Computer Standards & Interfaces 30 (2008) 341–350

Contents lists available at ScienceDirect

Computer Standards & Interfaces

j ourna l homepage: www.e lsev ie r.com/ locate /cs i

Building a secure star schema in data warehouses by an extension of the relationalpackage from CWM

Emilio Soler a,⁎, Juan Trujillo b, Eduardo Fernández-Medina c, Mario Piattini c

a Department of Computer Science, University of Matanzas, Autopista de Varadero km 3, Matanzas, Cubab Department of Software and Computing Systems, University of Alicante, C/San Vicente S/N 03690 Alicante, Spainc ALARCOS Research Group, Information Systems and Technologies Department, UCLM-Soluziona Research and Development Institute, University of Castilla-La Mancha,Paseo de la Universidad 4, 13071 Ciudad Real, Spain

a r t i c l e i n f o

⁎ Corresponding author.E-mail addresses: emilio.soler@umcc.cu (E. Soler), jt

eduardo.fdezmedina@uclm.es (E. Fernández-Medina), m(M. Piattini).

0920-5489/$ – see front matter © 2008 Elsevier B.V. Aldoi:10.1016/j.csi.2008.03.002

a b s t r a c t

Available online 10 March 2008

Data Warehouses (DWs) are widely accepted as the core of current decision support systems. Therefore, it isvital to incorporate security requirements from the early stages of the DWs projects and enforce them in thefurther design phases. Very few approaches specify security and audit measures in the conceptual modeling ofDWs. Furthermore, these security measures are specified in the final implementation on top of commercialsystems as there is not a standard relational representation of security measures for DWs (i.e. the well-knownstar schema does not allow us to specify security and audit measures on its multidimensional representationof data; instead, they must be specified on top of the implemented relational tables). On the other hand, theCommon Warehouse Metamodel (CWM) has been accepted as the standard for the exchange and theinteroperability of metadata. Nevertheless, it does not allow us to specify security measures for DWs. In thispaper, we make use of the own extension mechanisms provided by the CWM to extend the relational packagein order to build a star schema that represents the security and audit rules captured during the conceptualmodeling phase of DWs. Finally, in order to show the benefits of our extension, we apply it to a case studyrelated to the management of the pharmacy consortium business.

© 2008 Elsevier B.V. All rights reserved.

Keywords:SecurityStar schemeCWMData Warehouses

1. Introduction

Data Warehouses (DWs) play a central role in current decisionsupport systems because they provide crucial business informationthrough which to improve strategic decision-making processes [8].Organizations have begun to adopt more and more computerizedinformation systems, which rely upon databases and DWs that requiremore security, because the very survival of the organization dependson the appropriate manipulation, security and confidentiality ofinformation [4]. On the other hand, it is widely accepted that thedesign of DWs is based on multidimensional (MD) modeling whichstructures the information into facts and dimensions.

As for traditional databases, we follow the three design phasesproposed by ANSI/SPARC [2] in the design of data warehouses fromuser requirements to the final implementation, i.e. the business(requirement analysis), conceptual, logical and physical levels.

Following this procedure, we align the design of DWs with theModel Driven Architecture (MDA) [21]. MDA allows us to achieve theportability and interoperability of software systems by means of

rujillo@dlsi.ua.es (J. Trujillo),ario.piattini@uclm.es

l rights reserved.

transformations between models. To help us with these transforma-tions, the Query/View/Transformation (QVT) Language [22] is pro-posed in order to allow us to accomplish automatic transformationsbetween models. MDA proposes several models at different levels:Computation Independent Model (CIM), Platform Independent Model(PIM), Platform Specific Model (PSM) and Code. In our context, theCIM correspondswith thework [15], which is based on an extension ofthe i⁎ framework considered [36]. The proposal will be extended toconsider security at the business level (see 7: Future work section).The PIM corresponds with an extension of the Unified ModelingLanguage (UML) profile [11] presented in [34] which allows us toconsider the main properties of secure MDmodeling at this stage. ThePSM corresponds with our extension of the Common WarehouseMetamodel (CWM) at the logical level and the Code with implemen-tation at the physical level, i.e. with a Database Management System(DBMS). Fig. 1 shows the relationship between MDA and the DWslifecycle in detail. In this paper, we focus on the logical level. It is out ofthe scope of this paper to consider the business and physical levels.See, the 7: Future work section.

As we will describe in the related work section, security has hardlybeen contemplated in literature. Normally in DWs projects, securityaspects are implemented in the final stages of the design. However,information security is a serious requirement which must be givencareful thought, not as an isolated aspect, but as an element which is

Fig. 1. Aligning the design of DWs with MDA.

342 E. Soler et al. / Computer Standards & Interfaces 30 (2008) 341–350

in all development lifecycle stages, from requirement analysis toimplementation and maintenance [3].

The works [6,7,34] extend the proposal presented in [11] toincorporate security aspects to the DWs design at the conceptual level.In order to align our architecture with MDAwe need to build a securePSM that allows us to represent security and auditing aspects. On theother hand, MDA does not provide security specific modeling facilitiesand its general modeling facilities fail to satisfy one or more of thesecurity protocol modeling aspects [16].

