Authors: Gonçalo Borrega, Lúcio Ferrão, António Melo, João Costa Seco, Luís Caires
Date: 2012
This prototype was developed within the OutSystems R&D team, under a collaborative project between FCT/DI and OutSystems SA. It follows from the submitted US patent "Systems, methods, and apparatus for model-based security control" and a joint paper describing the theoretical framework [1].
In this work, we designed and implemented an extension of the OutSystems development environment, Service Studio. In this model, access control policies are defined by attaching boolean checks to the capabilities of programming elements. These checks are then used to automatically generate code that dynamically and implicitly checks the appropriate security conditions. The prototype also allows the definition of custom capabilities that encode business-oriented security conditions. For example, the approval condition for a document may be defined as a business-oriented capability, which defines a set of dynamic checking mechanisms that can be explicitly used in the application code. Another core mechanism incorporated in this prototype is the notion of data-role, which extends the standard notion of security role with conditions over the data model (e.g. a document owner is a user for whom one can establish an ownership relation on the underlying model).
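The mechanisms described above, sketched in Python as an added example; this is not the prototype's code or the OutSystems API. The `Document` entity, the `Manager` role, the policy conditions and the `guarded` decorator (standing in for generated checks) are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class User:
    name: str
    roles: frozenset = frozenset()

@dataclass
class Document:
    owner: str
    status: str = "draft"

# Data-role: membership is a condition over the data model, not a static grant.
DATA_ROLES = {"Owner": lambda user, doc: doc.owner == user.name}

def has_role(user, role, doc):
    if role in DATA_ROLES:                 # evaluated against the record
        return DATA_ROLES[role](user, doc)
    return role in user.roles              # ordinary static role

# Policy: one boolean check attached to each capability of the Document entity.
# The conditions themselves are assumed for this example.
POLICY = {
    "read": lambda u, d: has_role(u, "Owner", d) or has_role(u, "Manager", d),
    "write": lambda u, d: has_role(u, "Owner", d) and d.status == "draft",
    # Custom business-oriented capability: approval by a non-owner manager.
    "approve": lambda u, d: (has_role(u, "Manager", d) and d.status == "submitted"
                             and not has_role(u, "Owner", d)),
}

def can(user, capability, doc):
    """Explicit check for application code; unknown capabilities are denied."""
    check = POLICY.get(capability)
    return check is not None and bool(check(user, doc))

def guarded(capability):
    """Stand-in for generated code: runs the check implicitly before the call."""
    def wrap(op):
        def inner(user, doc):
            if not can(user, capability, doc):
                raise PermissionError(f"{user.name} lacks '{capability}'")
            return op(user, doc)
        return inner
    return wrap

@guarded("write")
def submit(user, doc):
    doc.status = "submitted"

@guarded("approve")
def approve(user, doc):
    doc.status = "approved"
```

Because the `Owner` data-role is evaluated per record, the same user can hold `write` on one document and not on another, and a manager who owns a document cannot approve it.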
Note: The actual code for the prototype was included in a branch of the OutSystems development tool, Service Studio, and is not publicly available.
[1] Caires, L., Jorge A. Perez, J. C. Seco, Hugo T. Vieira, and Lúcio Ferrão. "Type-based Access Control in Data-Centric Systems." Programming Languages and Systems, 20th European Symposium on Programming, ESOP 2011. Ed. Gilles Barthe. Lecture Notes in Computer Science. Springer-Verlag, 2011.