-1

I'm trying to figure out what I need to specify in UML for a role-based access control system. Basically I have a Database and only specific people are supposed to access specific functions or information from that database. My academic helper told me to use a role-based access control system and scribbled some stuff onto a paper.

[image: sketch of the three roles and the database]

On the left you can see the 3 roles, and connected to it the database, both in the model part of the Model-View-Control. My question basically: Which functions/variables do I need in the class Role and the role classes so the access control system works and why? Generally this is supposed to be written in Java.

EDIT: Each Role has its own login credentials, so they will be identified upon login. With this login they are supposed to get one of those roles, but I don’t know how to give them that role.

xenoterracide
  • There are sooo many ways you can model this. And you did not mention even one constraint. How should we know what rules access to the system? – qwerty_so Nov 18 '18 at 20:27
  • @qwerty_so I hate to tell you this but RBAC is a standardized model. Meaning that without adding any extensions to set model there is really more or less only one way to represent it, in its totality. A small variance may exist from where your framework session integrates with the RBAC model. I have seen several systems claim to be RBAC but none of them implemented it fully. – xenoterracide Oct 05 '21 at 01:44

2 Answers

1

I was looking for some diagram I found via google a long time ago, long before this question.

RBAC is a standardized model, it doesn't really contain multiple representations. You can extend it with additional security models, and it's multilevel, so higher levels are optional.

Flat RBAC, the first level, requires the following:

  • users acquire permissions through roles
  • many to many user role assignment
  • many to many permission role assignment
  • user-role assignment review (user - role mapping can be changed, not hardcoded)
  • users can use permissions of multiple roles simultaneously

I have never seen a full implementation of RBAC in the wild. In a previous job we ultimately had to add point 2 to the application to enable administrators to go into a "support" mode, to view an account's profile as they would.

This diagram gives a largely complete level 4 representation.

[image: RBAC UML diagram]

Here is the source of this diagram; it has a lot more information than what I'm saying.

I think the biggest variance you'll have (besides naming) is what object has "check access" and the general naming of these objects and methods.

For further reading on the subject, I would suggest these:

There are other documents, including some criticisms. I usually find that simply using RBAC is not sufficient, as there are often more complex requirements than just "manager can do X", for example.

xenoterracide
  • Well, that diagram shows "at least" a crude UML. (Looking at the source the authors obviously struggled with TeX; what are those vertical bars everywhere?) Btw. I said my example is _a_ way, not _the_ way. – qwerty_so Oct 05 '21 at 15:42
  • Further: this is not a standard. It's a university paper. You can for sure take it as reference but by far this is not a standard. – qwerty_so Oct 05 '21 at 15:45
  • @qwerty_so It is a standard; however, you are correct that this is not a reference to the standard. I believe this blog post contains references to the NIST standard. https://blog.ansi.org/2018/05/role-based-access-control-rbac-incits-359/ Yes, it's not the greatest UML out in the world, but it's definitely better than most other things I've seen. I highly doubt that the standards that have developed used UML for specification. – xenoterracide Oct 06 '21 at 10:24
  • You should probably fix your answer with the correct link then... – qwerty_so Oct 06 '21 at 10:26
  • I can add that link and a link to the standard. However, the other link is essentially a citation for the image. I can add a number of references. Your diagram though is missing mandatory parts of the standard. – xenoterracide Oct 06 '21 at 10:27
  • @qwerty_so I added additional sources. Happy now? – xenoterracide Oct 06 '21 at 11:01
  • Almost ;-) You clobbered the UML diagram from the paper... – qwerty_so Oct 06 '21 at 12:20
  • 1
    @qwerty_so oops, fixed it – xenoterracide Oct 24 '21 at 00:14
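The five Flat RBAC requirements listed in the answer above, as an added Java example that is not code from either answer or from the cited paper: users acquire permissions only through roles, both assignments are many-to-many, the user-role table can be reviewed and changed after login (the question's EDIT), and the access check is a union over all of a user's roles. The class name FlatRbacDemo, the roles clerk/manager/support and the permission names are constructed for the example.

```java
import java.util.*;

// Added example, not code from either answer: a minimal NIST Flat RBAC core in Java 17.
// Save as FlatRbacDemo.java and run with `java FlatRbacDemo.java`.
public class FlatRbacDemo {
    // A permission is an operation on a protected object; the names used below are constructed.
    record Permission(String operation, String object) {}
    record User(String login) {}

    static final class Role {
        final String name;
        private final Set<Permission> permissions = new HashSet<>();
        Role(String name) { this.name = name; }
        // Permission-role assignment is many-to-many: one Permission may be granted to several roles.
        void grant(Permission p) { permissions.add(p); }
        boolean permits(Permission p) { return permissions.contains(p); }
    }

    // User-role assignment is data, not code, so it can be reviewed and changed at runtime.
    private final Map<User, Set<Role>> userRoles = new HashMap<>();

    void assignRole(User u, Role r) { userRoles.computeIfAbsent(u, k -> new HashSet<>()).add(r); }
    void deassignRole(User u, Role r) { Set<Role> rs = userRoles.get(u); if (rs != null) rs.remove(r); }
    Set<Role> assignedRoles(User u) { return Collections.unmodifiableSet(userRoles.getOrDefault(u, Set.of())); }

    // Users acquire permissions only through roles and may use the permissions of all their
    // roles simultaneously, so the check is a union over the assigned roles.
    boolean checkAccess(User u, Permission p) {
        return assignedRoles(u).stream().anyMatch(r -> r.permits(p));
    }

    public static void main(String[] args) {
        FlatRbacDemo rbac = new FlatRbacDemo();
        Permission readCustomers = new Permission("READ", "customers");
        Permission editCustomers = new Permission("UPDATE", "customers");
        Permission viewAsUser = new Permission("IMPERSONATE", "account_profile");
        Role clerk = new Role("clerk"), manager = new Role("manager"), support = new Role("support");
        clerk.grant(readCustomers);
        manager.grant(readCustomers); manager.grant(editCustomers); // readCustomers sits in two roles
        support.grant(viewAsUser);                                  // the "support mode" from the answer
        // After a successful login, the authenticated identity is looked up in the assignment
        // table; the roles come from that table, not from the credential itself.
        User alice = new User("alice");
        rbac.assignRole(alice, clerk);
        rbac.assignRole(alice, manager);   // many-to-many: a second role for the same user
        System.out.println("alice may UPDATE customers: " + rbac.checkAccess(alice, editCustomers));
        rbac.deassignRole(alice, manager); // assignment review: revoke without redeploying
        System.out.println("alice may UPDATE customers: " + rbac.checkAccess(alice, editCustomers));
    }
}
```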
-1

Well, still there are many, many ways to model this. And basically it's not a UML but a design issue. Anyway, here's a possibility:

[image: UML class diagram with User, Role, Application and the association class RoleApplication]

A user has a single Role which is permanently assigned during a login. Of course a user with admin privilege could alter this role to something else. The Role holds a list of assigned Applications where the association class RoleApplication can hold attributes about what the role can do with the application.

Now, how you control that an admin can change rights, and all these pretty things that come along with a security system, is definitely too broad to go into here.

qwerty_so
  • Thank you for your answer. I think I now have a better understanding of how I need to proceed. – Yannick Ziener Nov 20 '18 at 20:54
  • @qwerty_so I updated my answer further, and removed the direct criticism there. The main criticism of this answer is that it doesn't actually implement NIST level 1 RBAC requirements. – xenoterracide Oct 24 '21 at 03:05
  • @xenoterracide No offense taken. I never intended to show that this will implement RBAC. It's just a point to start thinking about it. In practice your implementation will differ anyway. (Just looking at the way many companies handle passwords makes me drop my jaw. So I really don't want to know what their access implementation looks like.) – qwerty_so Oct 24 '21 at 09:03
  • @qwerty_so hah, yeah... as I mentioned I've never actually seen a correct RBAC implementation in the wild, most of them are groups where they call it a *Role*. I would argue your example is amongst those; again, no offense. Access Control is hard ™ – xenoterracide Oct 24 '21 at 22:15