The previous work presented in [14] employs MDA for DWsdevelopment, choosing the relational metamodel from CWM [19]. Therelational package of CWM enables mediated interchange betweenrelational databases from the majority of relational commercialsystems [26]. CWM also offers the On-Line Analytical Processing(OLAP) package for the essential OLAP concepts common to mostOLAP systems. However, the OLAP package is a general metamodelwith which to exchange metadata information, and therefore, it onlyconsiders general aspects of multidimensional modeling. Thus, we donot consider it to be appropriate for the conceptual modeling ofcomplex and real case DWs. For the conceptual modeling phase, wehave based our proposal on UML [11], which offers a greater level ofexpressiveness of MD modeling at the conceptual level. The CWMoffers facilities through which to access and exchange datawarehousemetadata. However, security and audit measures cannot be modeledin the CWM because it does not provide the modeling constructorsthrough which to represent data security related to issues such asaccess rights, users or roles [18]. Most data access control approachesare based on the proprietary metadata structures of specific softwareproducts [25]. Thus, integrating security related to metadata into theCWM improves the security support and facilitates the establishmentof a standardized access control mechanism for data warehouses [18].According to the MDA we do not need the metadata of a DBMS; weneed a metamodel that allows us to represent security and auditmeasures at the logical level, i.e., a PSMwhich in our case correspondswith a relational platform. In order to achieve this goal we haveextended the relational package from the CWM.

Hence, in this paper we present an extension of the relationalmetamodel from CWM by using its own extension mechanisms. Byusing QVT, we automatically transform all the security and auditmeasures captured from the conceptual modeling phase of the DWsdesign at the logical level. Our main contribution is that the proposedextension allows us to represent all the requirements of security andaudit captured during the conceptual modeling phase at the logicallevel.

The remainder of this paper is structured as follows. The worksrelated to our proposal are discussed in Section 2. Secure MDmodeling is introduced in Section 3. Section 4 shows an overview ofthe CWM. Section 5 presents our extension of the relationalmetamodel from CWM. Then, in Section 6, we develop a case studyin order to build a secure star scheme using our extension in the

design of secure DWs. Finally, Section 7 draws the main conclusionsand outlines our immediate future work.

2. Related work

Relevant literature on this subject comprises several initiatives toinclude security in the DW design. In [9] the authors describe aprototype model for DWs security based on metadata, which enablesthe definition of views of data for each group of users. However, thisdoes not permit the specification of complex restrictions of con-fidentiality. Rosenthal and Sciore [27] extend SQL grants and create amechanism of inferences through which to establish security. Anotherattempt is the architecture for both Federated Information Systems(FIS) and DWs that preserve MultiLevel security integration betweenFIS and DWs [28]. These approaches [9,27,28] are attractive but onlyfocus on practical issues such as acquisition, storage and access controlon the OLAP side. None of them examine the representation ofsecurity at both a conceptual and a logical stage.

On the other hand, there are more elaborate initiatives thatpropose authorization models for the design of DWs. For instance, in[10], the authors propose a security concept for OLAP, which is a rolebased security model for data warehouses. Priebe and Pernul [25]propose a security design methodology similar to that of the classicaldatabase design (requirement analysis, conceptual, logical, andphysical design) which covers requirements and concrete implemen-tations in commercial systems. The same authors extend the ADAPTedUML model for the previous conceptual phase [24], specifying amethodology and a MD security constraint language for theconceptual modeling of OLAP security. In [5], the authors show thataccess privileges for DWs and OLAP can be expressed more intuitivelythan by using SQLs grant statements. Their access control modelfocuses specifically on expressiveness and usability. These proposals[10,25,24] offer security models at the conceptual level by means ofsecurity constraints, but basically deal with OLAP operations. Theseproposals [25,24] are one of the best references in this area. As asummary, these works implement the security rules considered intheir conceptual approach to commercial database systems. On theother hand, we base our approach on the works of [6,7,34] in whichthe authors call for the design of the security rules at all stages of theDWs design, from requirement analysis to final implementation.Therefore, in this paper, we formally extend the CWM in order to allowus to automatically transform the security rules considered at theconceptual level in the logical representation of the DW.

Some proposals related to the access and preservation of theconfidential information in the analysis at the data cube level haverecently appeared. In [35] the authors proposed a method forprotecting sensitive data in OLAP cubes from unauthorized accessand malicious inferences of sensitive values. Other proposals forpreserving data privacy and range queries in data cubes in DWs arethe zero-sum and the cubic-wise balance methods (respectively)

343E. Soler et al. / Computer Standards & Interfaces 30 (2008) 341–350

which can be found in [12,32]. Theseworks ascertain that security in DWsis of ever-increasing interest, especially in areas where data are sold inpieces to third parties for data-mining practices. None of these proposalsattempt to define security in all of the DWs development stages.

Numerous proposals exist that extend CWM with differentobjectives for: the modeling of logical object-orientated relationaldata storage and the corresponding Extract, Transform and Load (ETL)processes [13], a universal data-mining library that implements data-mining methods and algorithms [33], recording the trace informationof metadata evolution and maintaining consistency during metaclassevolution [37], representing and integrating the metadata generatedby data and metadata lineage implementation [29], providing qualityinformation to DW client tools [1], and the construction of aconceptual model for data quality and cleaning, both of which areapplicable to the operational and data warehousing context. However,none of the aforementioned proposals extend the relational meta-model from CWM with security aspects. Only the work presented in[31] shows how the CWMmight be adequate for representing securityissues for DWs at the logical level. In this paper the CWM is notformally extended through formal extension mechanisms.

