Analyzing and managing role-based access control policies

Karsten Sohr; Michael Drouineaud; Gail-Joon Ahn; Martin Gogolla

doi:10.1109/TKDE.2008.28

Analyzing and managing role-based access control policies

Karsten Sohr, Michael Drouineaud, Gail-Joon Ahn, Martin Gogolla

Research output: Contribution to journal › Article

42 Citations (Scopus)

Abstract

Today, more and more sensitive data is stored on computer systems; security-critical business processes are mapped to their digital counterparts. This situation applies to institutes that have different security requirements, such as the healthcare industry, digital government, and financial service institutes. Authorization constraints help the policy architect design and express higher level organizational rules. Although the Importance of authorization constraints has been addressed in the literature, a systematic way to verify and validate authorization constraints does not exist. In this paper, we specify both nontemporal and history-based authorization constraints in the Object Constraint Language (OCL) and first-order linear temporal logic (LTL). Based upon these specifications, we attempt to formally verify role-based access control policies with the help of a theorem prover and to validate policies with the UML-based Specification Environment (USE) system, a validation tool for OCL constraints. We also describe an authorization engine, which supports the enforcement of authorization constraints.

Original language	English (US)
Article number	4441714
Pages (from-to)	924-939
Number of pages	16
Journal	IEEE Transactions on Knowledge and Data Engineering
Volume	20
Issue number	7
DOIs	https://doi.org/10.1109/TKDE.2008.28
State	Published - Jul 2008

Fingerprint

Access control

Specifications

Temporal logic

Industry

Computer systems

Engines

Keywords

Authorization constraints
Linear temporal logic
Object constraint language
Role-based access control policy

ASJC Scopus subject areas

Control and Systems Engineering
Electrical and Electronic Engineering
Artificial Intelligence
Information Systems

Cite this

Sohr, K., Drouineaud, M., Ahn, G-J., & Gogolla, M. (2008). Analyzing and managing role-based access control policies. IEEE Transactions on Knowledge and Data Engineering, 20(7), 924-939. [4441714]. https://doi.org/10.1109/TKDE.2008.28

Analyzing and managing role-based access control policies. / Sohr, Karsten; Drouineaud, Michael; Ahn, Gail-Joon; Gogolla, Martin.

In: IEEE Transactions on Knowledge and Data Engineering, Vol. 20, No. 7, 4441714, 07.2008, p. 924-939.

Research output: Contribution to journal › Article

Sohr, K, Drouineaud, M, Ahn, G-J & Gogolla, M 2008, 'Analyzing and managing role-based access control policies', IEEE Transactions on Knowledge and Data Engineering, vol. 20, no. 7, 4441714, pp. 924-939. https://doi.org/10.1109/TKDE.2008.28

Sohr K, Drouineaud M, Ahn G-J, Gogolla M. Analyzing and managing role-based access control policies. IEEE Transactions on Knowledge and Data Engineering. 2008 Jul;20(7):924-939. 4441714. https://doi.org/10.1109/TKDE.2008.28

Sohr, Karsten ; Drouineaud, Michael ; Ahn, Gail-Joon ; Gogolla, Martin. / Analyzing and managing role-based access control policies. In: IEEE Transactions on Knowledge and Data Engineering. 2008 ; Vol. 20, No. 7. pp. 924-939.

@article{fb498a0d761b4fe6bef26fdce4b73e4a,

title = "Analyzing and managing role-based access control policies",

abstract = "Today, more and more sensitive data is stored on computer systems; security-critical business processes are mapped to their digital counterparts. This situation applies to institutes that have different security requirements, such as the healthcare industry, digital government, and financial service institutes. Authorization constraints help the policy architect design and express higher level organizational rules. Although the Importance of authorization constraints has been addressed in the literature, a systematic way to verify and validate authorization constraints does not exist. In this paper, we specify both nontemporal and history-based authorization constraints in the Object Constraint Language (OCL) and first-order linear temporal logic (LTL). Based upon these specifications, we attempt to formally verify role-based access control policies with the help of a theorem prover and to validate policies with the UML-based Specification Environment (USE) system, a validation tool for OCL constraints. We also describe an authorization engine, which supports the enforcement of authorization constraints.",

keywords = "Authorization constraints, Linear temporal logic, Object constraint language, Role-based access control policy",

author = "Karsten Sohr and Michael Drouineaud and Gail-Joon Ahn and Martin Gogolla",

year = "2008",

month = "7",

doi = "10.1109/TKDE.2008.28",

language = "English (US)",

volume = "20",

pages = "924--939",

journal = "IEEE Transactions on Knowledge and Data Engineering",

issn = "1041-4347",

publisher = "IEEE Computer Society",

number = "7",

}

TY - JOUR

T1 - Analyzing and managing role-based access control policies

AU - Sohr, Karsten

AU - Drouineaud, Michael

AU - Ahn, Gail-Joon

AU - Gogolla, Martin

PY - 2008/7

Y1 - 2008/7

N2 - Today, more and more sensitive data is stored on computer systems; security-critical business processes are mapped to their digital counterparts. This situation applies to institutes that have different security requirements, such as the healthcare industry, digital government, and financial service institutes. Authorization constraints help the policy architect design and express higher level organizational rules. Although the Importance of authorization constraints has been addressed in the literature, a systematic way to verify and validate authorization constraints does not exist. In this paper, we specify both nontemporal and history-based authorization constraints in the Object Constraint Language (OCL) and first-order linear temporal logic (LTL). Based upon these specifications, we attempt to formally verify role-based access control policies with the help of a theorem prover and to validate policies with the UML-based Specification Environment (USE) system, a validation tool for OCL constraints. We also describe an authorization engine, which supports the enforcement of authorization constraints.

AB - Today, more and more sensitive data is stored on computer systems; security-critical business processes are mapped to their digital counterparts. This situation applies to institutes that have different security requirements, such as the healthcare industry, digital government, and financial service institutes. Authorization constraints help the policy architect design and express higher level organizational rules. Although the Importance of authorization constraints has been addressed in the literature, a systematic way to verify and validate authorization constraints does not exist. In this paper, we specify both nontemporal and history-based authorization constraints in the Object Constraint Language (OCL) and first-order linear temporal logic (LTL). Based upon these specifications, we attempt to formally verify role-based access control policies with the help of a theorem prover and to validate policies with the UML-based Specification Environment (USE) system, a validation tool for OCL constraints. We also describe an authorization engine, which supports the enforcement of authorization constraints.

KW - Authorization constraints

KW - Linear temporal logic

KW - Object constraint language

KW - Role-based access control policy

UR - http://www.scopus.com/inward/record.url?scp=44649149548&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=44649149548&partnerID=8YFLogxK

U2 - 10.1109/TKDE.2008.28

DO - 10.1109/TKDE.2008.28

M3 - Article

VL - 20

SP - 924

EP - 939

JO - IEEE Transactions on Knowledge and Data Engineering

JF - IEEE Transactions on Knowledge and Data Engineering

SN - 1041-4347

IS - 7

M1 - 4441714

ER -

Access to Document

10.1109/TKDE.2008.28