Analyzing and managing role-based access control policies

IEEE Transactions on Knowledge and Data Engineering

Volumn 20, Issue 7, 2008, Pages 924-939

  Sohr, Karsten ^b   Drouineaud, Michael ^b   Ahn, Gail Joon ^a,c   Gogolla, Martin ^b  

^a IEEE

^b UNIVERSITY OF BREMEN   (Germany)

^c Arizona State University   (United States)

Author keywords

Authorization constraints; Linear temporal logic; Object constraint language; Role based access control policy

Indexed keywords

(R ,S ,S) POLICY; AUTHORIZATION CONSTRAINTS; BASED SPECIFICATION; CRITICAL BUSINESS; DIGITAL COUNTERPARTS; DIGITAL GOVERNMENT; FIRST ORDERS; HEALTHCARE INDUSTRIES; LINEAR TEMPORAL LOGIC (LTL); OBJECT CONSTRAINT LANGUAGE (OCL); ORGANIZATIONAL RULES; ROLE-BASED ACCESS CONTROL (RBAC); SECURITY REQUIREMENTS; SENSITIVE DATA; SYSTEMATIC (CO);

ARCHITECTURAL DESIGN; COMPUTER CONTROL; COMPUTER CONTROL SYSTEMS; COMPUTER NETWORKS; COMPUTER SYSTEMS; COMPUTERS; CONTROL SYSTEMS; DIGITAL ARITHMETIC; HEALTH; INDUSTRY; SECURITY OF DATA; SECURITY SYSTEMS; SOIL STRUCTURE INTERACTIONS; SPECIFICATIONS; TEMPORAL LOGIC; UNIFIED MODELING LANGUAGE;

ACCESS CONTROL;

EID: 44649149548     PISSN: 10414347     EISSN: None     Source Type: Journal    
DOI: 10.1109/TKDE.2008.28     Document Type: Article

References (46)

