D Brucker Isabelle Hang Gero Luumlckemeyer and Raj Ruparel SecureBPMNModeling and enforcing access control requirements in business processes In ACMsymposium on access control models and technologies (SACMAT) pages 123ndash126 ACMPress 2012
httpwwwbruckerchbibliographyabstractbruckerea-securebpmn-2012
Luca Compagna Pierre Guilleminot and Achim D Brucker Business process compliancevia security validation as a service In Manuel Oriol and John Penix editors Testing ToolsTrack of International Conference on Software Testing Verification and Validation(ToolsICST) IEEE Computer Society 2013
httpwwwbruckerchbibliographyabstractcompagnaea-bp-compliance-2013
copy 2013 SAP AG All Rights Reserved Page 12 of 12
copy 2013 SAP AG All rights reserved
No part of this publication may be reproduced or transmitted in any formor for any purpose without the express permission of SAP AG Theinformation contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors containproprietary software components of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registeredtrademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System pSystem p5 System x System z System z10 System z9 z10 z9 iSeriespSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWEROpenPower PowerPC BatchPipes BladeCenter System Storage GPFSHACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel SysplexMVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informixare trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and othercountriesAdobe the Adobe logo Acrobat PostScript and Reader are eithertrademarks or registered trademarks of Adobe Systems Incorporated inthe United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the OpenGroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrameand MultiWin are trademarks or registered trademarks of Citrix SystemsIncHTML XML XHTML and W3C are trademarks or registered trademarks ofW3Creg World Wide Web Consortium Massachusetts Institute ofTechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc usedunder license for technology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAPBusinessObjects Explorer StreamWork and other SAP products andservices mentioned herein as well as their respective logos aretrademarks or registered trademarks of SAP AG in Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects CrystalReports Crystal Decisions Web Intelligence Xcelsius and other Business Objectsproducts and services mentioned herein as well as their respective logos aretrademarks or registered trademarks of Business Objects Software Ltd BusinessObjects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and otherSybase products and services mentioned herein as well as their respective logosare trademarks or registered trademarks of Sybase Inc Sybase is an SAPcompanyAll other product and service names mentioned are the trademarks of theirrespective companies Data contained in this document serves informationalpurposes only National product specifications may varyThe information in this document is proprietary to SAP No part of this documentmay be reproduced copied or transmitted in any form or for any purpose withoutthe express prior written permission of SAP AGThis document is a preliminary version and not subject to your license agreementor any other agreement with SAP This document contains only intendedstrategies developments and functionalities of the SAPreg product and is notintended to be binding upon SAP to any particular course of business productstrategy andor development Please note that this document is subject tochange and may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP doesnot warrant the accuracy or completeness of the information text graphics linksor other items contained within this material This document is provided without awarranty of any kind either express or implied including but not limited to theimplied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitationdirect special indirect or consequential damages that may result from the use ofthese materials This limitation shall not apply in cases of intent or grossnegligenceThe statutory liability for personal injury and defective products is not affectedSAP has no control over the information that you may access through the use ofhot links contained in these materials and does not endorse your use ofthird-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2013 SAP AG All Rights Reserved Page 13 of 12
What and Where to Check
What to Check
bull Structural issuesbull deadlocksbull
bull Compliance issuesbull need to knowbull separation of dutybull binding of dutybull data confidentialitybull
bull Security issuesbull access controlbull
Where to Check
bull Process levelbull consistency of security
specificationsbull static vs dynamic enforcementbull
bull Implementation levelbull access control infrastructurebull data flows (confidentiality)bull
How to Check
bull Model checking
bull Theorem proving (eg SMT)
bull Static code analysis
copy 2013 SAP AG All Rights Reserved Page 5 of 12
Security Validation of Business Process
bull Express security requirements
bull Detect vulnerabilities at design time
bull Highlight execution paths leading to asecurity violation so to provideguidelines in solving the problem
bull Mitigate the deployment ofnon-compliant business processes
copy 2013 SAP AG All Rights Reserved Page 6 of 12
A Cloud-based Architecture
copy 2013 SAP AG All Rights Reserved Page 7 of 12
Demo Business Process Modeling
copy 2013 SAP AG All Rights Reserved Page 8 of 12
Demo Business Process Level Reasoning
copy 2013 SAP AG All Rights Reserved Page 9 of 12
Demo Implementation Level Reasoning
copy 2013 SAP AG All Rights Reserved Page 10 of 12
Thank you
Bibliography
Achim D Brucker and Isabelle Hang Secure and compliant implementation of businessprocess-driven systems In Marcello La Rosa and Pnina Soffer editors Joint Workshop onSecurity in Business Processes (SBP) volume 132 of Lecture Notes in BusinessInformation Processing (LNBIP) pages 662ndash674 Springer-Verlag 2012
httpwwwbruckerchbibliographyabstractbruckerea-secure-2012
