No full-text available
To read the full-text of this research,
you can request a copy directly from the author.
An Extensible Framework for Specifying and Reasoning About Complex Role-Based Access Control Models
Abstract
To date, no methodical approach has been found to integrate multiple access control extensions and concepts proposed for RBAC in an access control model that deals with the complexity of such a model and still leaves the model open for further extensions. As we know from the case studies of our research project [1], bringing together various access control concepts such as separation of duty, workflow-related concepts, and context constraints is necessary in real world scenarios such as in the health care sector and in the financial sector. To solve this problem, this report presents an extensible and flexible framework for the specification of complex RBAC models that is based on the modularization of access control concepts. Each concept is packed into a so-called authorization module and can then be reused and com-bined with other modules in order to specify a full access control model. The framework can be used to define new access control concepts rapidly and concisely as well as to explore and analyze them thoroughly. Further-more, it is capable of delivering a policy data model for each generated access control model which can be used to develop an appropriate policy language. As a method we use formal, object-oriented specification in the Object-Z notation. In particular, we demonstrate how formal reasoning can be applied in order to provide an in-depth analysis of the specification.
... @BULLET We have developed a full formal semantic model of OPL (i.e. formal semantics or policy model), which is designed with a dedicated framework for the definition of access control models [3]. This framework, in turn, makes use of the systematic approach of formal object-oriented specification using Object Z [10] (cf. ...
... There are, for example, approaches adding such a representation format for policies to an RBAC-based model [16, 6, 5]. The policy model which we use for OPL has already incorporated all necessary data modeling facilities for the definition of a policy language [3]. This is achieved in such a way that our access control model clearly separates the static data stored in a policy object from the dynamic data such as session data and role activations. ...
... In this section we introduce the idea behind the policy model and explain how the formal semantics is established. Since the OPL Policy Model is an instance of the extensible framework for the specification of complex RBAC-models defined by Alm [3], we only introduce the key aspects necessary to understand the structure of OPL. The idea behind the OPL policy model is that it is defined as a set of policy modules. ...
Existing policy languages suffer from having a limited ability of directly and elegantly expressing high-level access control principles such as history-based separation of duty, binding of duty, context constraints, Chinese wall, and obligations. Furthermore, it is often difficult to extend a language in order to retrofit these features once required or it is necessary to make use of complicated and complex language constructs to express a concept. In particular, the latter may cause human mistakes in the policy administration. To address this problem, this report introduces a flexible, new policy language. The full language specification is given including a formal semantics written in Object Z and a formal syntax defined in XML. OPL can represent a wide range of access control principl es directly by providing dedicated XML tags for each supported principle. It can be easily extended with further principles if necessary. Since OPL is based on a module concept, it can cope with the language complexity that usually comes with a growing expressiveness. Altogether OPL is suitable to be used in an enterprise environment: it combines the required expressiveness with the simplicity necessary for an appropriate administration. A considerable reference scenario is included in this report.
... Another work [FAl09] has developed a framework for the specification of complex RBAC models. It is based on the modularization of the participating access control concepts. ...
