Skip to main content
SpringerLink
Log in

Monitoring Database Access Constraints with an RBAC Metamodel: A Feasibility Study

  • Conference paper
Engineering Secure Software and Systems (ESSoS 2015)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 8978))

Included in the following conference series:

  • 1307 Accesses

Abstract

Role-based access control (RBAC) is widely used in organizations for access management. While basic RBAC concepts are present in modern systems, such as operating systems or database management systems, more advanced concepts like history-based separation of duty are not. In this work, we present an approach that validates advanced organizational RBAC policies using a model-based approach against the technical realization applied within a database. This allows a security officer to examine the correct implementation – possibly across multiple applications – of more powerful policies on the database level. We achieve this by monitoring the current state of a database in a UML/OCL validation tool. We assess the applicability of the approach by a non-trivial feasibility study.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. American National Standards Institute Inc.: Role Based Access Control, ANSI-INCITS 359-2004 (2004)

    Google Scholar 

  2. Anderson, R.J.: Security Engineering: A Guide to Building Dependable Distributed Systems, 2nd edn. Wiley Publishing (2008)

    Google Scholar 

  3. Basin, D.A., Clavel, M., Doser, J., Egea, M.: Automated analysis of security-design models. Information & Software Technology 51(5), 815–831 (2009)

    Article  Google Scholar 

  4. Basin, D.A., Doser, J., Lodderstedt, T.: Model driven security: From UML models to access control infrastructures. ACM Trans. Softw. Eng. Methodology 15(1), 39–91 (2006)

    Article  Google Scholar 

  5. Bertino, E., Sandhu, R.: Database Security-Concepts, Approaches, and Challenges. IEEE Trans. Dependable Secur. Comput. 2(1), 2–19 (2005)

    Article  Google Scholar 

  6. Fernández-Medina, E., Piattini, M.: Extending OCL for secure database development. In: Baar, T., Strohmeier, A., Moreira, A., Mellor, S.J. (eds.) UML 2004. LNCS, vol. 3273, pp. 380–394. Springer, Heidelberg (2004)

    Google Scholar 

  7. Gogolla, M., Büttner, F., Richters, M.: USE: A UML-Based Specification Environment for Validating UML and OCL. Sci. of Comp. Prog. 69, 27–34 (2007)

    Article  MATH  Google Scholar 

  8. Gulutzan, P., Pelzer, T.: SQL-99 complete, Really – An Example-Based Reference Manual of the New Standard. R&D Books (1999)

    Google Scholar 

  9. Hamann, L., Gogolla, M., Sohr, K.: RBAC meta-model and detailed evaluation results, http://www.db.informatik.uni-bremen.de/publications/intern/RBACEvaluation.use (last visited: March 30, 2014)

  10. Hamann, L., Hofrichter, O., Gogolla, M.: OCL-Based Runtime Monitoring of Applications with Protocol State Machines. In: Vallecillo, A., Tolvanen, J.-P., Kindler, E., Störrle, H., Kolovos, D. (eds.) ECMFA 2012. LNCS, vol. 7349, pp. 384–399. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  11. Kuhlmann, M., Sohr, K., Gogolla, M.: Comprehensive Two-Level Analysis of Static and Dynamic RBAC Constraints with UML and OCL. In: Proc. Secure Software Integration and Reliability Improvement (SSIRI 2011), pp. 108–117. IEEE (2011)

    Google Scholar 

  12. Microsoft: SQL Server Notification Services, http://technet.microsoft.com/en-us/library/ms172483%28v=sql.90%29.aspx (last visited: February 05, 2014)

  13. Microsoft: SQL Server Reporting Services (SSRS), http://technet.microsoft.com/en-us/library/ms159106.aspx (last visited: February 05, 2014)

  14. UML Superstructure 2.4.1. Object Management Group (OMG) (August 2011), http://www.omg.org/spec/UML/2.4.1/Superstructure/PDF

  15. Object Constraint Language 2.3.1. Object Management Group (OMG) (January 2012), http://www.omg.org/spec/OCL/2.3.1/

  16. Ramaswamy, C., Sandhu, R.: Role-Based Access Control Features in Commercial Database Management Systems. In: Proc. of 21st National Information Systems Security Conference, pp. 503–511 (1998)

    Google Scholar 

  17. Ray, I., Li, N., France, R.B., Kim, D.K.: Using UML to visualize role-based access control constraints. In: Proc. of the 9th ACM Symp. on Access Control Models and Technologies, pp. 115–124 (2004)

    Google Scholar 

  18. Simon, R., Zurko, M.: Separation of duty in role-based environments. In: 10th IEEE Computer Security Foundations Workshop (CSFW 1997), pp. 183–194 (1997)

    Google Scholar 

  19. The PostgreSQL Global Development Group: PostgreSQL 9.3.2 Documentation: NOTIFY, http://www.postgresql.org/docs/9.3/static/sql-notify.html , (last visited: February 05, 2014)

  20. Treat, R., Mohan, V.: pgFoundry: Sample Databases, dellstore2, http://pgfoundry.org/projects/dbsamples/ (last visited: March 20, 2014)

Download references

Author information

Authors and Affiliations

  1. Computer Science Department, University of Bremen, D-28334, Bremen, Germany

    Lars Hamann, Karsten Sohr & Martin Gogolla

Authors
  1. Lars Hamann
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Karsten Sohr
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Martin Gogolla
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. iMinds-DistriNet, KU Leuven, Belgium

    Frank Piessens

  2. IMDEA Software Institute, Campus de Montegancedo S/N, 28223, Pozuelo de Alarcón, Spain

    Juan Caballero

  3. Inria Sophia Antipolis – Mediterranee, 2004 route des Lucioles, B.P. 93, 06902, Sophia Antipolis Cedex, France

    Nataliia Bielova

Rights and permissions

Reprints and permissions

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Hamann, L., Sohr, K., Gogolla, M. (2015). Monitoring Database Access Constraints with an RBAC Metamodel: A Feasibility Study. In: Piessens, F., Caballero, J., Bielova, N. (eds) Engineering Secure Software and Systems. ESSoS 2015. Lecture Notes in Computer Science, vol 8978. Springer, Cham. https://doi.org/10.1007/978-3-319-15618-7_16

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-15618-7_16

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-15617-0

  • Online ISBN: 978-3-319-15618-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation