1
T. Hill Review of: ROWLBAC – Representing Role Based Access Control in OWL
T. Finin, A. Joshi, L. Kagal, B. Thuraisingham, J. Niu, R. Sandhu, W. Winsborough 10/13/2008
Problem: Using the hierarchy diagram below, describe how OWL (Web Ontology Language) can be used to specify the following RBAC security model access control functions: assign the role of Person and two sub-class roles of Citizen and Visitor; assign to Citizen the permitted actions of Vote, Work, Jury; assign to Visitor a prohibited action of Work. Make Alice an active Citizen and Bob an active Visitor. [Note: general descriptive language is acceptable; exact RDF/OWL syntax is not necessary.]
• Motivation
  • Applications – sophisticated, intelligent, open and dynamic environments
  • Future – Grid computing, intelligent agents, negotiated exchange of information
  • Security – of future applications, regardless of infrastructure, including the cloud
• Bring together two parallel themes
  • Access Control Models – RBAC96, NIST Standard, RT, Usage Control
  • Policy Languages – XACML, Ponder, Rei, KAoS
2
ROWLBAC – Semantic Web and OWL
• Semantic Web
  • Berners-Lee vision
  • Knowledge published so humans and computers can understand and reason
• Technology
  • W3C standard: RDF (Resource Description Framework) triple
  • Example triple: //..html has a creation-date whose value is August 16, 1999
  • Description Logic
3
ROWLBAC – Roles as Classes, Permissions, Activation, Enforcing
• Hierarchy of roles
    Citizen rdfs:subClassOf Person.
    Visitor rdfs:subClassOf Person.
• Associating permissions with roles (a Vote action is permitted when its subject is an active Citizen)
    PermittedVoteAction a rdfs:Class;
        rdfs:subClassOf rbac:PermittedAction;
        owl:equivalentClass [ a owl:Class;
            owl:intersectionOf ( Vote
                [ a owl:Restriction;
                  owl:onProperty rbac:subject;
                  owl:allValuesFrom ex:ActiveCitizen ] ) ] .
• Assigning roles and activation in a session (an activation request is itself an RDF resource)
    AliceCitizen a rbac:ActivateRole;
        rbac:subject data:Alice;
        rbac:object ex:Citizen.
    BobVisitor a rbac:ActivateRole;
        rbac:subject data:Bob;
        rbac:object ex:Visitor.
• Enforcing RBAC activation rule (N3: an activation is permitted only if the subject already holds the role; the subject then becomes an instance of the role's active form)
    { ?ACTION a ActivateRole; subject ?SUBJ; object ?ROLE.
      ?SUBJ a ?ROLE.
      ?ROLE activeForm ?AROLE.
      ?AROLE rdfs:subClassOf ActiveRole. }
    =>
    { ?ACTION a PermittedRoleActivation; subject ?SUBJ; object ?ROLE.
      ?SUBJ a ?AROLE }.
4
ROWLBAC – A Proposed Solution
Problem: Using the hierarchy diagram below, describe how OWL (Web Ontology Language) can be used to specify the following RBAC security model access control functions: assign the role of Person and two sub-class roles of Citizen and Visitor; assign to Citizen the permitted actions of Vote, Work, Jury; assign to Visitor a prohibited action of Work. Make Alice an active Citizen and Bob an active Visitor. [Note: general descriptive language is acceptable; exact RDF/OWL syntax is not necessary.]
Proposed solution:
1. Use RDF/OWL to define Citizen as a subclass of Person and Visitor as a subclass of Person.
2. Use RDF/OWL to define Vote, Work and Jury as permitted actions of Citizen, and Work as a prohibited action of Visitor.
3. At run time, set Alice as an active Citizen and Bob as an active Visitor.
Hierarchy diagram:
    Person
    ├── Citizen – Permitted: Vote, Work, Jury – Alice active
    └── Visitor – Prohibited: Work – Bob active
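The activation rule on slide 3 and the three steps of the proposed solution, as an added worked example that is not from the ROWLBAC paper or from this review: a small Python script stores the slide's statements as triples and hand-evaluates the N3 activation rule (the forward-chaining step an OWL/N3 reasoner would perform) before answering "may Alice vote?" style questions for the session. It assumes the prefixes ex:, data: and rbac:, writes the slide's activeForm property as rbac:activeForm, and replaces the owl:equivalentClass/owl:Restriction encoding of permissions with flat rbac:permittedFor / rbac:prohibitedFor triples (an assumed simplification; prohibition is checked first, a deny-overrides choice made here). It needs no rdflib or reasoner, and it also shows the failure case the rule is there for: an activation request for a role the user was never assigned derives nothing.

```python
"""RBAC-in-RDF activation demo: added example, not the paper's code.

Hand-evaluates slide 3's N3 activation rule over an in-memory triple set.
Prefix names (ex:, data:, rbac:) and the flat rbac:permittedFor /
rbac:prohibitedFor permission triples are assumptions made for this example.
"""

# Constructed sample triples (subject, predicate, object) following the
# review's hierarchy diagram: Person > Citizen / Visitor, Alice and Bob.
TRIPLES = {
    # Role hierarchy
    ("ex:Citizen", "rdfs:subClassOf", "ex:Person"),
    ("ex:Visitor", "rdfs:subClassOf", "ex:Person"),
    # Each role's active form is a subclass of rbac:ActiveRole
    ("ex:Citizen", "rbac:activeForm", "ex:ActiveCitizen"),
    ("ex:Visitor", "rbac:activeForm", "ex:ActiveVisitor"),
    ("ex:ActiveCitizen", "rdfs:subClassOf", "rbac:ActiveRole"),
    ("ex:ActiveVisitor", "rdfs:subClassOf", "rbac:ActiveRole"),
    # Role assignment: a user is an instance of the role class
    ("data:Alice", "rdf:type", "ex:Citizen"),
    ("data:Bob", "rdf:type", "ex:Visitor"),
    # Permissions/prohibitions attached to ACTIVE roles (assumed flat encoding)
    ("ex:Vote", "rbac:permittedFor", "ex:ActiveCitizen"),
    ("ex:Work", "rbac:permittedFor", "ex:ActiveCitizen"),
    ("ex:Jury", "rbac:permittedFor", "ex:ActiveCitizen"),
    ("ex:Work", "rbac:prohibitedFor", "ex:ActiveVisitor"),
    # Session events: role activation requests, as on slide 3
    ("data:AliceCitizen", "rdf:type", "rbac:ActivateRole"),
    ("data:AliceCitizen", "rbac:subject", "data:Alice"),
    ("data:AliceCitizen", "rbac:object", "ex:Citizen"),
    ("data:BobVisitor", "rdf:type", "rbac:ActivateRole"),
    ("data:BobVisitor", "rbac:subject", "data:Bob"),
    ("data:BobVisitor", "rbac:object", "ex:Visitor"),
    # Bob asking for a role he was never assigned: must be refused
    ("data:BobCitizen", "rdf:type", "rbac:ActivateRole"),
    ("data:BobCitizen", "rbac:subject", "data:Bob"),
    ("data:BobCitizen", "rbac:object", "ex:Citizen"),
}


def objects(store, subj, pred):
    """All ?o with (subj, pred, ?o) in the store."""
    return {o for s, p, o in store if s == subj and p == pred}


def superclasses(store, cls):
    """Transitive rdfs:subClassOf closure of cls, including cls itself."""
    seen, todo = set(), [cls]
    while todo:
        c = todo.pop()
        if c not in seen:
            seen.add(c)
            todo.extend(objects(store, c, "rdfs:subClassOf"))
    return seen


def types_of(store, subj):
    """Classes subj belongs to, closed under subclass inference."""
    return {c for t in objects(store, subj, "rdf:type") for c in superclasses(store, t)}


def apply_activation_rule(store):
    """One forward-chaining pass of the slide's activation rule.

    { ?ACTION a ActivateRole; subject ?SUBJ; object ?ROLE.
      ?SUBJ a ?ROLE. ?ROLE activeForm ?AROLE. ?AROLE subClassOf ActiveRole. }
    => { ?ACTION a PermittedRoleActivation. ?SUBJ a ?AROLE }
    Returns the derived triples and adds them to the store.
    """
    derived = set()
    requests = [s for s, p, o in store if p == "rdf:type" and o == "rbac:ActivateRole"]
    for action in requests:
        for subj in objects(store, action, "rbac:subject"):
            for role in objects(store, action, "rbac:object"):
                if role not in types_of(store, subj):
                    continue  # not assigned the role: activation refused
                for arole in objects(store, role, "rbac:activeForm"):
                    if "rbac:ActiveRole" in superclasses(store, arole):
                        derived.add((action, "rdf:type", "rbac:PermittedRoleActivation"))
                        derived.add((subj, "rdf:type", arole))
    store |= derived
    return derived


def decide(store, user, action):
    """Authorization decision for user performing action in the current session.

    Only ACTIVE roles count; an explicit prohibition wins over any permission
    (deny-overrides, a choice made for this example).
    """
    active = {c for c in types_of(store, user)
              if c != "rbac:ActiveRole" and "rbac:ActiveRole" in superclasses(store, c)}
    if active & objects(store, action, "rbac:prohibitedFor"):
        return "prohibited"
    if active & objects(store, action, "rbac:permittedFor"):
        return "permitted"
    return "not permitted"


def run_demo():
    """Activate the session roles, then answer the review's questions."""
    store = set(TRIPLES)
    derived = apply_activation_rule(store)

    def activated(req):
        return (req, "rdf:type", "rbac:PermittedRoleActivation") in derived

    return {
        "AliceCitizen": activated("data:AliceCitizen"),  # True
        "BobVisitor": activated("data:BobVisitor"),      # True
        "BobCitizen": activated("data:BobCitizen"),      # False: Bob is not a Citizen
        "Alice Vote": decide(store, "data:Alice", "ex:Vote"),  # permitted
        "Alice Work": decide(store, "data:Alice", "ex:Work"),  # permitted
        "Bob Work": decide(store, "data:Bob", "ex:Work"),      # prohibited
        "Bob Vote": decide(store, "data:Bob", "ex:Vote"),      # not permitted
    }


if __name__ == "__main__":
    for question, answer in run_demo().items():
        print(f"{question}: {answer}")
```

The point the script makes explicit is the one the slide's rule encodes: activation is a separate, checked step from assignment, so permissions hang off the active form of a role (ex:ActiveCitizen), never off the role class itself, and a session in which no activation rule fired grants nothing.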