Mark Strembeck Institute for Complex Networks

xoRBAC - Brief Description:
xoRBAC is an open source software component that provides a policy monitor (in particular: a policy decision point with an integrated policy repository) for Role-Based Access Control (RBAC) policies. xoRBAC is implemented in Extended Object Tcl (XOTcl) and can be integrated with applications providing C or Tcl linkage.

[Figure: conceptual structure of the xoRBAC component]

The above figure depicts the conceptual structure of the xoRBAC component. Permissions, roles, and subjects are the basic elements of xoRBAC. The Subject Management subcomponent provides means to manage subjects, that is, the entities that may actively initiate an operation. xoRBAC comprises static and dynamic constraint management as individual subsystems. The Static Constraint Management of xoRBAC is based on permissions and roles and enables the definition of static mutual exclusion (SME) constraints and cardinalities. The Dynamic Constraint Management allows for the definition of context conditions and context constraints.

The Role Hierarchy Management uses the static constraint management component to prevent the creation of role hierarchies that are disallowed by the SME constraints or cardinalities within the system. The Access Control Policy Management additionally includes the decision component and the Assignment Unit for permission/role and user/role assignment and activation. The Decision Component contains the Environment Mapping, which captures context information via sensors, and the Constraint Evaluation, which checks if the collected values match the context constraints associated with a certain conditional permission.
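A minimal Python model of the static and dynamic checks described above, added here as an illustration; it is not xoRBAC code and does not use the xoRBAC API. All names (ToyPolicy, add_junior, assign, check_access and the attributes) are hypothetical, and sensors are modelled as zero-argument callables.

```python
# Illustrative model only: hypothetical names, not the xoRBAC API.
from collections import defaultdict

class PolicyError(Exception):
    """Raised when a change would violate a static constraint."""

class ToyPolicy:
    def __init__(self):
        self.juniors = defaultdict(set)   # role -> directly inherited junior roles
        self.sme = []                     # pairs of statically mutually exclusive roles
        self.max_subjects = {}            # role -> cardinality (max assigned subjects)
        self.assigned = defaultdict(set)  # subject -> directly assigned roles
        self.perms = defaultdict(dict)    # role -> {permission: context constraint or None}

    def closure(self, roles):
        """All roles reachable from `roles` through the hierarchy (inclusive)."""
        seen, todo = set(), list(roles)
        while todo:
            role = todo.pop()
            if role not in seen:
                seen.add(role)
                todo.extend(self.juniors[role])
        return seen

    def _sme_violated(self, roles):
        return any(a in roles and b in roles for a, b in self.sme)

    def add_junior(self, senior, junior):
        """Static check: refuse a hierarchy edge that merges two SME roles."""
        self.juniors[senior].add(junior)
        if any(self._sme_violated(self.closure([r])) for r in list(self.juniors)):
            self.juniors[senior].discard(junior)  # roll back the rejected edge
            raise PolicyError(f"{senior} would inherit mutually exclusive roles")

    def assign(self, subject, role):
        """Static check at assignment time: cardinality, then SME."""
        holders = sum(role in rs for rs in self.assigned.values())
        if holders >= self.max_subjects.get(role, float("inf")):
            raise PolicyError(f"cardinality of {role} exhausted")
        if self._sme_violated(self.closure(self.assigned[subject] | {role})):
            raise PolicyError(f"{subject} would hold mutually exclusive roles")
        self.assigned[subject].add(role)

    def check_access(self, subject, permission, sensors):
        """Dynamic check: evaluate context constraints on sensor readings."""
        context = {name: read() for name, read in sensors.items()}
        roles = self.closure(self.assigned.get(subject, ()))
        rules = [self.perms[r][permission] for r in roles if permission in self.perms.get(r, {})]
        return any(c is None or c(context) for c in rules)
```

A permission stored with `None` as its constraint is unconditional; a callable constraint makes it a conditional permission that is granted only while the sensor values satisfy it.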

xoRBAC Main Features (in Version 0.7.0):


API Reference:
xoRBAC API Reference, version 0.7.0, July 2009 (ps, pdf)

Related Papers and Articles:

(author names on publications before June 2004 appear in alphabetical order)

Copyright policy: The papers obtained from this Web site are included by the contributing authors as a means to ensure timely dissemination of scholarly and technical work on a non-commercial basis. Copyright and all rights therein are maintained by the authors or by other copyright holders, notwithstanding that they have offered their works here electronically. It is understood that all persons copying this information will adhere to the terms and constraints invoked by each author's copyright. These works may not be reposted without the explicit permission of the copyright holder.
S. Schefer, M. Strembeck, J. Mendling, A. Baumgrass: Detecting and Resolving Conflicts of Mutual-Exclusion and Binding Constraints in a Business Process Context, In: Proc. of the 19th International Conference on Cooperative Information Systems (CoopIS), Lecture Notes in Computer Science (LNCS), Vol. 7044, Springer Verlag, Crete, Greece, October 2011 (ps, pdf, extended version)
A. Baumgrass, T. Baier, J. Mendling, M. Strembeck: Conformance Checking of RBAC Policies in Process-Aware Information Systems, In: Proc. of the Workshop on Workflow Security Audit and Certification (WfSAC), Lecture Notes in Business Information Processing (LNBIP), Vol. 100, Springer Verlag, Clermont-Ferrand, France, August 2011 (ps, pdf)
W. Hummer, P. Gaubatz, M. Strembeck, U. Zdun, S. Dustdar: An Integrated Approach for Identity and Access Management in a SOA Context, In: Proc. of the 16th ACM Symposium on Access Control Models and Technologies (SACMAT), Innsbruck, Austria, June 2011 (ps, pdf)
M. Strembeck, J. Mendling: Modeling Process-related RBAC Models with Extended UML Activity Models, In: Information and Software Technology, Vol. 53, No. 5, May 2011 (doi, pdf)
M. Strembeck, J. Mendling: Generic Algorithms for Consistency Checking of Mutual-Exclusion and Binding Constraints in a Business Process Context, In: Proc. of the 18th International Conference on Cooperative Information Systems (CoopIS), Lecture Notes in Computer Science (LNCS), Vol. 6426, Springer Verlag, Crete, Greece, October 2010 (ps, pdf, extended version)
S. Kunz, S. Evdokimov, B. Fabian, B. Stieger, M. Strembeck: Role-Based Access Control for Information Federations in the Industrial Service Sector, In: Proc. of the 18th European Conference on Information Systems (ECIS), Pretoria, South Africa, June 2010 (ps, pdf)
M. Strembeck: Scenario-Driven Role Engineering, In: IEEE Security & Privacy, Vol. 8, No. 1, January/February 2010 (doi, pdf)
M. Strembeck, U. Zdun: An Approach for the Systematic Development of Domain-Specific Languages, In: Software: Practice and Experience (SP&E), Vol. 39, No. 15, October 2009 (doi, pdf)
M. Strembeck, U. Zdun: Modeling Interdependent Concern Behavior Using Extended Activity Models, In: Journal of Object Technology (JOT), Vol. 7, No. 6, July-August 2008 (doi, pdf)
U. Zdun, M. Strembeck, G. Neumann: Object-based and class-based composition of transitive mixins, In: Information and Software Technology, Vol. 49, No. 8, August 2007 (doi, pdf)
M. Strembeck, U. Zdun: Definition of an Aspect-Oriented DSL using a Dynamic Programming Language, In: Proc. of the Workshop on Open and Dynamic Aspect Languages (ODAL), Bonn, Germany, March 2006 (ps, pdf)
M. Strembeck, G. Neumann: An Integrated Approach to Engineer and Enforce Context Constraints in RBAC Environments, In: ACM Transactions on Information and System Security (TISSEC), Vol. 7, No. 3, August 2004 (doi, pdf)
J. Mendling, M. Strembeck, G. Stermsek, G. Neumann: An Approach to Extract RBAC Models from BPEL4WS Processes, In: Proc. of the 13th IEEE International Workshops on Enabling Technologies: Infrastructures for Collaborative Enterprises (WETICE), Modena, Italy, June 2004 (ps, pdf)
M. Strembeck: Conflict Checking of Separation of Duty Constraints in RBAC - Implementation Experiences, In: Proc. of the Conference on Software Engineering (SE2004), Innsbruck, Austria, February 2004 (ps, pdf)
S. Guth, G. Neumann, M. Strembeck: Experiences with the Enforcement of Access Rights Extracted from ODRL-based Digital Contracts, In: Proc. of the 3rd ACM Workshop on Digital Rights Management (DRM), Washington D.C., USA, October 2003 (ps, pdf)
G. Neumann, M. Strembeck: An Approach to Engineer and Enforce Context Constraints in an RBAC Environment, In: Proc. of 8th ACM Symposium on Access Control Models and Technologies (SACMAT), Como, Italy, June 2003 (ps, pdf)
G. Neumann, M. Strembeck: A Scenario-driven Role Engineering Process for Functional RBAC Roles, In: Proc. of 7th ACM Symposium on Access Control Models and Technologies (SACMAT), Monterey, USA, June 2002 (ps, pdf)
G. Neumann, M. Strembeck: Design and Implementation of a Flexible RBAC-Service in an Object-Oriented Scripting Language, In: Proc. of the 8th ACM Conference on Computer and Communications Security (CCS), Philadelphia, USA, November 2001 (ps, pdf, presentation)

Download:

Contact:

Mark Strembeck