Article
DOI: 10.1145/1083200.1083202

XacT: a bridge between resource management and access control in multi-layered applications

Published: 15 May 2005

Abstract

In this paper we describe the eXtreme access control Tool (XacT), which provides an automated way to obtain access control information from multi-layered applications. We believe that, based on this information, consistent access control policies can be specified to prevent over-privileged accounts. The main difficulty that leads to these over-privileged accounts comes from the distinction that must be made between identifying which users should perform a workflow task (resource management) and which users are allowed to perform a task (access control), as well as from the fact that access control enforcement is typically spread over different layers in applications (e.g. the database layer, the operating system layer, the workflow layer). In this paper, we present an automated way to obtain access control information from multi-layered applications. We base our observations on recent insights into workflow-controlled judicial information systems.


Published In

SESS '05: Proceedings of the 2005 workshop on Software engineering for secure systems—building trustworthy applications. May 2005, 112 pages. ISBN: 1595931147. DOI: 10.1145/1083200.

Also published in ACM SIGSOFT Software Engineering Notes, Volume 30, Issue 4, July 2005, 1514 pages. ISSN: 0163-5948. DOI: 10.1145/1082983.

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. aspect oriented programming
2. role-based access control (RBAC)
3. workflow security