Achim D Brucker Isabelle Hang Gero Luumlckemeyer and Raj Ruparel SecureBPMNModeling and enforcing access control requirements in business processes In ACMsymposium on access control models and technologies (SACMAT) pages 123ndash126 ACMPress 2012
httpwwwbruckerchbibliographyabstractbruckerea-securebpmn-2012
Luca Compagna Pierre Guilleminot and Achim D Brucker Business process compliancevia security validation as a service In Manuel Oriol and John Penix editors Testing ToolsTrack of International Conference on Software Testing Verification and Validation(ToolsICST) IEEE Computer Society 2013
httpwwwbruckerchbibliographyabstractcompagnaea-bp-compliance-2013
copy 2013 SAP AG All Rights Reserved Page 12 of 12
copy 2013 SAP AG All rights reserved
No part of this publication may be reproduced or transmitted in any formor for any purpose without the express permission of SAP AG Theinformation contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors containproprietary software components of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registeredtrademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System pSystem p5 System x System z System z10 System z9 z10 z9 iSeriespSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWEROpenPower PowerPC BatchPipes BladeCenter System Storage GPFSHACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel SysplexMVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informixare trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and othercountriesAdobe the Adobe logo Acrobat PostScript and Reader are eithertrademarks or registered trademarks of Adobe Systems Incorporated inthe United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the OpenGroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrameand MultiWin are trademarks or registered trademarks of Citrix SystemsIncHTML XML XHTML and W3C are trademarks or registered trademarks ofW3Creg World Wide Web Consortium Massachusetts Institute ofTechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc usedunder license for technology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAPBusinessObjects Explorer StreamWork and other SAP products andservices mentioned herein as well as their respective logos aretrademarks or registered trademarks of SAP AG in Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects CrystalReports Crystal Decisions Web Intelligence Xcelsius and other Business Objectsproducts and services mentioned herein as well as their respective logos aretrademarks or registered trademarks of Business Objects Software Ltd BusinessObjects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and otherSybase products and services mentioned herein as well as their respective logosare trademarks or registered trademarks of Sybase Inc Sybase is an SAPcompanyAll other product and service names mentioned are the trademarks of theirrespective companies Data contained in this document serves informationalpurposes only National product specifications may varyThe information in this document is proprietary to SAP No part of this documentmay be reproduced copied or transmitted in any form or for any purpose withoutthe express prior written permission of SAP AGThis document is a preliminary version and not subject to your license agreementor any other agreement with SAP This document contains only intendedstrategies developments and functionalities of the SAPreg product and is notintended to be binding upon SAP to any particular course of business productstrategy andor development Please note that this document is subject tochange and may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP doesnot warrant the accuracy or completeness of the information text graphics linksor other items contained within this material This document is provided without awarranty of any kind either express or implied including but not limited to theimplied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitationdirect special indirect or consequential damages that may result from the use ofthese materials This limitation shall not apply in cases of intent or grossnegligenceThe statutory liability for personal injury and defective products is not affectedSAP has no control over the information that you may access through the use ofhot links contained in these materials and does not endorse your use ofthird-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2013 SAP AG All Rights Reserved Page 13 of 12
Security Validation of Business Process
bull Express security requirements
bull Detect vulnerabilities at design time
bull Highlight execution paths leading to asecurity violation so to provideguidelines in solving the problem
bull Mitigate the deployment ofnon-compliant business processes
copy 2013 SAP AG All Rights Reserved Page 6 of 12
A Cloud-based Architecture
copy 2013 SAP AG All Rights Reserved Page 7 of 12
Demo Business Process Modeling
copy 2013 SAP AG All Rights Reserved Page 8 of 12
Demo Business Process Level Reasoning
copy 2013 SAP AG All Rights Reserved Page 9 of 12
Demo Implementation Level Reasoning
copy 2013 SAP AG All Rights Reserved Page 10 of 12
Thank you
Bibliography
Achim D Brucker and Isabelle Hang Secure and compliant implementation of businessprocess-driven systems In Marcello La Rosa and Pnina Soffer editors Joint Workshop onSecurity in Business Processes (SBP) volume 132 of Lecture Notes in BusinessInformation Processing (LNBIP) pages 662ndash674 Springer-Verlag 2012
httpwwwbruckerchbibliographyabstractbruckerea-secure-2012
Achim D Brucker Isabelle Hang Gero Luumlckemeyer and Raj Ruparel SecureBPMNModeling and enforcing access control requirements in business processes In ACMsymposium on access control models and technologies (SACMAT) pages 123ndash126 ACMPress 2012
httpwwwbruckerchbibliographyabstractbruckerea-securebpmn-2012
Luca Compagna Pierre Guilleminot and Achim D Brucker Business process compliancevia security validation as a service In Manuel Oriol and John Penix editors Testing ToolsTrack of International Conference on Software Testing Verification and Validation(ToolsICST) IEEE Computer Society 2013
httpwwwbruckerchbibliographyabstractcompagnaea-bp-compliance-2013
copy 2013 SAP AG All Rights Reserved Page 12 of 12
copy 2013 SAP AG All rights reserved
