νActionGUI

Data Model

The data model defines the state space of the application. One can think of it as defining the classes and attributes in an object-oriented programming language like Java or C++.

The νActionGUI language for modeling application domains is a textual language, which provides a subset of the ComponentUML metamodel, which is in turn a subset of the UML class diagram. In particular, the main modeling elements of the νActionGUI data model language are:

• Entities: They model the data in the application domain. They are declared with the entity keyword. Attributes, association-ends, and methods are declared within the entity's declaration, enclosed in brackets.
• Attributes: They model the properties of the entities. They are always declared with their type. Types can be Boolean, Integer, String, another entity, an enumerated type, or a Set/Bag of these types.
• Association-ends: They model the associations between entities. They are declared with their type and the name of their opposite association-end (using oppositeTo). Multiplicity can be 0..* or 0..1.
• Enumerated types: They model lists of values of a certain type. They are declared with the enum keyword. Values are listed within the declaration, enclosed in brackets.
• Methods: They model the possible behavior of entities. There are two types of methods:
  • methods that represent potential entrypoints of the application (i.e., methods that can handle an HTTP request). This has a special keyword @entry as prefix.
  • methods that are invoked within the application.

Grammar

grammar DataModel;

dataModel: (components)+;

components: component (components)?;

component:  
      entity  # EntityComponent
    | enumm   # EnumComponent
;

entity: 'entity' TypeName '{' (entityBody)? '}'; 

entityBody: property entityBody?;

property: 
    propertyType propertyName                                             # Attribute
| propertyType propertyName ('oppositeTo' propertyName | 'in' TypeName) # End
| ('@entry')? (retType = propertyType)? propertyName 
    '(' (argTypes += propertyType argName += propertyName 
        (','  argTypes += propertyType argName += propertyName)* )? ')' # Method
;

propertyType: collectionType | basicType;

collectionType: collectionTypeName '(' propertyType ')';

basicType: primitiveTypeName | TypeName; 

enumm: 'enum' TypeName '{' enumBody '}';

enumBody: (EnumLiteral | TypeName) enumBody?;

TypeName: [A-Z][a-z_0-9]*;

EnumLiteral: [A-Z][A-Z_0-9]*;

propertyName: ID;

collectionTypeName:
    'Bag'           
|   'OrderedSet'    
|   'Sequence'      
|   'Set'           
;

primitiveTypeName:
    'String'            
|   'Integer'           
|   'Real'              
|   'Boolean'           
;

ID: [a-zA-Z_][a-zA-Z_0-9]*;
WS: [ \t\n\r]+ -> skip;
COMMENT: '//' ~[\r\n]* -> skip;

Example

entity Person {
    String name
    String email
    Role role
    Set(Post) posts oppositeTo author
    @entry getFeeds()
    recommendedPosts()
}

entity Post {
    String title
    String content
    Person author oppositeTo posts
}

enum Role {
    ADMIN
    EDITOR
    VIEWER
}

Security Model

A security model defines the application’s authorization policy in terms of allowed actions on the resources provided by the data model. The νActionGUI language for modeling the application’s security is a textual language that provides the following elements:

• User entity: Represents the type of instances that interact with the application. In the security model, at most one entity from the defined data model is assigned as the user class.
• Roles: Named in all-caps, they model a job or function within the system. Each role groups all the permissions needed to fulfill the respective function. Users of the system can have one of the roles. Roles are declared with the keyword Role followed by the role’s name and its permissions. At most one permission per entity from the underlying data model may be declared.
• Permissions: Each permission represents the authorization to execute an operation on some of the objects in the system. Permissions are grouped by the entities from the data model. They are of the form action(subresource) [constraint] where subresource can be the attribute or association end of the entity whose permission is grouped under, and constraint is an Object Constraint Language (OCL) formula. If the subresource is omitted, the action is a composite action that applies to all subresources. If the constraint is omitted, it is assumed to be the true OCL expression.
• Role modifiers:
  • anonymous before a role name declares that this is the role of unauthenticated users.
  • default before a role name declares that this is the role a user gets once they register to the application.
  • extends followed by an existing role after a role name specifies role inheritance.

Grammar

grammar SecurityModel;
import OclExpression;

securityModel: userClass (roles)+;

userClass: 'USER' ResourceName;

roles: (srole | role) (roles)?;

srole: ('default' | 'anonymous') role;

role: 'Role' RoleName ('extends' RoleName)? '{' (resources | permissions)? '}';

resources: resource (resources)?;

resource: ResourceName '{' (permissions)? '}';

permissions: 
    actions (permissions)?              #ActionUnconstrained
|   actions constraint (permissions)?   #ActionConstrained
;

actions: action (',' actions)?;

action: 
    ActionType                          #ActionResource
|   ActionType ('(' attributeName ')')  #ActionAttribute
;

constraint: '[' oclExp ']';

RoleName: [A-Z][A-Z_0-9]+;

ActionType: 
    'fullAccess'
|   'create'
|   'delete'
|   'read'
|   'update'
|   'add'
|   'remove'
|   'execute'
;

ResourceName: [A-Z][a-z_0-9]*;

attributeName: ID;

ID: [a-zA-Z_][a-zA-Z_0-9]*;
WS: [ \t\n\r]+ -> skip;

Example

USER Person

anonymous Role VIEWER {
    Person {
        read
    }
    Post {
        read
    }
}

default Role EDITOR extends VIEWER {
    Person {
        update(name) [self = caller]
    }
    Post {
        create
        read
        update(title) [self.author = caller]
        update(content) [self.author = caller]
        delete [self.author = caller]
    }
}

Role ADMIN extends EDITOR {
    Person {
        create
        update(role)
        delete
    }
    Post {
        fullAccess
    }
}

Privacy Model

A privacy model identifies an application’s personal data and purposes. It declares the purposes for which personal data will be used and under what conditions, and associates data model methods with purposes. νActionGUI performs purpose-based access control based on the privacy model: any action performed on personal data within a method is checked by comparing the method’s (actual) purpose to the data’s (declared) purpose, and by considering the data owner’s consent for the declared purposes.

The privacy model contains the following elements:

• Personal data: Subresources of the data model that are considered to store personal user data. Declared using the Resource.subresource syntax.
• Purposes: Used in the application, named in all-caps. A purpose declared on its own is a simple purpose. A purpose followed by the includes keyword and a list of purposes is a complex purpose.
• Actual purposes: Declare a mapping from methods in the data model to purposes using the syntax Resource.method purpose.
• Declared purposes: Specify the purposes for which each personal data is used and under what condition, using the syntax Resource.subresource purpose [constraint] <description>, where constraint is an OCL formula and description is a string describing it. Both can be omitted (defaulting to true and an empty string).

Grammar

grammar PrivacyModel;
import OclExpression;

privacyModel: personaldata purposes apurposes dpurposes;

personaldata: 'Personal data' '{' resources? '}';

resources: ResourceName ('.' ms+=methodName)? (',' resources)?;

purposes: 'Purposes' '{' purpose? '}';

purpose: 
    PurposeName (',' purpose)?                               #SimplePurpose
|   PurposeName 'includes' (pss += PurposeName)+ (',' purpose)?   #ComplexPurpose
;

apurposes: 'Actual purposes' '{' apurpose? '}';

apurpose: ('main' PurposeName | ResourceName '.' methodName PurposeName) (',' apurpose)?;

dpurposes: 'Declared purposes' '{' dpurpose? '}';

dpurpose: rs+=ResourceName ('.' ms+=methodName)? (',' rs+=ResourceName ('.' ms+=methodName)?)* (constraint desc)? PurposeName (',' dpurpose)?;

PurposeName: [A-Z][A-Z_0-9]+;

ResourceName: [A-Z][a-z_0-9]*;

methodName: ID;

constraint: '[' oclExp ']';

desc: '<' (words+=ID)+ '>';

ID: [a-zA-Z_][a-zA-Z_0-9]*;
WS: [ \t\n\r]+ -> skip;

Example

Personal data {
    Person.name,
    Person.email
}

Purposes {
    MARKETING,
    DISPLAY,
    ANY includes MARKETING DISPLAY
}

Actual purposes {
    Person.getFeeds DISPLAY,
    Person.recommendedPosts MARKETING
}

Declared purposes {
    Person.name, Person.email DISPLAY,
    Person.name MARKETING [self.posts.size() > 0] <has at least one post>,
    Person.email MARKETING
}