Extending the UML Standards to Model Tree-Structured Data and Their Access Control Requirements

  • Alberto De la Rosa Algarín
  • Steven A. Demurjian
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10074)


Secure data sharing between computational systems is a necessity to many workflows across domains such as healthcare informatics, law enforcement and national security. While there exist many approaches towards securing data for the purpose of dissemination, the vast majority follows the traditional thought of security engineering that occurs as the last step of the overall software engineering process. In this paper we extend the Unified Modeling Language (UML) standard to: (1) modeling tree-structured data and associated schemas and (2) information security via role-based, lattice-based, and discretionary access control; both push it towards the forefront of the software development life-cycle. Tree structured data and associated schemas are dominant in information modeling and exchange formats including: the eXtensible Markup Language (XML), JavaScript Object Notation (JSON), etc. New UML artifacts for tree-structured data and schemas would allow the modeling of generalized information solutions from which XML, JSON, RDF, etc., could be generated; this is akin to generating different object-oriented programming language code from UML class diagrams. This UML extension also allows security experts to model and define information security requirements at the schema level as well, before code is written. The end-result is the assurance of information security for the purpose of sharing across computational systems.


Unify Modeling Language Resource Description Framework Security Policy Access Control Model Clinical Document Architecture 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
  2. 2.
    UML ISO standard. Object Management Group (2014).
  3. 3.
    Annas, G.J.: HIPAA regulations—a new era of medical-record privacy? N. Engl. J. Med. 348, 1486–1490 (2003)CrossRefGoogle Scholar
  4. 4.
    Baumer, D., Earp, J.B., Payton, F.C.: Privacy of medical records: IT implications of HIPAA, pp. 137–152 (2006)Google Scholar
  5. 5.
    Bernauer, M., Kappel, G., Kramler, G.: Representing XML schema in UML–A comparison of approaches, pp. 767–769 (2004)Google Scholar
  6. 6.
    Bernauer, M., Kappel, G., Kramler, G.: Representing XML schema in UML-an UML profile for XML schema (2003)Google Scholar
  7. 7.
    Boudreau, T., Glick, J., Greene, S., Spurlin, V., Woehr, J.J.: NetBeans: The Definitive Guide. O’Reilly Media Inc., Sebastopol (2002)Google Scholar
  8. 8.
    Bray, T., Paoli, J., Sperberg-McQueen, C.M., Maler, E., Yergeau, F.: Extensible markup language (XML) (1998)Google Scholar
  9. 9.
    Crockford, D.: JSON: the fat-free alternative to XML (2006)Google Scholar
  10. 10.
    Damiani, E., Capitani, De, di Vimercati, S., Paraboschi, S., Samarati, P.: Design and implementation of an access control processor for XML documents. Comput. Netw. 33, 59–75 (2000)CrossRefGoogle Scholar
  11. 11.
    Damiani, E., Fansi, M., Gabillon, A., Marrara, S.: A general approach to securely querying XML. Comput. Stand. Interfaces 30, 379–389 (2008)CrossRefGoogle Scholar
  12. 12.
    Dolin, R.H., Alschuler, L., Boyer, S., Beebe, C., Behlen, F.M., Biron, P.V., Shvo, A.S.: HL7 clinical document architecture, release 2. J. Am. Med. Inform. Assoc. 13, 30–39 (2006)CrossRefGoogle Scholar
  13. 13.
    Ferraiolo, D.F., Sandhu, R., Gavrila, S., Kuhn, D.R., Chandramouli, R.: Proposed NIST standard for role-based access control. ACM Trans. Inform. Syst. Secur. 4, 224–274 (2001)CrossRefGoogle Scholar
  14. 14.
    Ferranti, J.M., Musser, R.C., Kawamoto, K., Hammond, W.: The clinical document architecture and the continuity of care record: A critical analysis. J. Am. Med. Inform. Assoc. 13, 245–252 (2006)CrossRefGoogle Scholar
  15. 15.
    Fowler, M.: UML distilled: a brief guide to the standard object modeling language. Addison-Wesley Professional, Boston (2004)Google Scholar
  16. 16.
    Guideline, M.: Model minimum uniform crash criteria. 811, 631 (2012)Google Scholar
  17. 17.
    Klyne, G., Carroll, J.J., McBride, B.: Resource description framework (RDF): Concepts and abstract syntax. 10 (2004)Google Scholar
  18. 18.
    Lee, M., Kim, H., Kim, J., Lee, J.: StarUML 5.0 developer guide’ (2005)Google Scholar
  19. 19.
    McGuinness, D.L., Van Harmelen, F.: OWL web ontology language overview. 10, 10 (2004)Google Scholar
  20. 20.
    Merkow, M.: cXML: a new taxonomy for E-commerce (1999)Google Scholar
  21. 21.
    Moore, B., Dean, D., Gerber, A., Wagenknecht, G., Vanderheyden, P.: Eclipse development. 379 (2004)Google Scholar
  22. 22.
    OFX, Open Financial Exchange SpecificationGoogle Scholar
  23. 23.
    Ogle, J.H., Alluri, P., Sarasua, W.: MMUCC and MIRE: the role of segmentation in safety analysis (2011)Google Scholar
  24. 24.
    Pavlich-Mariscal, J., Michel, L., Demurjian, S.: Enhancing UML to model custom security aspects (2007)Google Scholar
  25. 25.
    Pavlich-Mariscal, Jaime A., Michel, Laurent, Demurjian, Steven A.: A formal enforcement framework for role-based access control using aspect-oriented programming. In: Briand, Lionel C., Williams, Clay (eds.) MoDELS 2005. LNCS, vol. 3713, pp. 537–552. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  26. 26.
    Pavlich-Mariscal, J.A., Demurjian, S.A., Michel, L.D.: A framework for security assurance of access control enforcement code. Comput. Secur. 29, 770–784 (2010)CrossRefGoogle Scholar
  27. 27.
    Poernomo, I.: The meta-object facility typed, pp. 1845–1849 (2006)Google Scholar
  28. 28.
    Ramirez, A., Vanpeperstraete, P., Rueckert, A., Odutola, K., Bennett, J., Tolke, L., van der Wulp, M.: ArgoUML user manual: a tutorial and reference description (2003)Google Scholar
  29. 29.
    Randolph, N., Gardner, D., Anderson, C., Minutillo, M.: Professional Visual Studio 2010. Wiley, Hoboken (2010)Google Scholar
  30. 30.
    Sandhu, R.S.: Lattice-based access control models. Computer 26, 9–19 (1993)CrossRefGoogle Scholar
  31. 31.
    Sandhu, R.S., Samarati, P.: Access control: principle and practice. IEEE Commun. Mag. 32, 40–48 (1994)CrossRefGoogle Scholar
  32. 32.
    Warmer, J.B., Kleppe, A.G.: The object constraint language: Precise modeling with uml (addison-wesley object technology series) (1998)Google Scholar

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Alberto De la Rosa Algarín
    • 1
  • Steven A. Demurjian
    • 2
  1. 1.Loki Labs IncBaltimoreUSA
  2. 2.Department of Computer Science and EngineeringUniversity of ConnecticutStorrsUSA

Personalised recommendations