25 research outputs found

    Presentation of RCIS paper

    ACADA: Access Control-driven Architecture with Dynamic Adaptation

    Programmers of relational database applications use software solutions (Hibernate, JDBC, LINQ, ADO.NET) to ease the development of business tiers. These solutions were not devised to address access control policies, much less evolving access control policies, in spite of their unavoidable relevance. Currently, access control policies, whenever implemented, are enforced by independent components, leading to a separation between policies and their enforcement. This paper proposes a new approach based on an architectural model referred to here as the Access Control-driven Architecture with Dynamic Adaptation (ACADA). Solutions based on ACADA are automatically built to statically enforce access control policies based on schemas of Create, Read, Update and Delete (CRUD) expressions. CRUD expressions are then dynamically deployed at runtime, driven by the established access control policies. Any update to the policies is followed by an adaptation process that keeps the access control mechanisms aligned with the policies to be enforced. A proof of concept based on Java and Java Database Connectivity (JDBC) is also presented.

    Presentation of RCIS paper

    Representing Aspect Model as Graph Transformation

    In this paper we discuss a new method for representing aspect models. This method uses the basics of UML to devise a new way of specifying model-level aspects and the transformations among them. The resulting model is effective from both the expressiveness and the scalability points of view. The work in this paper is based on an assumed transaction processing system in a bank.

    Implementing Advanced RBAC Administration Functionality with USE

    Role-based access control (RBAC) is a powerful means for laying out and developing higher-level organizational policies such as separation of duty, and for simplifying the security management process. One of the important aspects of RBAC is the authorization constraints that express such organizational policies. While RBAC has generated great interest in the security community, organizations still seek a flexible and effective approach to imposing role-based authorization constraints in their security-critical applications. In particular, today often only basic RBAC concepts have found their way into commercial RBAC products; specifically, authorization constraints are not widely supported. In this paper, we present an RBAC administration tool that can enforce certain kinds of role-based authorization constraints, such as separation of duty constraints. The authorization constraint functionality is based upon the OCL validation tool USE. We also describe the practical experience we gained in integrating OCL functionality into a prototype of an RBAC administration tool that shall be extended into a product in the future.

    FORMAL MODELLING OF BUSINESS RULES: WHAT KIND OF TOOL TO USE?

    Business rules are today essential parts of a business system model. At present, however, there are still various approaches to this concept and various definitions and classifications of it. Similarly, there are different approaches to the formalization and implementation of business rules. This paper investigates formalization using a formal language in association with easy domain modelling. Two of the tools that enable such an approach are described and compared according to several factors. They represent ontology modelling and UML, the widely used standard for object-oriented modelling. A simple example is also presented.

    On Mutual Authorizations: Semantics, Integration Issues, and Performance

    Reciprocity is a powerful determinant of human behavior. None of the existing access control models, however, captures this reciprocity phenomenon. In this paper, we introduce a new kind of grant, which we call mutual, to express authorizations that actually do this, i.e., users grant access to their resources only to users who allow them access to theirs. We define the syntax and semantics of mutual authorizations and show how this new grant can be included in the Role-Based Access Control model, i.e., how to extend RBAC with it. We use location-based services as an example application for mutual authorizations, and we propose two approaches to integrating them into these services. Next, we prove the soundness and analyze the complexity of both approaches. We also study how the ratio of mutual to allow and to deny authorizations affects the number of persons whose position a given person may read. These ratios may help in predicting whether users are willing to use mutual authorizations instead of deny or allow. Experiments confirm our complexity analysis and shed light on the performance of our approaches.