Role-Based Access Control Using Knowledge Acquisition in Automated Specification
Laen...
Failid
Kuupäev
Autorid
Ajakirja pealkiri
Ajakirja ISSN
Köite pealkiri
Kirjastaja
Tartu Ülikool
Abstrakt
Turvalisust peetakse infosüsteemide üheks aspektiks. RBAC on lähenemine, mis piirab süsteemi ligipääsu ainult autoriseeritud kasutajatele infosüsteemides. Olemasolevad turvalisusmudelite keeled või lähenemised adresseerivad IS-i turvalisust, kuigi olemasolevad keeled või lähenemised tingimata ei kohandu RBAC-i vajadustele. On olemas mitmeid modelleerimiskeeli (nt SecureUML, UMLSec, jne) mis esindavad RBAC-i, kuid nad ei ole koosvõimelised (raske selgitada) ning neid ei ole lihtne võrrelda omavahel. Iga modelleerimiskeel esindab erinevaid perspektiive informatsioonisüsteemides. Pealegi on vajadus ühendada disain ja nõudestaadiumid selleks, et avastada süsteemi turvalisusprobleemid ja analüüsida seotud turvalisuskompromisse varasemates staadiumites. KAOS on eesmärgipõhine nõue tehnikavaatenurgast, et paika panna tarkvara nõuded. Sellel hetkel, KAOS on tulevikus võtmelahendus selleks, et kombineerida nõuded disainipõhimõtetega.
Selles teesis me analüüsime KAOS-e võimet kohaneda RBAC-ile. Täpsemalt, me kasutame süstemaatilist lähenemist selleks, et aru saada kuidas KAOS-t on võimalik kasutada nii, et see kohanduks RBAC-ile. Meie uurimistöö põhineb transformatsioonireeglitel KAOS-SecureUML-i ja KAOS-UMLSec-i vahel. Pealegi, läbi nende muutuste näitame me kuidas sobitasime KAOS-e RBAC-ile.
Selle uurimistöö esitamisel on mitmeid kasutegureid. Esiteks, see aitab potentsiaalselt mõista kuidas KAOS toimib koos RBAC-iga. Teiseks, see defineerib lähenemise välja meelitada turvanõuetele IS-i varajastes arendusfaasides RBAC-i jaoks. See rakendab meie tulemused juhtumuuringus selleks, et mõõta määratletud lähenemise õigsust. Kolmandaks, see transformatsioon KAOS-est/KAOS-eni aitaks IS arendajaid ja teistel süsteemi osanikel (nt süsteemianalüütikuid, süsteemi administraatoreid jne) mõista kui tähtsad need turvalisuslähenemised on ja millistel on rohkem eeliseid/puudusi. Me planeerime kehtestada oma tulemused selleks, et reegleid ja modeleid muuta olenevalt nende õigsust, mida mõõdetakse. Viimaseks, me oleme võimelised õigustama oma disainistaadiumit nõudmise staadiumiga.
Security is considered to be an aspect of information systems. Role-based access control (RBAC) is an approach to restricting system access to authorized users in information systems. Existing security modeling languages and/or approaches address the security of the IS, however existing languages or approaches do not necessarily conforms to the needs of RBAC. There are several modeling languages (e.g. SecureUML, UMLSec, etc.) to represent RBAC but they are not interoperable and it is not easy to compare one with another. Each modeling language represents different perspectives on information systems. Besides, there is a need to merge design and requirement stages in order to discover system security concerns and analyze related security trade-offs at the earlier stages. Knowledge acquisition in automated specification (KAOS) is a goal oriented requirement engineering approach to elicit software requirements. In this point, KAOS will be a key solution in order to combine requirements with design principles. In this thesis, we will analyze KAOS to apply RBAC. More specifically, we will apply a systematic approach to understand how KAOS can be used to apply RBAC. Our research work will be based on the transformation rules between KAOS-SecureUML and KAOS-UMLSec, and vice versa. Moreover, through these transformations we will show how we aligned KAOS to RBAC. The contribution of this research has several benefits. Firstly, it will potentially help to understand how KAOS could deal with RBAC. Secondly it will define the approach to elicit security requirements for RBAC at early stages of the IS development. This will apply our results in a case study to measure the correctness of the defined approach. Thirdly, the transformations from/to the KAOS would help IS developers and the other system stakeholders (e.g. system analysts, system administrators, etc.) to understand how important these security approaches (KAOS, SecureUML and UMLSec) are and which one has more advantages/disadvantages. We plan to validate our results for transformation rules and the models regarding their correctness that will be measured. Last but not least, we will be able to justify the design stage with requirement stage.
Security is considered to be an aspect of information systems. Role-based access control (RBAC) is an approach to restricting system access to authorized users in information systems. Existing security modeling languages and/or approaches address the security of the IS, however existing languages or approaches do not necessarily conforms to the needs of RBAC. There are several modeling languages (e.g. SecureUML, UMLSec, etc.) to represent RBAC but they are not interoperable and it is not easy to compare one with another. Each modeling language represents different perspectives on information systems. Besides, there is a need to merge design and requirement stages in order to discover system security concerns and analyze related security trade-offs at the earlier stages. Knowledge acquisition in automated specification (KAOS) is a goal oriented requirement engineering approach to elicit software requirements. In this point, KAOS will be a key solution in order to combine requirements with design principles. In this thesis, we will analyze KAOS to apply RBAC. More specifically, we will apply a systematic approach to understand how KAOS can be used to apply RBAC. Our research work will be based on the transformation rules between KAOS-SecureUML and KAOS-UMLSec, and vice versa. Moreover, through these transformations we will show how we aligned KAOS to RBAC. The contribution of this research has several benefits. Firstly, it will potentially help to understand how KAOS could deal with RBAC. Secondly it will define the approach to elicit security requirements for RBAC at early stages of the IS development. This will apply our results in a case study to measure the correctness of the defined approach. Thirdly, the transformations from/to the KAOS would help IS developers and the other system stakeholders (e.g. system analysts, system administrators, etc.) to understand how important these security approaches (KAOS, SecureUML and UMLSec) are and which one has more advantages/disadvantages. We plan to validate our results for transformation rules and the models regarding their correctness that will be measured. Last but not least, we will be able to justify the design stage with requirement stage.