3. Secure Multidimensional Modeling

The main properties of multidimensional modeling are repre-sented by a UML profile [11], which is based on Object-Orientated(OO) conceptual modeling. In [7], the aforementioned profile is reusedin order to be able to design an MD conceptual model. The profileallows us to classify both information and users in order to representthe main security aspects in the conceptual modeling of DWs.Therefore, we can classify the security information that will be usedin our conceptual modeling of data warehouses. Security informationis defined for each element of the model (Fact, Dimension,FactAttribute, etc.), specifying a sequence of security levels, a set ofuser compartments and user roles. Security constraint is considered tospecify security in attributes and classes. The security information andthese constraints indicate the security properties that users have to beable to access in order to access information. The description of theprofile is represented as a UML package [34].

The main feature of the Secure Multidimensional Modeling (SMDmodeling) considered are the many-to-many relationships betweenfacts and one specific dimension, degenerated dimensions, multiple

Fig. 2. An example of MD modeling

classification and alternative path hierarchies, and the non-strict andcomplete hierarchies. In this approach, the structural properties of MDmodeling are represented by means of a UML class diagram in whichthe information is clearly organized into Fact and Dimension. Thesefacts and dimensions are represented by SFact and SDimension classesrespectively, in which S is an abbreviation for secure.

SFact classes are defined as composite classes in shared aggrega-tion relationships of SDimension classes. The minimum cardinality inthe role of the SDimension classes is 1 to indicate that every fact mustalways be related to all the dimensions. The many-to-many relation-ships between a SFact and a specific SDimension are established bymeans of the cardinality 1…⁎ in the role of the correspondingdimension class. A SFact is composed of measures or SFactAttributes.By default, all measures in the SFact class are considered to beadditive. For non-additive measures, additive rules are defined asconstraints and are included in the SFact class. Furthermore, derivedmeasures can also be explicitly represented (indicated by /) and theirderivation rules are placed between braces near the fact class.

With respect to SDimensions, each level of a classificationhierarchy is specified by a SBase class. An association of SBase classesspecifies the relationship between two levels of a classificationhierarchy. The only prerequisite is that these classes must define aDirected Acyclic Graph (DAG) rooted in the SDimension class (DAGrestriction is defined in the stereotype SDimension). The DAGstructure can represent both multiple and alternative path hierar-chies. Every SBase class must also contain an identifying SAttributeOID (SOID) and a SDescriptor attribute (SD). All constraints (AuditRule,AuthorizationRule and SecurityRule) aremodeled by using UML notes.The class called UserProfile will contain information about all userswho are entitled to access the multidimensional model.

Fig. 2 shows an example of the MD modeling of a hotel. Bookingrepresents a Fact (customers that book a room). This Fact containsseveral measures (FactAttributes) to be analyzed (Price, Quantity,Discount, and Total). Furthermore, we specify an invoice number(invoiceN) as a Degenerate dimension. On the other hand, we alsoconsider the following dimensions as contexts through which toanalyze measures: Customer, Check in date (i.e. the date when thecustomer checks in), Check out date (i.e. the date when the customerchecks out), and Room. Customer dimension, with the following basesor hierarchy levels: Customer data, City, and Country. Each of theselevels may have a Descriptor or Dimension attributes.

without considering security.

344 E. Soler et al. / Computer Standards & Interfaces 30 (2008) 341–350

In the following section,wepresent a general descriptionof theCWM,emphasizing its structure and the different extension mechanisms.

4. An overview of the CWM

Themainpurpose of the CWM[19] is to enable the easy interchangeof warehouse and business intelligence metadata betweenwarehousetools, warehouse platforms and warehouse metadata repositories indistributed heterogeneous environments. CWM is based on three keyindustry standards:

– UML (Unified Modeling Language), an OMG standard specifica-tion language for object modeling.–MOF (Meta Object Facility), an OMGmetamodeling andmetadatarepository standard.– XMI (XMLMetadata Interchange), an OMGmetadata interchangestandard.

The UML standard defines a rich, object-orientated modelinglanguage that is supported by a range of graphical design tools. TheMOF standard defines an extensible framework for defining modelsfor metadata, and providing tools with programmatic interfaces withwhich to store and access metadata in a repository. The XMI standardallowsmetadata to be interchanged as streams or files with a standardformat based on XML. CWM has been designed to conform to the“MOF model”. It belongs to the M2 layer metamodel, and we refer thereader to [19,23,26] for further details on the different metamodellayers of the CWM.

4.1. Organization of the CWM

In [17] the authors showed the organization of CWM in detail.CWM is organized into 21 separate packages which are grouped intofive stackable layers by means of similar roles. See Fig. 3.

From the organization represented in Fig. 3, we will mainly focusour work on the Resource layer and, more precisely, on the relationalpackage as a relational metamodel that describes the correspondingmetadata of the relational data resources. The Resource layerdescribes the structure of data resources that act as either sourcesor targets of a CWM mediated interchange. The relational packagedescribes data which are accessible through a relational interfacesuch as a native Relational Database Management System (RDBMS),Object Database Connectivity (ODBC), or Java Database Connectivity(JDBC).

The relational package depends on the following:

– org.omg::OMG::ObjectModel::Behavioral– org.omg::OMG::ObjectModel::Core– org.omg::OMG::ObjectModel::Instance– org.omg::OMG::Foundation::DataTypes– org.omg::OMG::Foundation::KeysIndexes

The relational package, as do the other data packages, defines toplevel containers (Catalog, Schema), that extend the ObjectModelPackage class. Schema is a collection of tables. A ColumnSet

Fig. 3. CWM metamodel lay

represents any form of relational data. A Table is a cataloged versionof a ColumnSet, which contains Columns. A ForeignKey associatescolumns from one table with columns from another table. ThePrimaryKey class inherits from the UniqueConstraint. The Primary-Key and ForeignKey metaclasses are owned by the Table metaclass[19].

