The NIST model for role-based access control: towards a unified standard
RBAC '00 Proceedings of the fifth ACM workshop on Role-based access control
SecureUML: A UML-Based Modeling Language for Model-Driven Security
UML '02 Proceedings of the 5th International Conference on The Unified Modeling Language
Model driven security for process-oriented systems
Proceedings of the eighth ACM symposium on Access control models and technologies
authUML: a three-phased framework to analyze access control specifications in use cases
Proceedings of the 2003 ACM workshop on Formal methods in security engineering
Principles, Standards and Tools for Model Engineering
ICECCS '05 Proceedings of the 10th IEEE International Conference on Engineering of Complex Computer Systems
Editorial: Model-Driven Development for secure information systems
Information and Software Technology
On the Security of Security Software
Electronic Notes in Theoretical Computer Science (ENTCS)
Secure Systems Development with UML
Secure Systems Development with UML
Challenges in model-based evolution and merging of access control policies
Proceedings of the 12th International Workshop on Principles of Software Evolution and the 7th annual ERCIM Workshop on Software Evolution
Hi-index | 0.00 |
It has been argued that security perspectives, of which access control is one, should be taken into account as early as possible in the software development process. Towards that goal, we present in this paper a tool supporting our modelling approach to specify and verify access control in accordance to the NIST standard Role-Based Access Control (RBAC). RBAC is centred on mapping users to their roles in an organisation, to make access control permissions easier to set and maintain. Our modelling approach uses only standard UML mechanisms, like metamodels and OCL constraints, and improves on existing approaches in various ways: designers don't have to learn new languages or adopt new tools or methodologies; user-role and role-permission assignments can be specified separately to be reused across models; access control is specified over class and activity diagrams, including 'anti-scenarios'; access control is automatically verified. The tool is built on top of an existing modelling IDE and allows for automatic verification of models according to our RBAC modelling approach, while providing users with the ability to easily identify and correct errors in the model when they are detected.