Patterns for session-based access control

The concept of a session, the context under which a user accesses resources, is very important for applying access control. We first present the Controlled Access Session pattern, which describes how sessions can limit the rights of a user. We then combine this pattern with two existing access control patterns. First, we consider a pattern for Session-Based Role-Based Access Control, intended for organizations in which job functions form the basis for privilege assignments. Then, we present a Session-Based Attribute-Based Access Control pattern for organizations in which accesses are controlled based on the values of user attributes and object properties. Since the general properties of those patterns have been described earlier, we emphasize the additional effect of using sessions. The Controlled Access Session pattern can also be combined with other models of access control or used on its own.
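As an added illustration of the Session-Based RBAC idea above (example code, not from the paper): a user may hold several roles, but a session activates only the subset needed for the task, and the access decision is made against the session's active roles rather than the user's full entitlement. The roles, users and permissions below are constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed role -> permission assignments, written as "<action>:<object>"
ROLE_PERMISSIONS = {
    "clerk": {"read:ledger"},
    "auditor": {"read:ledger", "read:audit_log"},
    "admin": {"read:ledger", "write:ledger", "delete:ledger"},
}

# Constructed user -> role assignments (what each user is entitled to hold)
USER_ROLES = {"alice": {"clerk", "admin"}, "bob": {"auditor"}}


@dataclass
class Session:
    """Context under which a user accesses resources; holds activated roles only."""
    user: str
    active_roles: set = field(default_factory=set)

    def activate(self, role: str) -> None:
        # A session may only activate roles the user is actually assigned.
        if role not in USER_ROLES.get(self.user, set()):
            raise PermissionError(f"{self.user} is not assigned role {role!r}")
        self.active_roles.add(role)

    def deactivate(self, role: str) -> None:
        # Dropping a role narrows the session's rights immediately.
        self.active_roles.discard(role)

    def permissions(self) -> set:
        # Rights available in this session: union over ACTIVE roles, not all roles.
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.active_roles))


def check_access(session: Session, action: str, obj: str) -> bool:
    """Access decision consults the session, not the user's full role set."""
    return f"{action}:{obj}" in session.permissions()


def all_user_permissions(user: str) -> set:
    """What the user could reach if every assigned role were active (for contrast)."""
    return set().union(*(ROLE_PERMISSIONS[r] for r in USER_ROLES.get(user, set())))


if __name__ == "__main__":
    s = Session("alice")
    s.activate("clerk")  # routine work: only the clerk role is active
    print(check_access(s, "delete", "ledger"))  # False: admin is assigned but not active
    s.activate("admin")
    print(check_access(s, "delete", "ledger"))  # True: now explicitly activated
```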
