Can Feature be used to Model the Changing Access Control Policies ?

Download Full Text
K. Shantha Kumari, Dr. T. Chithralekha
Published Date:
November 05, 2012
Volume 2, Issue 6
21 - 31

access control polices, features functional requirements, modeling, rbac
K. Shantha Kumari, Dr. T. Chithralekha, "Can Feature be used to Model the Changing Access Control Policies ?". International Journal of Research in Computer Science, 2 (6): pp. 21-31, November 2012. doi:10.7815/ijorcs.26.2012.052 Other Formats


Access control policies [ACPs] regulate the access to data and resources in information systems. These ACPs are framed from the functional requirements and the Organizational security & privacy policies. It was found to be beneficial, when the ACPs are included in the early phases of the software development leading to secure development of information systems. Many approaches are available for including the ACPs in requirements and design phase. They relied on UML artifacts, Aspects and also Feature for this purpose. But the earlier modeling approaches are limited in expressing the evolving ACPs due to organizational policy changes and business process modifications. In this paper, we analyze, whether “Feature”- defined as an increment in program functionality can be used as a modeling entity to represent the Evolving Access control requirements. We discuss the two prominent approaches that use Feature in modeling ACPs. Also we have a comparative analysis to find the suitability of Features in the context of changing ACPs. We conclude with our findings and provide directions for further research.

