A domain-specific language for the specification of UCON policies

Security policies constrain the behavior of all users of an information system. In any non-trivial system, these security policies go beyond simple access control rules and must cover more complex and dynamic scenarios while providing, at the same time, a fine-grained level decision-making ability....

Bibliographic details
Published in: Journal of information security and applications 2022-02, Vol.64, p.103006, Article 103006
Main authors: Reina Quintero, Antonia M., Pérez, Salvador Martínez, Varela-Vaca, Ángel Jesús, López, María Teresa Gómez, Cabot, Jordi
Format: Article
Language: eng
Description
Summary: Security policies constrain the behavior of all users of an information system. In any non-trivial system, these security policies go beyond simple access control rules and must cover more complex and dynamic scenarios while providing, at the same time, a fine-grained level decision-making ability. The Usage Control model (UCON) was created for this purpose but so far integration of UCON in mainstream software engineering processes has been very limited, hampering its usefulness and popularity among the software and information systems communities. In this sense, this paper proposes a Domain-Specific Language to facilitate the modeling of UCON policies and their integration in (model-based) development processes. Together with the language, an exploratory approach for policy evaluation and enforcement of the modeled policies via model transformations has been introduced. These contributions have been defined on top of the Eclipse Modeling Framework, the de-facto standard MDE (Model-Driven Engineering) framework making them freely available and ready-to-use for any software designer interested in using UCON for the definition of security policies in their new development projects.
• A domain-specific language for UCON policies is defined.
• The domain-specific language is validated with a complex, running example.
• Policy evaluation and enforcement are introduced by means of a model transformation framework.
ISSN:2214-2126
DOI:10.1016/j.jisa.2021.103006