ROWLBAC Representing Role Based Access Control in OWL

Similar documents
Semantic Technologies

FOUNDATIONS OF SEMANTIC WEB TECHNOLOGIES

The ISO D approach

Web Ontology Language: OWL

Semantic Web. Ontology and OWL. Morteza Amini. Sharif University of Technology Fall 95-96

Table of Contents. iii

Deep integration of Python with Semantic Web technologies

Reasoning with the Web Ontology Language (OWL)

Short notes about OWL 1

Supporting Authorization Reasoning Based on Role and Resource Hierarchies in an Ontology-Enriched XACML Model

Lecture 8 OWL: Web Ontology Language

KDI OWL. Fausto Giunchiglia and Mattia Fumagallli. University of Trento

Web Ontology Language: OWL

The Semantic Web RDF, RDF Schema, and OWL (Part 2)

OWL and tractability. Based on slides from Ian Horrocks and Franz Baader. Combining the strengths of UMIST and The Victoria University of Manchester

Semantic Web Test

Querying Data through Ontologies

Web Ontology Language: OWL

Semantic Web in Depth: Web Ontology Language (OWL) Dr Nicholas Gibbins 32/3019

Appendix B: The LCA ontology (lca.owl)

Web Ontology Language: OWL by Grigoris Antoniou Frank van Harmelen

TMCL and OWL. Lars Marius Garshol. Bouvet, Oslo, Norway

Description Logic. Eva Mráková,

Chapter 2 AN INTRODUCTION TO THE OWL WEB ONTOLOGY LANGUAGE 1. INTRODUCTION. Jeff Heflin Lehigh University

Chapter 4 Web Ontology Language: OWL

Making BioPAX SPARQL

INF3580 Semantic Technologies Spring 2012

X STROWL: A Generalized Extension of XACML for Context-aware Spatio-Temporal RBAC Model with OWL

INF3580/4580 Semantic Technologies Spring 2017

CC LA WEB DE DATOS PRIMAVERA Lecture 4: Web Ontology Language (I) Aidan Hogan

Semantic Web Technologies: Web Ontology Language

LINKING BACKGROUND INFORMATION

Access Control Mechanisms

A Rule-based Method for Extracting RDF(S) and OWL Sub-ontologies

OWL a glimpse. OWL a glimpse (2) requirements for ontology languages. requirements for ontology languages

DEVELOPING AN OWL ONTOLOGY FOR E- TOURISM

Access Control. Discretionary Access Control

Forward Chaining Reasoning Tool for Rya

08 OWL SEMANTIC WEB ONTOLOGY WEB LANGUAGE IMRAN IHSAN ASSISTANT PROFESSOR, AIR UNIVERSITY, ISLAMABAD

Web Data and Declarative Programming

CIS433/533 - Introduction to Computer and Network Security. Access Control

An Introduction to the Semantic Web. Jeff Heflin Lehigh University

Introduction to OWL. Marco Ronchetti Università di Trento Italy

Teil IV: Wissensrepräsentation im WWW. Kap.11: Semantic Web

Intelligent Agents. Pınar Yolum Utrecht University. Spring 2018 Pınar Yolum

Efficient Querying of Web Services Using Ontologies

Ontological Modeling: Part 7

Linked data basic notions!

Controlled Natural Language as Interface Language to the Semantic Web

Main topics: Presenter: Introduction to OWL Protégé, an ontology editor OWL 2 Semantic reasoner Summary TDT OWL

Semantic Web Technologies Web Ontology Language (OWL) Part II. Heiko Paulheim

Ontological Modeling: Part 15

Genea: Schema-Aware Mapping of Ontologies into Relational Databases

OWL & SPARQL - 웹정보시스템

Teil IV: Wissensrepräsentation im WWW. Kap.11: Semantic Web. The semantic web layer cake

What is the Semantic Web?