4.2. CWM extensibility mechanism

CWM provides extension mechanisms with which to build specificmetamodels. According to [20], there are two general techniquesthrough which to extend CWM:

– Use of the general extension mechanisms provided by the UMLObject Model, by means of tagged values and stereotypes. Thisapproach is usually used forminor extensions (for example additionalattributes to objects model) that are not significant enough to requirethe creation of a specific model.– Non-normative model extensions or modeled extensions (some-times called subclass or modeled extensions [26]) documented asadditional metamodel packages that extend the CWMmetamodel.This proposal is used for more complex extensions, and the CWMitself is built by following this extension type.

An additional extension technique is available to the CWMdeveloper-XMI extension [23]. However, using XMI extensionsmight be best left as a technique intended for professional program-mers who are interested in building tool-specific CWM interchangedefinitions. To represent security aspects at the logical level we needto introduce new classes and associations, hence, the non-normativeextension is the preferred mechanism, because it is not a simpleextension [26].

In the following section, we use the non-normative extensionmechanism to extend the relational package, in order to representsecurity and audit rules at the logical level.

5. The SECRDW extension

The extension of the relational package from CWM defines newclasses which will permit the representation of all the security andaudit requirements captured during the conceptual modeling phase ofDWs design at the logical level. This extension will be called theSECure Relational Data Warehouses (SECRDW) metamodel, whichdepends on the following packages: Relational, Core and Data Types.

5.1. Inheritance

In Fig. 4 the new classes that conform to the SECRDW package areshown in grey, whereas classes from the CWM metamodel remainin white. The SSchema (SCatalog) classes specialize in the schema(catalog) classes to allow a secure schema (catalog). STable and theUserProfile specializes in the Tablemetaclass. The SColumn specializesin the Column metaclass. The UserProfile table is a special tablethat stores information about users who have access to the systems,

ering and its packages.

Fig. 4. SECRDW Package Inheritance.

345E. Soler et al. / Computer Standards & Interfaces 30 (2008) 341–350

and these rights are specified by SecurityProperty (securityLevel,securityCompartment and securityRole). STable and SColumn haveassociated security information by means of SecurityProperty (secur-ityLevel, securityCompartment and securityRole). SecurityPropertyspecializes in the Class (from Core) metaclass and with it we establish,by means of securityLevel, securityCompartment and securityRole,access properties over tables and columns that the user must fulfill ifs/he is to access them.

AuditConstraint is useful both as a deterrent against misbehaviorand as a means by which to analyze user behavior by employing thesystem to find out possible attempted or actual violations. AuditCon-straint is essential to record the accesses to tables and columns whichare performed by users. ARConstraint allows us to define rules for

Fig. 5. New data types fo

specifying multilevel security policies in tables and columns.AURConstraint, may coexist with ARConstraint, and enable us tospecify access to the tables and columns, thus permitting us to specifymuch more elaborate security models. The SecurityConstraint classlogically inherits properties of the Constraint class from Core. The datatypes are studied in greater depth in the following section.

5.2. New data types

In general, the CWM packages only support data type attributesthat are considered necessary for information interchange betweensystems [19]. If we are to represent security and audit information atthe logical level then we need new data types. In Fig. 5 new classes

r SECRDW package.

346 E. Soler et al. / Computer Standards & Interfaces 30 (2008) 341–350

appear that inherit from DataType or from Enumeration classes. Thenew classes that represent new data types appear in grey in Fig. 5.These new data types are necessary to model the access properties(SecurityProperty) and the constraints (SConstraint) to STable,UserProfile and SColumn.

The SequenceType class represents a data type that allows thespecification of all the levels of security that can be used by theelements of the model (ordered from minor to the most restrictive).Level is an ordered enumeration composed of all the security levelsthat have been considered (unclassified, confidential, secret and topSecret). Compartment is the enumeration composed of all the usercompartments that have been considered. Privilege will be an orderedenumeration composed of all the different privileges that have beenconsidered (read, insert, delete, update, all). Attempt will be anordered enumeration composed of all the different access attemptsthat have been considered (all, frustratedAttempt, successfullAccess,none). Levels will be an interval of levels composed of a lower leveland an upper level. If the upper and lower security levels coincide, allinstances will have the same security level; otherwise, the specificlevel will be defined according to a SecurityConstraint. OCLExpressionspecifies an Object Constraint Language (OCL) expression that fulfilssome conditions for the users of the system. Role will represent thehierarchy of user roles that can be defined. SetRoleType specifies a setof users; each role is the root of a subtree of the hierarchy of user rolesconsidered. SetCompartmentType represents a set of compartments.SetPrivilegeType specifies the privileges the user can receive orremove. SetOCLType specifies the tables involved in a queryperformed by the user, in order to establish a new requirement fortables or columns by means of SecurityConstraint (ARConstraint orAURConstraint). SetLogInfo specifies the elements that we wish toregister for a future audit, and usually refers to the subject requestingaccess (subjectID), tables or columns to be accessed (objectID), theoperation requested (action), the time of the request (time) and theaccess control response (response).

