Abstract
Role-based access control (RBAC) is widely used in organizations for access management. While basic RBAC concepts are present in modern systems, such as operating systems or database management systems, more advanced concepts like history-based separation of duty are not. In this work, we present an approach that validates advanced organizational RBAC policies using a model-based approach against the technical realization applied within a database. This allows a security officer to examine the correct implementation – possibly across multiple applications – of more powerful policies on the database level. We achieve this by monitoring the current state of a database in a UML/OCL validation tool. We assess the applicability of the approach by a non-trivial feasibility study.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
American National Standards Institute Inc.: Role Based Access Control, ANSI-INCITS 359-2004 (2004)
Anderson, R.J.: Security Engineering: A Guide to Building Dependable Distributed Systems, 2nd edn. Wiley Publishing (2008)
Basin, D.A., Clavel, M., Doser, J., Egea, M.: Automated analysis of security-design models. Information & Software Technology 51(5), 815–831 (2009)
Basin, D.A., Doser, J., Lodderstedt, T.: Model driven security: From UML models to access control infrastructures. ACM Trans. Softw. Eng. Methodology 15(1), 39–91 (2006)
Bertino, E., Sandhu, R.: Database Security-Concepts, Approaches, and Challenges. IEEE Trans. Dependable Secur. Comput. 2(1), 2–19 (2005)
Fernández-Medina, E., Piattini, M.: Extending OCL for secure database development. In: Baar, T., Strohmeier, A., Moreira, A., Mellor, S.J. (eds.) UML 2004. LNCS, vol. 3273, pp. 380–394. Springer, Heidelberg (2004)
Gogolla, M., Büttner, F., Richters, M.: USE: A UML-Based Specification Environment for Validating UML and OCL. Sci. of Comp. Prog. 69, 27–34 (2007)
Gulutzan, P., Pelzer, T.: SQL-99 complete, Really – An Example-Based Reference Manual of the New Standard. R&D Books (1999)
Hamann, L., Gogolla, M., Sohr, K.: RBAC meta-model and detailed evaluation results, http://www.db.informatik.uni-bremen.de/publications/intern/RBACEvaluation.use (last visited: March 30, 2014)
Hamann, L., Hofrichter, O., Gogolla, M.: OCL-Based Runtime Monitoring of Applications with Protocol State Machines. In: Vallecillo, A., Tolvanen, J.-P., Kindler, E., Störrle, H., Kolovos, D. (eds.) ECMFA 2012. LNCS, vol. 7349, pp. 384–399. Springer, Heidelberg (2012)
Kuhlmann, M., Sohr, K., Gogolla, M.: Comprehensive Two-Level Analysis of Static and Dynamic RBAC Constraints with UML and OCL. In: Proc. Secure Software Integration and Reliability Improvement (SSIRI 2011), pp. 108–117. IEEE (2011)
Microsoft: SQL Server Notification Services, http://technet.microsoft.com/en-us/library/ms172483%28v=sql.90%29.aspx (last visited: February 05, 2014)
Microsoft: SQL Server Reporting Services (SSRS), http://technet.microsoft.com/en-us/library/ms159106.aspx (last visited: February 05, 2014)
UML Superstructure 2.4.1. Object Management Group (OMG) (August 2011), http://www.omg.org/spec/UML/2.4.1/Superstructure/PDF
Object Constraint Language 2.3.1. Object Management Group (OMG) (January 2012), http://www.omg.org/spec/OCL/2.3.1/
Ramaswamy, C., Sandhu, R.: Role-Based Access Control Features in Commercial Database Management Systems. In: Proc. of 21st National Information Systems Security Conference, pp. 503–511 (1998)
Ray, I., Li, N., France, R.B., Kim, D.K.: Using UML to visualize role-based access control constraints. In: Proc. of the 9th ACM Symp. on Access Control Models and Technologies, pp. 115–124 (2004)
Simon, R., Zurko, M.: Separation of duty in role-based environments. In: 10th IEEE Computer Security Foundations Workshop (CSFW 1997), pp. 183–194 (1997)
The PostgreSQL Global Development Group: PostgreSQL 9.3.2 Documentation: NOTIFY, http://www.postgresql.org/docs/9.3/static/sql-notify.html , (last visited: February 05, 2014)
Treat, R., Mohan, V.: pgFoundry: Sample Databases, dellstore2, http://pgfoundry.org/projects/dbsamples/ (last visited: March 20, 2014)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Hamann, L., Sohr, K., Gogolla, M. (2015). Monitoring Database Access Constraints with an RBAC Metamodel: A Feasibility Study. In: Piessens, F., Caballero, J., Bielova, N. (eds) Engineering Secure Software and Systems. ESSoS 2015. Lecture Notes in Computer Science, vol 8978. Springer, Cham. https://doi.org/10.1007/978-3-319-15618-7_16
Download citation
DOI: https://doi.org/10.1007/978-3-319-15618-7_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-15617-0
Online ISBN: 978-3-319-15618-7
eBook Packages: Computer ScienceComputer Science (R0)