  1. G Georg, I Ray, and R France, "Using aspects to design a secure system," In Proceedings of the International Conference on Engineering Complex Computing Systems (ICECCS 2002), Greenbelt, MD, ACM Press., 2002. doi: 10.1109/ICECCS.2002.1181504
  2. T Doan, S Demurjian, C T Ting, and C Phillips, "RBAC/MAC security for UML," in Research Directions in Data and Applications Security XVIII ,IFIP International Federation for Information Processing Volume 144. Catalonia, Spain: Springer, 2004, pp. 189-203.
  3. D Kim, I Ray, R France, and N Li, "Modeling Role-Based Access Control Using Parameterized UML Models ," in FASE 2004, LNCS, vol. 2984, 2004, pp. 180–193. doi: 10.1007/978-3-540-24721-0_13
  4. J Jurjens, "UMLsec: Extending UML for Secure Systems Development," in Proceedings. of the 5th International Conference on the UML, Dresden, Germany, 2002, pp. 412–425. doi: 10.1007/3-540-45800-X_32
  5. T Lodderstedt, D Basin, and J Doser, "Secureuml: A UML-based modeling language for model-driven security," in Proceedings of the International Conference on the Unified Modeling Language, UML'2002, 2002, pp. 426-441.
  6. T Priebe, E Fernandez, J Mehlau, and G Pernul, "A Pattern System for Access Control," in Proceedings of Conference on Data and Application Security, 2004, pp. 22–28. doi: 10.1007/1-4020-8128-6_16
  7. Steve Barker, "Security Policy Specification in Logic," in Proceedings of the International Conference on Artificial Intelligence,ICAI'2000, Las Vegas, NV, 2000, pp. 143-148.
  8. Steve Barker and Arnon Rosenthal, "Flexible security policies in SQL," in Proceedings of the fifteenth annual working conference on Database and application security, Niagara, Ontario, Canada, 2001, pp. 167-180.
  9. Elisa Bertino, Piero Andrea Bonatti, and Elena Ferrari, "TRBAC: a temporal role-based access control model," in RBAC '00 Proceedings of the fifth ACM workshop on Role-based access control, Berlin, Germany, 2000, pp. 21–30. doi: 10.1145/501978.501979
  10. Fang Chen and Ravi S. Sandhu, "Constraints for role-based access control," in RBAC '95 Proceedings of the first ACM Workshop on Role-based access control , 1995, p. Article No. 14. doi: 10.1145/270152.270177
  11. R J Hayton, J M Bacon, and K Moody, "Access control in open distributed environment," in In IEEE Symposium on Security and Privacy , Oakland, CA, 1998, pp. 3–14. doi: 10.1109/SECPRI.1998.674819
  12. Michael Hitchens and Vijay Varadharajan, "Tower: A Language for Role-Based Access Control," in POLICY '01 Proceedings of the International Workshop on Policies for Distributed Systems and Networks, Bristol, U.K. , 2001, pp. 88 - 106. doi: 10.1007/3-540-44569-2_6
  13. S Jajodia, P Samarati, and V S Subrahmanian, "A Logical Language for Expressing Authorizations," in IEEE Symposium on Security and Privacy, pages , Oakland, CA, 1997, pp. 31–42. doi: 10.1109/SECPRI.1997.601312
  14. R Ortalo, "A Flexible Method for Information Systems Security Policy Specification," in Proceedings of the 5th European Symposium on Research in Computer Security, Louvain-la-Neuve, Belgium, 1998. doi: 10.1007/BFb0055856
  15. J A Hoagland, R Pandey, and K N Levitt, "Security Policy Specification Using a Graphical Approach," Computer Science Department, University of California, Davis., Technical Report 1998.
  16. OASIS. (2002). Available:
  17. C Ribeiro, A Zuquete, and P Ferreira, "SPL: An Access Control Language for Security Policies with Complex Constraints," in roceedings of the Network and Distributed System Security Symposium, San Diego, CA, 2001.
  18. I Ray, N Li, R. B France, and D. K Kim, "Using UML to visualize role-based access control constraints," in Proceedings of the Symposium on Access Control Models and Technologies(SACMAT), 2004, pp. 31-40. doi: 10.1145/990036.990054
  19. I Ray, N Li, D. K Kim, and R. B France, "Using parameterized UML to specify and compose access control models," in Proceedings of the 6th IFIP TC-11 WG 11.5 Working Conference on Integrity and Internal Control in Information Systems, IICIS'03, Lausanne, Switzerland, (2003)., 2003. doi: 10.1007/1-4020-7901-X_4
  20. R Filman, T Elrad, S Clarke, and M. Aksit, Aspect-Oriented Software Development.: Addison Wesley.,ISBN-10: 0321219767 | ISBN-13: 978-0321219763., 2000.
  21. D R Smith, "A Generative Approach to Aspect-Oriented Programming," in Proceedings of the Third International Conference on Generative Programming and Component Engineering (GPCE’04), p. 2004. doi: 10.1007/978-3-540-30175-2_3
  22. Kyo C. Kang et al., "FORM : A feature-oriented reuse method,Volume 5," Annals of Software Engineering , pp. 143 - 168, 1998.
  23. L Abo Zaid, F Kleinermann, and O De Troyer, "Feature Assembly Framework: Towards Scalable and Reusable Feature Models," in Proceedings of the 5th Workshop on Variability Modeling of Software-Intensive Systems, Namur, Belgium, 2011, pp. 1-9.
  24. Lianshan Sun and Gang Huang, "Modeling Access Control Requirements in Feature Model," in APSEC '09 Proceedings of the 2009 16th Asia-Pacific Software Engineering Conference, Penang, 2009, pp. 241-248. doi: 10.1109/APSEC.2009.21
  25. Hong Mei, Wei Zhang, and Haiyan Zhao, "A Metamodel for modeling system Features and their refinement, constraint and interaction relationships," Software and Systems Modeling 5(2), pp. 172-186, 2006. doi: 10.1007/s10270-006-0004-1
  26. Dae-Kyoo Kim, Lunjin Lu, and Sangsig Kim, "A Verifiable Modeling Approach to Configurable Role-Based Access Control," in Proceedings of Fundamental Approaches to Software Engineering (FASE/ETAPS 2010), Paphos, Cyprus, 2010, pp. 188-201. doi: 10.1007/978-3-642-12029-9_14
  27. S Kim, D. K Kim, L Lu, S Kim, and S Park, "A Feature-Based Approach for Modeling Role-Based Access Control Systems;," Journal of Systems and Software Vol. 84, No. 12, pp. 2035-2052, 2011. doi: 10.1016/j.jss.2011.03.084
  28. S Kim, D.-K Kim, L Lu, S Park, and S Kim, "A Feature-Based Modeling Approach for Building Hybrid Access Control Systems," in 5th International Conference on Secure Software Integration and Reliability Improvement (SSIRI), Jeju, Korea, 2011, pp. 88-97. doi: 10.1109/SSIRI.2011.16
  29. Gail-Joon Ahn and Michael E. Shin, "Role-Based Authorization Constraints Specification Using Object Constraint Language," in WETICE '01 Proceedings of the 10th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, Washington, DC, USA, 2001, pp. 157 – 162.
  30. A Khwaja and J Urban, "A Synthesis of evaluation criteria for software specifications and specification techniques," International Journal of Software Engineering and Knowledge Engineering, vol. 12 , no. 5, pp. 581–599, 2002. doi: 10.1142/S0218194002001062
  31. C Talhi et al., "Usability of Security Specification Approaches for UML Design: A Survey," Journal of Object Technology, vol. 8, no. 6, pp. 103-122, 2009. doi: 10.5381/jot.2009.8.6.a1

    Sorry, there are no citation(s) for this manuscript yet.