Model-Based Specification and Refinement of Usage Control Policies

In existing usage control policy frameworks, policies consisting of authorizations and obligations are specified at a low level of abstraction. As a consequence, these policy specifications become long and complex since they reference many technical elements of the system such as operating system calls or web-service invocations. Due to this complexity, it is difficult for policy authors to assess if the policies they specify are complete and correct in order to achieve their high-level usage control goals. In this paper we describe our approach for specification and refinement of usage control policies that addresses this complexity problem. In our approach, high-level usage control policies are specified considering an abstract system model. To model the abstract system we adopt the Interaction System Design Language (ISDL), which supports the representation and refinement of the system structure, behavior, and information at successive levels of abstraction. By considering a set of possible refinement steps of the system, we propose a set of policy refinement rules that automatically refine the abstract usage control policies specified for a given abstract system model to implementation-level policies. The input of our refinement rules is the abstract system model, the concrete system model, the system refinement steps from abstract to concrete, and the abstract usage control policies. We show the application of our approach in a case study of a supply chain scenario implemented using BPMN. In our case study high-level usage control policies are automatically refined to implementation-level policies that can be enforced in a BPMN engine.

NEISSE Ricardo;  DOERR Joerg; 

2014-08-18

IEEE

JRC81427

978-1-4673-5839-2,   

http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=6596051,    https://publications.jrc.ec.europa.eu/repository/handle/JRC81427,   

10.1109/PST.2013.6596051,