Role Slices: A Notation for RBAC Permission Assignment and Enforcement

During the past decade, there has been an explosion in the complexity of software applications, with an increasing emphasis on software design via model-driven architectures, patterns, and models such as the unified modeling language (UML). Despite this, the integration of security concerns throughout the product life cycle has lagged, resulting in software infrastructures that are untrustworthy in terms of their ability to authenticate users and to limit them to their authorized application privileges. To address this issue, we present an approach to integrate role-based access control (RBAC) into UML at design-time for permission assignment and enforcement. Specifically, we introduce a new UML artifact, the role slice, supported via a new UML role-slice diagram, to capture RBAC privileges at design time within UML. Once captured, we demonstrate the utilization of aspect-oriented programming (AOP) techniques for the automatic generation of security enforcement code. Overall, we believe that our approach is an important step to upgrading security to be an indispensable part of the software process.
