IEEE Security & Privacy, vol. 8, no. 1, January/February 2010, pp. 28-35
Mark Strembeck , Vienna University of Economics and Business
Abstract: Access control deals with eliciting, specifying, enforcing, and maintaining access control policies in software-based systems. Role-based access control (RBAC), together with its various extensions, has become a de facto standard for access control. Scenario-driven role engineering is a systematic approach for defining customized RBAC models, including roles, permissions, constraints, and role hierarchies. Since the approach was first published in 2002, the author has gained considerable experience with it, and several consulting firms and international projects have adopted it. Based on these experiences, the author has refined the approach and now has a much deeper understanding of the relations between the different role-engineering artifacts, the need for process tailoring, and the use of preexisting documents in role-engineering activities.
Keywords: role-based access control, role engineering, security management
Mark Strembeck, "Scenario-Driven Role Engineering", IEEE Security & Privacy, vol.8, no. 1, pp. 28-35, January/February 2010, doi:10.1109/MSP.2010.46
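The abstract names the artifacts a scenario-driven role-engineering effort produces: permissions derived from scenario steps, roles that group those permissions, a role hierarchy, and constraints. The following is an added illustration of how those artifacts relate, written for this page; it is not code from the paper, and the derivation it uses (each scenario step needs exactly one permission, one role per group of scenarios, shared permissions factored into a junior role, one static separation-of-duty pair) is a simplified sketch of the general idea, not Strembeck's process or tool. The clinical scenarios, role names and the `physician`/`pharmacist` exclusion are constructed sample data.

```python
"""Scenario steps -> permissions -> roles -> hierarchy + static SoD constraint.
Added illustration with constructed sample data; not the paper's process or tool."""
from dataclasses import dataclass, field


@dataclass
class Scenario:
    name: str
    steps: list  # each step is a (operation, object) permission, in execution order


@dataclass
class RBACModel:
    roles: dict = field(default_factory=dict)        # role -> directly assigned permissions
    juniors: dict = field(default_factory=dict)      # role -> roles it inherits from
    ssd: list = field(default_factory=list)          # mutually exclusive role pairs (static SoD)
    assignments: dict = field(default_factory=dict)  # user -> roles held

    def add_role(self, name, perms, inherits=()):
        self.roles[name] = set(perms)
        self.juniors[name] = set(inherits)

    def effective_permissions(self, role):
        """Transitive closure over the role hierarchy: a senior role holds its own
        permissions plus everything its junior roles hold."""
        seen, todo, perms = set(), [role], set()
        while todo:
            r = todo.pop()
            if r in seen:
                continue
            seen.add(r)
            perms |= self.roles[r]
            todo.extend(self.juniors[r])
        return perms

    def assign(self, user, role):
        """Assign a role, refusing any assignment that would violate a static SoD pair."""
        held = self.assignments.setdefault(user, set())
        for a, b in self.ssd:
            if {a, b} <= (held | {role}):
                raise ValueError(f"{user} may not hold both {a} and {b}")
        held.add(role)

    def check_access(self, user, op, obj):
        return any((op, obj) in self.effective_permissions(r)
                   for r in self.assignments.get(user, ()))


def roles_from_scenarios(model, scenarios, responsibilities):
    """One role per group of scenarios; the role's permissions are the union of the
    permissions its scenarios' steps need (assumed mapping, see lead-in)."""
    by_name = {s.name: s for s in scenarios}
    for role, scenario_names in responsibilities.items():
        perms = set()
        for n in scenario_names:
            perms.update(by_name[n].steps)
        model.add_role(role, perms)


def factor_common_junior(model, junior):
    """Build a hierarchy: permissions that every derived role needs move into one
    junior role, and the derived roles inherit from it instead of holding them."""
    common = set.intersection(*model.roles.values())
    if not common:
        return None
    seniors = list(model.roles)
    model.add_role(junior, common)
    for r in seniors:
        model.roles[r] -= common
        model.juniors[r].add(junior)
    return common


def build_example_model():
    # Constructed sample scenarios for a small clinical workflow (illustrative only).
    scenarios = [
        Scenario("admit patient", [("read", "patient_record"), ("create", "admission")]),
        Scenario("prescribe medication", [("read", "patient_record"), ("write", "prescription")]),
        Scenario("dispense medication", [("read", "patient_record"), ("read", "prescription"),
                                         ("update", "drug_inventory")]),
    ]
    responsibilities = {
        "ward_clerk": ["admit patient"],
        "physician": ["prescribe medication"],
        "pharmacist": ["dispense medication"],
    }
    model = RBACModel()
    roles_from_scenarios(model, scenarios, responsibilities)
    factor_common_junior(model, "clinical_staff")
    # Constraint (assumed): prescribing and dispensing must not be done by one person.
    model.ssd.append(("physician", "pharmacist"))
    return model


if __name__ == "__main__":
    m = build_example_model()
    m.assign("alice", "physician")
    print(sorted(m.effective_permissions("physician")))
    try:
        m.assign("alice", "pharmacist")
    except ValueError as e:
        print("refused:", e)
```

Running the block derives three roles, moves the shared `("read", "patient_record")` permission into the junior `clinical_staff` role, and then refuses to give `alice` the `pharmacist` role because she already holds `physician`. Keeping the scenario-to-permission derivation in code, rather than only in documents, is what makes the traceability the abstract mentions checkable: every permission a role holds can be traced back to the scenario step that required it.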