Constraint based role based access control in the SECTET-framework

Abstract

With respect to Service Oriented Architectures (SOA's) paradigm, the core Role Based Access Control (RBAC) has several limitations. In SOA, permissions to execute web services are not assigned statically to roles but are associated with a set of Permission Assignment Constraints (PAC) upon the fulfilment of which a role is assigned a permission to execute a web service. Further, the RBAC does not support partial inheritance which is an integral requirement in SOA. A major challenge in SOA is the inheritance of permissions associated with PAC in the presence of role hierarchies. This contribution has three objectives. First we propose an extension to Role Based Access Control (available at csrc.nist.gov/rbac/), which we call Constraint based RBAC (CRBAC), in order to make RBAC applicable to the dynamic environment of SOA. Within CRBAC, a high-level language - called SECTET-PL (available at http:// qe-informatik.uibk.ac.at/~muhammad/TechnicalReportSECTETPL.pdf) is used for the specification of PAC. Being part of the SECTET-framework for model-driven security for B2B-workflows, SECTET-PL is a policy language influenced by OCL (available at http://www.omg.org/docs/ptc/03-10-14.pdf) and interpreted in the context of UML models. Using the Model Driven Architecture (MDA) (available at http://www.omg.org/mda) paradigm, we then describe the transformation of high-level security models to low-level web services standard artefacts with the help of the Eclipse Modelling Framework and OpenArchitectureWare. Finally, we present the target architecture of the SECTET-framework used to realize the security artefacts generated from the transformations and thus completes the cycle of MDA.