nach oben

International Journal of Information Security

Erschienen in:

01.04.2016 | Regular Contribution

A uniform approach for access control and business models with explicit rule realization

verfasst von: Vahid R. Karimi, Paulo S. C. Alencar, Donald D. Cowan

Erschienen in: International Journal of Information Security | Ausgabe 2/2016

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Access control is an important part of security in software, such as business applications, since it determines the access of users to objects and operations and the constraints of this access. Business and access control models are expressed using different representations. In addition, access control rules are not generally defined explicitly from access control models. Even though the business model and access control model are two separate modeling abstractions, they are inter-connected as access control is part of any business model. Therefore, the first goal is to add access control models to business models using the same fundamental building blocks. The second goal is to use these models and define general access control rules explicitly from these models so that the connection between models and their realizations are also present. This paper describes a new common representation for business models and classes of access control models based on the Resource–Event–Agent (REA) modeling approach to business models. In addition, the connection between models and their represented rules is clearly defined. We present a uniform approach to business and access control models. First, access control primitives are mapped onto REA-based access control patterns. Then, REA-based access control patterns are combined to define access control models. Based on these models, general access control rules are expressed in Extended Backus–Naur Form.

Vorheriger Artikel Behavior-based approach to detect spam over IP telephony attacks

Nächster Artikel Preventing sensitive relationships disclosure for better social media preservation

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Nur mit Berechtigung zugänglich

A pattern is here used in the same sense as described by Fowler [19].

The early access control models used the term subject for an active process, whereas in some recent access control models, such as role-based access control (RBAC), an operation and a subject are distinguished between [15]: a subject refers to a process possibly invoking several operations.

Al-Kahtani, M., Sandhu, R.: Rule-Based RBAC with negative authorization. In: Proceedings of the Annual Computer Security Applications Conference (ACSAC), pp. 405–415 (2004)

Al-Kahtani, M., Sandhu, R.: A model for attribute-based user-role assignment. In: Proceedings of the Annual Computer Security Applications Conference (ACSAC), pp. 353–364 (2002)

Ambler, S.: The Elements of UML 2.0 Style. Cambridge University Press, Cambridge (2005)CrossRef

Artale, A., Franconi, E., Guarino, N., Pazzi, L.: Part-whole relations in object-centered systems: an overview. Data Knowl. Eng. 20(3), 347–383 (1996)CrossRefMATH

Barker, S.: The next 700 access control models or a unifying meta-model? In: Proceedings of the ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 187–196 (2009)

Benantar, M.: Access Control Systems: Security, Identity, Management, and Trust Models. Springer, Berlin (2006)MATH

Bertino, E., Catania, B., Ferrari, E., Perlasca, P.: A logical framework for reasoning about access control models. ACM Trans. Inf. Syst. Secur. 6(1), 71–127 (2003)CrossRef

Bertino, E., Bonatti, P., Ferrari, E.: TRBAC: a temporal role-based access control model. In: Proceedings of the ACM Workshop on Role-Based Access Control, pp. 21–30 (2000)

Bertino, E., Samarati, P., Jajodia, S.: An extended authorization model for relational databases. IEEE Trans. Knowl. Data Eng. 9(1), 85–101 (1997)CrossRef

10.

Blaha, M., Rumbaugh, J.: Object-Oriented Modeling and Design with UML, 2nd edn. Pearson Prentice Hall, Englewood Cliffs (2005)MATH

11.

Chandramouli, R.: Application of XML tools for enterprise-wide RBAC implementation tasks. In: Proceedings of the ACM Workshop on Role-based Access Control, pp. 11–18 (2000)

12.

Cook, D. and Multiple Contributors: Gold Parsing System. http://goldparser.org/index.htm

13.

Damianou, N., Dulay, N., Lupu, E., Sloman, M.: The Ponder policy specification language. In: Proceedings of POLICY, pp. 18–38 (2001)

14.

Ferraiolo, D., Atluri, V.: A meta model for access control: why is it needed and is it even possible to achieve? In: Proceedings of the ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 153–154 (2008)

15.

Ferraiolo, D., Kuhn, D., Chandramouli, R.: Role-Based Access Control, 2nd edn. Artech House, London (2007)MATH

16.

Ferraiolo, D., Sandhu, R., Gavrila, S., Kuhn, D., Chandramouli, R.: Proposed NIST standard for role-based access control. ACM Trans. Inf. Syst. Secur. 4(3), 224–274 (2001)CrossRef

17.

