An OrBAC security policy editor

Abstract policy creation

creating a new policy

When creating a new OrBAC policy, the user can choose from available implementations. The API version bundled with MotOrBAC contains two implementations

Abstract policy editing

editing a policy

Specifying an OrBAC policy consists of defining an organization hierarchy as well as role, activity and view hierarchies. Contexts can then be added and used in the specification of security rules. You can see the organization and role hierarchies on the image.

Contexts specification

specifying contexts

Several languages are available to express contextual conditions. On this screenshot you can see in the dialog box a Prova context, expressed using an implementation of Prolog. In the main MotOrBAC GUI you can see a BeanShell context.

Abstract rules specification

specifying abstract rules

Abstract rules specification. Seven permissions are displayed. Because the violation context column is irrelevant for permissions, no context is displayed in it. You can also see the prohibition and obligation tabs.

Conflicts management

conflicts detection

MotOrBAC can display abstract and concrete conflicts. On the image above you can see the abstract conflicts detected in an abstract policy. The different colors show pairs of conflicting rules. The contextual menu shown contains solutions proposed to the policy designer to solve a conflict.

Entity definitions

entity definition

Entity definitions can be used to define constraints that the policy must satisfy. Several languages can be used to express those definitions. For example, a role definition is shown on this image. The constraint states that a subject can only be assigned to the "extern" role in the "rennes_hospital" organization if he/she has an attribute called "internat" whose value should be "obtenu".

Concrete policy simulation

concrete policy simulation

In the OrBAC model, a concrete policy which applies to the subjects, actions and objects of a system is derived from an abstract policy specified at the organizational level. MotOrBAC can show the concrete policy inferred from an abstract policy and, for each concrete rule, show its activation state.
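The derivation described above, as an added Python sketch that is not MotOrBAC or OrBAC API code: abstract permissions are joined with the OrBAC model's empower, consider and use assignments to produce concrete rules with an activation state. All data is constructed except "rennes_hospital", "extern", "internat" and "obtenu"; the context evaluator is hypothetical and simplified to depend only on a system state, and an assignment that violates the role definition is assumed to be ignored.

```python
from itertools import product

ORG = "rennes_hospital"

# Abstract policy (constructed): (organization, role, activity, view, context)
ABSTRACT_PERMISSIONS = [
    (ORG, "extern", "consult", "medical_record", "working_hours"),
]

# Concrete-to-abstract assignments (constructed sample data)
SUBJECT_ATTRS = {"alice": {"internat": "obtenu"}, "bob": {}}
EMPOWER = [(ORG, "alice", "extern"), (ORG, "bob", "extern")]  # subject -> role
CONSIDER = [(ORG, "read", "consult")]                          # action -> activity
USE = [(ORG, "rec42.xml", "medical_record")]                   # object -> view


def role_definition_ok(org, subject, role):
    """Role definition from the page: 'extern' requires internat == 'obtenu'."""
    if (org, role) == (ORG, "extern"):
        return SUBJECT_ATTRS.get(subject, {}).get("internat") == "obtenu"
    return True


def context_holds(context, state):
    """Hypothetical evaluator; MotOrBAC expresses contexts in Prova or BeanShell."""
    if context == "working_hours":
        return 8 <= state["hour"] < 18
    return context == "default"


def derive_concrete(state):
    """Map each inferred (subject, action, object) permission to its activation state."""
    rules = {}
    for org, role, activity, view, ctx in ABSTRACT_PERMISSIONS:
        subjects = [s for o, s, r in EMPOWER
                    if (o, r) == (org, role) and role_definition_ok(o, s, r)]
        actions = [a for o, a, act in CONSIDER if (o, act) == (org, activity)]
        objects = [ob for o, ob, v in USE if (o, v) == (org, view)]
        active = context_holds(ctx, state)
        for triple in product(subjects, actions, objects):
            # A concrete rule is active if any abstract rule deriving it is active.
            rules[triple] = rules.get(triple, False) or active
    return rules


if __name__ == "__main__":
    for hour in (10, 22):
        print(hour, derive_concrete({"hour": hour}))
```
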



The OrBAC API can manage plug-ins. MotOrBAC uses this plug-in architecture to provide a means of extending MotOrBAC. The above screenshot shows the plug-in selection dialog box.

Last updated March 23rd 2017