ABSTRACT
Several formal access control models are known in the literature, such as DAC, MAC, RBAC, etc. However, these models cannot meet the new security requirements of flexible and dynamic environments, which necessitate a combination of elements of these models in order to properly express varied data protection needs. In this paper, we present a new method for the specification of access control systems. The method makes it possible to design an access control system specific to the high-level policy of an organization. The method is based on a generic UML meta-model of access control called CatBAC (Category Based Access Control), together with a refinement process for the extraction of security requirements from high-level policies. Based on the category concept, the CatBAC meta-model allows specifying hybrid access control policies.
Index Terms
- An access control framework for hybrid policies