skip to main content
10.1145/1501434.1501451acmotherconferencesArticle/Chapter ViewAbstractPublication PagespstConference Proceedingsconference-collections
research-article

A constraint based role based access control in the SECTET a model-driven approach

Published: 30 October 2006 Publication History

Abstract

With respect to Service Oriented Architectures (SOA's) paradigm, the core Role Based Access Control (RBAC) has several limitations. In SOA, permissions to execute web services are not assigned statically to roles but are associated with a set of Permission Assignment Constraints (PAC) upon the fulfilment of which a role is assigned a permission to execute a web service. Further, the RBAC does not support partial inheritance which is an integral requirement in SOA. A major challenge in SOA is the inheritance of permissions associated with PAC in the presence of role hierarchies. This contribution has three objectives. First we propose an extension to Role Based Access Control [29], Constraint based RBAC (CRBAC), in order to make RBAC applicable into the dynamic environment of SOA. We then present SECTET-PL [31], a high-level language for the specification of PAC. Being part of the SECTET-framework for model-driven security for B2B-workflows, SECTET-PL is a policy language influenced by OCL [23] and interpreted in the context of UML models. Finally, using Model Driven Architecture (MDA) [18] paradigm, we describe the integration of business requirements and security requirements at the metalevel. The high-level security (CRBAC) models are transformed to low-level web services standard artefacts with the help of Eclipse Modelling Framework and OpenArchitectureWare.

References

[1]
M. Alam, M. Hafner, and R. Breu. Modeling Authorization in a SOA based Application Scenario. IASTED Software Engineering 2006, ISBN: 0-88986-572-8.
[2]
http://www.andromda.org.
[3]
D. Gue Park et al. A Flexible Role-Based Delegation Model using Characteristics of Permissions. DEXA 2005, LNCS 3588, pp. 310--323, 2005.
[4]
E. Bertino et al. TRBAC: A temporal role-based access control model. ACM Transactions on Information and System Security (TISSEC) Volume 4, Issue 3 (August 2001).
[5]
H. Lee et al. A New Role-Based Delegation Model Using Sub-role Hierarchies. ISCIS 2003, LNCS 2869, pp. 811--818, 2003.
[6]
http://wikipedia.org/.
[7]
http://www.eclipse.org/emf/.
[8]
J. B. D. Joshi et al. A Generalized Temporal Role-Based Access Control Model. IEEE Transactions On Knowledge And Data Engineering, VOL. 17, No 1, January 2005.
[9]
J. Jürjens. Secure Systems Development with UML. ISBN: 3540007016.
[10]
http://hissa.nist.gov/rbac/paper/node5.html.
[11]
M. Alam et al. Model Driven Security for Web Services (MDS4WS). INMIC 2004, Digi Obj Id 10.1109/INMIC.2004.1492930.
[12]
M. Alam et al. Modeling Permissions in a (U/X)ML World. To Appear In ARES 2006.
[13]
M. Hafner et al. A Security Architecture For Inter-organizational Workflows-Putting WS Security Standards Together. ICEIS 2005, ISBN: 972-8865-19-8.
[14]
M. Hafner et al. Modeling Inter-organizational Workflow Security in a Peer-to-Peer Environment. IEEE ICWS 2005, ISBN: 0-7695-2409-5.
[15]
M. Hafner et al. "SECTET An Extensible Framework for the Realization of Secure Inter-Organizational Workflows". Accepted for ICEIS 2006.
[16]
M. Schumacher. Security Engineering with Patterns. LNCS 2754 ISBN: 3-540-40731-6, 2003.
[17]
http://www.magicdraw.com/.
[18]
Model Driven Architecture. http://www.omg.org/mda.
[19]
Meta Object Facility: OMG Adapted Specification available at. http://www.omg.org/docs/ptc/04-10-15.pdf.
[20]
http://mdr.netbeans.org/.
[21]
OAW 4 EMF Example available at. http://www.eclipse.org/gmt/oaw/doc/30_emfExample.pdf.
[22]
OAW XPAND Language available at. http://www.eclipse.org/gmt/oaw/doc/r20_xPandReference.pdf.
[23]
UML 2.0 OCL Specification. http://www.omg.org/docs/ptc/03-10-14.pdf.
[24]
Object Management Group. http://www.omg.org.
[25]
Query View Transformation: OMG Adapted Specification available at. http://www.omg.org/docs/ptc/05-11-01.pdf.
[26]
R. Breu and G. Popp. Actor-centric modelling of access rights. FASE 2004. Springer LNCS Vol. 2984, p. 165--179, 2004.
[27]
R. Breu et al. Model Driven Security for Inter-Organizational Workflows in e-Government. TCGOV 2005, Proceedings. ISBN 3-540-25016-6.
[28]
R. Breu et al. Web service engineering - advancing a new software engineering discipline. ICWE 2005, LNCS 3579.
[29]
http://csrc.nist.gov/rbac//.
[30]
www.sectet.org. Will be on Air by the end of May 2006.
[31]
SECTETPL: A Predicative Language for the Specification of Access Rights. http://qe-informatik.uibk.ac.at/~muhammad/TechnicalReportSECTETPL.pdf.
[32]
T. Lodderstedt, D. Basin and J. Doser. A UML Based Modeling Language for Model-Driven Security 5th international conference UML 2002 Dresden, Germany, 2002.
[33]
Web Service Description Language (WSDL), available at. http://www.w3.org/TR/wsdl.
[34]
WSDL First, July 22, 2003. http://webservices.xml.com/pub/a/ws/2003/07/22/ws-dlfirst.html.
[35]
XACML 2.0 Specification Set. http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml.