5.3. New secure classes and main association

The SECRDW package defines a container SCatalog and SSchemawhich are inherited from Schema and Catalog respectively. SCatalog is

Fig. 6. New classes a

a local repository of meta data which describes all the databasesmaintained by the relational database engine. SSchema is a collectionof STables and securityProperties and is aimed at security at themodellevel. A ColumnSet represents any form of relational data. A STable andUserProfile are inherited from Table, which contains Columns. Notethat in Fig. 6 the table UserProfile contains columns through which tospecify the access properties (SecurityProperty) that the user has.UserProfile, unlike STable, is unique and has no association with therest of the tables of the system. A ForeignKey associates columns fromone table with columns from another table. The PrimaryKey classinherits from the UniqueConstraint. The PrimaryKey and ForeignKeymetaclasses are owned by the STable metaclass (see Fig. 6).

In order to represent security and audit measures in the newmetamodel, we have added some metaclasses.

The SecurityProperty metaclass inherits from the Class (from Core)metaclass and specializes in securityLevels, securityCompartmentsand securityRoles metaclasses. Furthermore, in order to representsecurity constraints, authorization rules and audit rules in themetamodel we have added the AuditConstraint class, the ARCon-straint class and the AURConstraint class, which inherit fromSecurityConstraint. To specify constraints, depending on particularinformation of a user or a group of users, we have introduced theUserProfile metaclass. Observe in Fig. 6 the new classes that we haveadded to the relational package from CWM, as well as the newassociations between classes. The new classes contain attributes ofeach of the types specified in Fig. 5. These attributes allow us torepresent all the security information captured during the conceptualmodeling of the DWs design. The objectCond attribute refersparticularly to an additional condition imposed upon the STable orSColumn object. The subjectCond attribute allows us to specify acondition for the users of the system.

In the following section, we show howwe use the extension in therepresentation at the logical level of a secure MDmodel related to themanagement of pharmacy consortium businesses.

6. A case study

In this section, we apply our extension of the CWM relationalmetamodel to the context of a pharmaceutical consortium. This

nd associations.

347E. Soler et al. / Computer Standards & Interfaces 30 (2008) 341–350

consortium manages several pharmacies which offer various types ofservices to the community, andwishes to control all aspects relating tothe sales of medicines through prescriptions. We have defined aclassification of data and users that is typical for this type of business(the most general is Pharmacy Employee, which is then specializedinto the Pharmacist and nonPharmacist roles, and which are in turnspecialized into the assistant and technician roles in the former case,and into maintenance and administrative in the latter). At securitylevels, we have considered confidential, secret and topSecret. Apharmacovigilance group exists within the company, which isresponsible for the security of the use of certain medicaments and athere is also committee which guards the health of the company'sclients. We have defined four security compartments for this:pharmacovigilanceCenter, generalCenter, healthOversightCenter andcommercialManagerCenter.

6.1. Defining the PIM

In Fig. 7 we show an instance of the Secure MultidimensionalModel, i.e., our SMD PIM, which illustrates a part of the DWs that isrequired for the previous problem. The SFact Sales Prescription(stereotype SFact) contain all the sales information in one or morepharmacies, and can be accessed by users who have secret ortopSecret security levels, play an Administrative or Pharmacist roleand belong to pharmacovigilanceCenter, healthOversightCenter andcommercialManagerCenter compartments. The sales attribute canonly be accessed by users who perform the administrative role(tagged values SR of sales attribute) and belong to the commercial-ManagerCenter compartment, and therefore access to this attributewill be forbidden to other users who are (pharmacist and main-tenance employees or belong to other different commercialManager-Center compartments). The income attributes can be only accessed byusers who perform the administrative role (tagged value SR of income

Fig. 7. Example of MD model with sec

attribute). Others static user classifications for the conceptual modelclasses defined in Fig. 7 are:

The SFact Sales Prescription contains four dimensions (Pharmacy,Patient, Medication and Time), which contain SBase hierarchies.Access to these SBase hierarchies is established in the sameway aswasdone with the SFact. The UserProfile class contains the informationabout all users who will have access to this secure MD model. Eachuser has securityLevels (SL), securityRoles (SR) and securityCompart-ments (SC) associated with them.

Several security constraints have been specified by using thepreviously defined constraints, stereotypes and tagged values.

The followingparagraphs correspond to notes 1, 2, 3, 4 and 5 in Fig. 7:

1. For each instance of the SFact class Sales Prescription, if the type ofpayment is through insurance then the security compartment willbe commercialManagerCenter (commercialC, tagged value SC).This constraint is only applied if the user makes a query whoseinformation comes from the DataPh.

2. We wish to record the subject, object and time for every frustratedaccess attempt to DataM (DataMedication) of the drug description.

3. Patient could be special users of the system. In this case, it might bepossible for patients to access their own information as patient (forinstance, to query their personal data). This situation can be specifiedas a constraint, composed of the except Sign and exceptCond taggedvalues in the Patient class.

4. We would like to record, for future audit, the subject, object, timeand response for all access to Sales Prescription out of work time.The tagged values logType, logInfor and logCond have beendefined for the Sales Prescription class.

5. For each instance of the SBase class DataM (DataMedication), if it isqueried together with the SBase class Medication group, if thedescription of the Medication group is “Psychotropic” or “Drug”,then the security compartment will be commercialC and pharmaC,otherwise it will be generalC (generalCenter).

urity information and constraints.

Fig. 9. Implementing our constraints in Oracle 10g.

Fig. 8. A star scheme representing an instance of SECRDW metamodel at the logical level.

