A system for visual role-based policy modelling

The definition of security policies in information systems and programming applications is often accomplished through traditional low-level languages that are difficult to use. This is a significant drawback, since security policies are often specified and maintained by top-level enterprise managers who would probably prefer simplified, metaphor-oriented policy management tools. To support all these kinds of users we propose a suite of visual languages for specifying access and security policies according to the role-based access control (RBAC) model. We also present a system implementing the proposed visual languages. The system provides a set of tools that let a user visually edit security policies and then translate them into XACML (eXtensible Access Control Markup Language) code, which can be managed by any Policy Based Management System supporting that policy language. The system and the visual approach have been assessed by means of usability studies and several case studies. The case study presented in this paper concerns the configuration of access policies for a multimedia content management platform providing video streaming services that are also accessible through mobile devices.
