Analyzing and managing role-based access control policies

Karsten Sohr, Michael Drouineaud, Gail-Joon Ahn, Martin Gogolla

Research output: Contribution to journal (Article)

42 Citations (Scopus)

Abstract

Today, more and more sensitive data is stored on computer systems; security-critical business processes are mapped to their digital counterparts. This situation applies to institutes that have different security requirements, such as the healthcare industry, digital government, and financial service institutes. Authorization constraints help the policy architect design and express higher level organizational rules. Although the importance of authorization constraints has been addressed in the literature, a systematic way to verify and validate authorization constraints does not exist. In this paper, we specify both nontemporal and history-based authorization constraints in the Object Constraint Language (OCL) and first-order linear temporal logic (LTL). Based upon these specifications, we attempt to formally verify role-based access control policies with the help of a theorem prover and to validate policies with the UML-based Specification Environment (USE) system, a validation tool for OCL constraints. We also describe an authorization engine, which supports the enforcement of authorization constraints.

Original language: English (US)
Article number: 4441714
Pages (from-to): 924-939
Number of pages: 16
Journal: IEEE Transactions on Knowledge and Data Engineering
Volume: 20
Issue number: 7
DOIs: 10.1109/TKDE.2008.28
State: Published - Jul 2008

Fingerprint

Access control
Specifications
Temporal logic
Industry
Computer systems
Engines

Keywords

  • Authorization constraints
  • Linear temporal logic
  • Object constraint language
  • Role-based access control policy

ASJC Scopus subject areas

  • Control and Systems Engineering
  • Electrical and Electronic Engineering
  • Artificial Intelligence
  • Information Systems

Cite this

Analyzing and managing role-based access control policies. / Sohr, Karsten; Drouineaud, Michael; Ahn, Gail-Joon; Gogolla, Martin.

In: IEEE Transactions on Knowledge and Data Engineering, Vol. 20, No. 7, 4441714, 07.2008, p. 924-939.

@article{fb498a0d761b4fe6bef26fdce4b73e4a,
title = "Analyzing and managing role-based access control policies",
keywords = "Authorization constraints, Linear temporal logic, Object constraint language, Role-based access control policy",
author = "Karsten Sohr and Michael Drouineaud and Gail-Joon Ahn and Martin Gogolla",
year = "2008",
month = "7",
doi = "10.1109/TKDE.2008.28",
language = "English (US)",
volume = "20",
pages = "924--939",
journal = "IEEE Transactions on Knowledge and Data Engineering",
issn = "1041-4347",
publisher = "IEEE Computer Society",
number = "7",

}
