ABSTRACT
When building an access-control-aware system, integrating access control specifications into the development process is problematic. Even if security modeling is structured in the early phases of development, security mechanisms are placed into the system in the final phases. This late integration harms the security and maintainability of the resulting system. In this paper, we present a solution to this problem. We propose a Unified Modeling Language (UML) Profile for Role-Based Access Control (RBAC), with which access control specifications can be modeled graphically together with problem domain specifications from the beginning of the design phase, making it possible to extend security integration over the entire development process. We incorporated significant RBAC constraints, such as static and dynamic separation of duties, into the profile and showed how the Object Constraint Language (OCL) is used to validate the well-formedness and meaning of information models against RBAC.
Index Terms
- A UML profile for role-based access control