Semantic Web Ontologies

OWL-based reasoning with retractable inference

Chapter 4 OWL. Outline. A Brief History of OWL: SHOE. The OWL Family Tree

Access Control Models

9 The Ontology UML Profile

Contents. G52IWS: The Semantic Web. The Semantic Web. Semantic web elements. Semantic Web technologies. Semantic Web Services

Chapter 4: Access Control

The Semantic Web. Web Programming. Uta Priss ZELL, Ostfalia University. The Semantic Web RDF and OWL Ontologies

BaseVISor: A Triples-Based Inference Engine Outfitted to Process RuleML and R-Entailment Rules

Defining Several Ontologies to Enhance the Expressive Power of Queries

The P2 Registry

Easing the Definition of N Ary Relations for Supporting Spatio Temporal Models in OWL

JOURNAL OF OBJECT TECHNOLOGY

Semantic Web and Linked Data

7.2 OWL. the OWL versions use certain DL semantics:

XML and Semantic Web Technologies. III. Semantic Web / 2. Web Ontology Language (OWL)

Chapter 4 OWL. Outline. The OWL Family Tree. A Brief History of OWL: SHOE

<?xml version='1.0' encoding='iso '?> <!DOCTYPE rdf:rdf [ <!ENTITY rdf ' <!

Metamodels for RDF Schema and OWL

Describing Ontology Relationships

Ontological Modeling: Part 2

Knowledge management. OWL Web Ontology Language

OWL Web Ontology Language

$ A. Ontology%&'( Ontology A.1Kq (target.owl)

ANALYSIS AND SEMANTIC DESCRIPTION OF ROLE BASED ACCESS CONTROL MODELS

Formalising the Semantic Web. (These slides have been written by Axel Polleres, WU Vienna)

BeliefOWL An Evidential Extension to OWL

Semantic Services. Michael Wollowski

Building Blocks of Linked Data

RDF Schema. Mario Arrigoni Neri

CS 356 Lecture 7 Access Control. Spring 2013

Linguaggi Logiche e Tecnologie per la Gestione Semantica dei testi

Policy, Models, and Trust

For return on 19 January 2018 (late submission: 2 February 2018)

Development of University Ontology for aspocms

2 nd International Semantic Web Conference (ISWC2003)

BaseVISor: A Triples-Based Inference Engine Outfitted to Process RuleML & R-Entailment Rules *

RuleML and SWRL, Proof and Trust

Extracting Ontologies from Standards: Experiences and Issues

IR Models based on predicate. logic. Norbert Fuhr, Henrik Nottelmann University of Duisburg-Essen. POOL: a probabilistic object-oriented logic

Logic and Reasoning in the Semantic Web (part I RDF/RDFS)

Ontologies, OWL, OWL profiles

ORM and Description Logic. Dr. Mustafa Jarrar. STARLab, Vrije Universiteit Brussel, Introduction (Why this tutorial)

Developing markup metaschemas to support interoperation among resources with different markup schemas

Transcription:

T. Finin A. Joshi J. Niu R. Sandhu W. Winsborough B. Thuraisingham a presentation by Jeremy Clark ROWLBAC Representing Role Based Access Control in OWL

Introduction This paper examines the relationship between RBAC Role-based Access Control OWL Web Ontology Language

Outline 1. OWL DL + RDFS 2. N3 Rules 3. Access Control in general and RBAC 4. ROWLBAC putting it together

Part 1 OWL

OWL A web ontology language built from DAML+OIL Three species of OWL: OWL Lite SHOIN(D) OWL DL SHIF(D) OWL Full OWL DL + arbitrary RDFS triples

OWL

OWL: Concept Constructors Note: P is property (i.e., role) Can also do things like hasvalue Can use concrete properties

OWL: Axioms

Part 2 N3

N3 Notation3 is a human readable and non-xml language for expressing RDF/RDFS triples. x : C y : D (x,y) : R Is expressed as, :C x R :D y. [ :firstname "Ora" ] dc:read [ dc:title "Moby Dick" ].

N3 Notation3 also includes notation for: Anonymous nodes Renaming/Tags Domain/Range Equivalence Quoting Et cetera...

