Comprehensive two-level analysis of role-based delegation and revocation policies with UML and OCL

Karsten Sohr, Mirco Kuhlmann, Martin Gogolla, Hongxin Hu, Gail-Joon Ahn

Research output: Contribution to journalArticle

13 Scopus citations

Abstract

Context: Role-based access control (RBAC) has become the de facto standard for access management in various large-scale organizations. Often role-based policies must implement organizational rules to satisfy compliance or authorization requirements, e.g., the principle of separation of duty (SoD). To provide business continuity, organizations should also support the delegation of access rights and roles, respectively. This, however, makes access control more complex and error-prone, in particular, when delegation concepts interplay with SoD rules. Objective: A systematic way to specify and validate access control policies consisting of organizational rules such as SoD as well as delegation and revocation rules shall be developed. A domain-specific language for RBAC as well as delegation concepts shall be made available. Method: In this paper, we present an approach to the precise specification and validation of role-based policies based on UML and OCL. We significantly extend our earlier work, which proposed a UML-based domain-specific language for RBAC, by supporting delegation and revocation concepts. Result: We show the appropriateness of our approach by applying it to a banking application. In particular, we give three scenarios for validating the interplay between SoD rules and delegation/revocation. Conclusion: To the best of our knowledge, this is the first attempt to formalize advanced RBAC concepts, such as history-based SoD as well as various delegation and revocation schemes, with UML and OCL. With the rich tool support of UML, we believe our work can be employed to validate and implement real-world role-based policies.

Original languageEnglish (US)
Pages (from-to)1396-1417
Number of pages22
JournalInformation and Software Technology
Volume54
Issue number12
DOIs
StatePublished - Dec 1 2012

Keywords

  • Delegation
  • OCL
  • RBAC
  • Revocation
  • UML

ASJC Scopus subject areas

  • Software
  • Information Systems
  • Computer Science Applications

Fingerprint Dive into the research topics of 'Comprehensive two-level analysis of role-based delegation and revocation policies with UML and OCL'. Together they form a unique fingerprint.

  • Cite this