No part of this publication may be reproduced or transmitted in any formor for any purpose without the express permission of SAP AG Theinformation contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors containproprietary software components of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registeredtrademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System pSystem p5 System x System z System z10 System z9 z10 z9 iSeriespSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWEROpenPower PowerPC BatchPipes BladeCenter System Storage GPFSHACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel SysplexMVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informixare trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and othercountriesAdobe the Adobe logo Acrobat PostScript and Reader are eithertrademarks or registered trademarks of Adobe Systems Incorporated inthe United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the OpenGroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrameand MultiWin are trademarks or registered trademarks of Citrix SystemsIncHTML XML XHTML and W3C are trademarks or registered trademarks ofW3Creg World Wide Web Consortium Massachusetts Institute ofTechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc usedunder license for technology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAPBusinessObjects Explorer StreamWork and other SAP products andservices mentioned herein as well as their respective logos aretrademarks or registered trademarks of SAP AG in Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects CrystalReports Crystal Decisions Web Intelligence Xcelsius and other Business Objectsproducts and services mentioned herein as well as their respective logos aretrademarks or registered trademarks of Business Objects Software Ltd BusinessObjects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and otherSybase products and services mentioned herein as well as their respective logosare trademarks or registered trademarks of Sybase Inc Sybase is an SAPcompanyAll other product and service names mentioned are the trademarks of theirrespective companies Data contained in this document serves informationalpurposes only National product specifications may varyThe information in this document is proprietary to SAP No part of this documentmay be reproduced copied or transmitted in any form or for any purpose withoutthe express prior written permission of SAP AGThis document is a preliminary version and not subject to your license agreementor any other agreement with SAP This document contains only intendedstrategies developments and functionalities of the SAPreg product and is notintended to be binding upon SAP to any particular course of business productstrategy andor development Please note that this document is subject tochange and may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP doesnot warrant the accuracy or completeness of the information text graphics linksor other items contained within this material This document is provided without awarranty of any kind either express or implied including but not limited to theimplied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitationdirect special indirect or consequential damages that may result from the use ofthese materials This limitation shall not apply in cases of intent or grossnegligenceThe statutory liability for personal injury and defective products is not affectedSAP has no control over the information that you may access through the use ofhot links contained in these materials and does not endorse your use ofthird-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2013 SAP AG All Rights Reserved Page 13 of 12
A Cloud-based Architecture
copy 2013 SAP AG All Rights Reserved Page 7 of 12
Demo Business Process Modeling
copy 2013 SAP AG All Rights Reserved Page 8 of 12
Demo Business Process Level Reasoning
copy 2013 SAP AG All Rights Reserved Page 9 of 12
Demo Implementation Level Reasoning
copy 2013 SAP AG All Rights Reserved Page 10 of 12
Thank you
Bibliography
Achim D Brucker and Isabelle Hang Secure and compliant implementation of businessprocess-driven systems In Marcello La Rosa and Pnina Soffer editors Joint Workshop onSecurity in Business Processes (SBP) volume 132 of Lecture Notes in BusinessInformation Processing (LNBIP) pages 662ndash674 Springer-Verlag 2012
httpwwwbruckerchbibliographyabstractbruckerea-secure-2012
Achim D Brucker Isabelle Hang Gero Luumlckemeyer and Raj Ruparel SecureBPMNModeling and enforcing access control requirements in business processes In ACMsymposium on access control models and technologies (SACMAT) pages 123ndash126 ACMPress 2012
httpwwwbruckerchbibliographyabstractbruckerea-securebpmn-2012
Luca Compagna Pierre Guilleminot and Achim D Brucker Business process compliancevia security validation as a service In Manuel Oriol and John Penix editors Testing ToolsTrack of International Conference on Software Testing Verification and Validation(ToolsICST) IEEE Computer Society 2013
httpwwwbruckerchbibliographyabstractcompagnaea-bp-compliance-2013
copy 2013 SAP AG All Rights Reserved Page 12 of 12
copy 2013 SAP AG All rights reserved
No part of this publication may be reproduced or transmitted in any formor for any purpose without the express permission of SAP AG Theinformation contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors containproprietary software components of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registeredtrademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System pSystem p5 System x System z System z10 System z9 z10 z9 iSeriespSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWEROpenPower PowerPC BatchPipes BladeCenter System Storage GPFSHACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel SysplexMVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informixare trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and othercountriesAdobe the Adobe logo Acrobat PostScript and Reader are eithertrademarks or registered trademarks of Adobe Systems Incorporated inthe United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the OpenGroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrameand MultiWin are trademarks or registered trademarks of Citrix SystemsIncHTML XML XHTML and W3C are trademarks or registered trademarks ofW3Creg World Wide Web Consortium Massachusetts Institute ofTechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc usedunder license for technology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAPBusinessObjects Explorer StreamWork and other SAP products andservices mentioned herein as well as their respective logos aretrademarks or registered trademarks of SAP AG in Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects CrystalReports Crystal Decisions Web Intelligence Xcelsius and other Business Objectsproducts and services mentioned herein as well as their respective logos aretrademarks or registered trademarks of Business Objects Software Ltd BusinessObjects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and otherSybase products and services mentioned herein as well as their respective logosare trademarks or registered trademarks of Sybase Inc Sybase is an SAPcompanyAll other product and service names mentioned are the trademarks of theirrespective companies Data contained in this document serves informationalpurposes only National product specifications may varyThe information in this document is proprietary to SAP No part of this documentmay be reproduced copied or transmitted in any form or for any purpose withoutthe express prior written permission of SAP AGThis document is a preliminary version and not subject to your license agreementor any other agreement with SAP This document contains only intendedstrategies developments and functionalities of the SAPreg product and is notintended to be binding upon SAP to any particular course of business productstrategy andor development Please note that this document is subject tochange and may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP doesnot warrant the accuracy or completeness of the information text graphics linksor other items contained within this material This document is provided without awarranty of any kind either express or implied including but not limited to theimplied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitationdirect special indirect or consequential damages that may result from the use ofthese materials This limitation shall not apply in cases of intent or grossnegligenceThe statutory liability for personal injury and defective products is not affectedSAP has no control over the information that you may access through the use ofhot links contained in these materials and does not endorse your use ofthird-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2013 SAP AG All Rights Reserved Page 13 of 12
Demo Business Process Modeling
copy 2013 SAP AG All Rights Reserved Page 8 of 12
Demo Business Process Level Reasoning
copy 2013 SAP AG All Rights Reserved Page 9 of 12
Demo Implementation Level Reasoning
copy 2013 SAP AG All Rights Reserved Page 10 of 12
Thank you
Bibliography
Achim D Brucker and Isabelle Hang Secure and compliant implementation of businessprocess-driven systems In Marcello La Rosa and Pnina Soffer editors Joint Workshop onSecurity in Business Processes (SBP) volume 132 of Lecture Notes in BusinessInformation Processing (LNBIP) pages 662ndash674 Springer-Verlag 2012
httpwwwbruckerchbibliographyabstractbruckerea-secure-2012
Achim D Brucker Isabelle Hang Gero Luumlckemeyer and Raj Ruparel SecureBPMNModeling and enforcing access control requirements in business processes In ACMsymposium on access control models and technologies (SACMAT) pages 123ndash126 ACMPress 2012
httpwwwbruckerchbibliographyabstractbruckerea-securebpmn-2012
Luca Compagna Pierre Guilleminot and Achim D Brucker Business process compliancevia security validation as a service In Manuel Oriol and John Penix editors Testing ToolsTrack of International Conference on Software Testing Verification and Validation(ToolsICST) IEEE Computer Society 2013
httpwwwbruckerchbibliographyabstractcompagnaea-bp-compliance-2013
copy 2013 SAP AG All Rights Reserved Page 12 of 12
copy 2013 SAP AG All rights reserved
No part of this publication may be reproduced or transmitted in any formor for any purpose without the express permission of SAP AG Theinformation contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors containproprietary software components of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registeredtrademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System pSystem p5 System x System z System z10 System z9 z10 z9 iSeriespSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWEROpenPower PowerPC BatchPipes BladeCenter System Storage GPFSHACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel SysplexMVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informixare trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and othercountriesAdobe the Adobe logo Acrobat PostScript and Reader are eithertrademarks or registered trademarks of Adobe Systems Incorporated inthe United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the OpenGroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrameand MultiWin are trademarks or registered trademarks of Citrix SystemsIncHTML XML XHTML and W3C are trademarks or registered trademarks ofW3Creg World Wide Web Consortium Massachusetts Institute ofTechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc usedunder license for technology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAPBusinessObjects Explorer StreamWork and other SAP products andservices mentioned herein as well as their respective logos aretrademarks or registered trademarks of SAP AG in Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects CrystalReports Crystal Decisions Web Intelligence Xcelsius and other Business Objectsproducts and services mentioned herein as well as their respective logos aretrademarks or registered trademarks of Business Objects Software Ltd BusinessObjects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and otherSybase products and services mentioned herein as well as their respective logosare trademarks or registered trademarks of Sybase Inc Sybase is an SAPcompanyAll other product and service names mentioned are the trademarks of theirrespective companies Data contained in this document serves informationalpurposes only