A Framework for Secure, Obligated, Coordinated and Dynamic Collaboration that Extends NIST RBAC

Date of Completion

January 2011


Engineering, Computer|Information Technology




Traditional security and access control models focus on preventing access to information and limiting what a user is allowed to do at certain times. But there are emergent applications that require not only the limitation of access to information at certain times, but also need the ability to allow a team of individuals to collaborate towards some common goal or objective. For example, the Patient-Centered Medical Home (PCMH) focuses on having a single provider in charge of care for a patient who coordinates all care with other providers. In this situation, there is need for the definition of security that focuses on promoting collaborative activities which require certain individuals (medical providers, patients, care givers, family members, etc.) to interact and coordinate their activities in a process over time. This dissertation presents a formal and integrated collaboration on duty and adaptive workflow (COD/AWF) model that considers security, obligated, team-based and dynamic collaboration by extending the National Institute of Technology (NIST) Role-Based Access Control (RBAC). The proposed model is then transitioned to the unified modeling language (UML) to facilitate a secure software engineering process that combines both existing and new UML diagrams to realize the model at a design level. This involves leveraging UML's meta model to allow existing diagrams to be modified and new ones that support COD/AWF to be defined. Given the COD/AWF model as realized as a set of UML diagrams, it is then possible to map the visual notation for COD/AWF policies to a machine readable representation using the Java programming language using annotations. Next, we utilize Java's meta-programming capability in order to enforce the COD/AWF policies. The contributions of the dissertation are in the areas of security and access control models, secure software engineering, and security enforcement code generation. ^