A uniform approach for access control and business models with explicit rule realization
  • Authors: Vahid R. Karimi ; Paulo S. C. Alencar
  • Keywords: Access control models ; Business models ; Access control rules ; Patterns ; Resource–Event–Agent
  • Journal: International Journal of Information Security
  • Publication year: 2016
  • Publication date: April 2016
  • Volume: 15
  • Issue: 2
  • Pages: 145-171
  • Full-text size: 2,072 KB
  • Author affiliations: Vahid R. Karimi (1)
    Paulo S. C. Alencar (1)
    Donald D. Cowan (1)

    1. Cheriton School of Computer Science, University of Waterloo, Waterloo, ON, Canada
  • Journal category: Computer Science
  • Journal subjects: Data Encryption
    Computer Communication Networks
    Operating Systems
    Coding and Information Theory
    Management of Computing and Information Systems
    Communications Engineering and Networks
  • Publisher: Springer Berlin / Heidelberg
  • ISSN: 1615-5270
Abstract
Access control is an important part of security in software, such as business applications, since it determines the access of users to objects and operations and the constraints of this access. Business and access control models are expressed using different representations. In addition, access control rules are not generally defined explicitly from access control models. Even though the business model and access control model are two separate modeling abstractions, they are inter-connected as access control is part of any business model. Therefore, the first goal is to add access control models to business models using the same fundamental building blocks. The second goal is to use these models and define general access control rules explicitly from these models so that the connection between models and their realizations is also present. This paper describes a new common representation for business models and classes of access control models based on the Resource–Event–Agent (REA) modeling approach to business models. In addition, the connection between models and their represented rules is clearly defined. We present a uniform approach to business and access control models. First, access control primitives are mapped onto REA-based access control patterns. Then, REA-based access control patterns are combined to define access control models. Based on these models, general access control rules are expressed in Extended Backus–Naur Form.
