Role engineering: From design to evolution of security schemes

Journal of Systems and Software

Volumn 81, Issue 8, 2008, Pages 1306-1326

  Goncalves, Gilles ^a   Poniszewska Maranda, Aneta ^b  

^a UNIVERSITÉ D'ARTOIS   (France)

^b LODZ UNIVERSITY OF TECHNOLOGY   (Poland)

Author keywords

Access control; Constraints; Role engineering; Role based access control model; Security of information system; UML (Unified Modelling Language)

Indexed keywords

INFORMATION SCIENCE; INFORMATION SYSTEMS; PUBLIC POLICY; SECURITY SYSTEMS; TECHNOLOGY;

ACCESS CONTROL SCHEMES; CONSTRAINTS; DESIGN PHASE; GLOBAL COHERENCE; GLOBAL SECURITY; ROLE ENGINEERING; ROLE-BASED ACCESS CONTROL; ROLE-BASED ACCESS CONTROL MODEL; SECURITY ADMINISTRATORS; SECURITY OF INFORMATION SYSTEM; SECURITY SCHEMES; UML (UNIFIED MODELLING LANGUAGE);

ACCESS CONTROL;

EID: 50049104179     PISSN: 01641212     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.jss.2007.11.003     Document Type: Article

References (62)

1. Ahad, R. et al., 1992. Supporting access control in an object-oriented database language. In: Proceedings of the 3rd International Conference Extending Database Technology.
2. Ahn, G.-J., 1999. The RCL 2000 language for specifying role-based authorization constraints. PhD thesis, George Mason University, USA.
3. Ahn G.-J., and Sandhu R.S. The RSL99 language for role-based separation of duty constraints. ACM Transactions on RBAC (1999)
4. Ahn G.-J., and Sandhu R.S. Role-based authorization constraints specification. ACM Transactions on Information and Systems Security (2000)
5. ANSI INCITS 359-2004, American national standard for information technology, role based access control, http://csrc.nist.gov/rbac, 2004.
6. Bell, D.E., La Padula, L.J., 1975. Secure computer system: unified exposition and multi interpretation. Technical Report MTIS ADA023588, MITRE Corporation.
7. Bertino, E., Ferrari, E., Atluri, V. November 1997. A flexible model for the specification and enforcement of authorization constraints in workflow management system. In: Proceedings of the 2nd ACM Workshop on Role-Based Access Control.
8. Bertino, E., Bonatti, P.A., Ferrari, E., August 2001. TRBAC: a temporal role-based access control model, A3.
9. Bhamidipati, V., Sandhu, R.S., 1997. The ARBAC97 model for role-based administration of roles. In: Proceedings of the 2nd ACM Workshop on Role-Based Access.
10. Booch G., Rumbaugh J., and Jacobson I. The Unified Modelling Language User Guide (1998), Addison Wesley
11. Casati, F., Castano, S., Fugini, M., 2001. Managing workflow authorization constraints through active technology. HP Labs Technical Reports HPL-2000-156 20001206 External.
12. Castaro S., Fugini S., Martella G., and Samarati P. Database Security (1994), Addison-Wesley
13. Chappelet, J.-L., Snella, J.-J., 1997. Language for organization, Ossad approach (Un langage pour l'organisation, L'approche Ossad), Presses Polytechniques et Universitaires Romandes.
14. Chen, F., Sandhu, R.S., 1995. Constraints for role-based access control. In: Proceedings of the 1st ACM Workshop on Role-Based Access Control.
15. Coulourisand, G., Dollimore, J., Roberts, M., 1998. Role and task-based access control in the PerDiS groupware platform. In: Proceedings of the ACM Workshop on Role-Based Access Control.
16. Coyne, E.J., 1996. Role engineering. In: Proceedings of the 1st ACM Workshop on Role-Based Access Control (RBAC96), USA.
17. Crook, R., Ince, D., Nuseibeh, B., 2002. Towards an analytical role modelling framework for security requirements. In: Proceedings of the 8th International Workshop on Requirements Engineering: Foundation for Software Quality (REFSQ02), Germany.
18. Cuppens, F., Miege, A., 2003. Modelling contexts in the Or-BAC model. In: Proceedings of the 19th Annual Computer Security Applications Conference, USA.
19. El Kalam, A., El Baida, R., Balbiani, P., Benferhat, S., Cuppens, F., Deswarte, Y., Miege, A., Saurel, C., Trouessin, G., 2003. Organization based access control. In: Proceedings of the IEEE 4th International Workshop on Policies for Distributed Systems and Networks (Policy 2003), Italy.
20. Epstein, P., Sandhu, R.S., 1999. Towards a UML based approach to role engineering. In: Proceedings of the 4th ACM Workshop on Role-Based Access Control, USA.
21. Epstein, P., Sandhu, R.S., 2001. Engineering of role/permission assignments. In: Proceedings of the 17th Annual Computer Security Applications Conference, USA.
22. Fernandez, E.B., Hawkins, J.C., 1997. Determining role rights from use cases. In: Proceedings of the 2nd ACM Workshop on Role-Based Access Control.
23. Ferraiolo, D., Kuhn, D.K., 1992. Role based access control. In: Proceedings of the 15th National Computer Security Conference, NIST/NSA.
24. Ferraiolo D.F., Sandhu R.S., Gavrila S., Kuhn D.R., and Chandramouli R. Proposed NIST standard for role-based access control. ACM Transactions on Information and Systems Security (TISSEC) 4 3 (2001)
25. Gabay, J., 1998. Merise to OMT and UML, InterEditions.
26. Gavrila, S.I., Barkley, J.F., 1998. Formal specification for role based access control user/role and role/role relationship management. In: Proceedings of the ACM Workshop on Role-Based Access Control.
27. Georgiadis, Ch.K., Mavridis, I., Pangalos, G., Thomas, R.K., 2001. Flexible team-based access control using contexts. In: Proceedings of the 6th ACM Symposium on Access Control Models and Technologies (SACMAT 2001).
