Specification and Validation of Authorisation Constraints Using UML and OCL

Sohr, Karsten; Ahn, Gail-Joon; Gogolla, Martin; Migge, Lars

doi:10.1007/11555827_5

Cited by 34 publications

(23 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…There are several works that concentrate on these kind of process internal consistency validation, e. g., [3,14]. Moreover, there are several approaches for analyzing access control constraints over UML models, e. g., [11,16,24]. These approaches are limited to simple access control modes, as it UML models are usually quite distant from business process descriptions comprising high level security and compliance goals.…”

Section: Related Workmentioning

confidence: 99%

Secure and Compliant Implementation of Business Process-Driven Systems

Brucker

Hang

2013

Business Process Management Workshops

View full text Add to dashboard Cite

Abstract. Today's businesses are inherently process-driven. Consequently, the use of business-process driven systems, usually implemented on top of service-oriented or cloud-based infrastructures, is increasing. At the same time, the demand on the security, privacy, and compliance of such systems is increasing as well. As a result, the costs-with respect to computational effort at runtime as well as financial costs-for operating business-process driven systems increase steadily. In this paper, we present a method for statically checking the security and conformance of the system implementation, e. g., on the source code level, to requirements specified on the business process level. As the compliance is statically guaranteed-already at design-time-this method reduces the number of run-time checks for ensuring the security and compliance and, thus, improves the runtime performances. Moreover, it reduces the costs of system audits, as there is no need for analyzing the generated log files for validating the compliance to the properties that are already statically guaranteed.

show abstract

Section: Related Workmentioning

confidence: 99%

Secure and Compliant Implementation of Business Process-Driven Systems

Brucker

Hang

2013

Business Process Management Workshops

View full text Add to dashboard Cite

show abstract

“…The most widely used constraints in the literature are Separation of duties, requirements and cardinality [4,5,6]. All these types of constraints are applicable or extendable in the CatBAC model.…”

Section: Representing Constraintsmentioning

confidence: 99%

CatBAC: A generic framework for designing and validating hybrid access control models

Stepien

Khambhammettu

Adi

et al. 2012

2012 IEEE International Conference on Communications (ICC)

View full text Add to dashboard Cite

Many access control models have been proposed in the literature, and they have been extensively studied under the acronyms of DAC, MAC, RBAC, ABAC, etc. Each of these models has been studied in isolation, but some real-life situations need elements of several of them, in order to properly express data protection needs of complex organizations. A formal framework is presented, that allows not only to combine elements of these models, but also to generalize them in new ways. This framework includes elements of a lifecycle methodology, which starts with a UMLbased formalism, called UACML, that expresses semantic elements (classes and their relationships) needed for general access control systems. It continues with the representation of UACML diagrams in our language CatBAC. The latter is a compact textual representation of UACML that makes it possible to express realistic policy systems involving many entities and many constraints. CatBAC is based on Prolog, and this makes it possible to implement analysis and verification tools.

show abstract

“…As [11] observed, although there are several proposals for specifying role-based authorization constraints, "there is a lack of appropriate tool support for the validation, enforcement, and testing of role-based access control policies. Specifically, tools are needed which can be applied quite easily by a policy designer without too much deeper training."…”

Section: The Securemova Toolmentioning

confidence: 99%

“…Specifically, tools are needed which can be applied quite easily by a policy designer without too much deeper training." In response to this need, [11] shows how to employ the USE system to validate and test access control policies formulated in UML and OCL. We comment on this work in Section 7.…”

Section: The Securemova Toolmentioning

confidence: 99%

See 1 more Smart Citation

A Metamodel-Based Approach for Analyzing Security-Design Models

Basin

Clavel

Döser

et al.

Model Driven Engineering Languages and Systems

View full text Add to dashboard Cite

We have previously proposed an expressive UML-based language for constructing and transforming security-design models, which are models that combine design specifications for distributed systems with specifications of their security policies. Here we show how the same framework can be used to analyze these models: queries about properties of the security policy modeled are expressed as formulas in UML's Object Constraint Language and evaluated over the metamodel of the security-design language. We show how this can be done in a semantically precise and meaningful way and demonstrate, through examples, that this approach can be used to formalize and check non-trivial security properties of security-design models. The approach and examples presented have all been implemented and checked in the SecureMOVA tool.

show abstract

Specification and Validation of Authorisation Constraints Using UML and OCL

Cited by 34 publications

References 17 publications

Secure and Compliant Implementation of Business Process-Driven Systems

Secure and Compliant Implementation of Business Process-Driven Systems

CatBAC: A generic framework for designing and validating hybrid access control models

A Metamodel-Based Approach for Analyzing Security-Design Models

Contact Info

Product

Resources

About