Extending the UML Standards to Model Tree-Structured Data and Their Access Control Requirements
Keywords: Unified Modeling Language, Resource Description Framework, Security Policy, Access Control Model, Clinical Document Architecture
This paper proposes extensions to the Unified Modeling Language (UML) [2, 15] standard with new constructs that achieve a two-fold objective. The first objective supports the modeling of tree-structured data and schemas with new UML diagrams to allow generalized design from which target schemas/instances in XML, JSON, RDF, etc., can be generated. The second objective supports the definition of new UML diagrams for role-based access control (RBAC), lattice-based access control (LBAC), and discretionary access control (DAC) over tree-structured schemas and their instances. The end result is the ability to model tree-structured schemas at a generalized level, including their access control, thereby elevating secure information design to a first-class citizen of the software engineering process. By tackling the problem from the perspective of tree-structured schemas, any document format that is represented by such a structure (e.g. XML, specialized JSON structures, RDF, OWL, etc.) can be modeled, secured and safely shared. This effectively provides separation of concerns between information modeling and RBAC, LBAC, and DAC: the information model itself and its security requirements are each defined in their own software process phase.
The remainder of this paper is organized as follows: Sect. 2 provides background knowledge on UML utilized in the paper. Section 3 details the initial set of UML extensions for tree-structured data. Section 4 builds on this initial set of extensions and on the need for RBAC, LBAC and DAC support by presenting diagram extensions that allow a security engineer to define access control requirements on tree-structured data. Section 5 presents the automated strategy utilized to generate enforcement policies from the proposed UML diagrams. Section 6 discusses related work. Section 7 concludes the paper.
UML is a general-purpose modeling language for object-oriented systems [15, 32]. Currently managed by the Object Management Group (OMG), UML can be used throughout the software development cycle by combining data, business and object modeling. Its visual notation reduces misinterpretation and simplifies communication of domain requirements. However, while UML can be utilized to define security requirements, the UML standard lacks diagrams dedicated to access control models (RBAC, LBAC, and DAC, in our interest) that would allow security requirements to be defined in new security UML diagrams integrating seamlessly with the UML model and the unified design process. This is particularly true for domains such as healthcare, where the information to be utilized is private and often governed by legal constructs that assure its proper use and dissemination [1, 3, 4].
3 Extending UML with New Diagrams for Tree-Structured Schemas
This section supports the modeling of tree-structured data and schemas by extending UML with new UML diagrams that allow generalized design from which target schemas/instances in XML, JSON, RDF, etc., can be generated. The presentation is in two parts. First, this section introduces the new UML Document Schema Class Diagram (DSCD), a UML extension that can handle any tree-structured schema to model the data and realize the instance. Second, the DSCD is demonstrated at an instance level utilizing the HL7 CDA schema, a specialization of a tree-structured document whose structure can be represented with the UML DSCD modeling construct called the UML Profile.
Table 1. Specialized UML profile for tree-structured documents to DSCD with XML cases.
While it is possible to utilize the UML profile to represent an entire schema as a UML package, we have instead chosen to represent each schema as a tree of stereotyped classes. This approach was chosen in order to capture the hierarchical structure of a schema as a series of related classes. Table 1 has three columns: the first column lists the features of a tree-structured document, the second column defines the corresponding XML equivalents of these features, and the third column transitions the second column into the equivalent UML profile concept. In the first row of Table 1, a general element in the tree-structured document is equivalent to an XML element ( xsd:element ) and is realized as a UML class; the second row maps the element name to a UML class name. In the third row of Table 1, an element attribute in the tree-structured document is equivalent to a generic attribute in XML, which is mapped to a «stereotyped» attribute in UML. The fourth row corresponds to a parent-child relationship at the schema level that identifies a tree and its subtrees, which in XML is observed as nested elements and is represented as a UML dependency relationship in the DSCD. The fifth row of Table 1 describes complex elements (those that are built out of many sub-elements), which in XML are denoted as xsd:complexType and in the DSCD are denoted as a UML class with the «complexType» stereotype. The sixth row covers a similar case, sequences or lists of elements, which in XML are denoted as xsd:sequence and in the DSCD are denoted as a UML class with the «sequence» stereotype. Aggregation of attributes is handled in the seventh row of Table 1 and is represented as xsd:attributeGroup in XML and as a UML class with the «attributeGroup» stereotype in the DSCD. In the eighth row of Table 1, groups of elements in a tree-structured document are equivalent to an XML xsd:group node and are represented as a UML class with the «group» stereotype in the DSCD.
The ninth row of Table 1 handles acceptable or allowable values for elements, which in XML are usually the maxOccurs and minOccurs constraint attributes of an XML element, realized as a «constraint» stereotyped class member in the DSCD. In the tenth row of Table 1, indirect references allow elements of a tree-structured document to be associated with one another, which in XML is a ref attribute on an element and is represented as a «ref» class member from the UML profile in the DSCD. Lastly, in the eleventh row of Table 1, for tree-structured documents, the parent-child relationship between non-named elements corresponds to non-named elements in XML (e.g., xsd:complexType , xsd:attributeGroup , etc.) and is represented with a UML directed association relationship between classes in the DSCD. Note that by using the mappings in Table 1 it is possible to develop an algorithm that operates over an XML schema to generate the DSCD equivalent in UML. Note also that other versions of Table 1 would be needed for other data formats (e.g., JSON, RDF, etc.), where the second column of the table would be replaced with the relevant model constructs of that format.
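The algorithm sketched in the last paragraph, walking an XML schema and emitting DSCD classes according to the rows of Table 1, can be written in a few dozen lines. The following is an added example and not the paper's own tool: it parses a small constructed XSD fragment (a patient record, invented for illustration), assigns the «complexType», «sequence», «attributeGroup» and «group» stereotypes of rows 5-8, records «attribute», «constraint» and «ref» members (rows 3, 9, 10), and distinguishes the dependency of row 4 (named child) from the directed association of row 11 (anonymous child). The `to_plantuml` renderer and the generated names for anonymous nodes are assumptions of this example, not notation from the paper.

```python
"""Added example (not from the paper): map an XML Schema onto the DSCD
stereotypes of Table 1.  The schema below is constructed for illustration."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional

XSD = "{http://www.w3.org/2001/XMLSchema}"

# Constructed sample schema: a small clinical record fragment (not HL7 CDA).
SAMPLE_XSD = """<?xml version="1.0"?>
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <xsd:attributeGroup name="idAttrs">
    <xsd:attribute name="id" type="xsd:string"/>
  </xsd:attributeGroup>
  <xsd:group name="nameParts">
    <xsd:sequence>
      <xsd:element name="given" type="xsd:string"/>
      <xsd:element name="family" type="xsd:string"/>
    </xsd:sequence>
  </xsd:group>
  <xsd:element name="patient">
    <xsd:complexType>
      <xsd:sequence>
        <xsd:element name="name" minOccurs="1" maxOccurs="1">
          <xsd:complexType><xsd:group ref="nameParts"/></xsd:complexType>
        </xsd:element>
        <xsd:element name="diagnosis" type="xsd:string" minOccurs="0" maxOccurs="unbounded"/>
      </xsd:sequence>
      <xsd:attributeGroup ref="idAttrs"/>
      <xsd:attribute name="gender" type="xsd:string"/>
    </xsd:complexType>
  </xsd:element>
</xsd:schema>
"""

# Table 1 rows 5-8: XSD construct -> UML class stereotype.
STEREOTYPES = {"complexType": "complexType", "sequence": "sequence",
               "attributeGroup": "attributeGroup", "group": "group"}

@dataclass
class DscdClass:
    name: str                                        # row 2: class name
    stereotype: Optional[str]                        # None for a plain element (row 1)
    attributes: List[str] = field(default_factory=list)    # row 3: «attribute» members
    constraints: List[str] = field(default_factory=list)   # row 9: «constraint» members
    refs: List[str] = field(default_factory=list)          # row 10: «ref» members
    dependencies: List[str] = field(default_factory=list)  # row 4: named children
    associations: List[str] = field(default_factory=list)  # row 11: anonymous children

def build_dscd(xsd_text: str) -> Dict[str, DscdClass]:
    """Walk the schema tree and produce one DscdClass per element/type node."""
    classes: Dict[str, DscdClass] = {}
    counter = [0]  # used to name anonymous nodes (naming scheme is assumed)

    def visit(node, parent):
        tag = node.tag.replace(XSD, "")
        if tag == "schema":
            for child in node:
                visit(child, None)
            return
        if "ref" in node.attrib:                      # row 10: indirect reference
            parent.refs.append(f"{tag}:{node.get('ref')}")
            return
        if tag == "attribute":                        # row 3: element attribute
            parent.attributes.append(node.get("name"))
            return
        name = node.get("name")
        if name is None:                              # anonymous complexType/sequence
            counter[0] += 1
            name = f"{parent.name}_{tag}{counter[0]}"
        cls = DscdClass(name, STEREOTYPES.get(tag))
        for occ in ("minOccurs", "maxOccurs"):        # row 9: occurrence constraints
            if occ in node.attrib:
                cls.constraints.append(f"{occ}={node.get(occ)}")
        classes[name] = cls
        if parent is not None:
            (parent.dependencies if node.get("name") else parent.associations).append(name)
        for child in node:
            visit(child, cls)

    visit(ET.fromstring(xsd_text), None)
    return classes

def to_plantuml(classes: Dict[str, DscdClass]) -> str:
    """Render the DSCD as PlantUML: '..>' for row-4 dependency, '-->' for row-11 association."""
    lines = ["@startuml"]
    for c in classes.values():
        lines.append(f'class "{c.name}"' + (f" <<{c.stereotype}>>" if c.stereotype else "") + " {")
        lines += [f"  <<attribute>> {a}" for a in c.attributes]
        lines += [f"  <<constraint>> {k}" for k in c.constraints]
        lines += [f"  <<ref>> {r}" for r in c.refs]
        lines.append("}")
    for c in classes.values():
        lines += [f"{c.name} ..> {d}" for d in c.dependencies]
        lines += [f"{c.name} --> {a}" for a in c.associations]
    lines.append("@enduml")
    return "\n".join(lines)

if __name__ == "__main__":
    print(to_plantuml(build_dscd(SAMPLE_XSD)))
```

The walk is a single pre-order traversal, so the generated diagram preserves the nesting order of the schema; adding a JSON Schema or RDF front end, as the paragraph above anticipates, would only require replacing the `STEREOTYPES` map and the tag checks in `visit`.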
4 Extending UML Extensions to Model RBAC, LBAC, and DAC of Tree-Structured Schemas
This section presents a set of new UML diagrams for role-based access control (RBAC), lattice-based access control (LBAC), and discretionary access control (DAC) over tree-structured schemas and their instances. This is accomplished by detailing a UML standard extension via a metamodel built on top of the foundation of the security model in Sect. 3. UML provides a large variety of diagrams for the visualization of different software requirements: class, component, deployment, activity, use-case, state-machine, communication, sequence, etc. The work presented in this section leverages earlier work that extended UML with new diagrams for RBAC, MAC, and DAC capabilities from an object-oriented perspective. The extensions presented in this section are achieved via the UML Meta-Object Facility (MOF), which allows the extension of the modeling language with several degrees of formality, as reviewed in Sect. 2.
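To make concrete what one of these diagrams carries, and how it can be lowered to the XACML enforcement policies the paper describes generating in Sect. 5, here is an added example that is not the paper's code: a Document Role-Slice is represented as a dictionary from role to permitted document nodes and operations, turned into an XACML 3.0 policy with one Permit rule per (role, node, operation), and checked by a minimal deny-unless-permit decision function. The `ROLE_SLICE` contents, the node paths and the role names are constructed; the in-memory representation of the role slice is an assumption of this example, while the namespace, combining-algorithm and attribute identifiers are the standard XACML 3.0 and RBAC-profile URNs.

```python
"""Added example (not the paper's code): lower a Document Role-Slice into an
XACML 3.0 policy and evaluate requests against it."""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
DENY_UNLESS_PERMIT = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit"
# (category, attribute id) for the subject's role, the resource and the action.
ROLE = ("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
        "urn:oasis:names:tc:xacml:2.0:subject:role")
RESOURCE = ("urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
            "urn:oasis:names:tc:xacml:1.0:resource:resource-id")
ACTION = ("urn:oasis:names:tc:xacml:3.0:attribute-category:action",
          "urn:oasis:names:tc:xacml:1.0:action:action-id")

# Constructed role slice: role -> {document node path: allowed operations}.
# Node paths follow the parent/child chain of the schema, written XPath-style.
ROLE_SLICE = {
    "physician": {"/patient/name": {"read"}, "/patient/diagnosis": {"read", "write"}},
    "billing_clerk": {"/patient/name": {"read"}},
}

def q(tag):
    """Qualify a tag with the XACML 3.0 namespace."""
    return f"{{{XACML_NS}}}{tag}"

def _match(allof, value, designator):
    """Append one <Match> comparing a request attribute to a literal value."""
    category, attr_id = designator
    m = ET.SubElement(allof, q("Match"), MatchId=STRING_EQUAL)
    ET.SubElement(m, q("AttributeValue"), DataType=STRING).text = value
    ET.SubElement(m, q("AttributeDesignator"), Category=category, AttributeId=attr_id,
                  DataType=STRING, MustBePresent="true")

def role_slice_to_xacml(role_slice, policy_id="document-role-slice"):
    """One Permit rule per (role, node, operation); anything else falls to Deny."""
    ET.register_namespace("", XACML_NS)
    policy = ET.Element(q("Policy"), PolicyId=policy_id, Version="1.0",
                        RuleCombiningAlgId=DENY_UNLESS_PERMIT)
    ET.SubElement(policy, q("Target"))  # empty target: the policy applies to every request
    n = 0
    for role, nodes in role_slice.items():
        for path, ops in nodes.items():
            for op in sorted(ops):
                n += 1
                rule = ET.SubElement(policy, q("Rule"), RuleId=f"rule-{n}", Effect="Permit")
                anyof = ET.SubElement(ET.SubElement(rule, q("Target")), q("AnyOf"))
                allof = ET.SubElement(anyof, q("AllOf"))
                _match(allof, role, ROLE)
                _match(allof, path, RESOURCE)
                _match(allof, op, ACTION)
    return ET.tostring(policy, encoding="unicode")

def request(role, path, action):
    """Build a flat request: attribute id -> value."""
    return {ROLE[1]: role, RESOURCE[1]: path, ACTION[1]: action}

def evaluate(policy_xml, req):
    """Minimal PDP for the generated policy: Permit if any rule's AllOf matches, else Deny."""
    root = ET.fromstring(policy_xml)
    for rule in root.findall(q("Rule")):
        for allof in rule.iter(q("AllOf")):
            if all(req.get(m.find(q("AttributeDesignator")).get("AttributeId"))
                   == m.find(q("AttributeValue")).text
                   for m in allof.findall(q("Match"))):
                return rule.get("Effect")
    return "Deny"  # deny-unless-permit

if __name__ == "__main__":
    xacml = role_slice_to_xacml(ROLE_SLICE)
    print(xacml)
    print(evaluate(xacml, request("physician", "/patient/diagnosis", "write")))
```

Because the role slice names document nodes rather than methods, a write to a node the role never lists (the billing clerk writing `/patient/name`) is denied without any explicit Deny rule, which is the property the deny-unless-permit combining algorithm gives the generated policy.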
5 Generating Enforcement Policies from UML Extensions to XACML
6 Related Work
There have been attempts to provide design-level security for tree-structured data in the past, though the majority of the efforts focus on securing document formats such as XML in real-life scenarios. For example, presents an access control system that embeds the definition and enforcement of the security policies in the structure of the XML DTD and documents in order to provide customizable security. This is similar to our work in that security policies act both at a descriptive level of the XML instances and on the XML instances themselves, but differs in its use of the outdated XML DTDs and in embedding the security policies into the XML instance, which makes security updates costly (recall Sect. 1). Another effort by details a model that tries to combine the two discussed methodologies to provide security to XML datasets with three security attributes (access, condition and dirty), with changes propagated to both the XML schema and its instances. This is similar to our work at the XACML policy level, but differs in that we also take XML document writing into consideration; their XPath-based design only allows reads.
In terms of applying approaches similar to the one presented in this paper, but to the functional aspects of a software system, the work in provides the most influential effort for the research presented in this paper by extending UML to represent RBAC and DAC via the introduction of the Role Slice Diagram, the User Diagram, the Delegation Diagram, and MAC extensions coupled with a Secure Subsystem Diagram. The work in aims to provide security for the functional aspects of a software component, down to the granularity of methods in classes (in contrast, our work aims to provide the same level of security assurance for the information/data aspect of the software). To achieve this, the Secure Subsystem Diagram presented by denotes the subset of an application's overall classes and methods that are restricted and require permissions to be in place for authorized users. The Role Slice Diagram, similar to the Document Role Slice in this paper, denotes RBAC policies from a role perspective. From an enforcement perspective, once defined, the diagrams are utilized to generate aspect-oriented enforcement code in AspectJ that verifies, at runtime, whether the active user has a role with permissions over the protected method and grants or denies access accordingly.
Information modeling is focused on representing, using, and exchanging data in large-scale applications or system-to-system interoperability. The work presented in this paper is a comprehensive approach that enables the modeling of tree-structured schemas in UML together with the modeling of access control requirements (RBAC, LBAC, DAC) on said data for implementation solutions such as XML, JSON, and RDF. Two main contributions were presented in the paper. The first contribution, in Sect. 3, supported the modeling of tree-structured data and schemas with the proposal of a new UML Document Schema Class Diagram (DSCD) that allowed generalized design from which target schemas/instances in XML, JSON, RDF, etc., can be generated. The second contribution, in Sect. 4, proposed new UML diagrams for RBAC, LBAC, and DAC via the Secure Information Diagram (SID), the Document Role-Slice Diagram (DRSD), the LBAC Secure Information Diagram (LSID), the User Diagram (UD), the Delegation Diagram (DD), and the Authorization Diagram (AD). The combination of the DSCD in Sect. 3 with the security diagrams presented in Sect. 4 allowed the automatic generation of enforcement code via XACML as presented in Sect. 5. The end result is an underlying information security model that abstracts away from specific document formats and considers their most basic form as tree-structured containers while supporting access control capabilities as an integrated solution, and that exposes this comprehensive information security model through new UML diagrams capable of modeling tree-structured schemas and their associated RBAC, LBAC, and DAC.
- 1. HITECH act enforcement interim final rule (2014). http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html
- 2. UML ISO standard. Object Management Group (2014). http://www.omg.org/spec/UML/
- 4. Baumer, D., Earp, J.B., Payton, F.C.: Privacy of medical records: IT implications of HIPAA, pp. 137–152 (2006)
- 5. Bernauer, M., Kappel, G., Kramler, G.: Representing XML schema in UML – a comparison of approaches, pp. 767–769 (2004)
- 6. Bernauer, M., Kappel, G., Kramler, G.: Representing XML schema in UML – an UML profile for XML schema (2003)
- 7. Boudreau, T., Glick, J., Greene, S., Spurlin, V., Woehr, J.J.: NetBeans: The Definitive Guide. O'Reilly Media Inc., Sebastopol (2002)
- 8. Bray, T., Paoli, J., Sperberg-McQueen, C.M., Maler, E., Yergeau, F.: Extensible markup language (XML) (1998)
- 9. Crockford, D.: JSON: the fat-free alternative to XML (2006)
- 15. Fowler, M.: UML Distilled: A Brief Guide to the Standard Object Modeling Language. Addison-Wesley Professional, Boston (2004)
- 16. Guideline, M.: Model minimum uniform crash criteria. 811, 631 (2012)
- 17. Klyne, G., Carroll, J.J., McBride, B.: Resource description framework (RDF): Concepts and abstract syntax. 10 (2004)
- 18. Lee, M., Kim, H., Kim, J., Lee, J.: StarUML 5.0 developer guide (2005)
- 19. McGuinness, D.L., Van Harmelen, F.: OWL web ontology language overview. 10, 10 (2004)
- 20. Merkow, M.: cXML: a new taxonomy for E-commerce (1999)
- 21. Moore, B., Dean, D., Gerber, A., Wagenknecht, G., Vanderheyden, P.: Eclipse development. 379 (2004)
- 22. OFX, Open Financial Exchange Specification
- 23. Ogle, J.H., Alluri, P., Sarasua, W.: MMUCC and MIRE: the role of segmentation in safety analysis (2011)
- 24. Pavlich-Mariscal, J., Michel, L., Demurjian, S.: Enhancing UML to model custom security aspects (2007)
- 25. Pavlich-Mariscal, J.A., Michel, L., Demurjian, S.A.: A formal enforcement framework for role-based access control using aspect-oriented programming. In: Briand, L.C., Williams, C. (eds.) MoDELS 2005. LNCS, vol. 3713, pp. 537–552. Springer, Heidelberg (2005)
- 27. Poernomo, I.: The meta-object facility typed, pp. 1845–1849 (2006)
- 28. Ramirez, A., Vanpeperstraete, P., Rueckert, A., Odutola, K., Bennett, J., Tolke, L., van der Wulp, M.: ArgoUML user manual: a tutorial and reference description (2003)
- 29. Randolph, N., Gardner, D., Anderson, C., Minutillo, M.: Professional Visual Studio 2010. Wiley, Hoboken (2010)
- 32. Warmer, J.B., Kleppe, A.G.: The Object Constraint Language: Precise Modeling with UML (Addison-Wesley Object Technology Series) (1998)