Enforcing Role-Based Access Control Policies in Web Services with UML and OCL

Role-based access control (RBAC) is a powerful means for laying out higher-level organizational policies such as separation of duty, and for simplifying the security management process. One of the important aspects of RBAC is authorization constraints that express such organizational policies. While RBAC has generated a great interest in the security community, organizations still seek a flexible and effective approach to impose role-based authorization constraints in their security-critical applications. In this paper, we present a Web Services-based authorization framework that can be employed to enforce organization-wide authorization constraints. We describe a generic authorization engine, which supports organization-wide authorization constraints and acts as a central policy decision point within the authorization framework. This authorization engine is implemented by means of the USE system, a validation tool for UML models and OCL constraints.

[1]  Anneke Kleppe,et al.  The Object Constraint Language: Getting Your Models Ready for MDA , 2003 .

[2]  Mark Richters,et al.  A precise approach to validating UML models and OCL constraints , 2002 .

[3]  Roshan K. Thomas,et al.  Flexible team-based access control using contexts , 2001, SACMAT '01.

[4]  Ravi S. Sandhu Role Hierarchies and Constraints for Lattice-Based Access Controls , 1996, ESORICS.

[5]  Dorothy E. Denning,et al.  A lattice model of secure information flow , 1976, CACM.

[6]  Jason Crampton,et al.  Specifying and enforcing constraints in role-based access control , 2003, SACMAT '03.

[7]  Ralph Johnson,et al.  design patterns elements of reusable object oriented software , 2019 .

[8]  David F. Ferraiolo,et al.  An Examination of Federal and Commercial Access Control Policy Needs , 1993 .

[9]  Mary Ellen Zurko,et al.  Separation of duty in role-based environments , 1997, Proceedings 10th Computer Security Foundations Workshop.

[10]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[11]  Ivar Jacobson,et al.  The Unified Modeling Language Reference Manual, Second Edition , 2005 .

[12]  Gail-Joon Ahn,et al.  A role-based delegation framework for healthcare information systems , 2002, SACMAT '02.

[13]  David F. Ferraiolo,et al.  On the formal definition of separation-of-duty policies and their composition , 1998, Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186).

[14]  Indrakshi Ray,et al.  Using uml to visualize role-based access control constraints , 2004, SACMAT '04.

[15]  Mary Ellen Zurko,et al.  A user-centered, modular authorization service built on an RBAC foundation , 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).

[16]  Elisa Bertino,et al.  A generalized temporal role-based access control model , 2005, IEEE Transactions on Knowledge and Data Engineering.

[17]  Elisa Bertino,et al.  X-GTRBAC: an XML-based policy specification framework and architecture for enterprise-wide access control , 2005, TSEC.

[18]  Karsten Sohr,et al.  Formal specification of role-based security policies for clinical information systems , 2005, SAC '05.

[19]  Elisa Bertino,et al.  The specification and enforcement of authorization constraints in workflow management systems , 1999, TSEC.

[20]  Gail-Joon Ahn,et al.  The rcl 2000 language for specifying role-based authorization constraints , 2000 .

[21]  Martin Gogolla,et al.  Analyzing and Managing Role-Based Access Control Policies , 2008, IEEE Transactions on Knowledge and Data Engineering.

[22]  Günther Pernul,et al.  ABAC - Ein Referenzmodell für attributbasierte Zugriffskontrolle , 2005, Sicherheit.

[23]  Olaf Zimmermann,et al.  Web services-oriented architecture in production in the finance industry , 2004, Informatik-Spektrum.

[24]  David A. Basin,et al.  SecureUML: A UML-Based Modeling Language for Model-Driven Security , 2002, UML.