Analyzing and managing role-based access control policies

Karsten Sohr; Michael Drouineaud; Gail-Joon Ahn; Martin Gogolla

doi:10.1109/TKDE.2008.28

Analyzing and managing role-based access control policies

Karsten Sohr, Michael Drouineaud, Gail-Joon Ahn, Martin Gogolla

Research output: Contribution to journal › Article › peer-review

45 Scopus citations

Abstract

Today, more and more sensitive data is stored on computer systems; security-critical business processes are mapped to their digital counterparts. This situation applies to institutes that have different security requirements, such as the healthcare industry, digital government, and financial service institutes. Authorization constraints help the policy architect design and express higher level organizational rules. Although the Importance of authorization constraints has been addressed in the literature, a systematic way to verify and validate authorization constraints does not exist. In this paper, we specify both nontemporal and history-based authorization constraints in the Object Constraint Language (OCL) and first-order linear temporal logic (LTL). Based upon these specifications, we attempt to formally verify role-based access control policies with the help of a theorem prover and to validate policies with the UML-based Specification Environment (USE) system, a validation tool for OCL constraints. We also describe an authorization engine, which supports the enforcement of authorization constraints.

Original language	English (US)
Article number	4441714
Pages (from-to)	924-939
Number of pages	16
Journal	IEEE Transactions on Knowledge and Data Engineering
Volume	20
Issue number	7
DOIs	https://doi.org/10.1109/TKDE.2008.28
State	Published - Jul 2008

Keywords

Authorization constraints
Linear temporal logic
Object constraint language
Role-based access control policy

ASJC Scopus subject areas

Information Systems
Computer Science Applications
Computational Theory and Mathematics

Access to Document

10.1109/TKDE.2008.28

Fingerprint Dive into the research topics of 'Analyzing and managing role-based access control policies'. Together they form a unique fingerprint.

Cite this

@article{fb498a0d761b4fe6bef26fdce4b73e4a,

title = "Analyzing and managing role-based access control policies",

abstract = "Today, more and more sensitive data is stored on computer systems; security-critical business processes are mapped to their digital counterparts. This situation applies to institutes that have different security requirements, such as the healthcare industry, digital government, and financial service institutes. Authorization constraints help the policy architect design and express higher level organizational rules. Although the Importance of authorization constraints has been addressed in the literature, a systematic way to verify and validate authorization constraints does not exist. In this paper, we specify both nontemporal and history-based authorization constraints in the Object Constraint Language (OCL) and first-order linear temporal logic (LTL). Based upon these specifications, we attempt to formally verify role-based access control policies with the help of a theorem prover and to validate policies with the UML-based Specification Environment (USE) system, a validation tool for OCL constraints. We also describe an authorization engine, which supports the enforcement of authorization constraints.",

keywords = "Authorization constraints, Linear temporal logic, Object constraint language, Role-based access control policy",

author = "Karsten Sohr and Michael Drouineaud and Gail-Joon Ahn and Martin Gogolla",

note = "Funding Information: The work of Karsten Sohr was supported in part by the German Research Foundation (DFG) under the Grant SO 515/2-1. The work of Michael Drouineaud was supported by the German Federal Ministry of Education and Research under Grant FKZ01ISF19B (ORKA project). This work of Gail-J. Ahn was partially supported by the grants from US National Science Foundation (NSF-IIS-0242393) and the US Department of Energy Early Career Principal Investigator Award (DE-FG02-03ER25565).",

year = "2008",

month = jul,

doi = "10.1109/TKDE.2008.28",

language = "English (US)",

volume = "20",

pages = "924--939",

journal = "IEEE Transactions on Knowledge and Data Engineering",

issn = "1041-4347",

publisher = "IEEE Computer Society",

number = "7",

}

TY - JOUR

T1 - Analyzing and managing role-based access control policies

AU - Sohr, Karsten

AU - Drouineaud, Michael

AU - Ahn, Gail-Joon

AU - Gogolla, Martin

N1 - Funding Information: The work of Karsten Sohr was supported in part by the German Research Foundation (DFG) under the Grant SO 515/2-1. The work of Michael Drouineaud was supported by the German Federal Ministry of Education and Research under Grant FKZ01ISF19B (ORKA project). This work of Gail-J. Ahn was partially supported by the grants from US National Science Foundation (NSF-IIS-0242393) and the US Department of Energy Early Career Principal Investigator Award (DE-FG02-03ER25565).

PY - 2008/7

Y1 - 2008/7

N2 - Today, more and more sensitive data is stored on computer systems; security-critical business processes are mapped to their digital counterparts. This situation applies to institutes that have different security requirements, such as the healthcare industry, digital government, and financial service institutes. Authorization constraints help the policy architect design and express higher level organizational rules. Although the Importance of authorization constraints has been addressed in the literature, a systematic way to verify and validate authorization constraints does not exist. In this paper, we specify both nontemporal and history-based authorization constraints in the Object Constraint Language (OCL) and first-order linear temporal logic (LTL). Based upon these specifications, we attempt to formally verify role-based access control policies with the help of a theorem prover and to validate policies with the UML-based Specification Environment (USE) system, a validation tool for OCL constraints. We also describe an authorization engine, which supports the enforcement of authorization constraints.

AB - Today, more and more sensitive data is stored on computer systems; security-critical business processes are mapped to their digital counterparts. This situation applies to institutes that have different security requirements, such as the healthcare industry, digital government, and financial service institutes. Authorization constraints help the policy architect design and express higher level organizational rules. Although the Importance of authorization constraints has been addressed in the literature, a systematic way to verify and validate authorization constraints does not exist. In this paper, we specify both nontemporal and history-based authorization constraints in the Object Constraint Language (OCL) and first-order linear temporal logic (LTL). Based upon these specifications, we attempt to formally verify role-based access control policies with the help of a theorem prover and to validate policies with the UML-based Specification Environment (USE) system, a validation tool for OCL constraints. We also describe an authorization engine, which supports the enforcement of authorization constraints.

KW - Authorization constraints

KW - Linear temporal logic

KW - Object constraint language

KW - Role-based access control policy

UR - http://www.scopus.com/inward/record.url?scp=44649149548&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=44649149548&partnerID=8YFLogxK

U2 - 10.1109/TKDE.2008.28

DO - 10.1109/TKDE.2008.28

M3 - Article

AN - SCOPUS:44649149548

VL - 20

SP - 924

EP - 939

JO - IEEE Transactions on Knowledge and Data Engineering

JF - IEEE Transactions on Knowledge and Data Engineering

SN - 1041-4347

IS - 7

M1 - 4441714

ER -