Nowadays, there is an increasing need for interaction in business community. In such context, organizations collaborate with each other in order to achieve a common goal. In such environment, each organization has to design and implement an interoperability security policy. This policy has two objectives: (i) it specifies the information or the resources to be shared during the collaboration and (ii) it define the privileges of the organizations' users. To guarantee a certain level of security, it is mandatory to check whether the organizations' information systems behave as required by the interoperability security policy. In this thesis we propose a method to test the behavior of a system with respect to its interoperability security policies. Our methodology is based on two approaches: active testing approach and passive testing approach. We found that these two approaches are complementary when checking contextual interoperability security policies. Let us mention that a security policy is said to be contextual if the activation of each security rule is constrained with conditions. The active testing consists in generating a set of test cases from a formal model. Thus, we first propose a method to integrate the interoperability security policies in a formal model. This model specifies the functional behavior of an organization. The functional model is represented using the Extended Finite Automata formalism, whereas the interoperability security policies are specified using OrBAC model and its extension O2O. In addition, we propose a model checking based method to check whether the behavior of a model respects some interoperability security policies. To generate the test cases, we used a dedicated tool developed in our department. The tool allows generating abstract test cases expressed in the TTCN notation to facilitate its portability. In passive testing approach, we specify the interoperability policy, that the system under test has to respect, with Linear Temporal logics. We analyze then the collected traces of the system execution in order to deduce a verdict on their conformity with respect to the interoperability policy. Finally, we show the applicability of our methods though a hospital network case study. This application allows to demonstrate the effectiveness and reliability of the proposed approaches
... The extensibility of OPL is achieved by adding a new policy module for any newly required access control concept. The formal semantics and the XML syntax of OPL directly support this kind of extension because they are based on a dedicated extensible framework [2]. Since each application of OPL has to include only the policy modules needed to express the required access control concepts, administration may focus on these policy modules. ...
Existing policy languages suffer from a limited ability of directly and elegantly expressing high-level access control principles
such as history-based separation of duty [22], binding of duty [26], context constraints [24], Chinese wall properties [10],
and obligations [20]. It is often difficult to extend a language in order to retrofit these features once required or it is
necessary to use complicated and complex language constructs to express such concepts. The latter, however, is cumbersome
and error-prone for humans dealing with policy administration.
We present the flexible policy language OPL that can represent a wide range of access control principles in XML directly, by providing dedicated language constructs
for each supported principle. It can be easily extended with further principles if necessary. OPL is based on a module concept,
and it can easily cope with the language complexity that usually comes with a growing expressiveness. OPL is suitable to be
used in an enterprise environment, since it combines the required expressiveness with the simplicity necessary for an appropriate
administration.
XACML has become a standard access control policy language in web service environments. However, there is still no feasible solution for XACML policy administration and validation that overcomes the complexity and verbosity of XACML, in particular with regard to high-level access control principles such as history-based separation of duty. Hence, XACML policy management is still difficult and error-prone. In order to solve this problem, we present a translation approach from the high-level declarative access control policy language OPL to XACML. Thereby we can, on the one hand, handle the complexity of the administration of policies including advanced authorization constraints. On the other hand, we are able to keep an XACML based enforcement environment which may be already in place.
Computerized workflow systems have attracted consid- erable research interest in the last fifteen years. More re- cently, there have been several XML-based languages pro- posed for specifying and orchestrating business processes, culminating in WS-BPEL. A significant omission from WS- BPEL is the ability to specify authorization information as- sociating users with activities in the business process and authorization constraints on the execution of activities such as separation of duty. In this paper, we address these defi- ciencies by developing the RBAC-WS-BPEL and BPCL lan- guages. The first of these provides for the specification of authorization information associated with a business pro- cess specified in WS-BPEL, while BPCL provides for the articulation of authorization constraints.
There still exists an open question on how formal models can be fully realized in the system development phase. The Model Driven Development (MDD) approach has been re- cently introduced to deal with such a critical issue for build- ing high assurance software systems. The MDD approach focuses on the transformation of high- level design models to system implementation modules. How- ever, this emerging development approach lacks an adequate procedure to address security issues derived from formal security models. In this paper, we propose an empirical framework to integrate security model representation, secu- rity policy speciflcation, and systematic validation of secu- rity model and policy, which would be eventually used for accommodating security concerns during the system devel- opment. We also describe how our framework can minimize the gap between security models and the development of se- cure systems. In addition, we overview a proof-of-concept prototype of our tool that facilitates existing software engi- neering mechanisms to achieve the above-mentioned features of our framework.
This paper addresses the issues surrounding user-to-user delegation in RBAC. We show how delegations can be incorporated into the RBAC model in a simple and straightforward manner. A special feature of the model is that it allows fine-grained control over what rights a user wishes to delegate as opposed to delegation at the role level where all the rights of a role must be delegated. In addition, the model provides a rich set of controls regarding further delegations of a right, generic constraints that further control delegations, and an innovative model for revocations. Properties of both delegation and revocation are discussed, and our work is compared with other related research.
