Modeling Role-Based Access Control Using Parameterized UML Models

Organizations use Role-Based Access Control (RBAC) to protect computer-based resources from unauthorized access. There has been considerable work on formally specifying RBAC policies but there is still a need for RBAC policy specification techniques that can be integrated into software design methods. This paper describes a method for incorporating specifications of RBAC policies into UML design models. Reusable RBAC policies are specified as patterns and are expressed using UML template diagrams. Incorporating RBAC policies into an application specific model involves instantiating the patterns and composing the instantiations with the model. The method also includes a technique for specifying patterns of RBAC violations. Developers can use the patterns to identify policy violations in their models. The method is illustrated using a small banking application.

[1]  Fang Chen,et al.  Constraints for role-based access control , 1996, RBAC '95.

[2]  Indrakshi Ray,et al.  Using aspects to design a secure system , 2002, Eighth IEEE International Conference on Engineering of Complex Computer Systems, 2002. Proceedings..

[3]  Karl N. Levitt,et al.  Security Policy Specification Using a Graphical Approach , 1998, ArXiv.

[4]  Elisa Bertino,et al.  TRBAC , 2001, ACM Trans. Inf. Syst. Secur..

[5]  Ramaswamy Chandramouli,et al.  The Queen's Guard: A Secure Enforcement of Fine-grained Access Control In Distributed Data Analytics Platforms , 2001, ACM Trans. Inf. Syst. Secur..

[6]  Robert B. France,et al.  Using Role-Based Modeling Language (RBML) to characterize model families , 2002, Eighth IEEE International Conference on Engineering of Complex Computer Systems, 2002. Proceedings..

[7]  Horst Bunke,et al.  Subgraph Isomorphism in Polynomial Time , 1995 .

[8]  David A. Basin,et al.  SecureUML: A UML-Based Modeling Language for Model-Driven Security , 2002, UML.

[9]  Vijay Varadharajan,et al.  Tower: A Language for Role Based Access Control , 2001, POLICY.

[10]  Trent Jaeger,et al.  An access control model for simplifying constraint expression , 2000, CCS.

[11]  André Zúquete,et al.  SPL: An Access Control Language for Security Policies and Complex Constraints , 2001, NDSS.

[12]  Emil C. Lupu,et al.  The Ponder Policy Specification Language , 2001, POLICY.

[13]  Gail-Joon Ahn,et al.  Role-based authorization constraints specification , 2000, TSEC.

[14]  Jan Jürjens,et al.  UMLsec: Extending UML for Secure Systems Development , 2002, UML.

[15]  Jean Bacon,et al.  Access control in an open distributed environment , 1998, Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186).

[16]  Arnon Rosenthal,et al.  Flexible Security Policies in SQL , 2001, DBSec.

[17]  Ramaswamy Chandramouli Application of XML tools for enterprise-wide RBAC implementation tasks , 2000, RBAC '00.

[18]  Sushil Jajodia,et al.  A logical language for expressing authorizations , 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).