A Metamodel for Hybrid Access Control Policies

Modelling is a proven technique to communicate and illustrate complex specifications in a wide range of disciplines. Access control (AC) specification is not an exception in this regard. Actually, it is characterized by the sensitivity and criticality of its contents where clarity and formalism are yet essential desired goals. In a metamodelling approach where textual languages and visual models are two equivalent forms of specifications, we propose an AC metamodel, setting the stage for its derived textual language. Our metamodel is characterized by its formal semantics, its modularity and refinement method, and its integration means for concurrent application of multiple reusable AC models. These characteristics enable AC specification with better readability, clarity, unambiguity and properties verification support.

[1]  Steven A. Demurjian,et al.  A framework of composable access control features: Preserving separation of access control concerns from models to code , 2010, Comput. Secur..

[2]  Jorge Lobo,et al.  Authorization and Obligation Policies in Dynamic Systems , 2008, ICLP.

[3]  David Basin,et al.  Model driven security: From UML models to access control infrastructures , 2006, TSEM.

[4]  Michael J. Nash,et al.  The Chinese Wall security policy , 1989, Proceedings. 1989 IEEE Symposium on Security and Privacy.

[5]  Steve Barker Logical Approaches to Authorization Policies , 2012, Logic Programs, Norms and Action.

[6]  Sushil Jajodia,et al.  Flexible support for multiple access control policies , 2001, TODS.

[7]  Emil C. Lupu,et al.  The Ponder Policy Specification Language , 2001, POLICY.

[8]  Steve Barker The next 700 access control models or a unifying meta-model? , 2009, SACMAT '09.

[9]  Gail-Joon Ahn,et al.  UML-based representation of role-based access control , 2000, Proceedings IEEE 9th International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WET ICE 2000).

[10]  T. C. Ting,et al.  MAC and UML for secure software design , 2004, FMSE '04.

[11]  Andreas Matheus,et al.  How to Declare Access Control Policies for XML Structured Information Objects using OASIS' eXtensible Access Control Markup Language (XACML) , 2005, Proceedings of the 38th Annual Hawaii International Conference on System Sciences.

[12]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[13]  Jan Jürjens,et al.  Towards Development of Secure Systems Using UMLsec , 2001, FASE.

[14]  Jorge Lobo,et al.  Expressive policy analysis with enhanced system dynamicity , 2009, ASIACCS '09.

[15]  Anneli Folkesson,et al.  Secure Computer Systems , 2013 .

[16]  Ravi S. Sandhu,et al.  Towards a UML based approach to role engineering , 1999, RBAC '99.

[17]  Anneke Kleppe,et al.  MDA explained - the Model Driven Architecture: practice and promise , 2003, Addison Wesley object technology series.

[18]  Kamel Adi,et al.  UACML: Unified Access Control Modeling Language , 2011, 2011 4th IFIP International Conference on New Technologies, Mobility and Security.

[19]  D. Elliott Bell,et al.  Secure Computer System: Unified Exposition and Multics Interpretation , 1976 .

[20]  Andrew D. Gordon,et al.  Design and Semantics of a Decentralized Authorization Language , 2007, 20th IEEE Computer Security Foundations Symposium (CSF'07).