ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
A lightweight approach to specification and analysis of role-based access control extensions
Full text PdfPdf (445 KB)
Source Symposium on Access Control Models and Technologies archive
Proceedings of the seventh ACM symposium on Access control models and technologies table of contents
Monterey, California, USA
SESSION: Access Control Policies and Specifications table of contents
Pages: 13 - 22  
Year of Publication: 2002
ISBN:1-58113-496-7
Authors
Andreas Schaad  University of York, York, United Kingdom
Jonathan D. Moffett  University of York, York, United Kingdom
Sponsor
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 3,   Downloads (12 Months): 43,   Citation Count: 14
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/507711.507714
What is a DOI?

ABSTRACT

Role-based access control is a powerful and policy-neutral concept for enforcing access control. Many extensions have been proposed, the most significant of which are the decentralised administration of role-based systems and the enforcement of constraints. However, the simultaneous integration of these extensions can cause conflicts in a later system implementation. We demonstrate how we use the Alloy language for the specification of a conflict-free role-based system. This specification provides us at the same time with a suitable basis for further analysis by the Alloy constraint analyser.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
G. Ahn. RCL 2000. Phd dissertation, George Mason University, 2000.
 
2
D. Clark and D. Wilson. A comparison of commercial and military security policies. In IEEE Symposium on Security and Privacy, pages 184--194, Oakland, California, 1987.
 
3
V. Gligor, S. Gavrila, and D. Ferraiolo. On the formal definition of separation-of-duty policies and their composition. In IEEE Symposium on Security and Privacy, pages 172--185, Oakland, CA, 1998.
 
4
D. Jackson. Alloy: A leightweight object modelling notation. Technical Report 797, MIT Laboratory for Computer Science, 2000.
5
Daniel Jackson , Ian Schechter , Hya Shlyahter, Alcoa: the alloy constraint analyzer, Proceedings of the 22nd international conference on Software engineering, p.730-733, June 04-11, 2000, Limerick, Ireland  [doi>10.1145/337180.337616]
6
Trent Jaeger , Jonathon E. Tidswell, Practical safety in flexible access control models, ACM Transactions on Information and System Security (TISSEC), v.4 n.2, p.158-190, May 2001  [doi>10.1145/501963.501966]
7
D. Richard Kuhn, Mutual exclusion of roles as a means of implementing separation of duty in role-based access control systems, Proceedings of the second ACM workshop on Role-based access control, p.23-30, November 06-07, 1997, Fairfax, Virginia, United States  [doi>10.1145/266741.266749]
8
Jonathan D. Moffett, Control principles and role hierarchies, Proceedings of the third ACM workshop on Role-based access control, p.63-69, October 22-23, 1998, Fairfax, Virginia, United States  [doi>10.1145/286884.286900]
9
Jonathan D. Moffett , Emil C. Lupu, The uses of role hierarchies in access control, Proceedings of the fourth ACM workshop on Role-based access control, p.153-160, October 28-29, 1999, Fairfax, Virginia, United States  [doi>10.1145/319171.319186]
 
10
M. Nash and K. Poland. Some conundrums concerning separation of duty. In IEEE Symposium on Security and Privacy, pages 201--209, Oakland, CA, 1990.
11
Ravi Sandhu , Venkata Bhamidipati , Qamar Munawer, The ARBAC97 model for role-based administration of roles, ACM Transactions on Information and System Security (TISSEC), v.2 n.1, p.105-135, Feb. 1999  [doi>10.1145/300830.300839]
12
Fang Chen , Ravi S. Sandhu, Constraints for role-based access control, Proceedings of the first ACM Workshop on Role-based access control, p.14-es, November 30-December 02, 1995, Gaithersburg, Maryland, United States  [doi>10.1145/270152.270177]
 
13
Ravi S. Sandhu , Edward J. Coyne , Hal L. Feinstein , Charles E. Youman, Role-Based Access Control Models, Computer, v.29 n.2, p.38-47, February 1996  [doi>10.1109/2.485845]
14
Ravi Sandhu , David Ferraiolo , Richard Kuhn, The NIST model for role-based access control: towards a unified standard, Proceedings of the fifth ACM workshop on Role-based access control, p.47-63, July 26-28, 2000, Berlin, Germany  [doi>10.1145/344287.344301]
 
