Specification and Validation of Authorisation Constraints Using UML and OCL

Karsten Sohr (1), Gail-Joon Ahn (2), Martin Gogolla (1), and Lars Migge (1)

(1) Department of Mathematics and Computer Science, Universität Bremen, Bibliothekstr. 1, 28359 Bremen, Germany
(2) Department of Software and Information Systems, University of North Carolina at Charlotte, Charlotte, NC 28223, USA
Abstract. Authorisation constraints help the policy architect design and express higher-level security policies for organisations such as financial institutes or governmental agencies. Although the importance of constraints has been addressed in the literature, there is no systematic way to validate and test authorisation constraints. In this paper, we specify non-temporal constraints and history-based constraints in the Object Constraint Language (OCL), the constraint specification language of the Unified Modeling Language (UML), and describe how the USE tool can be used to validate and test such policies. We also discuss the identification of conflicting constraints and missing constraints.
1 Introduction
Information technology pervades more and more of our daily life, in domains as different as healthcare, e-government and banking. On the other hand, new technologies bring new risks, such as unauthorised access, which must be dealt with systematically. Hence it is mandatory to establish adequate mechanisms that enforce the security and protection requirements demanded by the rules and laws relevant to the organisation in question. For example, Europe has strong data protection requirements, such as those formulated in Directive 95/46/EC [7]. Among other areas, this directive applies to clinical information systems, where in particular the principle of patient consent must be enforced [4]. In the banking domain, by contrast, other security requirements such as data integrity are more important, so that separation of duty (SoD) policies [17,5] must often be enforced.
Implementing such higher-level organisational security policies in computer systems can be cumbersome and inefficient. However, it has turned out that one of the great advantages of role-based access control (RBAC) is that SoD rules can be implemented in a natural way [9]. Generally speaking, role-based authorisation constraints are an important means of laying out higher-level security policies [1,13]. Although there are several works on the specification of role-based authorisation constraints, e.g., [1,13], there is a lack of appropriate tool support for the validation, enforcement, and testing of role-based access control policies. Specifically, tools are needed that a policy designer can apply quite easily without much additional training.

* This work of Gail-J. Ahn was partially supported at the Laboratory of Information Integration, Security and Privacy at the University of North Carolina at Charlotte by grants from the National Science Foundation (NSF-IIS-0242393) and the Department of Energy Early Career Principal Investigator Award (DE-FG02-03ER25565).

S. De Capitani di Vimercati et al. (Eds.): ESORICS 2005, LNCS 3679, pp. 64–79, 2005.
© Springer-Verlag Berlin Heidelberg 2005
As demonstrated in [2,18], the Unified Modeling Language (UML) and the Object Constraint Language (OCL) can be conveniently used to specify several classes of role-based authorisation constraints. Moreover, since OCL has proved its applicability in several industrial applications¹, it is a good means for a practically relevant process such as the design of security policies.
However, as mentioned above, tool support is needed for broader practical use. Hence, we demonstrate in this paper how to employ the USE system (UML Specification Environment) [19,20] to validate and test access control policies formulated in UML and OCL. USE is a validation tool for UML models and OCL constraints that has been applied in industry and research [19]. With the help of this tool, a policy designer can detect conflicting and missing authorisation constraints.
The paper is organised as follows: Section 2 gives a short overview of RBAC and UML/OCL, and introduces the USE system. Section 3 specifies typical, and in part more complex, authorisation constraints in OCL and in a temporal OCL extension. Section 4 demonstrates how USE can be employed to validate and enforce RBAC security policies and to test RBAC configurations, while Section 5 sketches related work. Section 6 summarises and gives an outlook on future work.
2 Related Technologies
We first give a short overview of RBAC, then we briefly describe UML and
OCL, and finally introduce the USE tool, which can be employed to validate
OCL constraints.
2.1 RBAC and Authorisation Constraints
RBAC has received considerable attention as an alternative to traditional discretionary and mandatory access control. One reason for this increasing interest is that in practice permissions are assigned to users according to their roles or functions in the organisation (governmental or commercial) [8]. In addition, the explicit representation of roles greatly simplifies security management and allows well-known security principles such as separation of duty and least privilege to be applied.

¹ OCL is UML's constraint specification language, and UML has been widely adopted in the software engineering discipline.
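As an added illustration (this is not code from the paper, which expresses its constraints in OCL and checks them with USE), the following Python model shows the two kinds of constraint the abstract distinguishes on a small RBAC configuration: a non-temporal, static separation of duty constraint checked over user-role assignments, and a history-based, object-level separation of duty constraint enforced at access time. All role, permission, user and object names are constructed sample data; `RBAC`, `static_sod_violations` and `authorise` are names chosen for this example.

```python
from dataclasses import dataclass, field


@dataclass
class RBAC:
    """Minimal RBAC state: roles carry permissions, users hold roles."""
    role_perms: dict = field(default_factory=dict)   # role -> set of permissions
    user_roles: dict = field(default_factory=dict)   # user -> set of roles
    # Static SoD: unordered pairs of roles that no user may hold at the same time.
    ssd_pairs: set = field(default_factory=set)      # {frozenset({r1, r2}), ...}
    # Object-based dynamic SoD: a user who exercised perm_a on an object may
    # not later exercise perm_b on the same object.
    dsd_pairs: set = field(default_factory=set)      # {(perm_a, perm_b), ...}
    history: list = field(default_factory=list)      # [(user, perm, obj), ...]

    def assign(self, user, role):
        """User-role assignment; static SoD is validated separately."""
        self.user_roles.setdefault(user, set()).add(role)

    def permissions(self, user):
        """Permissions a user obtains through all of their roles."""
        return set().union(*(self.role_perms[r] for r in self.user_roles.get(user, ())))

    def static_sod_violations(self):
        """Validate the configuration: every (user, r1, r2) where the user
        holds both roles of a mutually exclusive pair. An empty list means
        the assignment satisfies all static SoD constraints."""
        out = []
        for user, roles in self.user_roles.items():
            for pair in self.ssd_pairs:
                if pair <= roles:
                    r1, r2 = sorted(pair)
                    out.append((user, r1, r2))
        return sorted(out)

    def authorise(self, user, perm, obj):
        """Access decision: the user needs a role granting perm, and no
        history-based SoD rule may forbid perm on obj given earlier actions.
        Granted actions are appended to the history; denied ones are not."""
        if perm not in self.permissions(user):
            return False
        for prior_user, prior_perm, prior_obj in self.history:
            if prior_user == user and prior_obj == obj \
                    and (prior_perm, perm) in self.dsd_pairs:
                return False
        self.history.append((user, perm, obj))
        return True


def build_sample():
    """Constructed banking-style configuration (sample data, not from the paper)."""
    rbac = RBAC(
        role_perms={
            "clerk": {"prepare_payment"},
            "manager": {"approve_payment"},
            "auditor": {"audit_payment"},
        },
        ssd_pairs={frozenset({"manager", "auditor"})},
        dsd_pairs={("prepare_payment", "approve_payment")},
    )
    rbac.assign("alice", "clerk")
    rbac.assign("bob", "clerk")
    rbac.assign("bob", "manager")      # allowed statically: clerk/manager is no SSD pair
    rbac.assign("carol", "manager")
    rbac.assign("carol", "auditor")    # violates the manager/auditor SSD constraint
    return rbac


def run_scenario():
    """Validate the sample configuration, then replay a short sequence of requests."""
    rbac = build_sample()
    return {
        "ssd_violations": rbac.static_sod_violations(),
        "bob_prepares_p1": rbac.authorise("bob", "prepare_payment", "P1"),
        "bob_approves_p1": rbac.authorise("bob", "approve_payment", "P1"),   # denied by history
        "alice_prepares_p2": rbac.authorise("alice", "prepare_payment", "P2"),
        "bob_approves_p2": rbac.authorise("bob", "approve_payment", "P2"),   # a different object
        "alice_approves_p2": rbac.authorise("alice", "approve_payment", "P2"),  # no such role
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The static check runs over the whole configuration independently of any request, which is the kind of validation a tool like USE performs on a model; the dynamic check needs the operation history and can only be decided at access time. Note that Bob holding both clerk and manager is not itself a violation here: the policy only forbids him from approving a payment he prepared.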