ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
A constraint based role based access control in the SECTET a model-driven approach
Full text PdfPdf (3.92 MB)
Source PST; Vol. 380 archive
Proceedings of the 2006 International Conference on Privacy, Security and Trust: Bridge the Gap Between PST Technologies and Business Services table of contents
Markham, Ontario, Canada
SESSION: Security computing table of contents
Article No. 13  
Year of Publication: 2006
ISBN:1-59593-604-1
Authors
Muhammad Alam  Universität Innsbruck, Austria
Michael Hafner
Ruth Breu
Sponsor
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 6,   Downloads (12 Months): 69,   Citation Count: 2
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1501434.1501451
What is a DOI?

ABSTRACT

With respect to Service Oriented Architectures (SOA's) paradigm, the core Role Based Access Control (RBAC) has several limitations. In SOA, permissions to execute web services are not assigned statically to roles but are associated with a set of Permission Assignment Constraints (PAC) upon the fulfilment of which a role is assigned a permission to execute a web service. Further, the RBAC does not support partial inheritance which is an integral requirement in SOA. A major challenge in SOA is the inheritance of permissions associated with PAC in the presence of role hierarchies. This contribution has three objectives. First we propose an extension to Role Based Access Control [29], Constraint based RBAC (CRBAC), in order to make RBAC applicable into the dynamic environment of SOA. We then present SECTET-PL [31], a high-level language for the specification of PAC. Being part of the SECTET-framework for model-driven security for B2B-workflows, SECTET-PL is a policy language influenced by OCL [23] and interpreted in the context of UML models. Finally, using Model Driven Architecture (MDA) [18] paradigm, we describe the integration of business requirements and security requirements at the metalevel. The high-level security (CRBAC) models are transformed to low-level web services standard artefacts with the help of Eclipse Modelling Framework and OpenArchitectureWare.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
M. Alam, M. Hafner, and R. Breu. Modeling Authorization in a SOA based Application Scenario. IASTED Software Engineering 2006, ISBN: 0-88986-572-8.
 
2
http://www.andromda.org.
 
3
D. Gue Park et al. A Flexible Role-Based Delegation Model using Characteristics of Permissions. DEXA 2005, LNCS 3588, pp. 310--323, 2005.
4
Elisa Bertino , Piero Andrea Bonatti , Elena Ferrari, TRBAC: A temporal role-based access control model, ACM Transactions on Information and System Security (TISSEC), v.4 n.3, p.191-233, August 2001  [doi>10.1145/501978.501979]
 
5
H. Lee et al. A New Role-Based Delegation Model Using Sub-role Hierarchies. ISCIS 2003, LNCS 2869, pp. 811--818, 2003.
 
6
http://wikipedia.org/.
 
7
http://www.eclipse.org/emf/.
 
8
James B. D. Joshi , Elisa Bertino , Usman Latif , Arif Ghafoor, A Generalized Temporal Role-Based Access Control Model, IEEE Transactions on Knowledge and Data Engineering, v.17 n.1, p.4-23, January 2005  [doi>10.1109/TKDE.2005.1]
 
9
J. Jürjens. Secure Systems Development with UML. ISBN: 3540007016.
 
10
http://hissa.nist.gov/rbac/paper/node5.html.
 
11
M. Alam et al. Model Driven Security for Web Services (MDS4WS). INMIC 2004, Digi Obj Id 10.1109/INMIC.2004.1492930.
 
12
Muhammad Alam , Ruth Breu , Michael Hafner, Modeling permissions in a (U/X)ML world, Proceedings of the First International Conference on Availability, Reliability and Security, p.685-692, April 20-22, 2006  [doi>10.1109/ARES.2006.84]
 
13
M. Hafner et al. A Security Architecture For Inter-organizational Workflows-Putting WS Security Standards Together. ICEIS 2005, ISBN: 972-8865-19-8.
 
14
Michael Hafner , Michael Breur , Ruth Breu , Andrea Nowak, Modelling Inter-organizational Workflow Security in a Peer-to-Peer Environment, Proceedings of the IEEE International Conference on Web Services, p.533-540, July 11-15, 2005  [doi>10.1109/ICWS.2005.83]
 
15
M. Hafner et al. "SECTET An Extensible Framework for the Realization of Secure Inter-Organizational Workflows". Accepted for ICEIS 2006.
 
16
Markus Schumacher, Security Engineering with Patterns: Origins, Theoretical Models, and New Applications, Springer-Verlag New York, Inc., Secaucus, NJ, 2003
 
17
http://www.magicdraw.com/.
 
18
Model Driven Architecture. http://www.omg.org/mda.
 
19
Meta Object Facility: OMG Adapted Specification available at. http://www.omg.org/docs/ptc/04-10-15.pdf.
 
20
http://mdr.netbeans.org/.
 
21
OAW 4 EMF Example available at. http://www.eclipse.org/gmt/oaw/doc/30_emfExample.pdf.
 
22
OAW XPAND Language available at. http://www.eclipse.org/gmt/oaw/doc/r20_xPandReference.pdf.
 
23
UML 2.0 OCL Specification. http://www.omg.org/docs/ptc/03-10-14.pdf.
 
24
Object Management Group. http://www.omg.org.
 
25
Query View Transformation: OMG Adapted Specification available at. http://www.omg.org/docs/ptc/05-11-01.pdf.
 
26
R. Breu and G. Popp. Actor-centric modelling of access rights. FASE 2004. Springer LNCS Vol. 2984, p. 165--179, 2004.
 
27
R. Breu et al. Model Driven Security for Inter-Organizational Workflows in e-Government. TCGOV 2005, Proceedings. ISBN 3-540-25016-6.
 
28
R. Breu et al. Web service engineering - advancing a new software engineering discipline. ICWE 2005, LNCS 3579.
 
29
http://csrc.nist.gov/rbac//.
 
30
www.sectet.org. Will be on Air by the end of May 2006.
 
31
SECTETPL: A Predicative Language for the Specification of Access Rights. http://qe-informatik.uibk.ac.at/~muhammad/TechnicalReportSECTETPL.pdf.
 
32
Torsten Lodderstedt , David A. Basin , Jürgen Doser, SecureUML: A UML-Based Modeling Language for Model-Driven Security, Proceedings of the 5th International Conference on The Unified Modeling Language, p.426-441, September 30-October 04, 2002
 
33
Web Service Description Language (WSDL), available at. http://www.w3.org/TR/wsdl.
 
34
WSDL First, July 22, 2003. http://webservices.xml.com/pub/a/ws/2003/07/22/ws-dlfirst.html.
 
35
XACML 2.0 Specification Set. http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml.

CITED BY  2
Muhammad Alam , Michael Hafner , Ruth Breu, Constraint based role based access control (CRBAC) for restricted administrative delegation constraints in the SECTET, Proceedings of the 2006 International Conference on Privacy, Security and Trust: Bridge the Gap Between PST Technologies and Business Services, October 30-November 01, 2006, Markham, Ontario, Canada
Eduardo Fernández-Medina , Jan Jurjens , Juan Trujillo , Sushil Jajodia, Editorial: Model-Driven Development for secure information systems, Information and Software Technology, v.51 n.5, p.809-814, May, 2009

INDEX TERMS

Keywords:
model-driven architecture, model-driven security, role based access control, service oriented architectures

Collaborative Colleagues:
Muhammad Alam: colleagues
Michael Hafner: colleagues
Ruth Breu: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player