Model-Driven Design and Administration of Access Control in Enterprise Applications April 2005

Proprietary and Confidential Exigen Properties, Inc. 2 Access Control in Enterprise Applications Serves as façade for external authentication, single sign on, naming and identity services, user directories Managing access control is the key requirement, role based model (RBAC) is natural choice Multiple points for permissions checks – user interface, middleware, data access Data Filtering Based on access control policy Conditional and domain-related policies are common “Only dedicated agents may access sensitive accounts”

Proprietary and Confidential Exigen Properties, Inc. 3 The Focus is The Model… Application is Modeled as a set of related UML Models Specific UML Profiles used to model different aspects of the system, including Access Control Application code is generated from set of related UML models using MDA approach Access control is checked in the points, auto- generated in the code according to Access Control Model Security Policy Administration Model drives the implementation of administration capabilities

Proprietary and Confidential Exigen Properties, Inc. 4 Model Driven Architecture Approach

Proprietary and Confidential Exigen Properties, Inc. 5 MDA is between "What?" and "How?" What is … ? Protected Resource Data Access Constraint Policy Management Model Administered Object Organizational Structure Audit Event Actionable Notification How to … ? Enforce Security Policy Filter Data Control Data Access Manage Policy Administer Users Generate Events Record and Monitor Events Generate Notifications

Proprietary and Confidential Exigen Properties, Inc. 6 “What is … ?” is Specified by Models

Proprietary and Confidential Exigen Properties, Inc. 7 “How to … ?” Is Specified by Transformations

Proprietary and Confidential Exigen Properties, Inc. 8 Access Control Transformation

Proprietary and Confidential Exigen Properties, Inc. 9 Security Policy Administration Model

Proprietary and Confidential Exigen Properties, Inc. 10 Security Administration Console

Proprietary and Confidential Exigen Properties, Inc. 11 Working Togerther at Runtime

Proprietary and Confidential Exigen Properties, Inc. 12 Where we are? Permission checks are generated in the application code Data filtering is generated, interface for filters implementation is generated Security policy applied uniformly to the application and security administration console User interface for security administration is based on the model

Proprietary and Confidential Exigen Properties, Inc. 13 Lessons Learned + Developers of vertical solutions do not implement security related code + Model provides good visibility and reduces perceivable complexity + Policy applied uniformly to multiple tiers of application - “Hello World” application is close to impossible - Code generation takes time - Generated code looks bad - hard to debug - Extra artifacts in development

Proprietary and Confidential Exigen Properties, Inc. 14 What is Next? XACML policy generation Code generation for security administration console Developing model transformations as models Defining meta-models as formal languages Formal proof of model correctness Unit tests generation