A cyberinfrastructure (CI) is an Internet-based collection of computing services dedicated to providing data storage, computations, and visualizations to a stakeholder ecosystem. A major CI function is to execute workflows on behalf of stakeholders. Each stakeholder will participate in the CI only if the workflows incorporate certain requirements, which may vary from stakeholder to stakeholder. Additionally, because successful CI use by one stakeholder depends on the results of successful use by other stakeholders, a failure of the CI to enforce stakeholder requirements risks the viability of the entire CI. A critical enabler for CIs is the efficient elicitation of stakeholder requirements, called policies, and their accurate and timely enactment. This paper presents a technique that combines UML Activity Diagrams and a Domain Specific Language (DSL) to enable stakeholders to formulate identity- and environment-based access control policies in the context of a workflow. To demonstrate the technique, we recruited exposure biologists as domain experts interested in inserting access control policies into a workflow in the PALMS CI, a health monitoring system currently used at UC San Diego. We found that not only could the experts successfully formulate their policies, but that translation of these policies to the implementation level was quick and accurate. This work extends work in design-level security engineering techniques (UMLsec and SecureUML), Activity Diagram formalisms, and DSLs. In leveraging workflow visualization, efficient policy articulation, and timely enactment, this technique encourages exploration of the requirement space by domain experts.
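As an added illustration of attaching identity- and environment-based access control policies to workflow steps (this is not the paper's DSL nor any PALMS code; the rule syntax, step names and attribute names are assumptions made here), the following Python sketch parses a toy policy language and enforces it, default-deny, as a workflow executes:

```python
# Added example, not the paper's DSL: a hypothetical one-rule-per-line policy
# language, "<step> : allow if <attr> <op> <value> [and ...]", enforced per step.
POLICY_TEXT = """
ingest_gps : allow if role == biologist and network == campus
compute_exposure : allow if role == biologist
visualize : allow if role in {biologist,clinician} and hour >= 8 and hour < 18
"""
OPS = {"==": lambda a, b: a == b, ">=": lambda a, b: a >= b,
       "<": lambda a, b: a < b, "in": lambda a, b: a in b}

def _parse_value(tok):
    if tok.startswith("{") and tok.endswith("}"):      # set literal
        return set(tok[1:-1].split(","))
    return int(tok) if tok.isdigit() else tok

def parse_policy(text):
    """Return {step: [(attr, op, value), ...]}; every condition must hold."""
    rules = {}
    for line in text.strip().splitlines():
        step, rhs = (s.strip() for s in line.split(":", 1))
        if not rhs.startswith("allow if "):
            raise ValueError(f"malformed rule for step {step!r}")
        conds = []
        for clause in rhs[len("allow if "):].split(" and "):
            attr, op, val = clause.split(maxsplit=2)
            if op not in OPS:
                raise ValueError(f"unknown operator {op!r} in step {step!r}")
            conds.append((attr, op, _parse_value(val)))
        rules[step] = conds
    return rules

def is_permitted(rules, step, ctx):
    """Default deny: no rule for the step, or a missing attribute, refuses it."""
    conds = rules.get(step)
    if conds is None:
        return False
    try:
        return all(OPS[op](ctx[attr], val) for attr, op, val in conds)
    except KeyError:           # attribute absent from identity/environment context
        return False

def run_workflow(rules, steps, ctx):
    """Execute steps in order; return (completed, first refused step or None)."""
    done = []
    for step in steps:
        if not is_permitted(rules, step, ctx):
            return done, step
        done.append(step)
    return done, None
```

The context dict stands in for the identity attributes (role) and environment attributes (network, hour) that the policy conditions reference; a rule that cannot be evaluated refuses the step rather than letting it run.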
The authors of these documents have submitted their reports to this technical report series for the purpose of non-commercial dissemination of scientific work. The reports are copyrighted by the authors, and their existence in electronic format does not imply that the authors have relinquished any rights. You may copy a report for scholarly, non-commercial purposes, such as research or instruction, provided that you agree to respect the author's copyright. For information concerning the use of this document for other than research or instructional purposes, contact the authors. Other information concerning this technical report series can be obtained from the Computer Science and Engineering Department at the University of California at San Diego, firstname.lastname@example.org.