N3Logic N3Logic extends RDF to allow rule expression. For formulas F, G: F log:includes G F log:notincludes G F log:implies G

How is the weather in Boston? A Rule: Assertions: @forall x, y, z. { x wrote y. y log:includes {z weather w}. x home z } log:implies { z weather w } Bob lives Boston. Alice lives Adelaide. Bob wrote { Boston weather sunny }. Alice wrote { Boston weather cold }.

How is the weather in Boston? A Rule: Assertions: @forall x, y, z. { x wrote y. y log:includes {z weather w}. x home z } log:implies { z weather w } Bob lives Boston. Alice lives Adelaide. Bob wrote { Boston weather sunny }. Alice wrote { Boston weather cold }. Valid Inference: Boston weather sunny.

N3Logic More... F log:supports G F log:conclusion G c log:semantics F c log:says F

Part 3 ACCESS CONTROL

Access Control Given subjects and resources: who gets to access what (and how)? Answer: Access Control Access Control exists at many scales: 1) Computer: Kernel/OS 2) Building: Locks/RFID Cards/Biometrics 3) Organization: Intranet/Branch Communication 4) Internet

Example Access Control Policies Unix filesystem: rwxrwxrwx, chmod, sudo Military classification: Top Secret, Secret, Confidential, Unclassified

Access Control Matrix Printer File Account Network Closet Payroll Jiang 100 pages R/W Deposit Access N/A Alice N/A RO W/D N/A N/A Sanjay Unlimited X N/A N/A N/A Mohammad N/A R/W W/D N/A N/A Carol 200 pages RO N/A N/A N/A Bob 100 pages RO N/A N/A N/A Jerome N/A R/W N/A N/A N/A Kira 100 pages X N/A Access N/A David 200 pages RO W/D N/A Access O(mn)

Using Languages Goal: Optimize among one of these lines Compactness Expressiveness, fine-grain control Fast or easy management: Reasoning, adding new users, revoking users, delegation, etc. Compatibility (cross, backward,...) Ability to enforce

Using Languages Goal: Optimize among one of these lines Compactness Expressiveness, fine-grain control Fast or easy management: Reasoning, adding new users, revoking users, delegation, etc. Compatibility (cross, backward,...) Ability to enforce

Policy Enforcement An access control policy is just words on paper if there is no means to enforce it There are technical limits to what can be enforced There the expressiveness of a policy needs to be constrained to the limits of enforceability

Policy Enforcement Point (PEP) Subject Request Decision Resource Subject Attributes Resource Attributes Environmental Attributes Policy Attributes

RBAC Concepts Subjects and Roles Permissions (anti-permissions) Role Hierarchy Role Assignment, Revocation, and Delegation Role Activation and Deactivation Separation of Duties: 1. Static: Two role assignments are mutually exclusive 2. Dynamic: Two role activations are mutually exclusive

RBAC S,R,P: Subjects, Roles, Permissions PA P R (permission assignment) SA S R (subject assignment) Subjects: 100, Resources: 1000, Permissions: 10 AC List: 1,000,000 Rules Roles: 2, Resource Groups: 4 Generalized RBAC: 80 Rules

Part 4 ROWLBAC

ROWLBAC An effort to combine OWL and RBAC Why OWL? Used in policy languages, want to constrain roles/properties, want translational properties for analysis/execution. Why RBAC? Widely deployed.

T-Box Subject a rdfs:class. Object a rdfs:class. Action a rdfs:class. subject a rdfs:property, owl:functionalproperty; rdfs:domain Action; rdfs:range Subject. object a rdfs:property, owl:functionalproperty; rdfs:domain Action; rdfs:range Object.

T-Box (2) PermittedAction rdfs:subclassof Action; owl:disjointwith ProhibitedAction. ProhibitedAction rdfs:subclassof Action; owl:disjointwith PermittedAction. Action owl:equivalentclass [ a owl:class; owl:unionof (PermittedAction ProhibitedAction) ].

Approach 1 The first approach defines roles as classes: rbac:role a owl:class. rbac:activerole a owl:class. Then we can formulate an A-Box: <RoleName> rdfs:subclassof rbac:role. <ActiveRoleName> rdfs:subclassof rbac:activerole; rdfs:subclassof <RoleName>. <RoleName> rbac:activeform <ActiveRoleName>.

