315,957 research outputs found

    Policy analysis for self-administrated role-based access control

    No full text
    Current techniques for security analysis of administrative role-based access control (ARBAC) policies restrict themselves to the separate administration assumption that essentially separates administrative roles from regular ones. The naive algorithm of tracking all users is all that is known for the security analysis of ARBAC policies without separate administration, and the state space explosion that this results in precludes building effective tools. In contrast, the separate administration assumption greatly simplifies the analysis since it makes it sufficient to track only one user at a time. However, separation limits the expressiveness of the models and restricts modeling distributed administrative control. In this paper, we undertake a fundamental study of analysis of ARBAC policies without the separate administration restriction, and show that analysis algorithms can be built that track only a bounded number of users, where the bound depends only on the number of administrative roles in the system. Using this fundamental insight paves the way for us to design an involved heuristic to further tame the state space explosion in practical systems. Our results are also very effective when applied on policies designed under the separate administration restriction. We implement our techniques and report on experiments conducted on several realistic case studies

    Towards Model-Driven Development of Access Control Policies for Web Applications

    Get PDF
    We introduce a UML-based notation for graphically modeling systems’ security aspects in a simple and intuitive way and a model-driven process that transforms graphical specifications of access control policies in XACML. These XACML policies are then translated in FACPL, a policy language with a formal semantics, and the resulting policies are evaluated by means of a Java-based software tool

    Knowledge-Intensive Processes: Characteristics, Requirements and Analysis of Contemporary Approaches

    Get PDF
    Engineering of knowledge-intensive processes (KiPs) is far from being mastered, since they are genuinely knowledge- and data-centric, and require substantial flexibility, at both design- and run-time. In this work, starting from a scientific literature analysis in the area of KiPs and from three real-world domains and application scenarios, we provide a precise characterization of KiPs. Furthermore, we devise some general requirements related to KiPs management and execution. Such requirements contribute to the definition of an evaluation framework to assess current system support for KiPs. To this end, we present a critical analysis on a number of existing process-oriented approaches by discussing their efficacy against the requirements

    Supporting security-oriented, collaborative nanoCMOS electronics research

    Get PDF
    Grid technologies support collaborative e-Research typified by multiple institutions and resources seamlessly shared to tackle common research problems. The rules for collaboration and resource sharing are commonly achieved through establishment and management of virtual organizations (VOs) where policies on access and usage of resources by collaborators are defined and enforced by sites involved in the collaboration. The expression and enforcement of these rules is made through access control systems where roles/privileges are defined and associated with individuals as digitally signed attribute certificates which collaborating sites then use to authorize access to resources. Key to this approach is that the roles are assigned to the right individuals in the VO; the attribute certificates are only presented to the appropriate resources in the VO; it is transparent to the end user researchers, and finally that it is manageable for resource providers and administrators in the collaboration. In this paper, we present a security model and implementation improving the overall usability and security of resources used in Grid-based e-Research collaborations through exploitation of the Internet2 Shibboleth technology. This is explored in the context of a major new security focused project at the National e-Science Centre (NeSC) at the University of Glasgow in the nanoCMOS electronics domain

    Identifying and Evaluating Change Patterns and Change Support Features in Process-Aware Information Systems.

    Get PDF
    In order to provide effective support, the introduction of process-aware information systems (PAIS) must not freeze existing business processes. Instead PAIS should allow authorized users to flexibly deviate from the predefined processes if required and to evolve business processes in a controlled manner over time. Many software vendors promise flexible system solutions for realizing such adaptive PAIS, but are often unable to cope with fundamental issues elated to process change (e.g., correctness and robustness). The existence of different process support paradigms and the lack of methods for comparing existing change approaches makes it difficult for PAIS engineers to choose the adequate technology. In this paper we suggest a set of changes patterns and change support features to foster systematic comparison of existing process management technology with respect to change support. Based on these change patterns and features, we provide a detailed analysis and evaluation of selected systems from both academia and industry

    Change Support in Process-Aware Information Systems - A Pattern-Based Analysis

    Get PDF
    In today's dynamic business world the economic success of an enterprise increasingly depends on its ability to react to changes in its environment in a quick and flexible way. Process-aware information systems (PAIS) offer promising perspectives in this respect and are increasingly employed for operationally supporting business processes. To provide effective business process support, flexible PAIS are needed which do not freeze existing business processes, but allow for loosely specified processes, which can be detailed during run-time. In addition, PAIS should enable authorized users to flexibly deviate from the predefined processes if required (e.g., by allowing them to dynamically add, delete, or move process activities) and to evolve business processes over time. At the same time PAIS must ensure consistency and robustness. The emergence of different process support paradigms and the lack of methods for comparing existing change approaches have made it difficult for PAIS engineers to choose the adequate technology. In this paper we suggest a set of changes patterns and change support features to foster the systematic comparison of existing process management technology with respect to process change support. Based on these change patterns and features, we provide a detailed analysis and evaluation of selected systems from both academia and industry. The identified change patterns and change support features facilitate the comparison of change support frameworks, and consequently will support PAIS engineers in selecting the right technology for realizing flexible PAIS. In addition, this work can be used as a reference for implementing more flexible PAIS
    corecore