A user-centered, modular authorization service built on an RBAC foundation

Zurko, Mary Ellen; Simon, Richard T.; Sanfilippo, T.

doi:10.1109/secpri.1999.766718

Cited by 61 publications

(40 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This means, even if delegations are revoked, the Delegation objects and the corresponding links are not deleted. If our metamodel for role-based delegation is used as a basis for the implementation of an authorization engine [27,35], this information can be used for an audit trail.…”

Section: Revocationconstraintam: Can Revokegdstrongcasc(accountingmanmentioning

confidence: 99%

Comprehensive two-level analysis of role-based delegation and revocation policies with UML and OCL

Sohr

Kuhlmann

Gogolla

et al. 2012

Information and Software Technology

View full text Add to dashboard Cite

Context. Role-based access control (RBAC) has become the de facto standard for access management in various large-scale organizations. Often rolebased policies must implement organizational rules to satisfy compliance or authorization requirements, e.g., the principle of separation of duty (SoD). To provide business continuity, organizations should also support the delegation of access rights and roles, respectively. This, however, makes access control more complex and error-prone, in particular, when delegation concepts interplay with SoD rules.Objective. A systematic way to specify and validate access control policies consisting of organizational rules such as SoD as well as delegation and revocation rules shall be developed. A domain-specific language for RBAC as well as delegation concepts shall be made available.Method. In this paper, we present an approach to the precise specification and validation of role-based policies based on UML and OCL. We significantly extend our earlier work, which proposed a UML-based domain-specific language for RBAC, by supporting delegation and revocation concepts.Result. We show the appropriateness of our approach by applying it to a banking application. In particular, we give three scenarios for validating the interplay between SoD rules and delegation/revocation. Preprint submitted to Information and Software TechnologyApril 19, 2012 Conclusion. To the best of our knowledge, this is the first attempt to formalize advanced RBAC concepts, such as history-based SoD as well as various delegation and revocation schemes, with UML and OCL. With the rich tool support of UML, we believe our work can be employed to validate and implement real-world role-based policies.

show abstract

Section: Revocationconstraintam: Can Revokegdstrongcasc(accountingmanmentioning

confidence: 99%

Comprehensive two-level analysis of role-based delegation and revocation policies with UML and OCL

Sohr

Kuhlmann

Gogolla

et al. 2012

Information and Software Technology

View full text Add to dashboard Cite

show abstract

“…These include the following. Zurko et al [29] have included a graphical user interface for access control policy authoring with their Adage system. The HP Select Access Policy Builder [19] includes a grid-like user interface.…”

Section: Related Workmentioning

confidence: 99%

Relating declarative semantics and usability in access control

Krishnan

Tripunitara

Chik

et al. 2012

Proceedings of the Eighth Symposium on Usable Privacy and Security

View full text Add to dashboard Cite

“…One of those engines is Adage, developed by Zurko et al [30]. Adage has been developed with similar goals in mind.…”

Section: Related Workmentioning

confidence: 99%

Enforcing Role-Based Access Control Policies in Web Services with UML and OCL

Sohr

Mustafa

Bao

et al. 2008

2008 Annual Computer Security Applications Conference (ACSAC)

View full text Add to dashboard Cite

Role-based access control (RBAC) is a powerful means for laying out and developing higher-level organizational policies such as separation of duty, and for simplifying the security management process. One of the important aspects of RBAC is authorization constraints that express such organizational policies. While RBAC has generated a great interest in the security community, organizations still seek a flexible and effective approach to impose role-based authorization constraints in their security-critical applications. In this paper, we present a Web Services-based authorization framework that can be employed to enforce organization-wide authorization constraints. We describe a generic authorization engine, which supports organization-wide authorization constraints and acts as a central policy decision point within the authorization framework. This authorization engine is implemented by means of the USE system, a validation tool for UML models and OCL constraints. Using this system, we also demonstrate how the authorization constraints can be specified in OCL and then be implemented by USE.

show abstract

A user-centered, modular authorization service built on an RBAC foundation

Cited by 61 publications

References 27 publications

Comprehensive two-level analysis of role-based delegation and revocation policies with UML and OCL

Comprehensive two-level analysis of role-based delegation and revocation policies with UML and OCL

Relating declarative semantics and usability in access control

Enforcing Role-Based Access Control Policies in Web Services with UML and OCL

Contact Info

Product

Resources

About