1. KPMG, Fraud Survey Reports 1996-2002. KPMG Int'l Canada, 2006.
2. EU, Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, Directive 95/46/EC, http://www.privacy.org/pi/intl_orgs/ec/eudp.html, 1995.
3. M.J. Nash and K.R. Poland, "Some Conundrums Concerning Separation of Duty," Proc. IEEE Symp. Research in Security and Privacy, pp. 201-207, 1990.
4. D.D. Clark and D.R. Wilson, "A Comparison of Commercial and Military Computer Security Policies," Proc. IEEE Symp. Security and Privacy (SSP '87), pp. 184-194, 1987.
5. R. Sandhu, E. Coyne, H. Feinstein, and C. Youman, "Role-Based Access Control Models," Computer, vol. 29, no. 2, pp. 38-47, Feb. 1996.
6. G.-J. Ahn, "The RCL 2000 Language for Specifying Role-Based Authorization Constraints," PhD dissertation, George Mason Univ., 1999.
7. Role Based Access Control, Am. Nat'l Standards Inst. Incorporated, ANSI-INCITS 359-2004, 2004.
8. T. Jaeger and J. Tidswell, "Practical Safety in Flexible Access Control Models," ACM Trans. Information and System Security, vol. 4, no. 2, pp. 158-190, May 2001.
9. T. Nipkow, L. Paulson, and M. Wenzel, Isabelle/HOL - A Proof Assistant for Higher-Order Logic. Springer, 2002.
10. M. Richters, "A Precise Approach to Validating UML Models and OCL Constraints," PhD dissertation, BISS Monographs No. 14, Fachbereich Math. und Informatik, Universität Bremen, 2002.
11. R. Anderson, Security Engineering: A Guide to Building Dependable Distributed Systems. John Wiley & Sons, 2001.
12. R. Goldblatt, Logics of Time and Computation, vol. 7, CSLI, Stanford Univ., second ed., revised and expanded, CSLI Lecture Notes, (first ed. 1987), distributed by Univ. of Chicago Press, 1992.
13. V.D. Gligor, S.I. Gavrila, and D. Ferraiolo, "On the Formal Definition of Separation-of-Duty Policies and Their Composition," Proc. IEEE Symp. Security and Privacy (SSP '98), pp. 172-185, May 1998.
14. Z. Manna and A. Pnueli, The Temporal Logic of Reactive and Concurrent Systems, Specification. Springer, 1992.
15. J. Warmer and A. Kleppe, The Object Constraint Language: Getting Your Models Ready for MDA. Addison-Wesley, 2003.
16. G.-J. Ahn and M. Shin, "Role-Based Authorization Constraints Specification Using Object Constraint Language," Proc. 10th IEEE Int'l Workshops Enabling Technologies: Infrastructure for Collaborative Enterprise (WET ICE '01), pp. 157-162, 2001.
17. I. Ray, N. Li, R. France, and D.-K. Kim, "Using UML to Visualize Role-Based Access Control Constraints," Proc. Ninth ACM Symp. Access Control Models and Technologies (SACMAT '04), pp. 115-124, 2004.
18. R. Simon and M. Zurko, "Separation of Duty in Role-Based Environments," Proc. 10th IEEE Computer Security Foundations Workshop (CSFW '97), pp. 183-194, June 1997.
19. K. Sohr, M. Drouineaud, and G.-J. Ahn, "Formal Specification of Role-based Security Policies for Clinical Information Systems," Proc. 20th ACM Symp. Applied Computing (SAC), 2005.
20. V. Atluri and J. Warner, "Supporting Conditional Delegation in Secure Workflow Management Systems," Proc. 10th ACM Symp. Access Control Models and Technologies (SACMAT '05), E. Ferrari and G.-J. Ahn, eds., pp. 49-58, 2005.
21. J. Joshi, E. Bertino, U. Latif, and A. Ghafoor, "A Generalized Temporal Role-Based Access Control Model," IEEE Trans. Knowledge and Data Eng., vol. 17, no. 1, pp. 4-23, Jan. 2005.
22. E. Bertino, E. Ferrari, and V. Atluri, "The Specification and Enforcement of Authorization Constraints in Workflow Management Systems," ACM Trans. Information and System Security, vol. 2, no. 1, pp. 65-104, 1999.
23. T. Mossakowski, M. Drouineaud, and K. Sohr, "A Temporal-Logic Extension of Role-Based Access Control Covering Dynamic Separation of Duties," Proc. 10th Int'l Symp. Temporal Representation and Reasoning/Fourth Int'l Conf. Temporal Logic (TIME-ICTL '03), July 2003.
24. R. Sandhu, "Transaction Control Expressions for Separation of Duties," Proc. Fourth Aerospace Computer Security Applications Conf., pp. 282-286, 1988.
25. A. Schaad, V. Lotz, and K. Sohr, "A Model-Checking Approach to Analysing Organisational Controls in a Loan Origination Process," Proc. 11th ACM Symp. Access Control Models and Technologies (SACMAT '06), June 2006.
26. E. Barka and R. Sandhu, "A Role-Based Delegation Model and Some Extensions," Proc. 16th Ann. Computer Security Application Conf., pp. 125-134, Dec. 2000.
27. H.M. Gladney, "Access Control for Large Collections," ACM Trans. Information Systems, vol. 15, no. 2, pp. 154-194, 1997.
28. V. Atluri and J. Warner, "Supporting Conditional Delegation in Secure Workflow Management Systems," Proc. 10th ACM Symp. Access Control Models and Technologies (SACMAT '05), pp. 49-58, June 2005.
29. J. Joshi and E. Bertino, "Fine-Grained Role-Based Delegation in Presence of the Hybrid Role Hierarchy," Proc. 11th ACM Symp. Access Control Models and Technologies, pp. 81-90, June 2006.
30. L. Zhang, G.-J. Ahn, and B.-T. Chu, "A Rule-Based Framework for Role-Based Delegation and Revocation," ACM Trans. Information and System Security, vol. 6, no. 3, pp. 404-441, Aug. 2003.
31. A. Hagström, S. Jajodia, F. Parisi-Presicce, and D. Wijesekera, "Revocations - A Classification," Proc. 14th IEEE Computer Security Foundations Workshop (CSFW '01), pp. 44-58, June 2001.
32. K. Sohr and M. Drouineaud, "Isabelle Theories," http:// www.sis.uncc.edu/liisp/rbac/Isabelle.zip, 2005.
33. A. Turing, "On Computable Numbers with an Application to the Entscheidungs Problem," Proc. London Math. Soc. (2), vol. 42, pp. 230-265, www.abelard.org/turpap2, 1936.
34. M. Drouineaud, M. Bortin, P. Torrini, and K. Sohr, "A First Step towards Formal Verification of Security Policy Properties for RBAC," Proc. Fourth Int'l Conf. Quality Software (QSIC '04), pp. 60-67, 2004.
35. E. Clarke, O. Grumberg, and A. Peled, Model Checking. MIT Press, 1999.
36. J. Rumbaugh, I. Jacobson, and G. Booch, "The Unified Modeling Language Reference Manual," Object Technology Series, second ed., Addison Wesley Longman, 2004.
37. K. Sohr, G.-J. Ahn, M. Gogolla, and L. Migge, "Specification and Validation of Authorisation Constraints with UML and OCL," Proc. 10th European Symp. Research in Computer Security (ESORICS), 2005.
38. M. Gogolla, J. Bohling, and M. Richters, "Validation of UML and OCL Models by Automatic Snapshot Generation," Proc. Sixth Int'l Conf. Unified Modeling Language (UML '03), pp. 265-279, 2003.
39. K. Sohr, G.-J. Ahn, and L. Migge, "Articulating and Enforcing Authorisation Policies with UML and OCL," Proc. ACM ICSE Workshop Software Eng. for Secure Systems (SESS '05), May 2005.
40. OASIS, eXtensible Access Control Markup Language (XACML) Version 2.0, http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core- spec-os.pdf, 2005.
41. P. Ziemann and M. Gogolla, "An OCL Extension for Formulating Temporal Constraints," Research Report 1/03, Universität Bremen, 2003.
42. M. Gogolla and M. Richters, "Transformation Rules for UML Class Diagrams," Proc. First Int'l Workshop Unified Modeling Language (UML '98), pp. 92-106, 1999.
43. B. Shafiq, A. Masood, J. Joshi, and A. Ghafoor, "A Role-Based Access Control Policy Verification Framework for Real-Time Systems," Proc. 10th IEEE Int'l Workshop Object-Oriented Real-Time Dependable Systems (WORDS '05), pp. 13-20, 2005.
44. M. Koch, L. Mancini, and F. Parisi-Presicce, "Graph-Based Specification of Access Control Policies," J. Computer and System Sciences, vol. 71, no. 3, pp. 1-33, 2005.
45. J. Crampton, "Specifying and Enforcing Constraints in Role-Based Access Control," Proc. Eighth ACM Symp. Access Control Models and Technologies (SACMAT '03), pp. 43-50, June 2003.
46. J. Wainer and A. Kumar, "A Fine-Grained, Controllable, User-to-User Delegation Method in RBAC," Proc. 10th ACM Symp. Access Control Models and Technologies (SACMAT '05), pp. 59-66, June 2005.