Abstract
Authorisation constraints help the policy architect design and express higher-level security policies for organisations such as financial institutions or governmental agencies. Although the importance of constraints has been addressed in the literature, there is no systematic way to validate and test authorisation constraints. In this paper, we specify non-temporal constraints and history-based constraints in the Object Constraint Language (OCL), the constraint specification language of the Unified Modeling Language (UML), and describe how the USE tool can be employed to validate and test such policies. We also discuss the identification of conflicting constraints and of missing constraints.
© 2005 Springer-Verlag Berlin Heidelberg
Sohr, K., Ahn, GJ., Gogolla, M., Migge, L. (2005). Specification and Validation of Authorisation Constraints Using UML and OCL. In: di Vimercati, S.d.C., Syverson, P., Gollmann, D. (eds) Computer Security – ESORICS 2005. ESORICS 2005. Lecture Notes in Computer Science, vol 3679. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11555827_5
DOI: https://doi.org/10.1007/11555827_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-28963-0
Online ISBN: 978-3-540-31981-8