A Declarative Fine-grained Role-based Access Control Model and Mechanism for the Web Application Domain

Seyed Hossein Ghotbi, Bernd Fischer


Access control policies such as role-based access control (RBAC) enforce desirable security properties, in particular for Web-based applications with many different users. A fine-grained RBAC model gives the developers of such systems more customization and administrative power to control access to fine-granular elements such as individual cells of a table. However, the definition and deployment of such policies is not straightforward, and in many Web applications, they are hand-coded in the database or scattered throughout the application’s implementation, without taking advantage of underlying central elements, such as the data model or object types. This paper presents FRBAC, a fine-grained RBAC model for the Web application domain. FRBAC achieves separation of concerns for enforcing access to a range of objects with mixed-granularity levels. Moreover, it provides a unique testing mechanism that gives a guarantee to the developer about the correctness, completeness, and sufficiency of the defined FRBAC model, both internally and in the context of its target application. We use code generation techniques to compile the specification of a FRBAC model down to the existing tiers of an existing domain-specific Web programming language, WebDSL. We show the benefits of FRBAC on the development of a departmental Web site.


  1. Abi Haidar, D., Cuppens-Boulahia, N., Cuppens, F., and Debar, H. (2006). An extended RBAC profile of XACML. SWS 7806, pp. 13-22, ACM.
  2. Brittain, J. and Darwin, I. F. (2007). Tomcat: the definitive guide, 2nd edition. O'Reilly.
  3. Chen, K. and Huang, C.-M. (2005). A practical aspect framework for enforcing fine-grained access control in web applications. ISPEC 7805, LNCS 3439, pp. 156- 167.
  4. Connor, A. and Loomis, R. (2010). Economic analysis of role-based access control. Technical report, National Institute of Standards and Technology.
  5. Dalai, A. K. and Jena, S. K. (2011). Evaluation of web application security risks and secure design patterns. CCS 7811, pp. 565-568, ACM.
  6. Damianou, N., Dulay, N., Lupu, E., and Sloman, M. (2001). The ponder policy specification language. POLICY 2001, LNCS 1995, pp. 18-38. Springer.
  7. de Moura, L. M. and Bjørner, N. (2008). Z3: An Efficient SMT Solver. TACAS 7808, LNCS 5195, pp. 337-340. Springer.
  8. Ferraiolo, D. and Kuhn, R. (1992). Role-Based Access Control. NIST-NCSC 7892, pp. 554-563.
  9. Ferraiolo, D. F., Barkley, J. F., and Kuhn, D. R. (1999). A role-based access control model and reference implementation within a corporate intranet. ISS 7809, pp. 34-64, ACM.
  10. Gofman, M. I., Luo, R., Solomon, A. C., Zhang, Y., Yang, P., and Stoller, S. D. (2009). RBAC-PAT: A policy analysis tool for role based access control. TACAS 7809, LNCS 5505, pp. 46-49.
  11. Gorodetski, V. I., Skormin, V. A., and Popyack, L. J., editors (2001). Information Assurance in Computer Networks: Methods, Models, and Architectures for Network Security, LNCS 2052.
  12. Groenewegen, D. and Visser, E. (2009). Integration of data validation and user interface concerns in a DSL for web applications. SLE 7809, LNCS 5969, pp. 164-173.
  13. Groenewegen, D. M., Hemel, Z., Kats, L. C. L., and Visser, E. (2008). Webdsl: a domain-specific language for dynamic web applications. OOPSLA 7808, pp. 779- 780. ACM.
  14. Groenewegen, D. M. and Visser, E. (2008). Declarative access control for WebDSL: Combining language integration and separation of concerns. ICWE 7808, pp. 175-188. IEEE.
  15. Heering, J., Hendriks, P. R. H., Klint, P., and Rekers, J. (1989). The syntax definition formalism SDF - reference manual. SIGPLAN Notices, 24(11):43-75.
  16. Hemel, Z., Kats, L. C. L., Groenewegen, D. M., and Visser, E. (2010). Code generation by model transformation: a case study in transformation modularity. Software and System Modeling, 9(3):375-402.