Finin, T., Joshi, A., Kagal, L., Niu, J., Sandhu, R., Winsborough, W., Thuraisingham, B.: ROWLBAC: Representing role based access control in OWL. In: Proceedings of the ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 73–82 (2008)

18.

Fisler, K., Krishnamurthi, S., Dougherty, D.: Embracing policy engineering. In: Proceedings of the Workshop on Future of Software Engineering Research (FoSER), pp. 109–110 (2010)

19.

Fowler, M.: Analysis Patterns: Reusable Object Models. Addison-Wesley, Reading (1997)

20.

Geerts, G., McCarthy, W.: Policy-level specifications in REA enterprise information systems. J. Inf. Syst. 20(2), 37–63 (2006)

21.

Geerts, G., McCarthy, W.: An ontological analysis of the economic primitives of the extended-REA enterprise information architecture. I. J. Acc. Inf. Syst. 3(1), 1–16 (2002)CrossRef

22.

Greco, S., Leone, N., Rullo, P.: COMPLEX: an object-oriented logic programming system. IEEE Trans. Knowl. Data Eng. 4(4), 344–359 (1992)CrossRef

23.

Hruby, P. with contributions by Kiehn, J., Scheller, C.: Model-Driven Design Using Business Patterns. Springer, Berlin (2006)

24.

Hu, V., Ferraiolo, D., Kuhn, R., Schnitzer, A., Sandlin, K., Miller. R., Scarfone, K.: Guide to Attribute Based Access Control (ABAC) Definition and Considerations. National Institute of Standards and Technology (NIST) special publication 800-162 (2014)

25.

Jackson, M.: Aspects of abstraction in software development. Softw. Syst. Model. 11(4), 495–511 (2012)CrossRef

26.

Jin, X., Krishnan, R., Sandhu, R.: A unified attribute-based access control model covering DAC, MAC and RBAC. In: Proceedings of the Conference on Database Security (DBSec), pp. 41–55 (2012)

27.

Kagal, L., Finin, T., Joshi, A.: A policy language for a pervasive computing environment. In: Proceedings of POLICY, pp. 63–74 (2003)

28.

Karimi, V.: A Uniform Formal Approach to Business and Access Control Models, Policies and their Combinations. PhD thesis, University of Waterloo (2012)

29.

Karimi, V., Cowan, D.: Access control models for business processes. In: Proceedings of the International Conference on Security and Cryptography (SECRYPT), pp. 489–498 (2010)

30.

Kern, A., Walhorn, C.: Rule support for role-based access control. In: Proceedings of the ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 130–138 (2005)

31.

Kuhn, D., Coyne, E., Weil, T.: Adding attributes to role-based access control. IEEE Comput. 43(6), 79–81 (2010)CrossRef

32.

Martin, J., Odell, J.: Object-Oriented Methods: A Foundation, UML Edition. Prentice Hall, Englewood Cliffs (1998)

33.

McCarthy, W.: The REA accounting model: a generalized framework for accounting systems in a shared data environment. Acc. Rev. 57(3), 54–78 (1982)

34.

Motschnig-Pitrik, R., Kaasbøll, J.: Part-whole relationship categories and their application in object-oriented analysis. IEEE Trans. Knowl. Data Eng. 11(5), 779–797 (1999)CrossRef

35.

Motschnig-Pitrik, R., Storey, V.: Modelling of set membership: the notion and the issues. Data Knowl. Eng. 16(2), 147–185 (1995)CrossRefMATH

36.

Odell, J.: Advanced Object-Oriented Analysis and Design Using UML. Cambridge University Press, Cambridge (1998)MATH

37.

Organization for the Advancement of Structured Information Standards (OASIS): eXtensible Access Control Markup Language (XACML), Version 3.0, Committee Specification 01 (2010)

38.

Organization for the Advancement of Structured Information Standards (OASIS), Moses, T. (ed.): eXtensible Access Control Markup Language (XACML), Version 2.0 (2005)

39.

Osborn, S., Sandhu, R., Munawer, Q.: Configuring role-based access control to enforce mandatory and discretionary access control policies. ACM Trans. Inf. Syst. Secur. 3(2), 85–106 (2000)CrossRef

40.

Park, J., Sandhu, R.: The \(\text{ UCON }_{{\rm ABC}}\) usage control model. ACM Trans. Inf. Syst. Secur. 7(1), 128–174 (2004)CrossRef

41.

Ray, I., Li, N., France, R., Kim, D.: Using UML to visualize role-based access control constraints. In: Proceedings of the ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 115–124 (2004)

42.

Rumbaugh, J., Jacobson, I., Booch, G.: Unified Modeling Language Reference Manual, 2nd edn. Addison-Wesley, Reading (2005)

43.

Sandhu, R.: The authorization leap from rights to attributes: maturation or chaos? In: Proceddings of the ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 69–70 (2012)

44.

Sandhu, R., Coyne, E., Feinstein, H., Youman, C.: Role-based access control model. IEEE Comput. 29(2), 38–47 (1996)CrossRef

45.

Sandhu, R., Munawer, Q.: How to do discretionary access control using roles. In: Proceddings of the ACM Workshop on Role-Based Access Control, pp. 47–54 (1998)

46.

Shanks, G., Tansley, E., Nuredini, J., Tobin, D.: Representing part-whole relations in conceptual modeling: an empirical evaluation. MIS Q. 32(3), 553–573 (2008)

47.

Shanks, G., Tansley, E., Weber, R.: Representing composites in conceptual modeling. Commun. ACM 47(7), 77–80 (2004)CrossRef

48.

Simon, R., Zurko, M.: Separation of duty in role-based environments. In: Proceedings of the Computer Security Foundations Workshop (CSFW), pp. 183–194 (1997)

49.

Stallings, W., Brown, L., with contributions by Bauer, M., Howard, M.: Computer Security: Principles and Practice. Pearson Prentice Hall, Englewood Cliffs (2008)

50.

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC): International Standard, ISO/IEC 14977. Information technology-Syntactic metalanguage-Extended BNF (1996)

51.

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC): International Standard, ISO/IEC 15944-4:2007(E). Information Technology-Business Operational View-Part 4: Business Transaction Scenarios-Accounting and Economy Ontology (2007)

52.

Tonti, G., Bradshaw, J., Jeffers, R., Montanari, R., Suri, N., Uszok, A.: Semantic Web languages for policy representation and reasoning: a comparison of KAoS, Rei, and Ponder. In: Proceedings of the International Semantic Web Conference, pp. 419–437 (2003)

53.

Twidle, K., Dulay, N., Lupu, E., Sloman, M.: Ponder2: A policy system for autonomous pervasive environments. In: Proceedings of the International Conference on Autonomic and Autonomous Systems (ICAS), pp. 330–335 (2009)

54.

Twidle, K., Marinovic, S., Dulay, N.: Teleo-reactive policies in Ponder2. In: Proceedings of POLICY, pp. 57–60 (2010)

55.

Verhanneman, T., Piessens, F., De Win, B., Joosen, W.: Uniform application-level access control enforcement of organizationwide policies. In: Proceedings of the Annual Computer Security Applications Conference (ACSAC), pp. 431–440 (2005)

56.

Winston, M., Chaffin, R., Herrmann, D.: A taxonomy of part-whole relations. Cogn. Sci. 11(4), 417–444 (1987)CrossRef

57.

Yuan, E., Tong, J.: Attributed based access control (ABAC) for Web services. In: Proceedings of the International Conference on Web Services (ICWS), pp. 561–569 (2005)

Titel: A uniform approach for access control and business models with explicit rule realization
verfasst von: Vahid R. Karimi
Paulo S. C. Alencar
Donald D. Cowan
Publikationsdatum: 01.04.2016
Verlag: Springer Berlin Heidelberg
Erschienen in: International Journal of Information Security / Ausgabe 2/2016
Print ISSN: 1615-5262
Elektronische ISSN: 1615-5270
DOI: https://doi.org/10.1007/s10207-015-0275-z

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Technik"

Springer Professional "Wirtschaft+Technik"

Springer Professional "Wirtschaft"

Weitere Artikel der Ausgabe 2/2016

Resolving privacy-preserving relationships over outsourced encrypted data storages

A hybrid approach to vector-based homomorphic tallying remote voting

Message from the Guest Editors

Preventing sensitive relationships disclosure for better social media preservation

Behavior-based approach to detect spam over IP telephony attacks

Link-time smart card code hardening

Premium Partner