We describe in more detail than before the reference model for role-based access control introduced by Nyanchama and Osborn, and the role-graph model with its accompanying algorithms, which is one way of implementing role-role relationships. An alternative role insertion algorithm is added, and it is shown how the role creation policies of Fernandez et al. correspond to role addition algorithms in our model. We then use our reference model to provide a taxonomy for kinds of conflict. We then go on to consider in some detail privilege-privilege and and role-role conflicts in conjunction with the role graph model. We show how role-role conflicts lead to a partitioning of the role graph into nonconflicting collections that can together be safely authorized to a given user. Finally, in an appendix, we present the role graph algorithms with additional logic to disallow roles that contain conflicting privileges.
We present an approach that uses special purpose role-based access control (RBAC) constraints to base certain access control decisions on context information. In our approach a context constraint is defined as a dynamic RBAC constraint that checks the actual values of one or more contextual attributes for predefined conditions. If these conditions are satisfied, the corresponding access request can be permitted. Accordingly, a conditional permission is an RBAC permission that is constrained by one or more context constraints. We present an engineering process for context constraints that is based on goal-oriented requirements engineering techniques, and describe how we extended the design and implementation of an existing RBAC service to enable the enforcement of context constraints. With our approach we aim to preserve the advantages of RBAC and offer an additional means for the definition and enforcement of fine-grained context-dependent access control policies.
In role-based access control (RBAC), permissions are associated with roles' and users are made members of roles, thereby acquiring the roles; permissions. RBAC's motivation is to simplify administration of authorizations. An appealing possibility is to use RBAC itself to manage RBAC, to further provide administrative convenience and scalability, especially in decentralizing administrative authority, responsibility, and chores. This paper describes the motivation, intuition, and formal definition of a new role-based model for RBAC administration. This model is called ARBAC97 (administrative RBAC '97) and has three components: URA97 (user-role assignment '97), RPA97 (permission-role assignment '97), and RRA97 (role-role assignment '97) dealing with different aspects of RBAC administration. URA97, PRA97, and an outline of RRA97 were defined in 1997, hence the designation given to the entire model. RRA97 was completed in 1998. ARBAC97 is described completely in this paper for the first time. We also discusses possible extensions of ARBAC97.
Considering the current expansion of IT-infrastructure, the security of the data inside this infrastructure becomes increasingly important. Therefore, assuring certain security properties of IT-systems by formal methods is desirable. So far in security, formal methods have mostly been used to prove properties of security protocols. However, access control is an indispensable part of security inside a given IT-system, which has not yet been sufficiently examined using formal methods. The paper presents an example of a RBAC security policy having the dual control property. This is proved in a first-order linear temporal logic (LTL) that has been embedded in the theorem prover Isabelle/HOL by the authors. Thus, the correctness of the proof is assured by Isabelle/HOL. The authors consider first-order LTL a good formalism for expressing RBAC authorisation constraints and deriving properties from given RBAC security policies. Furthermore, it might also be applied to safety-related issues in similar manner.
In 2004, the American National Standards Institute approved the Role-Based Access Control standard to fulfill "a need among government and industry purchasers of information technology products for a consistent and uniform definition of role based access control (RBAC) features". Such uniform definitions give IT product vendors and customers a common and unambiguous terminology for RBAC features, which can lead to wider adoption of RBAC and increased productivity. However, the current ANSI RBAC Standard has several limitations, design flaws, and technical errors that, it unaddressed, could lead to confusions among IT product vendors and customers and to RBAC implementations with different semantics, thus defeating the standard's purpose.
