A feature-based approach for modeling role-based access control systems

Abstract: Role-based access control (RBAC) is a popular access control model for enterprise systems due to its flexibility and scalability. There are many RBAC features available, each providing a different function. Not all features are needed for an RBAC system. Depending on the requirements, one should be able to configure features on a need basis, which reduces development complexity and thus fosters development. However, there have not been suitable methods that enable systematic configuration of RBAC features for system development. This paper presents an approach for configuring RBAC features using a combination of feature modeling and UML modeling. Feature modeling is used for capturing the structure of features and configuration rules, and UML modeling is used for defining the semantics of features. RBAC features are defined based on design principles of partial inheritance and compatibility, which facilitates feature composition and verification. We demonstrate the approach using a banking application and present tool support developed for the approach.

[1]  Ramaswamy Chandramouli Application of XML tools for enterprise-wide RBAC implementation tasks , 2000, RBAC '00.

[2]  Siobhán Clarke,et al.  Composition patterns: an approach to designing reusable aspects , 2001, ICSE 2001.

[3]  D. Elliott Bell,et al.  Secure Computer System: Unified Exposition and Multics Interpretation , 1976 .

[4]  Carlos José Pereira de Lucena,et al.  Refactoring product lines , 2006, GPCE '06.

[5]  Indrakshi Ray,et al.  Using Parameterized UML to Specify and Compose Access Control Models , 2003, IICIS.

[6]  Ramaswamy Chandramouli,et al.  Role-Based Access Control Features in Commercial Database Management Systems , 1998 .

[7]  Sooyong Park,et al.  Quality-driven architecture development using architectural tactics , 2009, J. Syst. Softw..

[8]  Jeffrey D. Ullman,et al.  Protection in operating systems , 1976, CACM.

[9]  T. C. Ting,et al.  RBAC/MAC Security for UML , 2004 .

[10]  Antonio Ruiz Cortés,et al.  Automated Merging of Feature Models Using Graph Transformations , 2007, GTTSE.

[11]  Mathieu Acher,et al.  Composing Feature Models , 2009, SLE.

[12]  Don S. Batory,et al.  Feature Models, Grammars, and Propositional Formulas , 2005, SPLC.

[13]  K J Biba,et al.  Integrity Considerations for Secure Computer Systems , 1977 .

[14]  Indrakshi Ray,et al.  Verifiable composition of access control and application features , 2005, SACMAT '05.

[15]  Gramm Leach Bliley Privacy Enforcement with an Extended Role-Based Access Control Model , 2006 .

[16]  Ramaswamy Chandramouli,et al.  Role-Based Access Control (2nd ed.) , 2007 .

[17]  Pierre-Yves Schobbens,et al.  Disambiguating the Documentation of Variability in Software Product Lines: A Separation of Concerns, Formalization and Automated Analysis , 2007, 15th IEEE International Requirements Engineering Conference (RE 2007).

[18]  Robert B. France,et al.  Model Composition Directives , 2004, UML.

[19]  Jacques Klein,et al.  Weaving Multiple Aspects in Sequence Diagrams , 2007, LNCS Trans. Aspect Oriented Softw. Dev..

[20]  Alice Faulstich-Brady A taxonomy of inheritance semantics , 1993, Proceedings of 1993 IEEE 7th International Workshop on Software Specification and Design.

[21]  Anneke Kleppe,et al.  The Object Constraint Language: Getting Your Models Ready for MDA , 2003 .

[22]  Mary Lou Soffa,et al.  An approach for exploring code improving transformations , 1997, TOPL.

[23]  K. Czarnecki,et al.  Cardinality-Based Feature Modeling and Constraints : A Progress Report , 2005 .

[24]  Harald Störrle Semantics of interactions in UML 2.0 , 2003, HCC.

[25]  Kyo Chul Kang,et al.  Feature-Oriented Domain Analysis (FODA) Feasibility Study , 1990 .

