Gustaf Neumann
ABSTRACT
In this paper we present a novel scenario-driven role engineering process for RBAC roles. The scenario concept is of central significance for the presented approach. Due to the strong human factor in role engineering scenarios are a good means to drive the process. We use scenarios to derive permissions and to define tasks. Our approach considers changeability issues and enables the straightforward incorporation of changes into affected models. Finally we discuss the experiences we gained by applying the scenario-driven role engineering process in three case studies.
- G. Booch, I. Jacobson, and J. Rumbaugh. The Unified Modeling Language User Guide. Addison-Wesley, 1999. Google Scholar
Digital Library
- J.M. Carroll. Five reasons for scenario-based design. In Proc. of the IEEE Annual Hawaii International Conference on System Sciences (HICSS), 1999. Google ScholarDigital Library
- E.J. Coyne. Role engineering.In Proc. of the ACM Workshop on Role-Based Access Control, 1996. Google ScholarDigital Library
- J.M. Carroll (ed.). Scenario-Based Design: Envisioning Work and Technology in System Development. John Wiley & Sons, 1995. Google ScholarDigital Library
- P. Epstein and R. Sandhu. Towards A UML Based Approach to Role Engineering. In Proc. of the ACM Workshop on Role-Based Access Control, 1999. Google ScholarDigital Library
- P. Epstein and R. Sandhu. Engineering of Role/Permission Assignments. In Proc. of the 17th Annual Computer Security Applications Conference (ACSAC), December 2001. Google ScholarDigital Library
- E.B. Fernandez and J.C. Hawkins. Determining role rights from use cases. In Proc. of the ACM Workshop on Role-Based Access Control, 1997. Google ScholarDigital Library
- D.F. Ferraiolo, J.F. Barkley, and D.R. Kuhn. A Role-Based Access Control Model and Reference Implementation within a Corporate Intranet. ACM Transactions on Information and System Security, 2(1), February 1999. Google ScholarDigital Library
- D.F. Ferraiolo, R. Sandhu, S. Gavrila, D.R. Kuhn, and R. Chandramouli. Proposed NIST Standard for Role-Based Access Control. ACM Transactions on Information and System Security, 4(3), August 2001. Google ScholarDigital Library
- C. Goh and A. Baldwin. Towards a more complete model of role. In Proc. of the ACM Workshop on Role-Based Access Control, 1998. Google ScholarDigital Library
- O. Gotel and A. Finkelstein. An analysis of the requirements traceability problem. In Proc. of the IEEE International Conference on Requirements Engineering (ICRE), 1994.Google ScholarCross Ref
- K. Gutzmann. Access control and session management in the HTTP environment. IEEE Internet Computing, January/February 2001. Google ScholarDigital Library
- I. Jacobson. Object-Oriented Software Engineering. Addison-Wesley, 1992. Google Scholar
- M. Jarke, X.T. Bui, and J.M. Carroll. Scenario management: An interdisciplinary approach. Requirements Engineering Journal, 3(3/4), 1998.Google Scholar
- C. Kaner, J. Falk, and H.Q. Nguyen. Testing Computer Software (second edition). John Wiley & Sons, 1999. Google ScholarDigital Library
- G. Kotonya and I. Sommerville. Requirements Engineering - Processes and Techniques. John Wiley & Sons, 1998. Google ScholarDigital Library
- G. Neumann and M. Strembeck. Design and Implementation of a Flexible RBAC-Service in an Object-Oriented Scripting Language. In Proc. of the 8th ACM Conference on Computer and Communications Security (CCS), November 2001. Google ScholarDigital Library
- W.E. Perry. Effective Methods for Software Testing (second edition). John Wiley & Sons, 2000. Google ScholarDigital Library
- B. Ramesh and M. Jarke. Toward reference models for requirements traceability. IEEE Transactions on Software Engineering, 27(1), January 2001. Google ScholarDigital Library
- S. Robertson and J. Robertson. Mastering the Requirements Process. Addison-Wesley, 1999. Google ScholarDigital Library
- H. Roeckle, G. Schimpf, and R. Weidinger. Process-oriented approach for role-finding to implement role-based security administration in a large industrial organization. In Proc. of the ACM Workshop on Role-Based Access Control, 2000. Google ScholarDigital Library
- C. Rolland, G. Grosz, and R. Kla. Experience with goal-scenario coupling in requirements engineering. In Proc. of the IEEE International Symposium on Requirements Engineering (RE), 1998. Google ScholarDigital Library
- R.S. Sandhu, E.J. Coyne, H.L. Feinstein, and C.E. Youman. Role-based access control models. IEEE Computer, 29(2), February 1996. Google ScholarDigital Library
- The UNIVERSAL Brokerage Platform Homepage. http://www.ist-universal.org.Google Scholar
- A. van Lamsweerde. Goal-Oriented Requirements Engineering: A Guided Tour. In Proc. of the 5th IEEE International Symposium on Requirements Engineering (RE), August 2001. Google ScholarDigital Library
Index Terms
- A scenario-driven role engineering process for functional RBAC roles
Recommendations
Scenario-Driven Role Engineering
Access control deals with eliciting, specifying, enforcing, and maintaining access control policies in software-based systems. Recently, role-based access control (RBAC)—together with various extensions—has developed into a de facto standard for access ...
Role Engineering via Prioritized Subset Enumeration
Today, role-based access control (RBAC) has become a well-accepted paradigm for implementing access control because of its convenience and ease of administration. However, in order to realize the full benefits of the RBAC paradigm, one must first define ...
A role-based infrastructure management system: design and implementation: Research Articles
Computer SecurityOver the last decade there has been a tremendous advance in the theory and practice of role-based access control (RBAC). One of the most significant aspects of RBAC can be viewed from its management of permissions on the basis of roles rather than ...
Comments