Enhancing UML to Model Custom Security Aspects

Despite its widespread usage, the Unified Modeling Language (UML) specification still lacks formal, explicit, support for access control. This paper proposes an approach to model security as a separate concern by augmenting UML with separate and new diagrams for role-based, discretionary, and mandatory access controls; collectively, these diagrams provide visual access-control aspects. Individually, each of these diagrams contain a set of security features that augment UML with security capabilities. The intent is to provide designers with a broad set of security features, where they can select only the features needed by their application, merge them into UML, and utilize the custom result to model security aspects. This paper presents a set of features extracted from role-based, discretionary, and mandatory access control, demonstrates their composition into a customizable security model in UML (including a formal basis), and illustrates the approach via a university application.