Verification of Authorization Policies Modified by Delegation

Author: Marina Egea, Fabian Büttner
Year of publication: 2014
Subject:
Source: Engineering Secure Future Internet Services and Systems ISBN: 9783319074511
DOI: 10.1007/978-3-319-07452-8_12
Description: Delegation is widely used in large organizations where access to systems needs to be controlled and often depends on the role of a user within the organization. Delegation allows access rights to be granted under certain, often temporal, conditions. Usually, a delegation policy specifies the authority to delegate, and an administrative delegation operation performs the changes in the authorization policy accordingly. Unfortunately, the consequences of these changes are not checked in common practice before delegation is ‘in-effect.’ In this work, we present a systematic, automated approach to verify, before the actual enforcement in the system, whether a subject has the right to perform delegation, and that this delegation will not introduce Separation of Duties (SoD) conflicts. We implement the delegation operation as an ATL transformation and apply our previous work on automatic transformation verification to check an authorization policy that is modified by a delegation policy. Our approach allows us to check, following an automated process: i) that delegation is only performed when the conditions for legitimate delegation, which we formalize using OCL, hold; ii) that the output of our transformation is always a valid authorization policy when it is obtained by executing the delegation operation using as input a valid authorization and delegation policy; iii) the absence of SoD conflicts in the resulting authorization policy, for which we provide patterns that can be instantiated following the policy’s rules, as we illustrate.
Database: OpenAIRE