  17. Hortsmann, C. (2012). Scala for the Impatient. AddisonWesley Professional.
  18. Hsieh, G., Foster, K., Emamali, G., Patrick, G., and Marvel, L. M. (2009). Using XACML for embedded and finegrained access control policy. ARES 7809, pp. 462-468. IEEE.
  19. Lorch, M., Proctor, S., Lepro, R., Kafura, D., and Shah, S. (2003). First experiences using XACML for access control in distributed systems. XMLSEC 7803, pp. 25- 37, ACM.
  20. Martin, E., Xie, T., and Yu, T. (2006). Defining and measuring policy coverage in testing access control policies. ICICS 7806, LNCS 4307, pp. 139-158, Springer.
  21. Masood, A., Bhatti, R., Ghafoor, A., and Mathur, A. P. (2009). Scalable and effective test generation for role-based access control systems. Software Eng., 35(5):654-668, IEEE.
  22. McCollum, C., Messing, J., and Notargiacomo, L. (1990). Beyond the Pale of MAC and DAC Defining new forms of access control. RSP 7890, pp. 190 -200, IEEE.
  23. Montrieux, L., Wermelinger, M., and Yu, Y. (2011). Tool support for UML-based specification and verification of role-based access control properties. ESEC 7811, pp. 456-459. ACM.
  24. Samarati, P. and di Vimercati, S. D. C. (2000). Access control: Policies, models, and mechanisms. FSAD 7801, LNCS 2171, pp. 137-196.
  25. Sanderson, D. (2009). Programming Google App Engine: Build and Run Scalable Web Apps on Google's Infrastructure. O'Reilly Media, Inc.
  26. Sandhu, R., Ferraiolo, D., and Kuhn, R. (2000). The NIST Model for Role-Based Access Control: Towards a Unified Standard. Workshop on RBAC 7800, pp. 47-63, ACM.
  27. Steele, R. and Min, K. (2010). Healthpass: Fine-grained access control to portable personal health records. AINA 2010, pp. 1012-1019, IEEE.
  28. Sujansky, W. V., Faus, S. A., Stone, E., and Brennan, P. F. (2010). A method to implement fine-grained access control for personal health records through standard relational database queries. Journal of Biomedical Informatics 5-Supplement-1, pp. S46-S50.
  29. Tondel, I., Jaatun, M., and Jensen, J. (2008). Learning from software security testing. ICSTW 7808, pp. 286 -294. IEEE.
  30. Visser, E. (2003). Program transformation with Stratego/XT: Rules, strategies, tools, and systems in Stratego/XT 0.9. Domain-Specific Program Generation, LNCS 3016, pp. 216-238.
  31. Visser, E. (2007). WebDSL: A case study in domainspecific language engineering. GTTSE 7807, LNCS 5235, pp. 291-373.
  32. Wang, L., Wong, E., and Xu, D. (2007). A threat model driven approach for security testing. SESS 7807, pp. 10-17.
  33. Win, B. D., Piessens, F., Joosen, W., De, B., Frank, W., Joosen, P. W., and Verhanneman, T. (2002). On the importance of the separation-of-concerns principle in secure software engineering. Workshop AEPSSD 7802.
  34. Wurster, G. and Van Oorschot, P. C. (2009). The developer is the enemy. NSP 7808, pp. 89-97, ACM.
  35. Zhu, H. and Lu, K. (2007). Fine-grained access control for database management systems. BNCOD'07, LNCS 4587, pp. 215-223.

Paper Citation

in Harvard Style

Hossein Ghotbi S. and Fischer B. (2012). A Declarative Fine-grained Role-based Access Control Model and Mechanism for the Web Application Domain . In Proceedings of the 7th International Conference on Software Paradigm Trends - Volume 1: ICSOFT, ISBN 978-989-8565-19-8, pages 80-91. DOI: 10.5220/0004083400800091

in Bibtex Style

author={Seyed Hossein Ghotbi and Bernd Fischer},
title={A Declarative Fine-grained Role-based Access Control Model and Mechanism for the Web Application Domain},
booktitle={Proceedings of the 7th International Conference on Software Paradigm Trends - Volume 1: ICSOFT,},

in EndNote Style

JO - Proceedings of the 7th International Conference on Software Paradigm Trends - Volume 1: ICSOFT,
TI - A Declarative Fine-grained Role-based Access Control Model and Mechanism for the Web Application Domain
SN - 978-989-8565-19-8
AU - Hossein Ghotbi S.
AU - Fischer B.
PY - 2012
SP - 80
EP - 91
DO - 10.5220/0004083400800091