Article

A scenario-driven role engineering process for functional RBAC roles

Authors:

Gustaf Neumann,

Mark StrembeckAuthors Info & Claims

SACMAT '02: Proceedings of the seventh ACM symposium on Access control models and technologies

Pages 33 - 42

https://doi.org/10.1145/507711.507717

Published: 03 June 2002 Publication History

Abstract

In this paper we present a novel scenario-driven role engineering process for RBAC roles. The scenario concept is of central significance for the presented approach. Due to the strong human factor in role engineering scenarios are a good means to drive the process. We use scenarios to derive permissions and to define tasks. Our approach considers changeability issues and enables the straightforward incorporation of changes into affected models. Finally we discuss the experiences we gained by applying the scenario-driven role engineering process in three case studies.

References

[1]

G. Booch, I. Jacobson, and J. Rumbaugh. The Unified Modeling Language User Guide. Addison-Wesley, 1999.

Digital Library

[2]

J.M. Carroll. Five reasons for scenario-based design. In Proc. of the IEEE Annual Hawaii International Conference on System Sciences (HICSS), 1999.

Digital Library

[3]

E.J. Coyne. Role engineering.In Proc. of the ACM Workshop on Role-Based Access Control, 1996.

Digital Library

[4]

J.M. Carroll (ed.). Scenario-Based Design: Envisioning Work and Technology in System Development. John Wiley & Sons, 1995.

Digital Library

[5]

P. Epstein and R. Sandhu. Towards A UML Based Approach to Role Engineering. In Proc. of the ACM Workshop on Role-Based Access Control, 1999.

Digital Library

[6]

P. Epstein and R. Sandhu. Engineering of Role/Permission Assignments. In Proc. of the 17th Annual Computer Security Applications Conference (ACSAC), December 2001.

Digital Library

[7]

E.B. Fernandez and J.C. Hawkins. Determining role rights from use cases. In Proc. of the ACM Workshop on Role-Based Access Control, 1997.

Digital Library

[8]

D.F. Ferraiolo, J.F. Barkley, and D.R. Kuhn. A Role-Based Access Control Model and Reference Implementation within a Corporate Intranet. ACM Transactions on Information and System Security, 2(1), February 1999.

Digital Library

[9]

D.F. Ferraiolo, R. Sandhu, S. Gavrila, D.R. Kuhn, and R. Chandramouli. Proposed NIST Standard for Role-Based Access Control. ACM Transactions on Information and System Security, 4(3), August 2001.

Digital Library

[10]

C. Goh and A. Baldwin. Towards a more complete model of role. In Proc. of the ACM Workshop on Role-Based Access Control, 1998.

Digital Library

[11]

O. Gotel and A. Finkelstein. An analysis of the requirements traceability problem. In Proc. of the IEEE International Conference on Requirements Engineering (ICRE), 1994.

[12]

K. Gutzmann. Access control and session management in the HTTP environment. IEEE Internet Computing, January/February 2001.

Digital Library

[13]

I. Jacobson. Object-Oriented Software Engineering. Addison-Wesley, 1992.

[14]

M. Jarke, X.T. Bui, and J.M. Carroll. Scenario management: An interdisciplinary approach. Requirements Engineering Journal, 3(3/4), 1998.

[15]

C. Kaner, J. Falk, and H.Q. Nguyen. Testing Computer Software (second edition). John Wiley & Sons, 1999.

Digital Library

[16]

G. Kotonya and I. Sommerville. Requirements Engineering - Processes and Techniques. John Wiley & Sons, 1998.

Digital Library

[17]

G. Neumann and M. Strembeck. Design and Implementation of a Flexible RBAC-Service in an Object-Oriented Scripting Language. In Proc. of the 8th ACM Conference on Computer and Communications Security (CCS), November 2001.

Digital Library

[18]

W.E. Perry. Effective Methods for Software Testing (second edition). John Wiley & Sons, 2000.

Digital Library

[19]

B. Ramesh and M. Jarke. Toward reference models for requirements traceability. IEEE Transactions on Software Engineering, 27(1), January 2001.

Digital Library

[20]

S. Robertson and J. Robertson. Mastering the Requirements Process. Addison-Wesley, 1999.

Digital Library

[21]

H. Roeckle, G. Schimpf, and R. Weidinger. Process-oriented approach for role-finding to implement role-based security administration in a large industrial organization. In Proc. of the ACM Workshop on Role-Based Access Control, 2000.

Digital Library

[22]

C. Rolland, G. Grosz, and R. Kla. Experience with goal-scenario coupling in requirements engineering. In Proc. of the IEEE International Symposium on Requirements Engineering (RE), 1998.

Digital Library

[23]

R.S. Sandhu, E.J. Coyne, H.L. Feinstein, and C.E. Youman. Role-based access control models. IEEE Computer, 29(2), February 1996.

Digital Library

[24]

The UNIVERSAL Brokerage Platform Homepage. http://www.ist-universal.org.

[25]

A. van Lamsweerde. Goal-Oriented Requirements Engineering: A Guided Tour. In Proc. of the 5th IEEE International Symposium on Requirements Engineering (RE), August 2001.