National product specifications may varyThe information in this document is proprietary to SAP No part of this documentmay be reproduced copied or transmitted in any form or for any purpose withoutthe express prior written permission of SAP AGThis document is a preliminary version and not subject to your license agreementor any other agreement with SAP This document contains only intendedstrategies developments and functionalities of the SAPreg product and is notintended to be binding upon SAP to any particular course of business productstrategy andor development Please note that this document is subject tochange and may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP doesnot warrant the accuracy or completeness of the information text graphics linksor other items contained within this material This document is provided without awarranty of any kind either express or implied including but not limited to theimplied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitationdirect special indirect or consequential damages that may result from the use ofthese materials This limitation shall not apply in cases of intent or grossnegligenceThe statutory liability for personal injury and defective products is not affectedSAP has no control over the information that you may access through the use ofhot links contained in these materials and does not endorse your use ofthird-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2013 SAP AG All Rights Reserved Page 13 of 12
Demo Business Process Level Reasoning
copy 2013 SAP AG All Rights Reserved Page 9 of 12
Demo Implementation Level Reasoning
copy 2013 SAP AG All Rights Reserved Page 10 of 12
Thank you
Bibliography
Achim D Brucker and Isabelle Hang Secure and compliant implementation of businessprocess-driven systems In Marcello La Rosa and Pnina Soffer editors Joint Workshop onSecurity in Business Processes (SBP) volume 132 of Lecture Notes in BusinessInformation Processing (LNBIP) pages 662ndash674 Springer-Verlag 2012
httpwwwbruckerchbibliographyabstractbruckerea-secure-2012
Achim D Brucker Isabelle Hang Gero Luumlckemeyer and Raj Ruparel SecureBPMNModeling and enforcing access control requirements in business processes In ACMsymposium on access control models and technologies (SACMAT) pages 123ndash126 ACMPress 2012
httpwwwbruckerchbibliographyabstractbruckerea-securebpmn-2012
Luca Compagna Pierre Guilleminot and Achim D Brucker Business process compliancevia security validation as a service In Manuel Oriol and John Penix editors Testing ToolsTrack of International Conference on Software Testing Verification and Validation(ToolsICST) IEEE Computer Society 2013
httpwwwbruckerchbibliographyabstractcompagnaea-bp-compliance-2013
copy 2013 SAP AG All Rights Reserved Page 12 of 12
copy 2013 SAP AG All rights reserved
No part of this publication may be reproduced or transmitted in any formor for any purpose without the express permission of SAP AG Theinformation contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors containproprietary software components of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registeredtrademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System pSystem p5 System x System z System z10 System z9 z10 z9 iSeriespSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWEROpenPower PowerPC BatchPipes BladeCenter System Storage GPFSHACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel SysplexMVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informixare trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and othercountriesAdobe the Adobe logo Acrobat PostScript and Reader are eithertrademarks or registered trademarks of Adobe Systems Incorporated inthe United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the OpenGroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrameand MultiWin are trademarks or registered trademarks of Citrix SystemsIncHTML XML XHTML and W3C are trademarks or registered trademarks ofW3Creg World Wide Web Consortium Massachusetts Institute ofTechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc usedunder license for technology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAPBusinessObjects Explorer StreamWork and other SAP products andservices mentioned herein as well as their respective logos aretrademarks or registered trademarks of SAP AG in Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects CrystalReports Crystal Decisions Web Intelligence Xcelsius and other Business Objectsproducts and services mentioned herein as well as their respective logos aretrademarks or registered trademarks of Business Objects Software Ltd BusinessObjects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and otherSybase products and services mentioned herein as well as their respective logosare trademarks or registered trademarks of Sybase Inc Sybase is an SAPcompanyAll other product and service names mentioned are the trademarks of theirrespective companies Data contained in this document serves informationalpurposes only National product specifications may varyThe information in this document is proprietary to SAP No part of this documentmay be reproduced copied or transmitted in any form or for any purpose withoutthe express prior written permission of SAP AGThis document is a preliminary version and not subject to your license agreementor any other agreement with SAP This document contains only intendedstrategies developments and functionalities of the SAPreg product and is notintended to be binding upon SAP to any particular course of business productstrategy andor development Please note that this document is subject tochange and may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP doesnot warrant the accuracy or completeness of the information text graphics linksor other items contained within this material This document is provided without awarranty of any kind either express or implied including but not limited to theimplied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitationdirect special indirect or consequential damages that may result from the use ofthese materials This limitation shall not apply in cases of intent or grossnegligenceThe statutory liability for personal injury and defective products is not affectedSAP has no control over the information that you may access through the use ofhot links contained in these materials and does not endorse your use ofthird-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2013 SAP AG All Rights Reserved Page 13 of 12