Role-based access control (RBAC) models have generated a great interest in the security community as a powerful and generalized approach to security management. In many practical scenarios, users may be restricted to assume roles only at predefined time periods. Furthermore, roles may only be invoked on prespecified intervals of time depending upon when certain actions are permitted. To capture such dynamic aspects of a role, a temporal RBAC (TRBAC) model has been recently proposed. However, the TRBAC model addresses the role enabling constraints only. In This work, we propose a generalized temporal role-based access control (GTRBAC) model capable of expressing a wider range of temporal constraints. In particular, the model allows expressing periodic as well as duration constraints on roles, user-role assignments, and role-permission assignments. In an interval, activation of a role can further be restricted as a result of numerous activation constraints including cardinality constraints and maximum active duration constraints. The GTRBAC model extends the syntactic structure of the TRBAC model and its event and trigger expressions subsume those of TRBAC. Furthermore, GTRBAC allows expressing role hierarchies and separation of duty (SoD) constraints for specifying fine-grained temporal semantics.
design of role hierarchies so that roles which support theprinKMBk of strict least privilege become available, .
ion. ACM Transactions on Programming Languages and Systems, 16(5):1512--1542, September 1994. Bibliography 401 [Che80] B. F. Chellas. Modal Logic -- an Introduction. Cambridge University Press, 1980. [Dam96] D. R. Dams. Abstract Interpretation and Partition Refinement for Model Checking. PhD thesis, Institute for Programming research and Algorithmics. Eindhoven University of Technology, July 1996. [Dij76] E. W. Dijkstra. A Discipline of Programming. Prentice Hall, 1976. [DP96] R. Davies and F. Pfenning. A Modal Analysis of Staged Computation. In 23rd Annual ACM Symposium on Principles of Programming Languages. ACM Press, January 1996. [EN94] R. Elmasri and S. B. Navathe. Fundamentals of Database Systems. Benjamin/Cummings, 1994. [FHMV95] Ronald Fagin, Joseph Y. Halpern, Yoram Moses, and Moshe Y. Vardi. Reasoning about Knowledge. MIT Press, Cambridge, 1995. [Fit93] M. Fitting. Basic modal logic. In D. Gabbay, C. Hogger, and J. Robinson, editors, Handbook of Logic in Artificial In...
The Ponder language provides a common means of speciing security policies that map onto various access control implementation mechanisms for firewalls, operating systems, databases and Java. It supports obligation policies that are event triggered conditionaction rules for policy based management of networks and distributed systems. Ponder can also be used for security management activities such as registration of users or logging and auditing events for dealing with access to critical resources or security violations.
Policy specification for securing Web services is fast emerging as a key research area due to rapid proliferation of Web services in modern day enterprise applications. Whilst the use of XML technology to support these Web services has resulted in their tremendous growth, it has also introduced a new set of security challenges specific to these Web services. Though there has been recent research in areas of XML-based document security, these challenges have not been addressed within the XML framework. In this paper, we present X-RBAC, an XML-based RBAC policy specification framework for enforcing access control in dynamic XML-based Web services. An X-RBAC system has been implemented as a Java application, and is based on a specification language that addresses specific security requirements of these Web services. We discuss the salient features of the specification language, and present the software architecture of our X-RBAC system.
In this paper we define formally a wide variety of separation-of-duty (SoD) properties, which include the best known to date, and establish their relationships within a formal model of role-based access control (RBAC). The formalism helps remove all ambiguities of informal definition, and offers a wide choice of implementation strategies. We also explore the composability of SoD properties and policies under a simple criterion. We conclude that practical implementation for SoD policies requires new methods and tools for security administration even within applications that already support RBAC, such as most database management systems. 1 Introduction As a security principle, separation of duty (SoD) has had wide application in business, industry, and government [3, 4, 7]. Its purpose is to ensure that failures of omission or commission within an organization are caused only by collusion among individuals and, therefore, are riskier and less likely, and that chances of collusion are m...
