PEP4Django: A Policy Enforcement Point for Python Web Applications

2019
Author(s): Carlos Eduardo Da Silva, Welkson De Medeiros, Silvio Sampaio

Traditionally, access control mechanisms have been hard-coded into application components. Such an approach is error-prone, mixing business logic with access control concerns and affecting the flexibility of security policies, as is the case with the IFRN SUAP Django-based system. The externalization of access control rules allows their decoupling from business logic, through the use of authorization servers where access control policies are stored and queried for computing access decisions. In this context, this paper presents an approach that allows a Django Web application to delegate access control decisions to an external authorization server. The approach has been integrated into an enterprise-level system, which has been used for experimentation. The results obtained indicate a negligible overhead, while allowing the modification of access control policies without interrupting the system.

Author(s): Thanh-Nhan Luong, Hanh-Phuc Nguyen, Ninh-Thuan Truong

The software security issue is receiving great attention from the software development community as various security violations have emerged. Developers often use access control techniques to restrict some security breaches to software systems’ resources. The addition of authorization constraints to the role-based access control model increases the ability to express access rules in real-world problems. However, the complexity of combining components, libraries and programming languages during the implementation stage of web systems’ access control policies may give rise to potential flaws that make applications’ access control policies inconsistent with their specifications. In this paper, we introduce an approach to review the implementation of these models in web applications written in Java EE according to the MVC architecture with the support of the Spring Security framework. The approach can help developers detect flaws in the assignment implementation process of the models. First, the approach focuses on extracting the information about users and roles from the database of the web application. We then analyze policy configuration files to establish the access analysis tree of the application. Next, algorithms are introduced to validate the correctness of the implemented user-role and role-permission assignments in the application system. Lastly, we developed a tool called VeRA to automatically support the verification process. The tool is also tested with a number of access violation scenarios in the medical record management system.


2017, Vol 30 (4), pp. 53-70
Author(s): Winfred Yaokumah

Almost all computing systems and applications in organizations include some form of access control mechanism. Managing secure access to computing resources is an important but challenging task, requiring both administrative and technical measures. This study examines the influence of administrative access control measures on technical access control mechanisms. Based on the four access control clauses defined by ISO/IEC 27002, this study develops a model to empirically test the impact of access control policies on systems and applications control activities. The study employs Partial Least Square Structural Equation Modelling (PLS-SEM) to analyze data collected from 223 samples through a survey questionnaire. The results show that the greatest significant impact on applications and systems access control measures is through access control policies mediated by users' responsibilities and accountability and user access management activities. But the direct impact of access control policies on applications and systems access control measures is not significant.


Author(s): Sandeep Lakaraju, Dianxiang Xu, Yong Wang

Healthcare information systems deal with sensitive data across complex workflows. They often allow various stakeholders from different environments to access data across organizational boundaries. This elevates the risk of exposing sensitive healthcare information to unauthorized personnel, making ‘controlling access to resources’ a major concern. To prevent unwanted access to sensitive information, healthcare organizations need to adopt effective workflows and access control mechanisms. Many healthcare organizations are not yet considering or do not know how to accommodate the ‘context’ element as a crucial element in their workflows and access control policies. The authors envision the future of healthcare where ‘context’ will be considered as a crucial element. They can accommodate context through a new element ‘environment’ in workflows, and can accommodate context in policies through the well-known attribute-based access control (ABAC) mechanism. This research mainly addresses these problems by proposing a model to integrate workflows and access control policies and thereby identifying workflow activities that are not being protected by access control policies and improving the workflow activities and/or existing access control policies using SARE (Subject, Action, Resource, and Environment) elements.


Author(s): Sandeep Kumar Lakkaraju, Dianxiang Xu, Yong Wang

In a complex healthcare world, health information technology integrated workflows play a crucial role in improving healthcare workflow efficiency. Healthcare organizations often allow various stakeholders to access sensitive data across organizational boundaries. This increases the need to secure and restrict access to this sensitive data. In a complex environment like healthcare, the need for access to data highly depends on context, and many of the traditional access control mechanisms cannot accommodate “context.” In this process, there is a need for healthcare organizations to look for more efficient access control mechanisms which work in accordance with workflows and accommodate “context” as a critical element. As a solution to this problem, this chapter presents a model to integrate workflows and access control policies and thereby identifying workflow activities that are not being protected by access control policies and improving the workflow activities and/or existing access control policies using SARE (subject, action, resource, and environment) elements.


2020, pp. 1378-1400
Author(s): Sandeep Lakaraju, Dianxiang Xu, Yong Wang

Healthcare information systems deal with sensitive data across complex workflows. They often allow various stakeholders from different environments to access data across organizational boundaries. This elevates the risk of exposing sensitive healthcare information to unauthorized personnel, making ‘controlling access to resources’ a major concern. To prevent unwanted access to sensitive information, healthcare organizations need to adopt effective workflows and access control mechanisms. Many healthcare organizations are not yet considering or do not know how to accommodate the ‘context’ element as a crucial element in their workflows and access control policies. The authors envision the future of healthcare where ‘context’ will be considered as a crucial element. They can accommodate context through a new element ‘environment’ in workflows, and can accommodate context in policies through the well-known attribute-based access control (ABAC) mechanism. This research mainly addresses these problems by proposing a model to integrate workflows and access control policies and thereby identifying workflow activities that are not being protected by access control policies and improving the workflow activities and/or existing access control policies using SARE (Subject, Action, Resource, and Environment) elements.



2021, pp. 111109
Author(s): Ha Thanh Le, Lwin Khin Shar, Domenico Bianculli, Lionel Claude Briand, Cu Duy Nguyen