Digital Library

Cited By

Ma XQi QZhao LNing FLi H(2023)Mining Roles Based on User Dynamic Operation LogsRecent Advances in Computer Science and Communications10.2174/266625581666623090114531016:9Online publication date: Nov-2023
https://doi.org/10.2174/2666255816666230901145310
Blundo CCimato S(2023)Role mining under User-Distribution cardinality constraintJournal of Information Security and Applications10.1016/j.jisa.2023.10361178:COnline publication date: 1-Nov-2023
https://dl.acm.org/doi/10.1016/j.jisa.2023.103611
Kang HLiu GWang QZhang QNiu JLuo N(2023)An improved minimal noise role mining algorithm based on role interpretabilityComputers and Security10.1016/j.cose.2023.103100127:COnline publication date: 1-Apr-2023
https://dl.acm.org/doi/10.1016/j.cose.2023.103100
Show More Cited By

Index Terms

A scenario-driven role engineering process for functional RBAC roles
1. Security and privacy
  1. Security services
    1. Access control
  2. Systems security
    1. Operating systems security
2. Software and its engineering
  1. Software creation and management
    1. Software development process management
      1. Software development methods
        Rapid application development

Recommendations

Scenario-Driven Role Engineering

Access control deals with eliciting, specifying, enforcing, and maintaining access control policies in software-based systems. Recently, role-based access control (RBAC)—together with various extensions—has developed into a de facto standard for access ...
Role Engineering via Prioritized Subset Enumeration

Today, role-based access control (RBAC) has become a well-accepted paradigm for implementing access control because of its convenience and ease of administration. However, in order to realize the full benefits of the RBAC paradigm, one must first define ...
A role-based infrastructure management system: design and implementation: Research Articles
Computer Security

Over the last decade there has been a tremendous advance in the theory and practice of role-based access control (RBAC). One of the most significant aspects of RBAC can be viewed from its management of permissions on the basis of roles rather than ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

SACMAT '02: Proceedings of the seventh ACM symposium on Access control models and technologies

June 2002

170 pages

ISBN:1581134967

DOI:10.1145/507711

General Chair:
Ravi Sandhu
George Mason University and SingleSignOn.Net
,
Program Chair:
Elisa Bertino
University of Milano, Italy

Copyright © 2002 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 03 June 2002

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Conference

SACMAT02

Sponsor:

SIGSAC

SACMAT02: 7th ACM Symposium on Access Control Models and Technologies

June 3 - 4, 2002

California, Monterey, USA

Acceptance Rates

Overall Acceptance Rate 177 of 597 submissions, 30%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

114
Total Citations
View Citations
1,785
Total Downloads

Downloads (Last 12 months)12
Downloads (Last 6 weeks)3

Reflects downloads up to 24 Sep 2024

Other Metrics

View Author Metrics

Citations

Cited By

Ma XQi QZhao LNing FLi H(2023)Mining Roles Based on User Dynamic Operation LogsRecent Advances in Computer Science and Communications10.2174/266625581666623090114531016:9Online publication date: Nov-2023
https://doi.org/10.2174/2666255816666230901145310
Blundo CCimato S(2023)Role mining under User-Distribution cardinality constraintJournal of Information Security and Applications10.1016/j.jisa.2023.10361178:COnline publication date: 1-Nov-2023
https://dl.acm.org/doi/10.1016/j.jisa.2023.103611
Kang HLiu GWang QZhang QNiu JLuo N(2023)An improved minimal noise role mining algorithm based on role interpretabilityComputers and Security10.1016/j.cose.2023.103100127:COnline publication date: 1-Apr-2023
https://dl.acm.org/doi/10.1016/j.cose.2023.103100
Tan MWang XShang SLiu A(2022)Blockchain-Based Cross-domain Access Control Mechanism2022 5th International Conference on Information Communication and Signal Processing (ICICSP)10.1109/ICICSP55539.2022.10050706(499-506)Online publication date: 26-Nov-2022
https://doi.org/10.1109/ICICSP55539.2022.10050706
Li CLi FHao ZYin LSun ZWang C(2021)An IoT Crossdomain Access Decision‐Making Method Based on Federated LearningWireless Communications and Mobile Computing10.1155/2021/80057692021:1Online publication date: 27-Dec-2021
https://doi.org/10.1155/2021/8005769
Dubey ARavi USharma SMitra B(2019)Toward Implementing Spatio-Temporal RBAC ExtensionsInformation Systems Security10.1007/978-3-030-36945-3_4(59-78)Online publication date: 3-Dec-2019
https://doi.org/10.1007/978-3-030-36945-3_4
Kern AAnderl R(2018)Using RBAC to Enforce the Principle of Least Privilege in Industrial Remote Maintenance Sessions2018 Fifth International Conference on Internet of Things: Systems, Management and Security10.1109/IoTSMS.2018.8554805(107-114)Online publication date: Oct-2018
https://doi.org/10.1109/IoTSMS.2018.8554805
Liu ADu XWang N(2018)Recognition of Access Control Role Based on Convolutional Neural Network2018 IEEE 4th International Conference on Computer and Communications (ICCC)10.1109/CompComm.2018.8780610(2069-2074)Online publication date: Dec-2018
https://doi.org/10.1109/CompComm.2018.8780610
Das SMitra BAtluri VVaidya JSural S(2018)Policy Engineering in RBAC and ABACFrom Database to Cyber Security10.1007/978-3-030-04834-1_2(24-54)Online publication date: 30-Nov-2018
https://doi.org/10.1007/978-3-030-04834-1_2
Luo YPuyang TSun XShen QYang YRuan AWu Z(2017)RestSep: Towards a Test-Oriented Privilege Partitioning Approach for RESTful APIs2017 IEEE International Conference on Web Services (ICWS)10.1109/ICWS.2017.64(548-555)Online publication date: Jun-2017
https://doi.org/10.1109/ICWS.2017.64
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents