Fakultät für Informatik und Mathematik
MIP-0901

MIP-0901

Paper Description

BibTeX entry

@techreport{MIP-0901,
          author={C. Alm}
          title={{An Extensible Framework for Specifying and Reasoning About Complex
          Role-Based Access Control Models}},
          institution={{Fakult{\"a}t f{\"u}r Informatik und Mathematik, Universit{\"a}t Passau}},
          year={2009},
          number={MIP-0901}
}

Abstract

To date, no methodical approach has been found to integrate multiple access control extensions and concepts proposed for RBAC in an access control model that deals with the complexity of such a model and still leaves the model open for further extensions. As we know from the case studies of our research project [1], bringing together various access control concepts such as separation of duty, workflow-related concepts, and context constraints is necessary in real world scenarios such as in the health care sector and in the financial sector.
To solve this problem, this report presents an extensible and flexible framework for the specification of complex RBAC models that is based on the modularization of access control concepts. Each concept is packed into a so-called authorization module and can then be reused and combined with other modules in order to specify a full access control model. The framework can be used to define new access control concepts rapidly and concisely as well as to explore and analyze them thoroughly. Furthermore, it is capable of delivering a policy data model for each generated access control model which can be used to develop an appropriate policy language.
As a method we use formal, object-oriented specification in the Object-Z notation. In particular, we demonstrate how formal reasoning can be applied in order to provide an in-depth analysis of the specification.

Paper itself

MIP-0901.pdf