15
A. Schaad, Detecting Conflicts in a Role-Based Delegation Model, Proceedings of the 17th Annual Computer Security Applications Conference, p.117, December 10-14, 2001
16
Andreas Schaad , Jonathan Moffett , Jeremy Jacob, The role-based access control system of a European bank: a case study and discussion, Proceedings of the sixth ACM symposium on Access control models and technologies, p.3-9, May 2001, Chantilly, Virginia, United States  [doi>10.1145/373256.373257]
 
17
Richard Simon , Mary Ellen Zurko, Separation of Duty in Role-based Environments, Proceedings of the 10th Computer Security Foundations Workshop (CSFW '97), p.183, June 10-12, 1997

CITED BY  14
Andreas Schaad , Jonathan Moffett, Separation, review and supervision controls in the context of a credit application process: a case study of organisational control principles, Proceedings of the 2004 ACM symposium on Applied computing, March 14-17, 2004, Nicosia, Cyprus
Gleb Naumovich , Paolina Centonze, Static analysis of role-based access control in J2EE applications, ACM SIGSOFT Software Engineering Notes, v.29 n.5, September 2004
Kathi Fisler , Shriram Krishnamurthi , Leo A. Meyerovich , Michael Carl Tschantz, Verification and change-impact analysis of access-control policies, Proceedings of the 27th international conference on Software engineering, May 15-21, 2005, St. Louis, MO, USA
Chiara Braghin , Daniele Gorla , Vladimiro Sassone, Role-based access control for a distributed calculus, Journal of Computer Security, v.14 n.2, p.113-155, January 2006
Adriana Compagnoni , Elsa L. Gunter , Philippe Bidinger, Role-based access control for boxed ambients, Theoretical Computer Science, v.398 n.1-3, p.203-216, May, 2008
Shin Nakajima , Tetsuo Tamai, Formal specification and analysis of JAAS framework, Proceedings of the 2006 international workshop on Software engineering for secure systems, May 20-21, 2006, Shanghai, China
Paolina Centonze , Gleb Naumovich , Stephen J. Fink , Marco Pistoia, Role-Based access control consistency validation, Proceedings of the 2006 international symposium on Software testing and analysis, July 17-20, 2006, Portland, Maine, USA
M. Pistoia , S. Chandra , S. J. Fink , E. Yahav, A survey of static analysis methods for identifying security vulnerabilities in software systems, IBM Systems Journal, v.46 n.2, p.265-288, April 2007
Marco Pistoia , Stephen J. Fink , Robert J. Flynn , Eran Yahav, When Role Models Have Flaws: Static Validation of Enterprise Security Policies, Proceedings of the 29th International Conference on Software Engineering, p.478-488, May 20-26, 2007
Hongxin Hu , GailJoon Ahn, Enabling verification and conformance testing for access control model, Proceedings of the 13th ACM symposium on Access control models and technologies, June 11-13, 2008, Estes Park, CO, USA
Gilles Goncalves , Aneta Poniszewska-Maranda, Role engineering: From design to evolution of security schemes, Journal of Systems and Software, v.81 n.8, p.1306-1326, August, 2008
Scott D. Stoller , Ping Yang , C R. Ramakrishnan , Mikhail I. Gofman, Efficient policy analysis for administrative role based access control, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA
Nan Zhang , Mark Ryan , Dimitar P. Guelev, Synthesising verified access control systems through model checking, Journal of Computer Security, v.16 n.1, p.1-61, January 2008
Manachai Toahchoodee , Indrakshi Ray , Kyriakos Anastasakis , Geri Georg , Behzad Bordbar, Ensuring spatio-temporal access control for real-world applications, Proceedings of the 14th ACM symposium on Access control models and technologies, June 03-05, 2009, Stresa, Italy

INDEX TERMS

Primary Classification:
  D. Software
  D.2 SOFTWARE ENGINEERING
      D.2.4 Software/Program Verification
          Subjects: Model checking


Keywords:
ARBAC97, alloy, separation of duties

Collaborative Colleagues:
Andreas Schaad: colleagues
Jonathan D. Moffett: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player