Modeling Enterprise Authorization: A Unified Metamodel and Initial Validation

Authorization and its enforcement, access control, have stood at the beginning of the art and science of information security, and remain being crucial pillar of security in the information technology (IT) and enterprises operations. Dozens of different models of access control have been proposed. Although Enterprise Architecture as the discipline strives to support the management of IT, support for modeling access policies in enterprises is often lacking, both in terms of supporting the variety of individual models of access control nowadays used, and in terms of providing a unified ontology capable of flexibly expressing access policies for all or the most of the models. This study summarizes a number of existing models of access control, proposes a unified metamodel mapped to ArchiMate, and illustrates its use on a selection of example scenarios and two business cases.

[1]  R. Sandhu,et al.  The UCON ABC Usage Control Model JAEHONG , 2004 .

[2]  David F. Ferraiolo,et al.  Assessment of Access Control Systems , 2006 .

[3]  Peter J. Denning,et al.  Protection: principles and practice , 1972, AFIPS '72 (Spring).

[4]  Jos van Hillegersberg,et al.  Modelling strategy with ArchiMate , 2015, SAC.

[5]  Marc M. Lankhorst,et al.  Enterprise Architecture at Work - Modelling, Communication and Analysis, 2nd Edition , 2005, The Enterprise Engineering Series.

[6]  James E. Rumbaugh,et al.  Unified Modeling Language (UML) , 2010, Encyclopedia of Software Engineering.

[7]  Henry Muccini,et al.  What Industry Needs from Architectural Languages: A Survey , 2013, IEEE Transactions on Software Engineering.

[8]  Robert Lagerström,et al.  Architecture analysis of enterprise systems modifiability - Models, analysis, and validation , 2010, J. Syst. Softw..

[9]  K. PandeyR. Object constraint language (OCL) , 2011 .

[10]  Mathias Ekstedt,et al.  EAF2- A Framework for Categorizing Enterprise Architecture Frameworks , 2009, 2009 10th ACIS International Conference on Software Engineering, Artificial Intelligences, Networking and Parallel/Distributed Computing.

[11]  Kamel Adi,et al.  Dynamic risk-based decision methods for access control systems , 2012, Comput. Secur..

[12]  Henderik Alex Proper,et al.  Modeling Access Control Transactions in Enterprise Architecture , 2014, 2014 IEEE 16th Conference on Business Informatics.

[13]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[14]  Ken Peffers,et al.  Design Science Research in Information Systems. Advances in Theory and Practice , 2012, Lecture Notes in Computer Science.

[15]  Mathias Ekstedt,et al.  Modeling Authorization in Enterprise-wide Contexts , 2015, PoEM.

[16]  Denisse Muñante Arzapalo,et al.  An Approach Based on Model-Driven Engineering to Define Security Policies Using OrBAC , 2013, 2013 International Conference on Availability, Reliability and Security.

[17]  John A. Zachman,et al.  A Framework for Information Systems Architecture , 1987, IBM Syst. J..

[18]  Luís Ferreira Pires,et al.  Modeling resources and capabilities in enterprise architecture: A well-founded ontology-based proposal for ArchiMate , 2015, Inf. Syst..

[19]  Tim Moses,et al.  EXtensible Access Control Markup Language (XACML) version 1 , 2003 .

[20]  Ramaswamy Chandramouli,et al.  The Queen's Guard: A Secure Enforcement of Fine-grained Access Control In Distributed Data Analytics Platforms , 2001, ACM Trans. Inf. Syst. Secur..

[21]  Ravi S. Sandhu The future of access control: Attributes, automation and adaptation , 2013, IRI.

[22]  David F. Ferraiolo,et al.  Guide to Attribute Based Access Control (ABAC) Definition and Considerations , 2014 .

[23]  Jos van Hillegersberg,et al.  Modelling Value with ArchiMate , 2015, CAiSE Workshops.

[24]  A Comparison of the Top Four Enterprise-Architecture Methodologies , 2010 .

[25]  Ravi S. Sandhu Lattice-based enforcement of Chinese Walls , 1992, Comput. Secur..

[26]  Henderik Alex Proper,et al.  An Access Control Model for Organisational Management in Enterprise Architecture , 2013, 2013 Ninth International Conference on Semantics, Knowledge and Grids.

[27]  Tuure Tuunanen,et al.  Design Science Research Evaluation , 2012, DESRIST.

[28]  Benedict G. E. Wiedemann Protection? , 1998, Science.

[29]  David A. Basin,et al.  SecureUML: A UML-Based Modeling Language for Model-Driven Security , 2002, UML.

[30]  D. Richard Kuhn,et al.  Attribute-Based Access Control , 2017, Computer.

[31]  Martin Bichler,et al.  Design science in information systems research , 2006, Wirtschaftsinf..

[32]  Kamel Adi,et al.  UACML: Unified Access Control Modeling Language , 2011, 2011 4th IFIP International Conference on New Technologies, Mobility and Security.

[33]  Claes Wohlin,et al.  Guidelines for snowballing in systematic literature studies and a replication in software engineering , 2014, EASE '14.

[34]  Peter H. Feiler,et al.  The Architecture Analysis & Design Language (AADL): An Introduction , 2006 .

[35]  Nora Cuppens-Boulahia,et al.  Data and Applications Security and Privacy XXVI , 2012, Lecture Notes in Computer Science.

[36]  David D. Clark,et al.  A Comparison of Commercial and Military Computer Security Policies , 1987, 1987 IEEE Symposium on Security and Privacy.

[37]  Xin Jin,et al.  A Unified Attribute-Based Access Control Model Covering DAC, MAC and RBAC , 2012, DBSec.

[38]  K. J. Bma Integrity considerations for secure computer systems , 1977 .

[39]  David Basin,et al.  Model driven security: From UML models to access control infrastructures , 2006, TSEM.

[40]  Martin Gogolla,et al.  Object Constraint Language (OCL): A Definitive Guide , 2012, SFM.

[41]  D. E. Bell,et al.  Secure Computer Systems : Mathematical Foundations , 2022 .

[42]  Ravi S. Sandhu,et al.  Lattice-based access control models , 1993, Computer.

[43]  Markus Buschle,et al.  Enterprise Architecture Management's Impact on Information Technology Success , 2011, 2011 44th Hawaii International Conference on System Sciences.

[44]  Janis Stirna,et al.  Advanced Information Systems Engineering Workshops , 2015, Lecture Notes in Business Information Processing.

[45]  Jeffrey D. Ullman,et al.  Protection in operating systems , 1976, CACM.

[46]  Michael J. Nash,et al.  The Chinese Wall security policy , 1989, Proceedings. 1989 IEEE Symposium on Security and Privacy.

[47]  Asif Gill,et al.  Agile enterprise architecture modelling: Evaluating the applicability and integration of six modelling standards , 2015, Inf. Softw. Technol..