Supporting Authorization Policy Modification in Agile Development of Web Applications

Abstract

Web applications are increasingly developed in Agile development processes. Business-centric Web applications need complex authorization policies to securely implement business processes. As part of the Agile process, integrating domain experts into the development of RBAC authorization policies improves the policies, but remains difficult. For policy modifications, high numbers of options need to be considered. To ease the management task and integrate domain experts, we propose an algorithm and prototype tool. The AI-based change-support algorithm helps to find the suitable modification actions according to desired changes that are given in policy test cases. We also present a prototype GUI for domain experts to employ the algorithm and report on early results of non-security experts using the tool in a real-world business Web application.