Model-Driven Design and Administration of Access Control in Enterprise Applications
April 2005

Access Control in Enterprise Applications
• Serves as a façade for external authentication, single sign-on, naming and identity services, and user directories
• Managing access control is the key requirement; a role-based model (RBAC) is the natural choice
• Permission checks occur at multiple points: user interface, middleware, data access
• Data filtering based on the access control policy
• Conditional and domain-related policies are common: “Only dedicated agents may access sensitive accounts”
Proprietary and Confidential Exigen Properties, Inc.

The Focus Is the Model…
• The application is modeled as a set of related UML models
• Specific UML profiles are used to model different aspects of the system, including access control
• Application code is generated from the set of related UML models using the MDA approach
• Access control checks at each enforcement point are generated into the code from the Access Control Model
• The Security Policy Administration Model drives the implementation of administration capabilities

Model Driven Architecture Approach
[Diagram, reconstructed from its labels. Vertical axis: “What?” (models) versus “How?” (transformations); horizontal axis: Design Time versus Run Time. The Domain Model (design time) is used by Model Transformation, which creates the Runtime Model; the Runtime Model is used by Code Generation, which generates the Application Code (run time). Model Transformation and Code Generation use the Infrastructure, which is based on the Foundation. Tools: Eclipse, UML, BOM. Foundation: J2EE, JAAS, XACML.]
MDA is between “What?” and “How?”

What is … ?
• Protected Resource
• Data Access Constraint
• Policy Management Model
• Administered Object
• Organizational Structure
• Audit Event
• Actionable Notification
How to … ?
• Enforce Security Policy
• Filter Data
• Control Data Access
• Manage Policy
• Administer Users
• Generate Events
• Record and Monitor Events
• Generate Notifications

“What is … ?” Is Specified by Models
[Diagram, reconstructed from its labels: Business Domain Model, Access Control Model, Monitoring Events Model and Security Administration Model. The Access Control Model protects both the Business Domain Model and the Security Administration Model; the Monitoring Events Model monitors both; the Security Administration Model uses the Access Control Model.]

“How to … ?” Is Specified by Transformations
Source Model                                          Transformation                           Target Model
Business Domain Model                                 Implementation Strategy                  Data Model, Functional Model
Security Administration Model, Access Control Model   Access Control Strategy                  Permissions Model, Constraint Filters Model
Monitoring Model                                      Business Activity Monitoring Strategy    Events Model, Monitors Model

Access Control Transformation
Policy: “Only dedicated agents may access sensitive accounts”
Source Model:
• <<dataObject>> Account: -ID, -dedicatedAgent : Agent
• <<permission>> AccountPermission
• <<constraint>> AccountConstraint
Target Model:
• AccountDO: +getID(), +getDedicatedAgent() : Agent
• AccountDOHelper: +search(), +getFilter(), +getByID()
• <<constraint>> AccountConstraintImpl: +filter()

Security Policy Administration Model
RBAC Administration Model:
• PolicyDomain: -identificator, -resources 0..*, -parent 0..1
• Resource: -path, -name, -children 0..*
• ResourcePermission: -resource, -action [0..*], -conditionName, -positive, -role
• Role: -id, -name, -description, -permissions 0..*, -ascendants 0..*, -descendants 0..*
XACML Implementation Model: XACMLPolicySet, XACMLPolicy, XACMLRule, XACMLTarget

Security Administration Console
[Screenshot of the security administration console; not recoverable from the text.]
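The target side of the Access Control Transformation slide, written out as an added example in Python rather than the generated Java the slides refer to; this is not Exigen's generated code. AccountDO, AccountDOHelper, AccountConstraintImpl and AccountPermission follow the names on the slide; the Agent type, the `sensitive` flag, the role name "agent" and the in-memory store are assumptions made for the demo. What it shows that the slide cannot: both read paths, search() and getByID(), run the same permission check and the same constraint, so the data filter applied to search results cannot be bypassed by fetching a sensitive account through a guessed ID.

```python
"""Added example (not Exigen's generated code): the generated data-access
layer for "Only dedicated agents may access sensitive accounts".
Agent, the `sensitive` flag, the role name and the store are assumptions."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional


class AccessDenied(Exception):
    """Raised by the coarse RBAC check. The fine-grained constraint never
    raises: it filters rows, or hides a single object (see get_by_id)."""


@dataclass(frozen=True)
class Agent:
    id: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class AccountDO:
    """Generated from <<dataObject>> Account: -ID, -dedicatedAgent : Agent."""
    id: str
    dedicated_agent: Agent
    sensitive: bool  # assumption: marks the "sensitive accounts" of the policy

    def get_id(self) -> str:
        return self.id

    def get_dedicated_agent(self) -> Agent:
        return self.dedicated_agent


class AccountPermission:
    """Generated from <<permission>> AccountPermission: the RBAC check that
    every enforcement point runs before touching account data."""
    REQUIRED_ROLE = "agent"  # assumption

    @staticmethod
    def check(subject: Agent, action: str) -> None:
        if AccountPermission.REQUIRED_ROLE not in subject.roles:
            raise AccessDenied(f"{subject.id} may not {action} accounts")


class AccountConstraintImpl:
    """Generated from <<constraint>> AccountConstraint: the domain condition as
    a row predicate. Non-sensitive accounts are unconstrained; sensitive ones
    are visible only to their dedicated agent."""

    def __init__(self, subject: Agent):
        self.subject = subject

    def allows(self, account: AccountDO) -> bool:
        return (not account.sensitive) or account.get_dedicated_agent().id == self.subject.id

    def filter(self, rows: List[AccountDO]) -> List[AccountDO]:
        return [r for r in rows if self.allows(r)]


class AccountDOHelper:
    """Generated data-access helper. Both read paths run the same permission
    check and the same constraint, so the search filter cannot be bypassed by
    asking for a sensitive account by ID."""

    def __init__(self, store: List[AccountDO]):
        self._store = store

    def get_filter(self, subject: Agent) -> AccountConstraintImpl:
        return AccountConstraintImpl(subject)

    def search(self, subject: Agent,
               predicate: Optional[Callable[[AccountDO], bool]] = None) -> List[AccountDO]:
        AccountPermission.check(subject, "read")
        rows = [a for a in self._store if predicate is None or predicate(a)]
        return self.get_filter(subject).filter(rows)  # data filtering after the query

    def get_by_id(self, subject: Agent, account_id: str) -> Optional[AccountDO]:
        AccountPermission.check(subject, "read")
        hit = next((a for a in self._store if a.get_id() == account_id), None)
        # Filtered-out and non-existent look identical to the caller, so the
        # single-object path does not reveal which account IDs exist.
        if hit is None or not self.get_filter(subject).allows(hit):
            return None
        return hit


def sample_store() -> List[AccountDO]:
    """Constructed sample data for the demo (not from the slides)."""
    alice = Agent("alice", frozenset({"agent"}))
    bob = Agent("bob", frozenset({"agent"}))
    return [
        AccountDO("A-1", alice, sensitive=False),
        AccountDO("A-2", alice, sensitive=True),
        AccountDO("A-3", bob, sensitive=True),
    ]
```

With the constructed store, alice's search returns A-1 and A-2, bob's returns A-1 and A-3, and bob's get_by_id("A-2") returns None exactly as a lookup of a non-existent ID would. Returning None for both cases, instead of raising on the denied one, is a deliberate choice: an AccessDenied on the by-ID path would tell an attacker which sensitive accounts exist.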
Working Together at Runtime
[Diagram, reconstructed from its labels: the Admin uses the Security Administration Console, built from the Security Administration Model, to manage the XACMLPolicy; the Application User uses the Application, built from the Business Domain Model. The Access Control Model is applied to protect both the console and the application, and the Monitoring Events Model monitors both, feeding Activity Monitoring.]

Where We Are
• Permission checks are generated in the application code
• Data filtering is generated, along with the interface for filter implementations
• The security policy is applied uniformly to the application and to the security administration console
• The user interface for security administration is based on the model

Lessons Learned
+ Developers of vertical solutions do not implement security-related code
+ The model provides good visibility and reduces perceived complexity
+ Policy is applied uniformly to multiple tiers of the application
- A “Hello World” application is close to impossible
- Code generation takes time
- Generated code looks bad and is hard to debug
- Extra artifacts in development

What Is Next?
• XACML policy generation
• Code generation for the security administration console
• Developing model transformations as models
• Defining meta-models as formal languages
• Formal proof of model correctness
• Unit test generation
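The RBAC Administration Model of the Security Policy Administration Model slide rendered as the XACML Implementation Model, i.e. the “XACML policy generation” item listed under What Is Next, as an added example in Python that is not Exigen's generator. The mapping choices are assumptions: one XACML 2.0 Policy per Role (targeted on the standard role subject attribute), one Rule per ResourcePermission, a Role's effective permissions include those of its descendant (junior) roles and the hierarchy is flattened into the Policy rather than expressed with PolicySetIdReference, a negative permission becomes a Deny rule under deny-overrides, and a conditionName becomes a Condition comparing the subject-id with a resource attribute of that name under a made-up `urn:example:resource:` prefix. The sample model is constructed for the demo; it encodes the slides' “only dedicated agents may access sensitive accounts” as a conditional read permission.

```python
"""Added example (not Exigen's generator): RBAC Administration Model ->
XACML 2.0 PolicySet. Mapping choices and the urn:example attribute prefix
are assumptions; see the lead-in."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
FN = "urn:oasis:names:tc:xacml:1.0:function:"
ROLE_ATTR = "urn:oasis:names:tc:xacml:2.0:subject:role"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
DENY_OVERRIDES_POLICIES = "urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides"
DENY_OVERRIDES_RULES = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"
COND_ATTR_PREFIX = "urn:example:resource:"  # assumption: one resource attribute per conditionName


@dataclass
class Resource:
    path: str
    name: str


@dataclass
class ResourcePermission:
    resource: Resource
    action: List[str]                     # [0..*]; an empty list means "any action"
    positive: bool = True                 # False -> Deny rule
    condition_name: Optional[str] = None  # e.g. "dedicatedAgent"


@dataclass
class Role:
    id: str
    name: str
    permissions: List[ResourcePermission] = field(default_factory=list)
    descendants: List["Role"] = field(default_factory=list)  # junior roles (assumed inherited)


def effective_permissions(role: Role) -> List[ResourcePermission]:
    """Own permissions first, then those inherited from junior roles (depth-first, cycle-safe)."""
    seen, out = set(), []
    def walk(r: Role) -> None:
        if r.id in seen:
            return
        seen.add(r.id)
        out.extend(r.permissions)
        for junior in r.descendants:
            walk(junior)
    walk(role)
    return out


def _match(parent: ET.Element, kind: str, attr_id: str, value: str) -> None:
    """<kind>Match: string-equal between a literal AttributeValue and a <kind>AttributeDesignator."""
    m = ET.SubElement(parent, kind + "Match", MatchId=FN + "string-equal")
    ET.SubElement(m, "AttributeValue", DataType=XS_STRING).text = value
    ET.SubElement(m, kind + "AttributeDesignator", AttributeId=attr_id, DataType=XS_STRING)


def _rule(policy: ET.Element, role: Role, perm: ResourcePermission, index: int) -> None:
    rule = ET.SubElement(policy, "Rule", RuleId=f"{role.id}:rule:{index}",
                         Effect="Permit" if perm.positive else "Deny")
    target = ET.SubElement(rule, "Target")
    _match(ET.SubElement(ET.SubElement(target, "Resources"), "Resource"), "Resource", RESOURCE_ID, perm.resource.path)
    if perm.action:  # omitting <Actions> makes the rule apply to every action
        actions = ET.SubElement(target, "Actions")
        for a in perm.action:
            _match(ET.SubElement(actions, "Action"), "Action", ACTION_ID, a)
    if perm.condition_name:  # subject-id == resource.<conditionName>, e.g. the dedicated agent
        eq = ET.SubElement(ET.SubElement(rule, "Condition"), "Apply", FunctionId=FN + "string-equal")
        for desig, attr in (("SubjectAttributeDesignator", SUBJECT_ID),
                            ("ResourceAttributeDesignator", COND_ATTR_PREFIX + perm.condition_name)):
            one = ET.SubElement(eq, "Apply", FunctionId=FN + "string-one-and-only")
            ET.SubElement(one, desig, AttributeId=attr, DataType=XS_STRING)


def generate_policy_set(domain_id: str, roles: List[Role]) -> ET.Element:
    ps = ET.Element("PolicySet", {"xmlns": XACML, "PolicySetId": domain_id,
                                  "PolicyCombiningAlgId": DENY_OVERRIDES_POLICIES})
    ET.SubElement(ps, "Target")  # empty Target: the set applies to every request in the domain
    for role in roles:
        pol = ET.SubElement(ps, "Policy", PolicyId=f"{domain_id}:{role.id}",
                            RuleCombiningAlgId=DENY_OVERRIDES_RULES)
        subj = ET.SubElement(ET.SubElement(ET.SubElement(pol, "Target"), "Subjects"), "Subject")
        _match(subj, "Subject", ROLE_ATTR, role.id)
        for i, perm in enumerate(effective_permissions(role)):
            _rule(pol, role, perm, i)
    return ps


def summarize(ps: ET.Element) -> Dict[str, List[Tuple[str, str, Tuple[str, ...], bool]]]:
    """role id -> [(effect, resource path, actions, has condition)], for checking the output."""
    out = {}
    for pol in ps.findall("Policy"):
        role = pol.find("Target/Subjects/Subject/SubjectMatch/AttributeValue").text
        out[role] = [(r.get("Effect"),
                      r.find("Target/Resources/Resource/ResourceMatch/AttributeValue").text,
                      tuple(a.text for a in r.findall("Target/Actions/Action/ActionMatch/AttributeValue")),
                      r.find("Condition") is not None) for r in pol.findall("Rule")]
    return out


def sample_model() -> Tuple[str, List[Role]]:
    """Constructed model: the slides' conditional policy plus a senior role with an explicit denial."""
    accounts, reports = Resource("/accounts", "Account"), Resource("/accounts/reports", "Report")
    agent = Role("agent", "Agent", [ResourcePermission(accounts, ["read"], condition_name="dedicatedAgent")])
    supervisor = Role("supervisor", "Supervisor",
                      [ResourcePermission(reports, ["read", "update"]),
                       ResourcePermission(accounts, ["close"], positive=False)],
                      descendants=[agent])
    return "urn:example:domain:accounts", [agent, supervisor]
```

`ET.tostring(generate_policy_set(*sample_model()), encoding="unicode")` prints the PolicySet. Two points worth checking in any generator of this shape: deny-overrides at both levels is what makes a negative ResourcePermission win over an inherited positive one, and a ResourcePermission with an empty action list produces a Rule with no Actions element, which XACML treats as matching every action, so an administrator leaving the field blank grants (or denies) everything on that resource.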