Cited By

View all
  • (2015)Model driven security framework for software design and verificationSecurity and Communication Networks10.1002/sec.12008:16(2768-2792)Online publication date: 10-Nov-2015
  • (2012)Augmented enterprise models as a foundation for generating security-related softwareProceedings of the Workshop on Model-Driven Security10.1145/2422498.2422506(1-6)Online publication date: 1-Oct-2012
  • (2011)An integrated approach for identity and access management in a SOA contextProceedings of the 16th ACM symposium on Access control models and technologies10.1145/1998441.1998446(21-30)Online publication date: 15-Jun-2011
  • Show More Cited By

Recommendations

Comments

Information & Contributors

Information

Published In

cover image ACM Other conferences
PST '06: Proceedings of the 2006 International Conference on Privacy, Security and Trust: Bridge the Gap Between PST Technologies and Business Services
October 2006
389 pages
ISBN:1595936041
DOI:10.1145/1501434
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

In-Cooperation

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 30 October 2006

Permissions

Request permissions for this article.

Check for updates

Author Tags

  1. model-driven architecture
  2. model-driven security
  3. role based access control
  4. service oriented architectures

Qualifiers

  • Research-article

Conference

PST06
PST06: International Conference on Privacy, Security and Trust
October 30 - November 1, 2006
Ontario, Markham, Canada

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)0
  • Downloads (Last 6 weeks)0
Reflects downloads up to 19 Feb 2025

Other Metrics

Citations

Cited By

View all
  • (2015)Model driven security framework for software design and verificationSecurity and Communication Networks10.1002/sec.12008:16(2768-2792)Online publication date: 10-Nov-2015
  • (2012)Augmented enterprise models as a foundation for generating security-related softwareProceedings of the Workshop on Model-Driven Security10.1145/2422498.2422506(1-6)Online publication date: 1-Oct-2012
  • (2011)An integrated approach for identity and access management in a SOA contextProceedings of the 16th ACM symposium on Access control models and technologies10.1145/1998441.1998446(21-30)Online publication date: 15-Jun-2011
  • (2011)Security in Model Driven DevelopmentProceedings of the 2011 Sixth International Conference on Availability, Reliability and Security10.1109/ARES.2011.110(704-709)Online publication date: 22-Aug-2011
  • (2009)EditorialInformation and Software Technology10.1016/j.infsof.2008.05.01051:5(809-814)Online publication date: 1-May-2009
  • (2006)Constraint based role based access control (CRBAC) for restricted administrative delegation constraints in the SECTETProceedings of the 2006 International Conference on Privacy, Security and Trust: Bridge the Gap Between PST Technologies and Business Services10.1145/1501434.1501487(1-5)Online publication date: 30-Oct-2006

View Options

Login options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Figures

Tables

Media

Share

Share

Share this Publication link

Share on social media