A Feature-Based Modeling Approach for Building Hybrid Access Control Systems

Role-Based Access Control (RBAC) and Mandatory Access Control (MAC) are widely used access control models. They are often used together in domains where both data integrity and information flow are of concern. There is much work on the combined use of RBAC and MAC policies at the kernel level, which focuses on enforcing hybrid policies at run-time. However, there is little work on techniques for developing hybrid systems of RBAC and MAC from a development perspective. In this work, we present a feature-based modeling approach for developing hybrid access control systems. In the approach, RBAC and MAC are designed in terms of features, and the features are configured based on requirements. Configured features are then composed to produce a design model that supports hybrid access control. The approach enables systematic development of hybrid systems of RBAC and MAC and reduces development complexity and errors through need-based configuration of features in early development phases. We use a hospital system to demonstrate the approach. Tool support for the approach is also discussed.
