Deriving authorizations from process analysis in legacy information systems

The problem of analyzing security requirements is to be addressed in legacy systems when planned restructuring interventions involve also security aspects. In this paper, we propose a three-level model for authorization analysis and an associated method to extract authorizations from legacy systems. The model allows the security administrator to analyze process authorizations for database accesses at different granularity levels of the involved data. The connection between processes and user roles within organizational units of the legacy system are discussed. The initial results of an experimentation of the approach on a set of processes and databases of the Italian Public Administration information systems are presented.