Computing Reviews
Model driven security: from UML models to access control infrastructures
Basin D., Doser J., Lodderstedt T. ACM Transactions on Software Engineering and Methodology 15(1): 39-91, 2006. Type: Article
Date Reviewed: Jul 5 2006

Are you tired of the lengthy encoding of your access control policies in your favorite realization technology? If so, the work presented in this paper may be very interesting to you. The authors demonstrate the benefits of the model-driven development approach for access control policies: users specify only six roles and 60 permissions in the security model instead of 5,000 lines of Extensible Markup Language (XML) code (plus an additional 2,000 lines of Java code if you use Enterprise JavaBeans (EJBs)). In addition, the specification is platform independent, and thus can be mapped to either an EJB or a C# environment.

The authors present a generic concept for systematically extending modeling languages that provides a Unified Modeling Language (UML)-compatible meta-model, a UML-compatible concrete syntax, and an explicit notion of users to enable the modeling of access control policies. The required integration at the meta-model, concrete syntax, and semantics levels is outlined for a simple modeling language. The authors describe how the specified access control policy model can, in a subsequent step, be used to generate platform-specific output for targets such as EJB or C#: the configuration data that realizes the most basic access constraints, as well as additional code fragments that check, at the entrance of methods, whether access should be granted.

Reviewer:  Holger Giese Review #: CR133023 (0705-0474)
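The generation step the review describes, as an added example that is not code from the paper or the review: a compact role/permission model is expanded into the `<assembly-descriptor>` section of an EJB deployment descriptor. The `Meeting` entity, its methods, the roles and the choice to put uncovered methods in `<exclude-list>` are assumptions made for this sketch.

```python
import xml.etree.ElementTree as ET

# Constructed sample model: entity -> action -> bean methods it covers.
ENTITY_ACTIONS = {"Meeting": {"read": ["getStart", "getOwner"],
                              "update": ["setStart", "setOwner"],
                              "delete": ["remove"]}}
# Constructed permissions as (role, entity, action) triples.
PERMISSIONS = [("User", "Meeting", "read"),
               ("Supervisor", "Meeting", "read"),
               ("Supervisor", "Meeting", "update")]

def _add_method(parent, ejb_name, method_name):
    method = ET.SubElement(parent, "method")
    ET.SubElement(method, "ejb-name").text = ejb_name
    ET.SubElement(method, "method-name").text = method_name

def generate_descriptor(entity_actions, permissions):
    """Expand the compact model into an <assembly-descriptor> element."""
    root = ET.Element("assembly-descriptor")
    roles = sorted({role for role, _, _ in permissions})
    for role in roles:
        ET.SubElement(ET.SubElement(root, "security-role"), "role-name").text = role
    granted = set()
    for role in roles:
        block = ET.SubElement(root, "method-permission")
        ET.SubElement(block, "role-name").text = role
        for perm_role, entity, action in permissions:
            if perm_role != role:
                continue
            # An unknown entity or action raises KeyError: a typo in the
            # model stops generation rather than silently granting nothing.
            for name in entity_actions[entity][action]:
                _add_method(block, entity, name)
                granted.add((entity, name))
    # Assumption of this example: methods no permission covers are denied
    # explicitly via <exclude-list> instead of left to container defaults.
    denied = sorted((entity, name)
                    for entity, actions in entity_actions.items()
                    for names in actions.values() for name in names
                    if (entity, name) not in granted)
    if denied:
        excluded = ET.SubElement(root, "exclude-list")
        for entity, name in denied:
            _add_method(excluded, entity, name)
    return root

if __name__ == "__main__":
    descriptor = generate_descriptor(ENTITY_ACTIONS, PERMISSIONS)
    ET.indent(descriptor)  # pretty-printing needs Python 3.9+
    print(ET.tostring(descriptor, encoding="unicode"))
```

Three permission triples expand to six `<method>` grants plus one explicit denial, which is the kind of fan-out that makes hand-written descriptors hard to review.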
Languages (D.2.1 ... )
Object-Oriented Design Methods (D.2.2 ... )
Tools (D.2.1 ... )
Design Tools and Techniques (D.2.2 )
Requirements/ Specifications (D.2.1 )
Security and Protection (K.6.5 )
Reproduction in whole or in part without permission is prohibited.   Copyright 1999-2024 ThinkLoud®