Today more and more security-relevant data is stored on computer systems; security-critical business processes are mapped to their digital counterparts. This situation applies to various domains such as health care industry, digital government, and financial service institutes requiring that different security requirements must be fulfilled. Authorisation constraints can help the policy architect design and express higher-level organisational rules. Although the importance of authorisation constraints has been addressed in the literature, there does not exist a systematic way to verify and validate authorisation constraints. In this paper, we specify both non-temporal and history-based authorisation constraints in the Object Constraint Language (OCL) and first-order linear temporal logic (LTL). Based upon these specifications, we attempt to formally verify role-based access control policies with the help of a theorem prover and to validate policies with the USE system, a validation tool for OCL constraints. We also describe an authorisation engine, which supports the enforcement of authorisation constraints.
The Object Constraint Language OCL allows to formally specify constraints on a UML model. We present a formal syntax and semantics for OCL based on set theory including expressions, invariants and pre- and postconditions. A formal foundation for OCL makes the meaning of constraints precise and helps to eliminate ambiguities and inconsistencies. A precise language de nition is also a prerequisite for implementing CASE tools providing enhanced support for UML models and OCL constraints. We give a survey of some OCL tools and discuss one of the tools in some more detail. The design and implementation of the USE tool supporting the validation of UML models and OCL constraints is based on the formal approach presented in this paper.
The basic concept of role-based access control (RBAC) is that permissions are associated with roles, and users are made members of appropriate roles, thereby acquiring the roles' permissions. This idea has been around since the advent of multi-user computing. Until recently, however, RBAC has received little attention from the research community. This chapter describes the motivations, results, and open issues in recent MAC research.
We provide an introduction to the specification language Z from a logical perspective. The possibility of presenting Z in
this way is a consequence of a number of joint publications on Z logic that Henson and Reeves have co-written since 1997.
We provide an informal as well as a formal introduction to Z logic and show how it may be used, and extended, to investigate
issues such as equational logic, the logic of preconditions, operation and data refinement, and monotonicity.
User delegation is a mechanism for assigning access rights available to a user to another user. A delegation operation can
either be a grant or transfer operation. Delegation for role-based access control models have extensively studied grant delegations. However, transfer
delegations for role-based access control have largely been ignored. This is largely because enforcing transfer delegation
policies is more complex than grant delegation policies. This paper, primarily, studies transfer delegations for role-based
access control models. We also include grant delegations in our model for completeness. We present various mechanisms that
authorise delegations in our model. In particular, we show that the use of administrative scope for authorising delegations
is more efficient than using relations. We also discuss the enforcement and revocation of delegations. Finally, we compare
our work with relevant work in the literature.
Object-Z is an object-oriented extension of the Z notation for formal specifications. Using Object-Z, structuring and developing large, complex software system specifications became possible by defining the systems as collections of independent classes and objects. The class schema framework in Object Z suggests that a one-to-one relationship exists between a class schema and a skeletal Java class with its design contract. The design contract for a Java class includes the invariant property of the class state, the pre and post conditions for the methods. This paper, demonstrates how Java skeletal code with design contracts can be generated from the specifications written in a subset of Object Z. Object Z class schema specification defined using a graphical user interface is converted to a XML representation. The Java skeletal code containing the design contracts is then generated by processing the XML representation
This paper presents a logic for Object-Z which entnds W, the logic for Z adopted as the basis of the deductive system in the Z Base Standard. The logic provides a basis on which tool support for reasoning about Object-Z specifications can be developed. It also formalises the intended meaning of Object-Z constructs and hence provides an abstract, axiomatic semantics of the language
The importance of formalising the specification of standards has been recognised for a number of years. This paper advocates the use of the formal specification language Object-Z in the definition of standards. Object-Z is an extension to the Z language specifically to facilitate specification in an object-oriented style. First, the syntax and semantics of Object-Z are described informally. Then the use of Object-Z in formalising standards is demonstrated by presenting a case study based on the ODP Trader. Finally, a formal semantics is introduced that suggests an approach to the standardisation of Object-Z itself. Because standards are typically large complex systems, the extra structuring afforded by the Object-Z class construct and operation expressions enables the various hierarchical relationships and the communication between objects in a system to be succinctly specified.
