Abstract

Security has become an important aspect of information systems engineering. A mainstream method for information system security is Role-based Access Control (RBAC), which restricts system access to authorised users. While the benefits of RBAC are widely acknowledged, the implementation and administration of RBAC policies remain human-intensive activities, typically postponed until the implementation and maintenance phases of system development. This deferred security engineering approach makes it difficult for security requirements to be accurately captured and for the system’s implementation to be kept aligned with these requirements as the system evolves. In this paper we propose a model-driven approach to manage SQL database access under the RBAC paradigm. The starting point of the approach is an RBAC model captured in SecureUML. This model is automatically translated to Oracle Database views and instead-of trigger code, which implement the security constraints. The approach has been fully instrumented as a prototype and its effectiveness has been validated by means of a case study.

Highlights

  • Security engineering is an engineering discipline within system engineering “concerned with lowering the risk of intentional unauthorized harm to valuable assets to level that is acceptable to the system’s stakeholders by preventing and reacting to malicious harm, misuse, threats, and security risks” [16]

  • We propose to solve the above problem by using model driven architecture (MDA)

  • In this paper we present a set of transformation templates that help to translate the security model expressed in SecureUML [4], [25], to security constraints based on database views and instead-of triggers


Summary

Introduction

Security engineering is an engineering discipline within system engineering “concerned with lowering the risk of intentional unauthorized harm to valuable assets to level that is acceptable to the system’s stakeholders by preventing and reacting to malicious harm, misuse, threats, and security risks” [16]. In this paper we present a set of transformation templates that help to translate the security model expressed in SecureUML [4], [25] into security constraints based on database views and instead-of triggers. These security constraints are applied to the SQL database schema (which could be generated from, e.g., the UML class diagram) to enforce the role-based access control rules on the secured data.
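The view plus instead-of trigger pattern described above, as an added illustration that is not the paper's generated Oracle code: it uses SQLite through Python so that it runs stand-alone. The `meeting` table, the roles, the users and the `current_session` table (a stand-in for the database session user) are all hypothetical.

```python
import sqlite3
# Constructed schema: table, role and user names are hypothetical.
SCHEMA = """
CREATE TABLE meeting (id INTEGER PRIMARY KEY, title TEXT, owner TEXT);
CREATE TABLE user_role (username TEXT, role TEXT);
CREATE TABLE current_session (username TEXT);  -- stand-in for the DB session user
-- Select constraint: rows are visible only to callers holding a permitted role.
CREATE VIEW meeting_v AS
  SELECT m.id, m.title, m.owner FROM meeting m
  WHERE EXISTS (SELECT 1 FROM user_role r
                JOIN current_session s ON r.username = s.username
                WHERE r.role IN ('Organizer', 'Participant'));
-- Update constraint: caller must hold Organizer AND own the row being changed.
CREATE TRIGGER meeting_v_upd INSTEAD OF UPDATE ON meeting_v
BEGIN
  SELECT RAISE(ABORT, 'access denied')
  WHERE NOT EXISTS (SELECT 1 FROM user_role r
                    JOIN current_session s ON r.username = s.username
                    WHERE r.role = 'Organizer' AND s.username = OLD.owner);
  UPDATE meeting SET title = NEW.title WHERE id = OLD.id;
END;
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO meeting VALUES (?, ?, ?)",
                   [(1, "Budget review", "alice"), (2, "Standup", "bob")])
    db.executemany("INSERT INTO user_role VALUES (?, ?)",
                   [("alice", "Organizer"), ("bob", "Participant")])
    return db

def as_user(db, username):
    db.execute("DELETE FROM current_session")
    db.execute("INSERT INTO current_session VALUES (?)", (username,))

def visible_rows(db, username):
    as_user(db, username)
    return db.execute("SELECT id, title FROM meeting_v ORDER BY id").fetchall()

def try_update(db, username, meeting_id, title):
    """Update through the view; True only if the base row actually changed."""
    as_user(db, username)
    try:
        db.execute("UPDATE meeting_v SET title = ? WHERE id = ?", (title, meeting_id))
    except sqlite3.DatabaseError:  # raised by RAISE(ABORT) in the trigger
        return False
    row = db.execute("SELECT title FROM meeting WHERE id = ?", (meeting_id,)).fetchone()
    return row is not None and row[0] == title
```

The constraints only hold if application accounts are granted access to `meeting_v` and not to the base table, which SQLite cannot express but a server database does through its grants.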

Role-based Access Control
SecureUML Semantics
Role-Based Access Control in Relational Databases
Data Role-based Access Control using Model-driven Security
Delete Authorisation Constraint
Insert Authorisation Constraint
Update Authorisation Constraint
Tool Support
Validation
Discussion and Future
Model-driven Security
Security Modelling Languages
RBAC and Security Modelling Languages
RBAC for SQL Databases
Future Work
ParticipantAuthConstraint
Transformation Rules for Insert Action
Transformation Rules for Update Action
Transformation Rules for Delete Action
Transformation Rules for Select Action