Demo Implementation Level Reasoning
copy 2013 SAP AG All Rights Reserved Page 10 of 12
Thank you
Bibliography
Achim D Brucker and Isabelle Hang Secure and compliant implementation of businessprocess-driven systems In Marcello La Rosa and Pnina Soffer editors Joint Workshop onSecurity in Business Processes (SBP) volume 132 of Lecture Notes in BusinessInformation Processing (LNBIP) pages 662ndash674 Springer-Verlag 2012
httpwwwbruckerchbibliographyabstractbruckerea-secure-2012
Achim D Brucker Isabelle Hang Gero Luumlckemeyer and Raj Ruparel SecureBPMNModeling and enforcing access control requirements in business processes In ACMsymposium on access control models and technologies (SACMAT) pages 123ndash126 ACMPress 2012
httpwwwbruckerchbibliographyabstractbruckerea-securebpmn-2012
Luca Compagna Pierre Guilleminot and Achim D Brucker Business process compliancevia security validation as a service In Manuel Oriol and John Penix editors Testing ToolsTrack of International Conference on Software Testing Verification and Validation(ToolsICST) IEEE Computer Society 2013
httpwwwbruckerchbibliographyabstractcompagnaea-bp-compliance-2013
copy 2013 SAP AG All Rights Reserved Page 12 of 12
copy 2013 SAP AG All rights reserved
No part of this publication may be reproduced or transmitted in any formor for any purpose without the express permission of SAP AG Theinformation contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors containproprietary software components of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registeredtrademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System pSystem p5 System x System z System z10 System z9 z10 z9 iSeriespSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWEROpenPower PowerPC BatchPipes BladeCenter System Storage GPFSHACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel SysplexMVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informixare trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and othercountriesAdobe the Adobe logo Acrobat PostScript and Reader are eithertrademarks or registered trademarks of Adobe Systems Incorporated inthe United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the OpenGroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrameand MultiWin are trademarks or registered trademarks of Citrix SystemsIncHTML XML XHTML and W3C are trademarks or registered trademarks ofW3Creg World Wide Web Consortium Massachusetts Institute ofTechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc usedunder license for technology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAPBusinessObjects Explorer StreamWork and other SAP products andservices mentioned herein as well as their respective logos aretrademarks or registered trademarks of SAP AG in Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects CrystalReports Crystal Decisions Web Intelligence Xcelsius and other Business Objectsproducts and services mentioned herein as well as their respective logos aretrademarks or registered trademarks of Business Objects Software Ltd BusinessObjects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and otherSybase products and services mentioned herein as well as their respective logosare trademarks or registered trademarks of Sybase Inc Sybase is an SAPcompanyAll other product and service names mentioned are the trademarks of theirrespective companies Data contained in this document serves informationalpurposes only National product specifications may varyThe information in this document is proprietary to SAP No part of this documentmay be reproduced copied or transmitted in any form or for any purpose withoutthe express prior written permission of SAP AGThis document is a preliminary version and not subject to your license agreementor any other agreement with SAP This document contains only intendedstrategies developments and functionalities of the SAPreg product and is notintended to be binding upon SAP to any particular course of business productstrategy andor development Please note that this document is subject tochange and may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP doesnot warrant the accuracy or completeness of the information text graphics linksor other items contained within this material This document is provided without awarranty of any kind either express or implied including but not limited to theimplied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitationdirect special indirect or consequential damages that may result from the use ofthese materials This limitation shall not apply in cases of intent or grossnegligenceThe statutory liability for personal injury and defective products is not affectedSAP has no control over the information that you may access through the use ofhot links contained in these materials and does not endorse your use ofthird-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2013 SAP AG All Rights Reserved Page 13 of 12
Thank you
Bibliography
Achim D Brucker and Isabelle Hang Secure and compliant implementation of businessprocess-driven systems In Marcello La Rosa and Pnina Soffer editors Joint Workshop onSecurity in Business Processes (SBP) volume 132 of Lecture Notes in BusinessInformation Processing (LNBIP) pages 662ndash674 Springer-Verlag 2012
httpwwwbruckerchbibliographyabstractbruckerea-secure-2012
Achim D Brucker Isabelle Hang Gero Luumlckemeyer and Raj Ruparel SecureBPMNModeling and enforcing access control requirements in business processes In ACMsymposium on access control models and technologies (SACMAT) pages 123ndash126 ACMPress 2012
httpwwwbruckerchbibliographyabstractbruckerea-securebpmn-2012
Luca Compagna Pierre Guilleminot and Achim D Brucker Business process compliancevia security validation as a service In Manuel Oriol and John Penix editors Testing ToolsTrack of International Conference on Software Testing Verification and Validation(ToolsICST) IEEE Computer Society 2013
