Designing Data Security Diagrams: Using UML/BPMN and ArchiMate to Map Access Rights
The article explains how to create data‑security diagrams that map which participants can access specific enterprise data, recommends breaking large diagrams into role‑based views, and illustrates the approach with UML/BPMN and ArchiMate models while addressing compliance and trust considerations.
In simple terms, the security of enterprise data and its accessibility should not be treated merely as an asset; a data‑security diagram describes which participants (people, organizations, or systems) may access which corporate data.
This relationship can be represented as a matrix or as a mapping between two objects. The diagram can also be used to demonstrate compliance with privacy regulations such as HIPAA and SOX, while taking into account the trust impact of partners, outsourcing, or cross‑border hosting.
Because large diagrams become hard to read, it is recommended to create a separate data‑security relationship diagram for each business entity or role, focusing on participants and their tasks, or on external access to systems.
An example table illustrating this approach is shown below.
Links between entities are still required because they can be used in any type of diagram.
UML/BPMN EAP Profile
External participant: participants outside the enterprise.
Internal participant: participants belonging to the enterprise.
Data flow: an activity element (e.g., actor, process) on one side and a data‑carrying element (entity, event, product) on the other; the flow can indicate "adaptability", i.e., what access rights and permissions the activity element has over the data.
ArchiMate
This diagram shows who has the right to access which data and what permissions are granted.
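The participant-to-data mapping described above can also be kept as data and checked mechanically. The following is an added example, not part of the original article: it merges data flows into an access matrix, produces one small view per participant, and lists external participants that touch regulated data. All participant names, data entities, and the regulation tags are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data flows: (participant, kind, data entity, permissions).
# All names are hypothetical; "kind" follows the internal/external split above.
FLOWS = [
    ("Billing clerk", "internal", "Invoice", {"read", "update"}),
    ("Billing clerk", "internal", "Patient record", {"read"}),
    ("Physician", "internal", "Patient record", {"read", "create", "update"}),
    ("Outsourced call center", "external", "Patient record", {"read"}),
    ("Outsourced call center", "external", "Invoice", {"read"}),
    ("Audit firm", "external", "Ledger", {"read"}),
    ("Billing clerk", "internal", "Invoice", {"create"}),  # second flow, same pair
]
# Assumed tagging of data entities with the regulation that covers them.
REGULATED = {"Patient record": "HIPAA", "Ledger": "SOX"}


def build_matrix(flows):
    """Merge data flows into a participant x data matrix of permission sets."""
    kinds, matrix = {}, defaultdict(lambda: defaultdict(set))
    for who, kind, data, perms in flows:
        if kinds.setdefault(who, kind) != kind:
            raise ValueError(f"{who} is marked both internal and external")
        matrix[who][data] |= perms
    return kinds, matrix


def role_view(matrix, who):
    """One small diagram per participant: its data and sorted permissions."""
    return {data: sorted(perms) for data, perms in sorted(matrix[who].items())}


def external_regulated_access(kinds, matrix, regulated):
    """Rows a compliance reviewer checks first: outside parties on regulated data."""
    return sorted(
        (who, data, regulated[data], tuple(sorted(perms)))
        for who, row in matrix.items() if kinds[who] == "external"
        for data, perms in row.items() if data in regulated
    )


if __name__ == "__main__":
    kinds, matrix = build_matrix(FLOWS)
    for who in sorted(matrix):
        print(f"[{kinds[who]}] {who}: {role_view(matrix, who)}")
    for finding in external_regulated_access(kinds, matrix, REGULATED):
        print("review:", finding)
```

Keeping the flows as the single source and deriving each per-participant view from them avoids the views drifting apart when a permission changes.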
Source: https://architect.pub/togaf-modeling-data-security-diagrams
Architects Research Society