Abstract
In order to develop trustworthy information systems, security aspects should be considered from the early project stages. This is particularly true for authorization and access control services, which decide which users can access which parts of the system and in what ways. Software patterns have been used with success to encapsulate best practices in software design. A good collection of patterns is an invaluable aid in designing new systems by inexperienced developers and is also useful to teach and understand difficult problems. Following in this direction, this paper presents a pattern system to describe authorization and access control models. First, we present a set of patterns that include a basic authorization pattern that is the basis for patterns for the well-established discretionary and role-based access control models. Metadata access control models have appeared recently to address the high flexibility requirements of open, heterogeneous systems, such as enterprise or e-commerce portals. These models are complex and we use the basic patterns to develop a set of patterns for metadata-based access control.
Chapter PDF
Similar content being viewed by others
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
References
Adam, N.R., Atluri, V., Bertino, E., Ferrari, E.: A Content-based Authorization Model for Digital Libraries. In: IEEE Transactions on Knowledge and Data Engineering, Volume 14, Number 2, March/April 2002.
Biskup, J.: Credential-basierte Zugriffskontrolle: Wurzeln und ein Ausblick. In: 32. Jahrestagung der Gesellschaft für Informatik e.v. (GI), Dortmund, September/October 2002, S. 423–428.
Brown, F., DiVietri, J., de Villegas, G.D., Fernandez, E.B.: The Authenticator Pattern. In: Proc. 6th Conference on Pattern Languages of Programs (PLoP 1999), Urbana, IL, USA, 1999.
Brown, W.J., McCormick III, H.W., Thomas, S.W.: Anti Patterns and Patterns in Software Configuration Management. Wiley, New York, 1999.
Braga, A.M., Rubira C.M.F., Dahab, R.: Tropyc: A Pattern Language for Cryptographic Software. In: Proc. 5th Conference on Pattern Languages of Programs (PLoP 1998), Monticello, IL, USA, 1998.
Buschmann, F., Meunier, R., Rohnert, H., Sommerlad, P., Stal, M.: Pattern Oriented Software Architecture: a System of Patterns. Wiley, Chichester 1996.
Castano, S., Fugini, M., Martella, G., Samarati P.: Database Security. ACM Press, 1994.
Clark, D. and Wilson, D.: A Comparison of Commercial and Military Computer Security Policies. In: Proc. IEEE Symposium on Security and Privacy, Oakland, April 1987.
Dittrich, K.R., Hartig, M., Pfefferle, H.: Discretionary Access Control in Structurally Object-oriented Satabase Systems. In C.E Landwehr (Ed.): Database Security II: Status and Prospects, Esevier Science Publishers B.V. (North-Holland), 1989.
Dridi, F., Fischer, M., Pernul, G.: CSAP-An Adaptable Security Module for the e Government System Webocrat. In: Proc. of the 18th IFIP International Information Security Conference (SEC 2003), Athens, Greece, Mai 2003.
Dridi, F., Muschall, B., Pernul, G.: Administration of an RBAC System. In: Proc. Hawaii International Conference on System Sciences (HICSS-37), Waikoloa Village, Big Island, Hawaii, USA, Januar 2004.
Essmayr, W., Pernul, G., Tjoa, A.M.: Access Controls by Object-oriented Concepts. In: Proc. of 11th IFIP WG 11.3 Working Conf. on Database Security, August 1997.
Ferraiolo, D.F., Kuhn, D.R., Chadramouli, R.: Role-based Access Control. Artech House, Boston et al., 2003.
Ferraiolo, D.F., Sandhu, R., Gavrila, S., Kuhn, D., and Chandramouli, R.: Proposed NIST Standard for Role-based Access Control. In: ACM Transactions on Information and Systems Security, Volume 4, Number 3, August 2001.
Ferrari, E., Adam, N.R., Atluri, V., Bertino, E., Capuozzo, U.: An Authorization System for Digital Libraries. In: VLDB Journal, Volume 11, Number 1, 2002.
Fernandez, E.B., Pan, R.: A pattern language for security models. In: Proc. 8th Conference on Pattern Languages of Programs (PLoP 2001), Monticello, IL, USA, September 2001.