httpwwwbruckerchbibliographyabstractcompagnaea-bp-compliance-2013
copy 2013 SAP AG All Rights Reserved Page 12 of 12
copy 2013 SAP AG All rights reserved
No part of this publication may be reproduced or transmitted in any formor for any purpose without the express permission of SAP AG Theinformation contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors containproprietary software components of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registeredtrademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System pSystem p5 System x System z System z10 System z9 z10 z9 iSeriespSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWEROpenPower PowerPC BatchPipes BladeCenter System Storage GPFSHACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel SysplexMVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informixare trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and othercountriesAdobe the Adobe logo Acrobat PostScript and Reader are eithertrademarks or registered trademarks of Adobe Systems Incorporated inthe United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the OpenGroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrameand MultiWin are trademarks or registered trademarks of Citrix SystemsIncHTML XML XHTML and W3C are trademarks or registered trademarks ofW3Creg World Wide Web Consortium Massachusetts Institute ofTechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc usedunder license for technology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAPBusinessObjects Explorer StreamWork and other SAP products andservices mentioned herein as well as their respective logos aretrademarks or registered trademarks of SAP AG in Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects CrystalReports Crystal Decisions Web Intelligence Xcelsius and other Business Objectsproducts and services mentioned herein as well as their respective logos aretrademarks or registered trademarks of Business Objects Software Ltd BusinessObjects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and otherSybase products and services mentioned herein as well as their respective logosare trademarks or registered trademarks of Sybase Inc Sybase is an SAPcompanyAll other product and service names mentioned are the trademarks of theirrespective companies Data contained in this document serves informationalpurposes only National product specifications may varyThe information in this document is proprietary to SAP No part of this documentmay be reproduced copied or transmitted in any form or for any purpose withoutthe express prior written permission of SAP AGThis document is a preliminary version and not subject to your license agreementor any other agreement with SAP This document contains only intendedstrategies developments and functionalities of the SAPreg product and is notintended to be binding upon SAP to any particular course of business productstrategy andor development Please note that this document is subject tochange and may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP doesnot warrant the accuracy or completeness of the information text graphics linksor other items contained within this material This document is provided without awarranty of any kind either express or implied including but not limited to theimplied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitationdirect special indirect or consequential damages that may result from the use ofthese materials This limitation shall not apply in cases of intent or grossnegligenceThe statutory liability for personal injury and defective products is not affectedSAP has no control over the information that you may access through the use ofhot links contained in these materials and does not endorse your use ofthird-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2013 SAP AG All Rights Reserved Page 13 of 12
Bibliography
Achim D Brucker and Isabelle Hang Secure and compliant implementation of businessprocess-driven systems In Marcello La Rosa and Pnina Soffer editors Joint Workshop onSecurity in Business Processes (SBP) volume 132 of Lecture Notes in BusinessInformation Processing (LNBIP) pages 662ndash674 Springer-Verlag 2012
httpwwwbruckerchbibliographyabstractbruckerea-secure-2012
Achim D Brucker Isabelle Hang Gero Luumlckemeyer and Raj Ruparel SecureBPMNModeling and enforcing access control requirements in business processes In ACMsymposium on access control models and technologies (SACMAT) pages 123ndash126 ACMPress 2012
httpwwwbruckerchbibliographyabstractbruckerea-securebpmn-2012
Luca Compagna Pierre Guilleminot and Achim D Brucker Business process compliancevia security validation as a service In Manuel Oriol and John Penix editors Testing ToolsTrack of International Conference on Software Testing Verification and Validation(ToolsICST) IEEE Computer Society 2013
httpwwwbruckerchbibliographyabstractcompagnaea-bp-compliance-2013
copy 2013 SAP AG All Rights Reserved Page 12 of 12
copy 2013 SAP AG All rights reserved
No part of this publication may be reproduced or transmitted in any formor for any purpose without the express permission of SAP AG Theinformation contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors containproprietary software components of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registeredtrademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System pSystem p5 System x System z System z10 System z9 z10 z9 iSeriespSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWEROpenPower PowerPC BatchPipes BladeCenter System Storage GPFSHACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel SysplexMVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informixare trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and othercountriesAdobe the Adobe logo Acrobat PostScript and Reader are eithertrademarks or registered trademarks of Adobe Systems Incorporated inthe United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the OpenGroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrameand MultiWin are trademarks or registered trademarks of Citrix SystemsIncHTML XML XHTML and W3C are trademarks or registered trademarks ofW3Creg World Wide Web Consortium Massachusetts Institute ofTechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc usedunder license for technology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAPBusinessObjects Explorer StreamWork and other SAP products andservices mentioned herein as well as their respective logos aretrademarks or registered trademarks of SAP AG in Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects CrystalReports Crystal Decisions Web Intelligence Xcelsius and other Business Objectsproducts and services mentioned herein as well as their respective logos aretrademarks or registered trademarks of Business Objects Software Ltd BusinessObjects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and otherSybase products and services mentioned herein as well as their respective logosare trademarks or registered trademarks of Sybase Inc Sybase is an SAPcompanyAll other product and service names mentioned are the trademarks of theirrespective companies Data contained in this document serves informationalpurposes only National product specifications may varyThe information in this document is proprietary to SAP No part of this documentmay be reproduced copied or transmitted in any form or for any purpose withoutthe express prior written permission of SAP AGThis document is a preliminary version and not subject to your license agreementor any other agreement with SAP This document contains only intendedstrategies developments and functionalities of the SAPreg product and is notintended to be binding upon SAP to any particular course of business productstrategy andor development Please note that this document is subject tochange and may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP doesnot warrant the accuracy or completeness of the information text graphics linksor other items contained within this material This document is provided without awarranty of any kind either express or implied including but not limited to theimplied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitationdirect special indirect or consequential damages that may result from the use ofthese materials This limitation shall not apply in cases of intent or grossnegligenceThe statutory liability for personal injury and defective products is not affectedSAP has no control over the information that you may access through the use ofhot links contained in these materials and does not endorse your use ofthird-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2013 SAP AG All Rights Reserved Page 13 of 12
copy 2013 SAP AG All rights reserved
No part of this publication may be reproduced or transmitted in any formor for any purpose without the express permission of SAP AG Theinformation contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors containproprietary software components of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registeredtrademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System pSystem p5 System x System z System z10 System z9 z10 z9 iSeriespSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWEROpenPower PowerPC BatchPipes BladeCenter System Storage GPFSHACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel SysplexMVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informixare trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and othercountriesAdobe the Adobe logo Acrobat PostScript and Reader are eithertrademarks or registered trademarks of Adobe Systems Incorporated inthe United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the OpenGroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrameand MultiWin are trademarks or registered trademarks of Citrix SystemsIncHTML XML XHTML and W3C are trademarks or registered trademarks ofW3Creg World Wide Web Consortium Massachusetts Institute ofTechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc usedunder license for technology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAPBusinessObjects Explorer StreamWork and other SAP products andservices mentioned herein as well as their respective logos aretrademarks or registered trademarks of SAP AG in Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects CrystalReports Crystal Decisions Web Intelligence Xcelsius and other Business Objectsproducts and services mentioned herein as well as their respective logos aretrademarks or registered trademarks of Business Objects Software Ltd BusinessObjects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and otherSybase products and services mentioned herein as well as their respective logosare trademarks or registered trademarks of Sybase Inc Sybase is an SAPcompanyAll other product and service names mentioned are the trademarks of theirrespective companies Data contained in this document serves informationalpurposes only National product specifications may varyThe information in this document is proprietary to SAP No part of this documentmay be reproduced copied or transmitted in any form or for any purpose withoutthe express prior written permission of SAP AGThis document is a preliminary version and not subject to your license agreementor any other agreement with SAP This document contains only intendedstrategies developments and functionalities of the SAPreg product and is notintended to be binding upon SAP to any particular course of business productstrategy andor development Please note that this document is subject tochange and may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP doesnot warrant the accuracy or completeness of the information text graphics linksor other items contained within this material This document is provided without awarranty of any kind either express or implied including but not limited to theimplied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitationdirect special indirect or consequential damages that may result from the use ofthese materials This limitation shall not apply in cases of intent or grossnegligenceThe statutory liability for personal injury and defective products is not affectedSAP has no control over the information that you may access through the use ofhot links contained in these materials and does not endorse your use ofthird-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2013 SAP AG All Rights Reserved Page 13 of 12