Approach 1 Hierarchical Roles: <RoleName> rdfs:subclassof <SuperRoleName>. Separation of Duties: <RoleName> owl:disjointwith <RoleName>. <ActiveRoleName> owl:disjointwith <ActiveRoleName>.

Approach 1 Add Permission to a Role: SomePermittedAction a rdfs:class; rdfs:subclassof rbac:permittedaction; owl:equivalentclass [ a owl:class; owl:intersectionof ( SomeAction [ a owl:restriction; owl:allvaluesfrom ex:activerolename; owl:onproperty rbac:subject ] ) ].

Approach 1 Enforce Separation of Duties with N3Logic: {?A a ActivateRole; subject?s; object?rnew.?rnew activeform?arnew.?s a?rcurrent.?rcurrent activeform?arcurrent.?arnew owl:disjointwith?arcurrent. } => {?A a ProhibitedRoleActivation; subject?s; object?rnew; role?rcurrent; justification "Violates DSOD constraint".}.

Approach 1 Role Activation with N3Logic: {?ACTION a ActivateRole; subject?subj; object?role.?subj a?role.?role activeform?arole.?arole rdfs:subclassof ActiveRole. } => {?ACTION a PermittedRoleActivation; subject?subj; object?role.?subj a?arole }.

Approach 2 The second approach defines roles as values: rbac:role a owl:class. rbac:role a owl:objectproperty; rdfs:domain rbac:subject; rdfs:range rbac;role. rbac:activerole rdfs:subpropertyof rbac:role. Then we can formulate an A-Box: <RoleName> a rbac:role.

Approach 2 Hierarchical Roles: rbac:subrole a owl:transitiveproperty; rdfs:domain rbac:role; rdfs:range rbac:role. <RoleName> rbac:subrole <SuperRoleName> Separation of Duties: rbac:ssod a owl:symmetricproperty, owl:transitiveproperty; rdfs:domain rbac:role; rdfs:range rbac:role. rbac:dsod a owl:symmetricproperty, owl:transitiveproperty; rdfs:domain rbac:role; rdfs:range rbac:role.

Approach 2 Add Permission to a Role: rbac:permitted a rdfs:property; rdfs:domain Role; rdfs:range Action. rbac:prohibited a rdfs:property; rdfs:domain Role; rdfs:range Action.

Approach 2 Enforce Separation of Duties with N3Logic: {?S role?role1,?role2.?role1 ssod?role2. } => { [] a SSODConflict; subject?s; ssod-role?role1; ssod-role?role2}. {?A a?raction; subject?s.?raction a Action.?ROLE permitted?raction.?s activerole?role. } => {?A a PermittedAction; role?role; action?raction; subject?s }.

Approach 2 Role Activation with N3Logic: # role inheritance. {?S role?r.?r subrole?r2 } => {?S role?r2.}. # activerole inheritance. {?S activerole?r.?r subrole?r2 } => {?S activerole?r2.}.

Comparison Approach 1: More complex but faster DL reasoning Approach 2: More concise but slower rule-based reasoning

Limits to RBAC Subjects: Known and Concrete Roles: Predefined Resources: Predefined and atomic Actions: Predefined and atomic ABAC Attribute-based access control allows for permissions to be granted to sets of attributes

ABAC Example: University member can use any device located in her office {?A a rbac:action; rbac:subject?s; rbac:object?o.?s a UniversityPerson; office?l,?o a Device; location?l. } => {?A a rbac:permittedaction }. Trouble: Role-value-map which is undecidable

Security Properties Security Properties: Safety and Availability Safety: Can a resource ever be accessed by a role even if a set of changes is made? Availability: Can a resource ever be prevented from access even if a set of changes is made? Restrictions: Grow and shrink restricted roles RT: Distributed trust language with set of 4 rules

Take home message

1. something as seemingly simple as access control runs against the wall quickly

2. open world assumption creates problems

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback