Expressing Access Control Policies with an Event-Based Approach

  • Pierre Konopacki
  • Marc Frappier
  • Régine Laleau
Conference paper
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 83)


Information systems are widely used and help in the management of huge quantities of data. Generally, these data are valuable or sensitive, so access to them must be restricted to authorized users. Security is a mandatory requirement for information systems. Several methods already exist to express access control policies, but few of them support all the kinds of constraints that can be defined in access control policies. In this paper, we present EB³SEC, a language used to formally model and interpret access control policies in information systems. Permissions, prohibitions and static separation of duty are specified by a class diagram. As EB³SEC includes a process algebra, dynamic access control constraints such as obligations and dynamic separation of duty can be easily expressed. Finally, we present the architecture of the tool used to interpret EB³SEC models.


Keywords: formal method, access control, security



Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Pierre Konopacki (1, 2)
  • Marc Frappier (1)
  • Régine Laleau (2)

  1. GRIL, Département d’informatique, Université de Sherbrooke, Canada
  2. Université Paris-Est, LACL, IUT Sénart Fontainebleau, Fontainebleau, France