The Object Constraint Language OCL allows to formally specify constraints on a UML model. We present a formal syntax and semantics
for OCL based on set theory including expressions, invariants and pre- and postconditions. A formal foundation for OCL makes
the meaning of constraints precise and helps to eliminate ambiguities and inconsistencies. A precise language definition is
also a prerequisite for implementing Case tools providing enhanced support for UML models and OCL constraints. We give a survey of some OCL tools and discuss one of
the tools in some more detail. The design and implementation of the USE tool supporting the validation of UML models and OCL
constraints is based on the formal approach presented in this paper.
In this paper we introduce a series of reference models for Secure Role-Based Workflow systems. We build our models over the well-known RBAC96 framework. The RBAC96 model supports the notion of abstract permissions. The nature of permissions is highly dependent upon the implementation details of the system, so we interpret the permissions for a Workflow system in terms of its components such as tasks, instances of the tasks and operations on them like execute, commit, abort etc. With this interpretation, we show that most of the components of RBAC96 still remain intact. The only components that change are the nature of permissions and their assignment to roles. The models are developed using the recently introduced four-layer OM-AM framework (comprising objective, model, architecture and mechanism layers). In this paper, we focus on the top two layers of OM-AM. We systematically describe our security objectives and construct our models to address these objectives. We also formally describe the models in terms of their components and their interactions. The main purpose for proposing these models is to articulate requirements for building Secure Role-Based Workflow Systems.
A language for specifying role-based access control (RBAC) policies is presented. The language is designed to support the
range of access control policies of commercial object systems. The basic structures of RBAC, such as role, users and permission,
are present in the language as basic constructs. Examples are given in the language of access control situations, such as
static and dynamic separation of duty, delegation and joint action based access policies. The language is flexible and is
able to capture meta-level operations. The language also provides a mechanism for tracking actions and basing access control
decisions on past events.
The kernel of any operating system is its most critical component, the remainder of the system depends upon a correctly functioning and reliable kernel for its operation-what is more, a kernel that has security flaws can be exploited by malicious users. Kernels are notoriously complex and hard to understand. The purpose of this book is to show that the formal specification of kernels is not only possible but also necessary if operating systems are to achieve the levels of reliability and security that is demanded of them today. Specifications of a sequence of kernels of increasing complexity are included, acting as models to enable the designer to identify and reason about the properties of the design-thus making explicit that which is too often left implicit or even unknown. A considerable amount of reasoning is included, showing what can be inferred about a design; and in addition, essential properties of data structures and mechanisms are discussed and the properties of these proved. Also included as an essential aspect of the activity, are the interfaces to the hardware and the processes running on them. It is very easy to get bogged down in complexity issues when considering kernels, but this book's prescriptive rather than descriptive approach shows how the kernel of an operating system can affect both the reliability and performance of these systems in a clear and concise style.
Formal specifications have been a focus of software engineering research for many years and have been applied in a wide variety of settings. Their use in software engineering not only promotes high-level verification via theorem proving or model checking, but also inspires the "correct-by- construction" approach to software development via formal refinement. Although this correct-by-construction method proves to work well for small software systems, it is still a Utopia in the development of large and complex software systems. This paper moves one step forward in this direction by designing and implementing a sound linkage between the high level specification language Object-Z and the object-oriented specification language Spec#. Such a linkage would allow system requirements to be specified in a high-level formal language but validated and used in program language level. This linking process can be readily integrated with an automated program refinement procedure to achieve correctness-by-construction. In case no such procedures are applicable, the obtained contract- based specification can guide programmers to manually generate program code, which can then be verified against the obtained specification using any available program verifiers.