Fernandez, E.B., Larrondo-Petrie, M.M., Gudes, E.: A method-based authorization model for object-oriented databases. In: Proc. of the OOPSLA 1993 Workshop on Security in Object-oriented Systems, Washington, DC, USA, October 1993, pp. 70–79.
Fernandez, E.B.: Patterns for Operating Systems Access Control. In: Proc. 9th Conference on Pattern Languages of Programs (PLoP 2002), Monticello, IL, USA, 2002.
Fernandez, E.B.: Layers and non-functional patterns. In: Proc. of Chili PLoP 2003, Phoenix, AZ, USA, March 2003.
Fernandez, E.B., Thomsen, M., Fernandez, M.H.: Comparing the security architectures of Sun ONE and Microsoft. NET, Chapter 9 in Bellettini, C., Fugini, M.G. (Eds.): Information Security Policies and Actions in Modern Integrated Systems, Idea Group Publishing, 2004, pp. 317–330.
Fowler, M.: Analysis Patterns: Reusable Object Models. Addison-Wesley-Longman, Reading, MA, USA, 1997.
Gamma, E., Helm, R., Johnson, R., Vlissides, J.: Design Patterns: Elements of Reusable Object-Oriented Software. Addison-Wesley-Longman, New York 1995.
Georg, G., France, R., Ray, I.: An Aspect-Based Approach to Modeling Security Concerns. In: Proceedings of the Workshop on Critical Systems Development with UML, Dresden, Germany, September 2002.
Hays, V., Loutrel, M., Fernandez, E.B.: The Object Filter and Access Control Framework. In: Proc. 7th Conference on Pattern Languages of Programs (PLoP 2000), Monticello, IL, USA.
N.N.: X.509: The Directory-Public Key and Attribute Certificate Frameworks. ITU-T Recommendation, 2000.
LaMacchia, B.A., Lange, S., Lyons, M., Martin, R., Price, K.T.: NET framework security. Addison-Wesley, 2002.
Pernul, G.: Database Security. In: Yovits, M. C. (Eds.): Advances in Computers, Vol. 38. Academic Press, San Diego et al., 1994, pp. 1–74.
Priebe, T., Pernul, G.: Towards Integrative Enterprise Knowledge Portals. In: Proc. of the Twelfth International Conference on Information and Knowledge Management (CIKM 2003), New Orleans, LA, USA, November 2003.
Ray, I., Li, N., Kim, D., France, R.: Using Parameterized UML to Specify and Compose Access Control Models, In: Proceedings of the 6th IFIP WG 11.5 Working Conference on Integrity and Internal Control in Information Systems, Lausanne, Switzerland, November 2003.
Schumacher, M.: Security Engineering with Patterns: Origins, Theoretical Model and New Applications. Springer, Berlin 2003.
Schumacher, M., Fernandez, E.B., Hybertson, D., Buschmann, F. (Eds.): Security Patterns. Wiley, 2004 (to appear).
Yoder, J., Barcalow, J.: Architectural Patterns for Enabling Application Security. In: Proc. 4th Conference on Pattern Languages of Programs (PLoP 1997), Monticello, IL, USA, 1997.
N.N.: Resource Description Framework (RDF) Model and Syntax Specification. W3C Recommendation, 1999. http://www.w3.org/TR/l999/REC-rdf-syntax-19990222/
N.N.: The Platform for Privacy Preferences 1.0 (P3P1.0) Specification. W3C Recommendation, 2002. http://www.w3.org/TR/2002/REC-P3P-20020416/
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2004 Springer Science + Business Media, Inc.
About this paper
Cite this paper
Priebe, T., Fernandez, E.B., Mehlau, J.I., Pernul, G. (2004). A Pattern System for Access Control. In: Farkas, C., Samarati, P. (eds) Research Directions in Data and Applications Security XVIII. IFIP International Federation for Information Processing, vol 144. Springer, Boston, MA. https://doi.org/10.1007/1-4020-8128-6_16
Download citation
DOI: https://doi.org/10.1007/1-4020-8128-6_16
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4020-8127-9
Online ISBN: 978-1-4020-8128-6
eBook Packages: Springer Book Archive