Comprehensive Two-Level Analysis of Static and Dynamic RBAC Constraints with UML and OCL

Organizations with stringent security requirements like banks or hospitals frequently adopt role-based access control (RBAC) principles to simplify their internal permission management. Authorization constraints represent a fundamental advanced RBAC concept enabling precise restrictions on access rights. Thereby, the complexity of the resulting security policies increases so that tool support for comfortable creation and adequate validation is required. We propose a new approach to developing and analyzing RBAC policies using UML for modeling RBAC core concepts and OCL to realize authorization constraints. Dynamic (i. e., time-dependent) constraints, their visual representation in UML and their analysis are of special interest. The approach results in a domain-specific language for RBAC which is highly configurable and extendable with respect to new RBAC concepts and classes of authorization constraints and allows the developer to validate RBAC policies in an effective way. The approach is supported by a UML and OCL validation tool.