Model-Driven Integration and Analysis of Access-control Policies in Multi-layer Information Systems

Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 455)


Security is a critical concern for any information system. Security properties such as confidentiality, integrity and availability need to be enforced in order to make systems safe. In complex environments, where information systems are composed of a number of heterogeneous subsystems, each must participate in their achievement. Therefore, security integration mechanisms are needed in order to 1) achieve the global security goal and 2) facilitate the analysis of the security status of the whole system. For the specific case of access-control, access-control policies may be found in several components (databases, networks and applications) all, supposedly, working together in order to meet the high level security property. In this work we propose an integration mechanism for access-control policies to enable the analysis of the system security. We rely on model-driven technologies and the XACML standard to achieve this goal.


Policy Language Security Policy Context Attribute Content Management System XACML Policy 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Bauer, L., Appel, A.W.: Access Control for the Web via Proof-Carrying Authorization. PhD thesis, Princeton University (2003)Google Scholar
  2. 2.
    Bonatti, P., De Capitani di Vimercati, S., Samarati, P.: An Algebra for Composing Access Control Policies. TISSEC 5(1), 1–35 (2002)CrossRefGoogle Scholar
  3. 3.
    Casalino, M.M., Thion, R.: Refactoring multi-layered access control policies through (de)composition. In: CNSM, pp. 243–250 (2013)Google Scholar
  4. 4.
    Cuppens, F., Cuppens-Boulahia, N., Sans, T., Miège, A.: A formal approach to specify and deploy a network security policy. In: FAST 2004, pp. 203–218 (2004)Google Scholar
  5. 5.
    Davy, S., Jennings, B., Strassner, J.: The Policy Continuum-Policy Authoring and Conflict Analysis. Computer Communications 31(13), 2981–2995 (2008)CrossRefGoogle Scholar
  6. 6.
    Hu, H., Ahn, G.-J., Kulkarni, K.: Anomaly discovery and resolution in web access control policies. In: SACMAT 2011, pp. 165–174. ACM (2011)Google Scholar
  7. 7.
    Jin, X., Krishnan, R., Sandhu, R.: A unified attribute-based access control model covering DAC, MAC and RBAC. In: Cuppens-Boulahia, N., Cuppens, F., Garcia-Alfaro, J. (eds.) DBSec 2012. LNCS, vol. 7371, pp. 41–55. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  8. 8.
    Jouault, F., Allilaire, F., Bézivin, J., Kurtev, I.: ATL: A Model Transformation Tool. Science of Computer Programming 72(1), 31–39 (2008)MathSciNetCrossRefzbMATHGoogle Scholar
  9. 9.
    Lockhart, H., Parducci, B., Anderson, A.: OASIS XACML TC (2013)Google Scholar
  10. 10.
    Lodderstedt, T., Basin, D., Doser, J.: SecureUML: a UML-based modeling language for model-driven security. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, pp. 426–441. Springer, Heidelberg (2002) CrossRefGoogle Scholar
  11. 11.
    Martínez, S., Cosentino, V., Cabot, J., Cuppens, F.: Reverse engineering of database security policies. In: Decker, H., Lhotská, L., Link, S., Basl, J., Tjoa, A.M. (eds.) DEXA 2013, Part II. LNCS, vol. 8056, pp. 442–449. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  12. 12.
    Martínez, S., Garcia-Alfaro, J., Cuppens, F., Cuppens-Boulahia, N., Cabot, J.: Model-driven extraction and analysis of network security policies. In: Moreira, A., Schätz, B., Gray, J., Vallecillo, A., Clarke, P. (eds.) MODELS 2013. LNCS, vol. 8107, pp. 52–68. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  13. 13.
    Martínez, S., García-Alfaro, J., Cuppens, F., Cuppens-Boulahia, N., Cabot, J.: Towards an access-control metamodel for web content management systems. In: ICWE Workshops, pp. 148–155 (2013)Google Scholar
  14. 14.
    Mazzoleni, P., Crispo, B., Sivasubramanian, S., Bertino, E.: XACML Policy Integration Algorithms. TISSEC 11(1), 4 (2008)CrossRefGoogle Scholar
  15. 15.
    Mouelhi, T., Fleurey, F., Baudry, B., Le Traon, Y.: A model-based framework for security policy specification, deployment and testing. In: Czarnecki, K., Ober, I., Bruel, J.-M., Uhl, A., Völter, M. (eds.) MODELS 2008. LNCS, vol. 5301, pp. 537–552. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  16. 16.
    OMG. OCL, version 2.0. Object Management Group, June 2005Google Scholar
  17. 17.
    Preda, S., Cuppens-Boulahia, N., Cuppens, F., Garcia-Alfaro, J., Toutain, L.: Model-driven security policy deployment: property oriented approach. In: Massacci, F., Wallach, D., Zannone, N. (eds.) ESSoS 2010. LNCS, vol. 5965, pp. 123–139. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  18. 18.
    Sandhu, R., Ferraiolo, D., Kuhn, R.: The NIST Model for Role-Based Access Control: Towards A Unified Standard. RBAC 2000, pp. 47–63. ACM (2000)Google Scholar
  19. 19.
    Trninic, B., Sladic, G., Milosavljevic, G., Milosavljevic, B., Konjovic, Z.: PolicyDSL: towards generic access control management based on a policy metamodel. In: SoMeT, pp. 217–223 (2013)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2015

Authors and Affiliations

  1. 1.AtlanMod Team (Inria, Mines Nantes, LINA)NantesFrance
  2. 2.RST DepartmentTélécom SudParis, CNRS Samovar UMR 5157EvryFrance
  3. 3.Télécom Bretagne, LUSSI DepartmentUniversité Européenne de BretagneRennesFrance
  4. 4.ICREA - UOCBarcelonaSpain

Personalised recommendations