Extending RBAC Model to Control Sequences of CRUD Expressions

Óscar Mortágua Pereira, Diogo Regateiro, Rui L. Aguiar, "Extending RBAC Model to Control Sequences of CRUD Expressions", Proc. 26th SEKE - International Conference on Software Engineering and Knowledge Engineering, Vancouver, Canada, Jul 2014
http://www.ksi.edu/seke/seke14.html

Abstract

In database applications, access control is aimed at supervising users’ requests to access sensitive data. Users’ requests are mainly formalized by Create, Read, Update and Delete (CRUD) expressions. The supervision process can be formalized at a high level, such as with the RBAC model, but in the end the relevant aspect is the data being accessed through each CRUD expression. In critical database applications, access control can be enforced not on a CRUD-by-CRUD basis but at the level of sequences of CRUD expressions (workflows). This situation occurs whenever established security policies are based on strict procedures that define, step by step, the actions (sequences of CRUD expressions) to be followed. Current RBAC models do not support this type of security policy. To overcome this security gap, we leverage previous research to propose an extension to the RBAC model that controls, for each role, which sequences of CRUD expressions are authorized. We demonstrate empirical evidence of the effectiveness of our proposal from a use case based on Java and JDBC. Our use case is based on typed security layers built from a software architectural model and also from metadata based on the proposed RBAC model extension.
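The abstract describes authorizing, per role, whole sequences of CRUD expressions rather than individual expressions. The following is an added illustrative model of that idea, written for this page; it is not the paper's mechanism nor its Java/JDBC security layers. The policy format (a role maps to a list of authorized step sequences, each step an operation/table pair), the role and table names, the regex-based classifier of SQL text into CRUD steps, and the session-state handling are all assumptions made here for the example. The enforcer tracks where a session is inside an authorized workflow, accepts an expression only if it continues some authorized sequence (or starts a new one once the previous workflow is complete), and rejects out-of-order expressions without changing the session state.

```python
"""Illustrative per-role enforcement of sequences of CRUD expressions (not the paper's code)."""
import re

# Assumed, simplistic classifier: map a CRUD expression to an (operation, table) step.
# Real deployments would use a proper SQL parser; this regex form is only for the example.
_PATTERNS = [
    ("Create", re.compile(r"^\s*insert\s+into\s+(\w+)", re.I)),
    ("Read", re.compile(r"^\s*select\b.*?\bfrom\s+(\w+)", re.I | re.S)),
    ("Update", re.compile(r"^\s*update\s+(\w+)", re.I)),
    ("Delete", re.compile(r"^\s*delete\s+from\s+(\w+)", re.I)),
]


def classify(sql):
    """Return (operation, table) for a CRUD expression, or raise if it is not one."""
    for op, pattern in _PATTERNS:
        match = pattern.search(sql)
        if match:
            return (op, match.group(1).lower())
    raise ValueError(f"not a CRUD expression: {sql!r}")


# Assumed policy (constructed for this example): each role lists the sequences of
# (operation, table) steps it may execute, in order. A one-step sequence is a plain
# single CRUD authorization, so the classic per-expression RBAC case is a special case.
POLICY = {
    "teller": [
        (("Read", "accounts"), ("Update", "accounts"), ("Create", "audit_log")),
        (("Read", "accounts"),),
    ],
    "auditor": [
        (("Read", "accounts"),),
        (("Read", "audit_log"),),
    ],
}


class SequenceEnforcer:
    """Tracks one session's position inside the authorized sequences of its role."""

    def __init__(self, role, policy=POLICY):
        if role not in policy:
            raise PermissionError(f"role {role!r} has no authorized sequences")
        self.role = role
        self.sequences = policy[role]
        self.history = []  # steps executed so far in the current workflow

    def _extends(self, candidate):
        """True if `candidate` is a prefix of at least one authorized sequence."""
        n = len(candidate)
        return any(list(seq[:n]) == candidate for seq in self.sequences if len(seq) >= n)

    def authorize(self, sql):
        """Decide whether `sql` may run next; state changes only on acceptance."""
        step = classify(sql)
        # Case 1: the expression continues the workflow already in progress.
        if self._extends(self.history + [step]):
            self.history.append(step)
            return True
        # Case 2: the previous workflow is complete, so a new authorized one may start.
        if tuple(self.history) in self.sequences and self._extends([step]):
            self.history = [step]
            return True
        # Otherwise the expression is out of sequence for this role: reject, keep state.
        return False


def run_demo():
    """Constructed sample session for the 'teller' role; returns one decision per expression."""
    teller = SequenceEnforcer("teller")
    session = [  # constructed sample CRUD expressions
        "SELECT balance FROM accounts WHERE id = 1",
        "UPDATE accounts SET balance = balance - 10 WHERE id = 1",
        "INSERT INTO audit_log (who, what) VALUES ('teller', 'debit')",
        "DELETE FROM accounts WHERE id = 1",  # no teller sequence contains a delete
    ]
    return [teller.authorize(sql) for sql in session]


if __name__ == "__main__":
    print(run_demo())
```

The decision is made per expression, as a database driver layer would see it, but the state carried between calls is what turns individual CRUD checks into workflow checks: the same UPDATE that is accepted as step two of the teller workflow is rejected if issued first.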

Information

Conference: 26th SEKE - International Conference on Software Engineering and Knowledge Engineering in Vancouver, Canada