Abstract
Organizations use Role-Based Access Control (RBAC) to protect computer-based resources from unauthorized access. There has been considerable work on formally specifying RBAC policies but there is still a need for RBAC policy specification techniques that can be integrated into software design methods. This paper describes a method for incorporating specifications of RBAC policies into UML design models. Reusable RBAC policies are specified as patterns and are expressed using UML template diagrams. Incorporating RBAC policies into an application specific model involves instantiating the patterns and composing the instantiations with the model. The method also includes a technique for specifying patterns of RBAC violations. Developers can use the patterns to identify policy violations in their models. The method is illustrated using a small banking application.
Chapter PDF
Similar content being viewed by others
References
Ahn, G.J., Sandhu, R.: Role-based Authorization Constraints Specification. ACM Transactions on Information and Systems Security 3(4), 207–226 (2000)
Barker, S.: Security Policy Specification in Logic. In: Proceedings of the International Conference on Artificial Intelligence, Las Vegas, NV, pp. 143–148 (2000)
Barker, S., Rosenthal, A.: Flexible Security Policies in SQL. In: Proceedings of the 15th Annual IFIP WG 11.3 Working Conference on Data and Applications Security, Niagara-onthe-Lake, Canada (2001)
Bertino, E., Bonatti, P., Ferrari, E.: TRBAC: A Temporal Role-Based Access Control Model. In: Proceedings of the 5th ACM Workshop on Role-Based Access Control, Berlin, Germany, pp. 21–30 (2000)
Chandramouli, R.: Application of XML Tools for Enterprise-Wide RBAC Implementation Tasks. In: Proceedings of 5th ACM workshop on Role-Based Access Control, Berlin, Germany (July 2000)
Chen, F., Sandhu, R.: Constraints for Role-Based Access Control. In: Proceedings of the 1st ACM Workshop on Role-Based Access Control, Gaithersburg, MD (1995)
Damianou, N., Dulay, N.: The Ponder Policy Specification Language. In: Proceedings of the Policy Workshop, Bristol, U.K. (2001)
Ferraiolo, D.F., Sandhu, R., Gavrila, S., Kuhn, D.R., Chandramouli, R.: Proposed NIST Standard for Role-Based Access Control. ACM Transactions on Information and Systems Security 4(3) (August 2001)
Georg, G., France, R., Ray, I.: An Aspect-Based Approach to Modeling Security Concerns. In: Proceedings of the Workshop on Critical Systems Development with UML, Dresden, Germany (2002)
Georg, G., Ray, I., France, R.: Using Aspects to Design a Secure System. In: Proceedings of the Interational Conference on Engineering Complex Computing Systems (ICECCS 2002), Greenbelt, MD, December 2002. ACM Press, New York (2002)
Hayton, R.J., Bacon, J.M., Moody, K.: Access Control in Open Distributed Environment. In: IEEE Symposium on Security and Privacy, Oakland, CA, May 1998, pp. 3–14 (1998)
Hitchens, M., Varadarajan, V.: Tower: A Language for Role-Based Access Control. In: Proceedings of the Policy Workshop, Bristol, U.K. (2001)
Hoagland, J.A., Pandey, R., Levitt, K.N.: Security Policy Specification Using a Graphical Approach. Technical Report CSE-98-3, Computer Science Department, University of California Davis (July 1998)
Jajodia, S., Samarati, P., Subrahmanian, V.S.: A Logical Language for Expressing Authorizations. In: IEEE Symposium on Security and Privacy, Oakland, CA, May 1997, pp. 31–42 (1997)
Jurjens, J.: UMLsec: Extending UML for Secure Systems Development. In: Proceedings of Fifth International Conference on the Unified Modeling Language, Dresden, Germany, October 2002, pp. 412–425 (2002)
Kim, D.-K., France, R., Ghosh, S., Song, E.: Using Role-Based Modeling Language (RBML) as Precise Characterizations of Model Families. In: Proceedings of the Interational Conference on Engineering Complex Computing Systems (ICECCS 2002), Greenbelt, MD, December 2002. ACM Press, New York (2002)
Lodderstedt, T., Basin, D.A., Doser, J.: SecureUML: A UML-Based Modeling Language for Model-Driven Security. In: Proceedings of Fifth International Conference on the Unified Modeling Language, Dresden, Germany, October 2002, pp. 426–441 (2002)
Messmer, B.T., Bunke, H.: Subgraph Isomorphism in Polynomial Time. In: Graph Theory - ECCV 1998. LNCS. Springer, Heidelberg (1998)
OASIS. XACML Language Proposal, Version 0.8. Technical report, Organization for the Advancement of Structured Information Standards (January 2002), Available electronically from: http://www.oasis-open.org/committees/xacml
Ribeiro, C., Zuquete, A., Ferreira, P.: SPL: An Access Control Language for Security Policies with Complex Constraints. In: Proceedings of the Network and Distributed System Security Symposium, San Diego, CA (February 2001)
Tidswell, J.E., Jaeger, T.: An Access Control Model for Simplifying Constraint Expression. In: Proceedings of 7th ACM conference on Computer and communications security, Athens, Greese, November 2000, pp. 154–163 (2000)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2004 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Kim, DK., Ray, I., France, R., Li, N. (2004). Modeling Role-Based Access Control Using Parameterized UML Models. In: Wermelinger, M., Margaria-Steffen, T. (eds) Fundamental Approaches to Software Engineering. FASE 2004. Lecture Notes in Computer Science, vol 2984. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-24721-0_13
Download citation
DOI: https://doi.org/10.1007/978-3-540-24721-0_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-21305-5
Online ISBN: 978-3-540-24721-0
eBook Packages: Springer Book Archive