Abstract
Information systems are widely used and help in the management of huge quantities of data. Because these data are generally valuable or sensitive, access to them must be restricted to authorized users. Security is therefore a mandatory requirement for information systems. Several methods already exist to express access control policies, but few of them support all the kinds of constraints that can be defined in access control policies. In this paper, we present EB³SEC, a language used to formally model and interpret access control policies in information systems. Permissions, prohibitions and static separation of duty are specified by a class diagram. As EB³SEC includes a process algebra, dynamic access control constraints such as obligations and dynamic separation of duty can be easily expressed. Finally, we present the architecture of the tool used to interpret EB³SEC models.
Copyright information
© 2011 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Konopacki, P., Frappier, M., Laleau, R. (2011). Expressing Access Control Policies with an Event-Based Approach. In: Salinesi, C., Pastor, O. (eds) Advanced Information Systems Engineering Workshops. CAiSE 2011. Lecture Notes in Business Information Processing, vol 83. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-22056-2_63
DOI: https://doi.org/10.1007/978-3-642-22056-2_63
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-22055-5
Online ISBN: 978-3-642-22056-2
eBook Packages: Computer Science (R0)