Employing UML and OCL for Designing and Analyzing Role-Based Access Control

Stringent security requirements of organizations like banks or hospitals frequently adopt role-based access control (RBAC) principles to represent and simplify their internal permission management. While representing a fundamental advanced RBAC concept enabling precise restrictions on access rights, authorization constraints increase the complexity of the resulting security policies so that tool support for comfortable creation and adequate validation is required. One contribution of our work is a new approach to developing and analyzing RBAC policies using a UML-based domain-specific language (DSL), which allows hiding the mathematical structures of the underlying authorization constraints implemented in OCL. The presented DSL is highly configurable and extensible with respect to new concepts and classes of authorization constraints, and allows the developer to validate RBAC policies in an effective way. The handling of dynamic (i. e., time-dependent) constraints, their visual representation through the RBAC DSL, and their analysis form another part of our contribution. The approach is supported by a UML and OCL validation tool.