TY - GEN
T1 - Model-driven run-time enforcement of complex role-based access control policies
AU - Fadhel, Ameni Ben
AU - Bianculli, Domenico
AU - Briand, Lionel C.
N1 - Publisher Copyright:
© 2018 Association for Computing Machinery.
PY - 2018/9/3
Y1 - 2018/9/3
N2 - A Role-based Access Control (RBAC) mechanism prevents unauthorized users to perform an operation, according to authorization policies which are defined on the user's role within an enterprise. Several models have been proposed to specify complex RBAC policies. However, existing approaches for policy enforcement do not fully support all the types of policies that can be expressed in these models, which hinders their adoption among practitioners. In this paper we propose a model-driven enforcement framework for complex policies captured by GemRBAC+CTX, a comprehensive RBAC model proposed in the literature. We reduce the problem of making an access decision to checking whether a system state (from an RBAC point of view), expressed as an instance of the GemRBAC+CTX model, satisfies the constraints corresponding to the RBAC policies to be enforced at run time. We provide enforcement algorithms for various types of access requests and events, and a prototype tool (MORRO) implementing them. We also show how to integrate MORRO into an industrial Web application. The evaluation results show the applicability of our approach on a industrial system and its scalability with respect to the various parameters characterizing an AC configuration.
AB - A Role-based Access Control (RBAC) mechanism prevents unauthorized users to perform an operation, according to authorization policies which are defined on the user's role within an enterprise. Several models have been proposed to specify complex RBAC policies. However, existing approaches for policy enforcement do not fully support all the types of policies that can be expressed in these models, which hinders their adoption among practitioners. In this paper we propose a model-driven enforcement framework for complex policies captured by GemRBAC+CTX, a comprehensive RBAC model proposed in the literature. We reduce the problem of making an access decision to checking whether a system state (from an RBAC point of view), expressed as an instance of the GemRBAC+CTX model, satisfies the constraints corresponding to the RBAC policies to be enforced at run time. We provide enforcement algorithms for various types of access requests and events, and a prototype tool (MORRO) implementing them. We also show how to integrate MORRO into an industrial Web application. The evaluation results show the applicability of our approach on a industrial system and its scalability with respect to the various parameters characterizing an AC configuration.
KW - Enforcement
KW - Model-driven engineering
KW - Policies
KW - Role-based access control
UR - http://www.scopus.com/inward/record.url?scp=85056558138&partnerID=8YFLogxK
U2 - 10.1145/3238147.3238167
DO - 10.1145/3238147.3238167
M3 - Conference contribution
AN - SCOPUS:85056558138
T3 - ASE 2018 - Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering
SP - 248
EP - 258
BT - ASE 2018 - Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering
A2 - Kastner, Christian
A2 - Huchard, Marianne
A2 - Fraser, Gordon
PB - Association for Computing Machinery, Inc
T2 - 33rd IEEE/ACM International Conference on Automated Software Engineering, ASE 2018
Y2 - 3 September 2018 through 7 September 2018
ER -