Article title

Modeling and design of role engineering in development of access control for dynamic information systems

Publication languages
EN
Abstracts
EN
Nowadays, the growth and complexity of the functionalities of current information systems, especially dynamic, distributed and heterogeneous information systems, make the design and creation of such systems a difficult task and, at the same time, a strategic one for businesses. A very important stage of data protection in an information system is the creation of a high-level model, independent of the software, that satisfies the needs of system protection and security. The process of role engineering, i.e. the identification of roles and their setting up in an organization, is a complex task. The paper presents the modeling and design stages of the role engineering process for developing security schemas for information systems, in particular dynamic, distributed information systems, based on the role concept and the usage concept. Such a schema is created first of all during the design phase of a system. Two actors, the application developer and the security administrator, should cooperate in this creation process to determine the minimal set of user roles in agreement with the security constraints that guarantee the global security coherence of the system.
Year
Pages
569--579
Physical description
Bibliography: 26 items, figures.
Authors
  • Institute of Information Technology, Technical University of Lodz, 215 Wólczańska St., 90-924 Łódź, Poland
Bibliography
  • [1] M. Lauder, M. Schlereth, S. Rose, and A. Schurr, “Model-driven systems engineering: state-of-the-art and research challenges”, Bull. Pol. Ac.: Tech. 58 (3), 357-366 (2010).
  • [2] M. Kamola and P. Arabas, “Dynamically established transmission paths in the future Internet - proposal of a framework”, Bull. Pol. Ac.: Tech. 59 (3), 357-366 (2011).
  • [3] G. Goncalves and A. Poniszewska-Maranda, “Role engineering: from design to evaluation of security schemas”, J. Systems and Software 81 (8), 1306-1326 (2008).
  • [4] E. Bertino, C. Bettini, and P. Samarati, “A temporal access control mechanism for database systems”, IEEE Trans. on Knowledge and Data Engineering 8 (1), 67-80 (1996).
  • [5] E. Coyne, “Role engineering”, Proc. 1st ACM Workshop on Role-Based Access Control 1, CD-ROM (1996).
  • [6] E. Fernandez and J. Hawkins, “Determining role rights from use cases”, Proc. 2nd ACM Workshop on Role-Based Access Control 1, 121-125 (1997).
  • [7] E. Bertino, E. Ferrari, and V. Atluri, “The specification and enforcement of authorization constraints in workflow management systems”, ACM Trans. on Information and System Security 2 (1), 65-104 (1999).
  • [8] P. Epstein and R. Sandhu, “Towards a UML based approach to role engineering”, Proc. 4th ACM Workshop on Role-Based Access Control 1, 135-143 (1999).
  • [9] H. Roeckle, G. Schimpf, and R. Weidinger, “Process-oriented approach for role-finding to implement role-based security administration in a large industrial organization”, Proc. 5th ACM Workshop on Role-Based Access Control 1, 103-110 (2000).
  • [10] P. Epstein and R. Sandhu, “Engineering of role permission assignment to role engineering”, Proc. 17th Annual Computer Security Applications Conference 1, 127-136 (2001).
  • [11] D. Basin, J. Doser, and T. Lodderstedt, “Model driven security: From UML models to access control infrastructures”, ACM Trans. on Software Engineering Methodology 15, 39-91 (2006).
  • [12] E. Coyne and J. Davis, Role Engineering for Enterprise Security Management, Artech House, London, 2008.
  • [13] G. Neumann and M. Strembeck, “A scenario-driven role engineering process for functional RBAC roles”, Proc. 7th ACM Symposium on Access Control Models and Technologies 1, 33-42 (2002).
  • [14] M. Strembeck and G. Neumann, “An integrated approach to engineer and enforce context constraints in RBAC environments”, ACM Trans. on Information and System Security 7 (3), 392-427 (2004).
  • [15] R.S. Sandhu and P. Samarati, “Access control: principles and practice”, IEEE Communication 32 (9), 40-48 (1994).
  • [16] D. Ferraiolo, R. Sandhu, S. Gavrila, D. Kuhn, and R. Chandramouli, “Proposed NIST standard for role-based access control”, ACM Trans. on Information and Systems Security 4 (3), 224-274 (2001).
  • [17] A. Poniszewska-Maranda, G. Goncalves, and F. Hemery, “Representation of extended rbac model using UML language”, LNCS 3381, 413-417 (2005).
  • [18] J. Park and R. Sandhu, “The UCONABC usage control model”, ACM Trans. on Information and System Security 7 (1), 128-174 (2004).
  • [19] J. Park, X. Zhang, and R. Sandhu, “Attribute mutability in usage control”, Proc. 18th Annual IFIP WG 11.3 Working Conference on Data and Applications Security 1, 15-29 (2004).
  • [20] G.-J. Ahn, “The RCL 2000 language for specifying role-based authorization constraints”, Ph.D. Thesis, George Mason University, Fairfax, 1999.
  • [21] G.-J. Ahn and R.S. Sandhu, “Role-based authorization constraints specification”, ACM Trans. on Information and Systems Security 3 (4), 207-226 (2000).
  • [22] A. Poniszewska-Maranda, “Access control coherence of information systems based on security constraints”, LNCS 4166, 412-425 (2006).
  • [23] A. Poniszewska-Maranda, “Conception approach of access control in heterogeneous information systems using UML”, J. Telecommunication Systems 45 (2-3), 177-190 (2010).
  • [24] G. Booch, J. Rumbaugh, and I. Jacobson, The Unified Modelling Language User Guide, Addison Wesley, London, 1998.
  • [25] OMG, OMG Unified Modeling Language Specification, 2011.
  • [26] A. Poniszewska-Maranda, “UML representation of extended role-based access control model with the use of usage control concept”, LNCS 7465, 131-146 (2012).
Document type
Bibliography
YADDA identifier
bwmeta1.element.baztech-eb13fd32-311c-4435-814c-388aaecf845b