348 E. Soler et al. / Computer Standards & Interfaces 30 (2008) 341–350

6.2. Defining the PSM

By using the PIM in Fig. 7 as a starting point, we apply a set of QVTrelations [30] through which to achieve an instance of the SECRDW,i.e., our secure PSM. The transformation assures that SFact andSDimensions are transformed into STables with their associatedsecurity information. The UserProfile class is transformed into aclassical Table from CWM. Fig. 8 represents a star schema at the logicallevel, which corresponds with an instance of themetamodel extendedin subsection 5.3. With the extension of CWMwe have formalized theconcepts for a relational platform Although they are closest to the MDeven when the logical paradigm used was not so similar to therelational model, the transformation is very interesting from the MDto the relational model with respect to security.

The SFact Sales Prescription is represented in Fig. 8 bymeans of theSTable Sales Prescription. In this table we represent all its columns, aswell as all the associated security information, that restricts access tothe table itself and to its columns. All of the hierarchy that conform toa SDimension must be represented by means of a single STable.Observe in Fig. 8 that the STable Pharmacy contains as SColumn theattributes from the SBase DataPh and Pharmacy type classes fromFig. 7. This occurs analogously with the SBases Patient, Time andMedication classes. In order to build a star scheme the SalesPrescription table must contain columns such as Foreign Key(FK)which represent Primary Key (PK) in the tables that correspond withSDimensions at the PIM level. Hence, the STable Sales Prescriptioncontain the columns typeAmount, sales, numberPrescriptionUnit,income, numPh (the PK in the STable Pharmacy), ssnPat (the PK in theSTable Patient), SDate (the PK in the STable Time) and codeMed (thePK in the STable Medication).

The security information (SL, SR and SC) represented in the SalesPrescription class constitutes instances of the metaclass security

property that appears in Fig. 6. This security information is modeled atthe logical level in the title of the table itself (See Fig. 8). The security inthe SBases DataPh and Pharmacy_type is the same. Observe in Fig. 8that the STable Pharmacy contains the corresponding securityinformation (i.e., SL= C) in its heading.

349E. Soler et al. / Computer Standards & Interfaces 30 (2008) 341–350

In order to establish the security in the STable Patient we note thatthe attributes from the SBase City class has a security (SL= C, i.e.,Confidential), whereas the attributes from the SBase DataP has morerestricted security. Hence, the security (in its heading) for the STablePatient will be the least restricted (i.e., SL= C). The columns thatcorrespond with attributes from DataP will have the security of theSBase DataP itself. Observe in Fig. 8 that the SColumns ssn, name,dateOfBirth have the security SL= S; SR= Pharma, Admin; SC=pharmaC. The attribute race has the security SL= TS; SR= Adminwhereas the SBase DataP class has SL= S; SR= Pharma, Admin; SC=pharmaC so, the security for the SColumn race is SL= TS; SR= Admin;SC= pharmaC. The same reasoning is valid for the attribute address. Inthis way, in the STable Patient, a user with SL= S can only access theSColumns codeCity and population. The security for the STableMedication is established in the same way.

The security constraints SecurityRule 1, AuthorizationRule 3 andAuditRule 4 that appear in Fig. 7 are transformed into instances of theSecurityConstraint class which appears in Fig. 6. These instances aremodeled in Fig. 8 bymeans of notes of UMLwith the names ARConst 1,AURConst 3 and AudConst 4 respectively. The AuditRule 2 includes areference to the class SBaseMedication group in the logCond attribute,so the logCond condition for the STable Medication is adapted, i.e., bygiving a reference to the SColumn description. The SecurityRule 5attempts to change the security for the SBase DataM class, thusestablishing new values for securityCompartment (SC). We observedin Fig. 7 that the security of the SBase DataM class has been assigned tothe SColumns codeMed, nameMed and stock. Hence, the constraint istransformed and applied to SColumns codeMed, nameMed and stock,but the SColumn stock has the SC= commercial, thus the constraintdoes not modify the security value for this attribute. Consequently, theSecurityRule 5 is transformed into two ARConstraints that appear inFig. 8 with the names ARConst 5.1 and ARConst 5.2 which areassociated with the SColumns nameMed and codeMed respectively.

6.3. Code Example in Oracle DBMS

To finish our case study we shall show some implementations ofthe security aspects modeled in the star scheme that appears in Fig. 8.The current standard from OMG used to apply the transformationsmodel-code is MOF Model to Text Transformation Language MOF2-Text. However, we shall briefly show the possibilities that Oracle 10 gDBMS offers in order to implement security and audit measures bymeans of Oracle Label Security (OLS10g), Virtual Private Databases(VPD) and Oracle Fine-Grained Auditing (FGA). We shall only explainthe security aspects that our extension contemplates, and to do thiswe first created a security policy named “MyPolicy” and valid levels,compartments and hierarchical groups.

In Fig. 9a) we show how the User1 satisfies the security propertiesfor the Sales Prescription table. Fig. 9b) shows how we define andestablish the security information for the Sales Prescription table bylabeling functions from OLS, although it is not possible to considersecurity at the column level. The ARConst 1 is implemented by meansof the labeling function represented in Fig. 9c). The FGA allows us todefine and implement the AudConst 2 (see Fig. 9d)). In AudConst 2 wecannot implement the logType and logCond 2 because the FGA doesnot allow us to choose the audit type (logType).