Since the 1970s, computer systems have featured multiple applications and served multiple users, leading to heightened awareness of data security issues. System administrators and software developers focused on different kinds of access control to ensure that only authorized users were given access to certain data or resources. One kind of access control that emerged is role-based access control (RBAC). A role is chiefly a semantic construct forming the basis of access control policy. With RBAC, system administrators create roles according to the job functions performed in a company or organization, grant permissions (access authorization) to those roles, and then assign users to the roles on the basis of their specific job responsibilities and qualifications. A role can represent specific task competency, such as that of a physician or a pharmacist. Or it can embody the authority and responsibility of, say, a project supervisor. Roles define both the specific individuals allowed to access resources and the extent to which resources are accessed. For example, an operator role might access all computer resources but not change access permissions; a security officer role might change permissions but have no access to resources; and an auditor role might access only audit trails. Roles are used for system administration in such network operating systems as Novell's NetWare and Microsoft's Windows NT. This article explains why RBAC is receiving renewed attention as a method of security administration and review, describes a framework of four reference models the authors have developed to better understand RBAC and categorize different implementations, and discusses the use of RBAC to manage itself. The authors' framework separates the administration of RBAC from its access control functions.
Role-based access control is a powerful and policy-neutral concept for enforcing access control. Many extensions have been proposed, the most significant of which are the decentralised administration of role-based systems and the enforcement of constraints. However, the simultaneous integration of these extensions can cause conflicts in a later system implementation. We demonstrate how we use the Alloy language for the specification of a conflict-free rolebased system. This specification provides us at the same time with a suitable basis for further analysis by the Alloy constraint analyser.
Alloy is a little language for describing structural properties. It offers a declaration syntax compatible with graphical object models, and a set-based formula syntax powerful enough to express complex constraints and yet amenable to a fully automatic semantic analysis. Its meaning is given by translation to an even smaller (formally defined) kernel. This paper presents the language in its entirety, and explains its motivation, contributions and deficiencies.
The objective of this paper is to present a web-based Workflow Management System (WFMS), called SecureFlow that can serve as a framework for specification and enforcement of complex security policies within a workflow, such as separation of duties. The main advantage of SecureFlow is that it uses a simple 4GL language such as SQL to specify authorization constraints, thereby improving flexibility and user-friendliness. Due to the modular nature of the SecureFlow architecture, the security specification and enforcement modules can be layered on top of existing workflow systems that do not provide adequate support for security. SecureFlow relies on the Workflow Authorization Model (WAM) recently proposed by Atluri and Huang. 1 Introduction Since timely services are critical for any business, there is a great need to automate or reengineer the business processes. Typically many organizations achieve this by executing these coordinated activities (tasks) that constitute the business proc...
OASIS is a role-based access control architecture for achieving secure interoperation of services in an open, distributed environment. Services define roles and implement formally specified policy for role activation and service use; users must present the required credentials, in the specified context, in order to activate a role or invoke a service. Roles are activated for the duration of a session only. In addition, a role is deactivated immediately if any of the conditions of the membership rule associated with its activation becomes false. OASIS does not use role delegation but instead defines the notion of appointment, whereby a user in some role may issue an appointment certificate to some other user. The role activation conditions of services may include appointment certificates, prerequisite roles and environmental constraints. We motivate our approach and formalise OASIS. First, a basic model is presented followed by an extended model which includes parameterisation.
An Extensible Role-Based Access Control Model Sup- porting Advanced Authorization Constraints (Formal Specifica- tion)
- C Alm
C. Alm.
An Extensible Role-Based Access Control Model Sup-
porting
Advanced
Authorization
Constraints
(Formal
Specifica-
tion),
2008.
http://www.informatik.uni-hamburg.de/SVS/
person-
nel/christopher/pub/calm08rbacmodel.pdf (2008-04-09).
An Environment for Mapping Object-Z Specification into Java/JML annotated code
- V H Von
V. H. Von. An Environment for Mapping Object-Z Specification into Java/JML
annotated code. MSc Thesis, Imperial College London.
Core and hierarchical role based access control (RBAC) profile of XACML v2
- A Anderson
A. Anderson. Core and hierarchical role based access control (RBAC) profile of
XACML v2.0, 2005.