TY - JOUR
T1 - Analyzing and managing role-based access control policies
AU - Sohr, Karsten
AU - Drouineaud, Michael
AU - Ahn, Gail-Joon
AU - Gogolla, Martin
N1 - Funding Information:
The work of Karsten Sohr was supported in part by the German Research Foundation (DFG) under the Grant SO 515/2-1. The work of Michael Drouineaud was supported by the German Federal Ministry of Education and Research under Grant FKZ01ISF19B (ORKA project). The work of Gail-J. Ahn was partially supported by grants from the US National Science Foundation (NSF-IIS-0242393) and the US Department of Energy Early Career Principal Investigator Award (DE-FG02-03ER25565).
PY - 2008/7
Y1 - 2008/7
N2 - Today, more and more sensitive data is stored on computer systems; security-critical business processes are mapped to their digital counterparts. This situation applies to institutes that have different security requirements, such as the healthcare industry, digital government, and financial service institutes. Authorization constraints help the policy architect design and express higher level organizational rules. Although the importance of authorization constraints has been addressed in the literature, a systematic way to verify and validate authorization constraints does not exist. In this paper, we specify both nontemporal and history-based authorization constraints in the Object Constraint Language (OCL) and first-order linear temporal logic (LTL). Based upon these specifications, we attempt to formally verify role-based access control policies with the help of a theorem prover and to validate policies with the UML-based Specification Environment (USE) system, a validation tool for OCL constraints. We also describe an authorization engine, which supports the enforcement of authorization constraints.
AB - Today, more and more sensitive data is stored on computer systems; security-critical business processes are mapped to their digital counterparts. This situation applies to institutes that have different security requirements, such as the healthcare industry, digital government, and financial service institutes. Authorization constraints help the policy architect design and express higher level organizational rules. Although the importance of authorization constraints has been addressed in the literature, a systematic way to verify and validate authorization constraints does not exist. In this paper, we specify both nontemporal and history-based authorization constraints in the Object Constraint Language (OCL) and first-order linear temporal logic (LTL). Based upon these specifications, we attempt to formally verify role-based access control policies with the help of a theorem prover and to validate policies with the UML-based Specification Environment (USE) system, a validation tool for OCL constraints. We also describe an authorization engine, which supports the enforcement of authorization constraints.
KW - Authorization constraints
KW - Linear temporal logic
KW - Object constraint language
KW - Role-based access control policy
UR - http://www.scopus.com/inward/record.url?scp=44649149548&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=44649149548&partnerID=8YFLogxK
U2 - 10.1109/TKDE.2008.28
DO - 10.1109/TKDE.2008.28
M3 - Article
AN - SCOPUS:44649149548
VL - 20
SP - 924
EP - 939
JO - IEEE Transactions on Knowledge and Data Engineering
JF - IEEE Transactions on Knowledge and Data Engineering
SN - 1041-4347
IS - 7
M1 - 4441714
ER -