7. Conclusions and future work

In this work, we have defined an extension of the relational packagefrom CWMwhich has been applied to the construction of a star schemefor DWs. This star sheme permits the representation of all the securityand audit measures captured during the conceptual modeling phase ofthe design of DWs. The proposal is aligned with MDA, and thanks to itskindnesses we can establish security aspects in all the design phases oftheDWs, from the secure PIM,with theproposal of conceptualmodeling

based on UML, and its corresponding representation at the logical levelbased on the extension discussed in this paper. In order to show thevalidity of our extension we have developed a case study to illustratehow we modeled the security and audit requirements representedduring the conceptual modeling stage at the logical level. Thecontribution of our proposal is: the use of an accepted standard forthe interoperability and themetadata interchange between commercialtools and, theextendedmetamodel fromCWMwhichpermits a rigorousintegration of MDA and security in the context of DWs design. Ourimmediate future work consists of implementing the extendedrelational to some commercial tools and of developing the correspond-ing transformations between the different metamodels involved.Moreover, we shall extend the i⁎ framework [36] in order to elicitsecurity requirement for DWs at the business level and we shallaccomplish this with the MDA in order to cover the whole lifecycle ofDWs.

Acknowledgements

This work has been partially supported by the METASIGN project(TIN2004-00779) from the Spanish Ministry of Education and Science,and by the DIMENSIONS (PBC-05-012-1) and DADS projects (PBC-05-012-2) from the Regional Science and Technology Ministry of Castilla-La Mancha (Spain).

References

[1] G.C.M. Amaral, M.L.M. Campos, AQUAWARE: a data quality support environmentfor DataWarehousing, XIX Simpóosio Brasileiro de Banco de Dados (SBBD'04),Brasília, DF, Brasil, 2004, pp. 121–133.

[2] ANSI/SPARC Report, ACM SIGMOD Newsletter 7 (2) (1975).[3] P. Devanbu, S. Stubblebine, Software engineering for security: a roadmap, presented

at The Future of Software Engineering, Limerick, Ireland, 2000, pp. 227–239.[4] G. Dhillon, J. Backhouse, Information systems security management in the new

millenium, Communications of the ACM 43 (7) (2000) 125–128.[5] W. Essmayr, E. Weippl, F. Lichtenberger, W. Winiwarter, O. Mangisengi, An

authorization model for data warehouses and OLAP, Workshop On Security InDistributed Data Warehousing, in conjunction with 20th IEEE Symposium onReliable Distributed Systems (SRDS'2001), USA, 2001, pp. 9–13.

[6] E. Fernández-Medina, J. Trujillo, R. Villarroel, M. Piattini, Access control and auditmodel for the multidimensional modeling of data warehouses, Decision SupportSystems 42 (3) (2006) 1270–1289.

[7] E. Fernández-Medina, J. Trujillo, R. Villarroel, M. Piattini, Developing secure datawarehouses with a UML extension, Information Systems 32 (6) (2007) 826–856.

[8] W.H. Inmon, Building the Data Warehouse, 3er EditionWiley & Sons, New York,2002.

[9] N. Katic, G. Quirchmayr, J. Schiefer, M. Stolba, A.M. Tjoa, A prototype model for datawarehouse security based on metadata, Proceedings of the 9th InternationalWorkshop on Database and Expert Systems Applications (DEXA'98), Vienna,Austria, 1998, pp. 300–309.

[10] R. KirkgÄoze, N. Katic, M. Stolda, A.M. Tjoa, A Security Concept for OLAP, 8thInternational Workshop on Database and Expert System Applications (DEXA'97),Toulouse, France, 1997, pp. 619–626.

[11] S. Luján-Mora, J. Trujillo, I.Y. Song, A UML profile for multidimensional modeling indata warehouses, Data & Knowledge Engineering (DKE) 59 (3) (2006) 725–769.

[12] Y. Liu, S.Y. Sung, H. Xiong, A cubic-wise balance approach for privacy preservationin data cubes, Information Sciences 176 (9) (2006) 1215–1240.

[13] T. Maier, A formal model of the ETL process for OLAP-based web usage analysis,KDD Workshop on Web Mining and Web Usage Analysis (WebKDD'04), Seatle,Washington, USA, 2004, pp. 23–34.

[14] J.-N. Mazón, J. Trujillo, M. Serrano, M. Piattini, A MDA approach for thedevelopment of data warehouses, Decision Support Systems 45 (1) (2008) 41–58.

[15] J.N. Mazón, J. Pardillo, J. Trujillo, A Model-Driven Goal-Oriented EngineeringApproach for Data Warehouses. Workshop on Requirements, Intentions and Goalsin Conceptual Modeling (RIGiM) in conjunction with the Twenty-Sixth Interna-tional Conference on Conceptual Modeling (ER'07), Auckland, New Zealand, 2007,pp. 255–264.

[16] J. McDermott, Visual security protocol modeling, Proceedings of the 2005workshop on New security paradigms NSPW'05, Lake Arrowhead, California,USA, 2005, pp. 97–109.

[17] E. Medina, J. Trujillo, A standard for representing multidimensional properties: theCommonWarehouse Metamodel (CWM), presented at 6th East-European Con-ference on Advances in Databases and Information Systems (ADBIS02), Bratislava,Slovakia, 2002.

[18] F. Melchert, A. Schwinn, C. Herrmann, R. Winter, Using reference models for datawarehouse metadata management, 11th Americas Conference on InformationSystems (AMCI'05), Omaha, NE, USA, 2005, pp. 1316–1326.

[19] OMG, Common Warehouse Metamodel Specification 1.1, 2003.

350 E. Soler et al. / Computer Standards & Interfaces 30 (2008) 341–350

[20] OMG, CommonWarehouseMetamodel (CWM) Specification 1.1, vol. 2, Extensions,2002.

