A model-checking approach to analysing organisational controls in a loan origination process

Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT

Volumn 2006, Issue , 2006, Pages 139-149

  Schaad, Andreas ^a   Lotz, Volkmar ^a   Sohr, Karsten ^b  

^a Security and Trust Group   (France)

^b UNIVERSITY OF BREMEN   (Germany)

Author keywords

Delegation; Model checking; Organisational control; Revocation; Separation

Indexed keywords

CONSTRAINT THEORY; DATA FLOW ANALYSIS; DATA STRUCTURES; PUBLIC POLICY;

AUTOMATED ANALYSIS; ENTERPRISE RESOURCE MANAGEMENT (ERP); MODEL CHECKING; ORGANIZATIONAL CONTROL;

SECURITY OF DATA;

EID: 33748067444     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1133058.1133079     Document Type: Conference Paper

References (43)

1. Samarati, P. and S. Vimercati, Access Control: Polcies, Models and Mechanisms, in Foundations of Security Analysis and Design, R. Focardi and R. Gorrieri, Editors. 2001, Springer Lecture Notes 2171. p. 137-196.
2. Harrison, M., W. Ruzzo, and J. Ullman, Protection in Operating Systems. Communications of the ACM, 1976. 19(8): p. 461-471.
3. Jaeger, T. and J. Tidswell, Practical safety inflexible access control models. ACM Transactions on Information and System Security (TISSEC), 2001. 4(2).
4. Crampton, J. A reference monitor for workflow systems with constrained task execution.. in 10th ACM Symposium on Access Control Models and Technologies. 2005.
5. Schaad, A., A Framework for Organisational Control Principles, PhD Thesis, in Department of Computer Science. 2003, University of York.
6. Atluri, V. and W. Huang, An Authorization Model for Workflows. Lecture Notes in Computer Science, 1996. 1146: p. 44-64.
7. Rits, A., B. deBoe, and A. Schaad, XacT: A bridge between resource management and access control in multi-layered applications. in Software Engineering for Secure Systems -Building Trustworthy Applications (SESS'05). 2005. St. Louis, MO, USA.
8. Sohr, K., L. Migge, and G. Ahn. Articulating and enforcing authorisation policies with UML and OCL. in Software Engineering for Secure Systems - Building Trustworthy Applications (SESS'05). 2005. St. Louis, MO, USA.
9. Simon, R. and M. Zurko. Separation of Duty in Role-Based Environments, in Computer Security Foundations Workshop X. 1997. Rockport, Massachusetts.
10. Ahn, G. and R. Sandhu, Role-based authorization constraints specification. Information and System Security Journal, 2000, 3(4): p. 207-226.
11. Schaad, A. An Extended Analysis of Delegating Obligations. in IFIP DBSec 2004.
12. Schaad, A. Revocation of Obligation and Authorisation Policy Objects. in IFIP DBSec 2005. 2005.
13. Schulz, K. and M. Orlowska, Facilitating cross-organisational workflows with a workflow view approach. Data Knowl. Eng., 2004. 51(1): p. 109-147.
14. Frossard, A., Delegation of Tasks in Workflow Management Systems, in School of Computer and Communication Sciences (IC). 2005, Ecole Polytechnique Fédérale de Lausanne (EPFL) Lausanne, Switzerland.
15. Sandhu, R., et al., Role-based access control models. IEEE Computer, 1996, 29(2): p. 38-47.
16. Damianou, N., et al. The Ponder Policy Specification Language, in Policies for Distributed Systems and Networks. 2001. Bristol: Springer Lecture Notes in Computer Science.
17. Pugh, D., Organization Theory: Selected Readings. 4th ed, Penguin Business. 1997: Penguin Books.
18. Mintzberg, H., The structuring of organizations, ed. E. Cliffs. 1979, NJ: Prentice-Hall.
19. Botha, Separation of duties for access control enforcement in workflow environments. IBM SYSTEMS JOURNAL, 2001. 40(3).
20. Saltzer, J, and M. Schroeder. The protection of Information in Computer Systems. in IEEE. 1975.
21. Clark, D. and D. Wilson. A Comparison of Commercial and Military Security Policies. in IEEE Symposium on Security and Privacy. 1987. Oakland, California.
22. Sandhu, R. Transaction Control Expressions for Separation of Duties. in 4th Aerospace Computer Security Conference. 1988. Arizona.
23. Sandhu, R. Separation of Duties in Computerized Information Systems. in IFIP WG11.3 Workshop on Database Security. 1990. Halifax, UK.
24. Nash, M. and K. Poland. Some Conundrums Concerning Separation of Duty. in IEEE Symposium on Security and Privacy. 1990. Oakland, CA.
25. Baldwin, R. Naming and Grouping Privileges to Simplify Security Management in Large Databases. in IEEE Symposium on Security and Privacy. 1990. Oakland.
26. Gligor, V., S. Gavrila, and D. Ferraiolo. On the Formal Definition of Separation-of-Duty Policies and their Composition. in IEEE Symposium on Security and Privacy. 1998. Oakland, CA.
27. Ferraiolo, D., J. Cugini, and D. Kuhn. Role-Based Access Control (RBAC): Features and Motivations. in Computer Security Applications. 1995.
28. Kuhn, R. Mutual exclusion of roles as a means of implementing separation of duty in role-based access control systems. in Proceedings of the second ACM workshop on Role-based access control. 1997.
29. Nyanchama, M. and S. Osborn, The role graph model and conflict of interest. Transactions on Information Systems Security, 1999. 2(1): p. Pages 3 - 33.
30. Muller, J., Delegation and Management. British Journal of Administrative Management, 1981. 31(7): p. 218-224.
31. Moffett, J.D., Delegation of Authority Using Domain Based Access Rules, in Dept of Computing. 1990, Imperial College, University of London.
32. Zhang, L., G. Ahn, and C. B. A Rule-based Framework for Role-Based Delegation. in 6th ACM Symposium on Access Control Models and Technologies. 2001. Chantilly, VA, USA.
33. Hagstrom, A., et al. Revocations - A Categorization. in Computer Security Foundations Workshop. 2001: IEEE.
34. Schaad, A. and J. Moffett. Separation, review and supervision controls in the context of a credit application process: a case study of organisational control principles. in ACM SAC 2004.
35. Janssen, W., et al., Model Checking for Managers. Lecture Notes in Computer Science, 1999. 1680.
36. Loer, K. and M. Harrison. Towards Usable and Relevant Model Checking Techniques for the Analysis of Dependable Interactive Systems. in ASE. 2002.
37. Clarke, E., O. Grumberg, and D. Peled, Model Checking. 2000: The MIT Press.
38. Cimatti, A., et al. NuSMV2: an Open Source Tool for Symbolic Model Checking in QA075 Electronic computers. Computer Science http://eprints.biblio. unitn.it/archive/00000085. 2002.
39. McMillan, K., The SMVsystem, Symbolic Model Checking - an approach 1992, Carnegie Mellon University CMU-CS-92-131.
40. Biere, A., A. Cimatti, and Y. Zhu, eds. Symbolic model checking without BDDs. Tools and Algorithms for the construction and analysis of systems Vol. 1579. 1999, Springer LNCS.
41. Mossakowski, T., M. Drouineaud, and K. Sohr. A temporal-logic extension of role-based access control covering dynamic separation of duties. in TIME-ICTL. 2003. Cairns, Queensland, Australia.
42. nd Edition, Revised and Expanded. CSLI Lecture Notes, 1992. 7.
43. Zhang, N., M. Ryan, and D. Guelev. Evaluating Access Control Policies Through Model Checking. in ISC. 2005.