[26]  Michael Weiss XML Metadata Interchange , 2009, Encyclopedia of Database Systems.

[27]  Wouter Joosen,et al.  Mapping problem-space to solution-space features: a feature interaction approach , 2009, GPCE '09.

[28]  Arun Kumar,et al.  Context sensitivity in role-based access control , 2002, OPSR.

[29]  Indrakshi Ray,et al.  Using uml to visualize role-based access control constraints , 2004, SACMAT '04.

[30]  Jan Jürjens,et al.  UMLsec: Extending UML for Secure Systems Development , 2002, UML.

[31]  Indrakshi Ray,et al.  Modeling Role-Based Access Control Using Parameterized UML Models , 2004, FASE.

[32]  Charles Ashbacher,et al.  The Object Constraint Language Second Edition, Getting Your Models Ready for MDA, by Jos Warmer and Anneke Kleppe. , 2003 .

[33]  Eduardo B. Fernández,et al.  A Pattern System for Access Control , 2004, DBSec.

[34]  Neil A. Ernst,et al.  The Journal of Systems and Software , 2022 .

[35]  Krzysztof Czarnecki,et al.  Feature Diagrams and Logics: There and Back Again , 2007, 11th International Software Product Line Conference (SPLC 2007).

[36]  Jean-Marc Jézéquel,et al.  Proceedings of the 5th International Conference on The Unified Modeling Language , 2002 .

[37]  Evangelos Triantaphyllou,et al.  USING THE ANALYTIC HIERARCHY PROCESS FOR DECISION MAKING IN ENGINEERING APPLICATIONS: SOME CHALLENGES , 1995 .

[38]  David A. Basin,et al.  SecureUML: A UML-Based Modeling Language for Model-Driven Security , 2002, UML.

[39]  Martin S. Feather,et al.  Succeedings of the seventh international workshop on software specification and design , 1994, SOEN.

[40]  Iris Groher,et al.  Product Line Implementation using Aspect-Oriented and Model-Driven Software Development , 2007, 11th International Software Product Line Conference (SPLC 2007).

[41]  Michal Antkiewicz,et al.  FeaturePlugin: feature modeling plug-in for Eclipse , 2004, eclipse '04.

[42]  Ramaswamy Chandramouli,et al.  The Queen's Guard: A Secure Enforcement of Fine-grained Access Control In Distributed Data Analytics Platforms , 2001, ACM Trans. Inf. Syst. Secur..

[43]  Vijayalakshmi Atluri,et al.  Role-based Access Control , 1992 .

[44]  Ralph Johnson,et al.  design patterns elements of reusable object oriented software , 2019 .

[45]  Hausi A. Müller,et al.  Proceedings of the 23rd International Conference on Software Engineering & Knowledge Engineering (SEKE'2011), Eden Roc Renaissance, Miami Beach, USA, July 7-9, 2011 , 2001, SEKE.

[46]  Elisa Bertino,et al.  TRBAC , 2001, ACM Trans. Inf. Syst. Secur..

[47]  Rohit Gheyi,et al.  A Theory for Feature Models in Alloy , 2006 .

[48]  Sven Apel,et al.  Type-Safe Feature-Oriented Product Lines , 2010, ArXiv.

[49]  Gail-Joon Ahn,et al.  UML-based representation of role-based access control , 2000, Proceedings IEEE 9th International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WET ICE 2000).

[50]  Michal Antkiewicz,et al.  Mapping features to models: a template approach based on superimposed variants , 2005, GPCE'05.

[51]  Jacques Klein,et al.  Reconciling Automation and Flexibility in Product Derivation , 2008, 2008 12th International Software Product Line Conference.

[52]  Dae-Kyoo Kim,et al.  A Verifiable Modeling Approach to Configurable Role-Based Access Control , 2010, FASE.

[53]  Don S. Batory,et al.  Safe composition of non-monotonic features , 2009, GPCE '09.