[21] OMG, in: J.M.a.J. Mukerji (Ed.), MDA Guide Version 1.0.1, OMG, 2003.[22] OMG, MOF 2.0 QVT Final Adopted Specification, 2005.[23] J. Poole, D. Chang, D. Tolbert, D. Mellor, Common Warehouse Metamodel, John

Wiley & Sons, Inc., New York, 2002.[24] T. Priebe, G. Pernul, A pragmatic approach to conceptualmodeling of OLAP security,

20th International Conference on Conceptual Modeling (ER'01), Yokohama, Japan,2001, pp. 311–324.

[25] T. Priebe, G. Pernul, Towards OLAP security design — survey and research issues,Proceedings of the 3rd ACM international workshop on Data Warehousing andOLAP (DOLAP'00), Virginia, USA, 2000, pp. 33–40.

[26] J. Poole, D. Chang, D. Tolbert, D. Mellor, Common Warehouse MetamodelDevelopers Guide, Wiley Publishing, Inc, Indianapolis, Indiana, 2003.

[27] A. Rosenthal, E. Sciore, View security as the basic for data warehouse security,Workshop on Design and Management of Data Warehouse (DMDW'00), Sweden,2000.

[28] F. Saltor, M. Oliva, A. Abelló, J. Samos, Building secure DataWarehouse schemasfrom federated information systems, Heterogeneous Information Exchange andOrganizational Hubs, 2002, pp. 123–134, KA.

[29] A.S. Santana, A.M.d.C. Moura, Metadata to support transformations and data &metadata lineage in awarehousing environment, DataWarehousing and KnowledgeDiscovery (DAWAK'04), Zaragoza, Spain, 2004, pp. 249–258.

[30] E. Soler, J. Trujillo, E. Fernández-Medina, M. Piattini, A set of QVT relations totransform PIM to PSM in the design of secure data warehouses, Second InternationalConference on Availability, Reliability and Security (ARES'07), Vienna, Austria, 2007,pp. 644–654.

[31] E. Soler, R. Villarroel, J. Trujillo, E. Fernández-Medina, M. Piattini, Representingsecurity and audit rules for DW at the logical level by using the CWM, FirstInternational Conference on Availability, Reliability and Security (ARES'06),Vienna, Austria, 2006, pp. 914–921.

[32] S.Y. Sung, Y. Liu, H. Xiong, P.A. Ng, Privacy preservation for data cubes, Knowledgeand Information Systems 9 (1) (2006) 38–61.

[33] M. Thess, M. Bolotnicov, XELOPES Library Documentation Version 1.2.3, PrudsysAG, 2004.

[34] R. Villarroel, E. Fernández-Medina, M. Piattini, J. Trujillo, A UML 2.0/OCL extensionfor designing secure DWs, Journal of Research and Practice in InformationTechnology 1 (38) (2006) 31–43.

[35] L.Wang, J. Sushil, W. Duminda, Securing OLAP data cubes against privacy breaches,presented at IEEE Symposium on Security and Privacy, Berkeley, California, USA,2004.

[36] E. Yu, Modelling Strategic Relationships for Process Reengineering. PhD thesis,University of Toronto, Canada (1995).

[37] X. Zhao, Z. Huang, A formal framework for reasoning on metadata based on CWM,25th International Conference on Conceptual Modeling (ER'06), Tucson, AZ, USA,2006, pp. 371–384.

Emilio Soler is a graduate in mathematics from thePedagogical University of Matanzas (Cuba) and is also anassistant professor at the Computer Science Department ofthe Matanzas University (Cuba). He is currently a Ph.D.student at the School of Computer Science at theUniversity ofAlicante (Spain), and his research activity is in the field ofsecurity in data warehouses, MDA and information systems.

Juan Trujillo received a Ph.D. in Computer Science from theUniversity of Alicante (Spain) in 2001. His research interestsinclude database modeling, the conceptual design of datawarehouses, MD databases, OLAP, as well as object-oriented analysis and design with UML. With paperspublished in international conferences and journals suchas ER, UML, AD-BIS, CAiSE, WAIM, Journal of DatabaseManagement (JDM)and IEEE Computer, Trujillo has servedas a Program Committeemember of several workshops andconferences such as ER, DOLAP, DSS, and SCI and has alsospent some time as a reviewer for several journals such asJDM, KAIS, ISOFT and JODS.

Eduardo Fernández-Medina holds a Ph.D. in ComputerScience from the University of Castilla-LaMancha. His researchactivity is in thefield of security in databases, datawarehouses,web services and information systems, and also in securitymetrics. Fernandez-Medina is co-editor of several books andchapter books on these subjects, and has presented several

dozen papers at national and international conferences (DEXA,CAISE, UML, ER, etc.). He is the author of severalmanuscripts innational and international journals (Information SoftwareTechnology, Computers And Security, Information SystemsSecurity, etc. and belongs to various professional and researchassociations (ATI, AEC, ISO, IFIP WG11.3 etc.).

Mario Piattini has an MSc and a Ph.D in Computer Sciencefrom the Politechnic University of Madrid. He is a CertifiedInformation System Auditor from the ISACA (InformationSystem Audit and Control Association). The author of severalbooks and papers on databases, software engineering andinformation systems, Piattini leads the ALARCOS research

group of the Department of Computer Science at theUniversity of Castilla-La Mancha. His research interests are:advanced database design, database quality, software me-trics, object-oriented metrics and software maintenance.