Role engineering: From design to evolution of security schemes

This paper presents a methodology to design the RBAC (Role-Based Access Control) scheme during the design phase of an Information System. Two actors, the component developer and the security administrator, will cooperate to define and set up the minimal set of roles in agreement with the application constraints and the organization constraints that guarantee the global security policy of an enterprise. In order to maintain the global coherence of the existing access control scheme, an algorithm is proposed to detect the possible inconsistencies before the integration of a new component in the Information System.