28. Goncalves, G., Hemery, F., 2000. From use case in UML to management of roles in information systems. In: Proceedings of the Conference Inforsid, France.
29. Goncalves, G., Hemery, F., 2001. UML-XML platform for management of roles in information system. In: Proceedings of the Conference Inforsid.
30. Goncalves, G., Hemery, F., Poniszewska, A., 2003. Verification of access control coherence in information system during modifications. In: Proceedings of the 12th IEEE International WETICE, Austria.
31. Harrison M.A., Ruzzo W.L., and Ullman J.D. Protection in operating systems. Communication of the ACM 19 8 (1976)
32. He, Q., Antn, A.I., 2003. A framework for modeling privacy requirements in role engineering. In: Proceedings of the 9th International Workshop on Requirements Engineering: Foundation for Software Quality (REFSQ'03), Austria.
33. Jajodia, S., Subrahmanian, V.S., Samarati, P., Bertino, E., 1998. An unified framework for enforcing multiple access control policies. In: Proceedings of the ACM SIGMOD Conference of Management of Data.
34. Kettani, N., Mignet, D., Par, P., Rosenthal-Sabroux, C., 1998. From Merise to UML, Eyrolles.
35. Lamere J.M. Security of Information Systems: How to Organize the Security and Quality of Information Systems in Enterprise (1991), Dunod
36. Le Moigne, J.L., 1994. The Theory of General System: Conception Theory, PUF, Paris.
37. Melese, J., 1972. Component Analysis of systems, Editions Hommes et Techniques.
38. Neumann, G., Strembeck, M., 2002. A scenario-driven role engineering process for functional RBAC roles. In: Proceedings of the 7th ACM Symposium on Access Control Models and Technologies (SACMAT02).
39. Object Management Group, OMG Unified Modeling Language Specification, 2000.
40. Object Management Group, OMG Unified Modeling Language Specification, 2004.
41. Park J., and Sandhu R.S. The UCONABC usage control model. ACM Transactions on Information and System Security 1 1 (2004)
42. Peltier T. Information security policies. Procedures and Standards: Guidelines for Effective Information Security Management (2001), Auerbach Publications
43. Peltier T.R., Peltier J., and Blackley J.A. Information Security Fundamentals (2004), Auerbach Publications
44. Poniszewska, A., 2003. UML specification of access control in information systems: cooperative approach of role conception in RBAC model. PhD thesis, Artois University, France, May.
45. Poniszewska-Maranda A. Access control coherence of information systems based on security constraints. Proceeding of the SafeComp 2006: 25th International Conference on Computer Safety, Security and Reliability (2006), LNCS, Springer-Verlag
46. Poniszewska-Maranda, A., Goncalves, G., Hemery, F., 2005. Representation of extended RBAC model using UML language. In: Proceedings of the SOFSEM 2005: Theory and Practice of Computer Science, LNCS, Springer-Verlag.
47. Poniszewska-Maranda, A. 2005. Role engineering of information system using extended RBAC model. In: Proceedings of the 14th IEEE International WETICE, Sweden.
48. Rockle, H., Schimpf, G., Weidinger, R., 2000. Process-oriented approach for role-finding to implement role-based security administration in a large industrial organization. In: Proceedings of the 5th ACM Workshop on Role-Based Access Control, Berlin, Germany.
49. Ross D. Structured analysis (SA): a language for communicating ideas. IEEE Trans Soft Engineering (1977) 16-34
50. Sandhu, R. S., 1990. Separation of duties in computerized information systems. In: Proceedings of the IFIP WG 11.3 Workshop on Database Security, Halifax.
51. Sandhu R.S. Handbook of Information Security Management (1994), Auerbach Publications
52. Sandhu, R.S., 1996. Role hierarchies and constraints for lattice-based access control. In: Proceedings of the 4th European Symposium of Research in Computer Security, Italy.
53. Sandhu R.S., and Jajodia S. Handbook of Information Security Management (1993), Auerbach Publications
54. Sandhu R.S., Coyne E.J., Feinstein H.L., and Youman C.E. Role-based access control models. IEEE Computer 29 2 (1996)
55. Sandhu R.S., Bhamidipati V., and Munawer Q. The ARBAC97 model for role-based administration of roles. ACM Transactions on Information and Systems Security (1997)
56. Schaad, A., Moffett, J.D., 2002. A lightweight approach to specification and analysis of role based access control extensions. In: Proceedings of the ACM SACMAT.
57. Schimpf, G., 2000. Role-engineering critical success factors for enterprise security administration. In: Proceedings of the 16th Annual Computer Security Applications Conference (ACSAC00).
58. Thomas, R.K., 1997. Team-based access control (TMAC): a primitive for applying role-based access controls in collaborative environments. In: Proceedings of the 2nd ACM Workshop on Role-based Access Control, USA.
59. Thomsen, D., O'Brien, D., Bogle, J., 1998. Role based access control framework for network enterprises. In: Proceedings of the 14th Annual Computer Security Application Conference.
60. Tipton H.F., and Krause M. Information Security. Management Handbook (2006), Auerbach Publications
61. Tudor J.K. Information Security Architecture: An Integrated Approach to Security in the Organization (2006), Auerbach Publications
62. Wermer J., and Kleppe A. OCL: the constraint language of the UML. Journal of Object-Oriented Programming (1999)