
Upload: camron-moore

Post on 18-Jan-2018



TRANSCRIPT

Page 1: T. Hill – Review of: ROWLBAC – Representing Role Based Access Control in OWL

T. Finin, A. Joshi, L. Kagal, B. Thuraisingham, J. Niu, R. Sandhu, W. Winsborough. 10/13/2008

Problem: Using the hierarchy diagram below, describe how OWL (Web Ontology Language) can be used to specify the following RBAC security model access control functions: assign the role of Person and two sub-class roles of Citizen and Visitor; assign to Citizen the permitted actions of Vote, Work, Jury; assign to Visitor a prohibited action of Work. Make Alice an active Citizen and Bob an active Visitor. [note - general descriptive language is acceptable, exact RDF/OWL syntax is not necessary].

• Motivation
  • Applications – sophisticated, intelligent, open and dynamic environments
  • Future – Grid computing, intelligent agents, negotiated exchange of information
  • Security – of future applications, regardless of infrastructure, including the cloud

• Bring together two parallel themes
  • Access Control Models – RBAC96, NIST Standard, RT, Usage Control
  • Policy Languages – XACML, Ponder, Rei, KAoS

Page 2: ROWLBAC – Semantic Web and OWL

• Semantic Web
  • Berners-Lee vision
  • Knowledge published so humans and computers can understand and reason
• Technology
  • W3C standards: RDF (Resource Description Framework) triple
    • //..html has a creation-date whose value is August 16, 1999
  • Description Logic

Page 3: ROWLBAC – Roles as Classes, Permissions, Activation, Enforcing

• Hierarchy of roles (roles are OWL classes; the role hierarchy is the subclass hierarchy)

    Citizen rdfs:subClassOf Person .
    Visitor rdfs:subClassOf Person .

• Associating permissions with roles (a permitted Vote action is one whose subject is an active Citizen)

    PermittedVoteAction a rdfs:Class ;
        rdfs:subClassOf rbac:PermittedAction ;
        owl:equivalentClass [ a owl:Class ;
            owl:intersectionOf ( Vote
                [ a owl:Restriction ;
                  owl:onProperty rbac:subject ;
                  owl:allValuesFrom ex:ActiveCitizen ] ) ] .

• Assigning roles and activation in a session

    AliceCitizen a rbac:ActivateRole ;
        rbac:subject data:Alice ;
        rbac:object ex:Citizen .

    BobVisitor a rbac:ActivateRole ;
        rbac:subject data:Bob ;
        rbac:object ex:Visitor .

• Enforcing the RBAC activation rule (an activation is permitted only if the subject already holds the role; the subject then becomes an instance of the role's active form)

    { ?ACTION a ActivateRole ; subject ?SUBJ ; object ?ROLE .
      ?SUBJ a ?ROLE .
      ?ROLE activeForm ?AROLE .
      ?AROLE rdfs:subClassOf ActiveRole . }
    =>
    { ?ACTION a PermittedRoleActivation ; subject ?SUBJ ; object ?ROLE .
      ?SUBJ a ?AROLE } .

Page 4: ROWLBAC – A Proposed Solution

Problem: Using the hierarchy diagram below, describe how OWL (Web Ontology Language) can be used to specify the following RBAC security model access control functions: assign the role of Person and two sub-class roles of Citizen and Visitor; assign to Citizen the permitted actions of Vote, Work, Jury; assign to Visitor a prohibited action of Work. Make Alice an active Citizen and Bob an active Visitor. [note - general descriptive language is acceptable, exact RDF/OWL syntax is not necessary].

Proposed solution:
1. Use RDF/OWL to define Citizen as a subclass of Person and Visitor as a subclass of Person.
2. Use RDF/OWL to define Vote, Work and Jury as permitted actions of Citizen, and Work as a prohibited action of Visitor.
3. At run time, set Alice as an active Citizen and Bob as an active Visitor.

[Hierarchy diagram: Person at the top; below it Citizen (Permitted: Vote, Work, Jury) and Visitor (Prohibited: Work); Alice active under Citizen, Bob active under Visitor.]
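The activation rule from page 3 and the three-step solution above, worked through as an added example in plain Python (this is not code from the slides or the ROWLBAC paper): the role hierarchy, the ActivateRole requests and the permitted/prohibited action classes are encoded as triples, the rule is applied once, and access decisions for Alice and Bob are read off the result. The class names ActiveCitizen/ActiveVisitor, the POLICY table and the extra BobCitizen request are assumptions.

```python
# Added example (not from the slides or the ROWLBAC paper): forward-chaining the
# slide's activation rule over (subject, predicate, object) triples, then deciding
# actions from PermittedAction/ProhibitedAction classes. Prefixes are dropped.

# Constructed triples mirroring the hierarchy diagram.
TRIPLES = {
    ("Citizen", "subClassOf", "Person"), ("Visitor", "subClassOf", "Person"),
    ("Citizen", "activeForm", "ActiveCitizen"), ("Visitor", "activeForm", "ActiveVisitor"),
    ("ActiveCitizen", "subClassOf", "ActiveRole"), ("ActiveVisitor", "subClassOf", "ActiveRole"),
    ("Alice", "a", "Citizen"), ("Bob", "a", "Visitor"),
    # Session activation requests: AliceCitizen and BobVisitor are from the slide;
    # BobCitizen is a constructed request for a role Bob was never assigned.
    ("AliceCitizen", "a", "ActivateRole"), ("AliceCitizen", "subject", "Alice"),
    ("AliceCitizen", "object", "Citizen"),
    ("BobVisitor", "a", "ActivateRole"), ("BobVisitor", "subject", "Bob"),
    ("BobVisitor", "object", "Visitor"),
    ("BobCitizen", "a", "ActivateRole"), ("BobCitizen", "subject", "Bob"),
    ("BobCitizen", "object", "Citizen"),
}

# (action, required active role) -> True for a PermittedAction class, False for a ProhibitedAction.
POLICY = {("Vote", "ActiveCitizen"): True, ("Work", "ActiveCitizen"): True,
          ("Jury", "ActiveCitizen"): True, ("Work", "ActiveVisitor"): False}


def objects(g, s, p):
    return {o for s2, p2, o in g if s2 == s and p2 == p}


def activate(g):
    """Apply the slide's rule: an ActivateRole whose subject holds the requested role
    becomes a PermittedRoleActivation and the subject joins the role's active form."""
    derived = set()
    for action in {s for s, p, o in g if p == "a" and o == "ActivateRole"}:
        for subj in objects(g, action, "subject"):
            for role in objects(g, action, "object"):
                if role not in objects(g, subj, "a"):
                    continue  # role never assigned to this subject: nothing is derived
                for arole in objects(g, role, "activeForm"):
                    if "ActiveRole" in objects(g, arole, "subClassOf"):
                        derived.add((action, "a", "PermittedRoleActivation"))
                        derived.add((subj, "a", arole))
    return g | derived


def decide(g, subj, action):
    """A matching ProhibitedAction wins over a PermittedAction; no match is 'undecided'."""
    active_roles = objects(g, subj, "a")
    verdicts = {ok for (act, role), ok in POLICY.items() if act == action and role in active_roles}
    return "prohibited" if False in verdicts else "permitted" if True in verdicts else "undecided"
```

Because the permission classes are restricted to the active forms, a subject who merely holds a role but has not activated it in the session gets no decision at all.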