Specifying Usage Control Model with Object Constraint Language

The recent usage control model (UCON) is a foundation for next-generation access control models with distinguishing properties of decision continuity and attribute mutability. Constraints in UCON are one of the most important components that have involved in the principle motivations of usage analysis and design. The importance of constraints associated with authorizations, obligations, and conditions in UCON has been recognized but modeling these constraints has not been received much attention. In this paper we use a de facto constraints specification language in software engineering to analyze the constraints in UCON model. We show how to represent constraints with object constraint language (OCL) and give out a formalized specification of UCON model which is built from basic constraints, such as authorization predicates, obligation actions and condition requirements. Further, we show the flexibility and expressive capability of this specified UCON model with extensive examples.

[1]  Dorothy E. Denning,et al.  A lattice model of secure information flow , 1976, CACM.

[2]  Emil C. Lupu,et al.  The Ponder Policy Specification Language , 2001, POLICY.

[3]  Gail-Joon Ahn,et al.  Role-based authorization constraints specification using Object Constraint Language , 2001, Proceedings Tenth IEEE International Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises. WET ICE 2001.

[4]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[5]  Martin Gogolla,et al.  On Formalizing the UML Object Constraint Language OCL , 1998, ER.

[6]  Jaehong Park,et al.  A logical specification for usage control , 2004, SACMAT '04.

[7]  Elisa Bertino,et al.  A temporal authorization model , 1994, CCS '94.

[8]  Jaehong Park,et al.  The UCONABC usage control model , 2004, TSEC.

[9]  Sushil Jajodia,et al.  Obligation monitoring in policy management , 2002, Proceedings Third International Workshop on Policies for Distributed Systems and Networks.

[10]  Ramaswamy Chandramouli,et al.  The Queen's Guard: A Secure Enforcement of Fine-grained Access Control In Distributed Data Analytics Platforms , 2001, ACM Trans. Inf. Syst. Secur..

[11]  Jorge Lobo,et al.  Monitors for History-Based Policies , 2001, POLICY.

[12]  Elisa Bertino,et al.  A Temporal Access Control Mechanism for Database Systems , 1996, IEEE Trans. Knowl. Data Eng..

[13]  Jaehong Park,et al.  Usage Control: A Vision for Next Generation Access Control , 2003, MMM-ACNS.

[14]  Ravi S. Sandhu,et al.  Lattice-based access control models , 1993, Computer.

[15]  Sushil Jajodia,et al.  Provisions and Obligations in Policy Management and Security Applications , 2002, VLDB.

[16]  Sushil Jajodia,et al.  Flexible support for multiple access control policies , 2001, TODS.

[17]  Jeffrey D. Ullman,et al.  Protection in operating systems , 1976, CACM.

[18]  Elisa Bertino,et al.  Dependencies and separation of duty constraints in GTRBAC , 2003, SACMAT '03.

[19]  David A. Bell,et al.  Secure computer systems: mathematical foundations and model , 1973 .

[20]  Elisa Bertino,et al.  A generalized temporal role-based access control model , 2005, IEEE Transactions on Knowledge and Data Engineering.

[21]  Elisa Bertino,et al.  An access control model supporting periodicity constraints and temporal reasoning , 1998, TODS.