Access Control for Linked Data: Past, Present and Future
Sabrina Kirrane
Insight Centre for Data Analytics, NUIG
Department of Maths and Computing, GMIT
Structure of the Talk
<title> Hello World </title>
She’ll know what to do with <title>
Ah yes, I display this at the top.
From document markup (HTML) …
To data markup (XML)…
<time=“10:36”/>
She’ll know what <time> means
This is what my user asked for. Thanks!
To arbitrary information exchange ???
<sabrina lecturesAt GMIT/>
This is the data I have. What’s a sabrina?
<Sabrina lecturesAt GMIT/>
To Semantics…
Publishing and Consuming Linked Data
[Diagram labels: RDB2RDF, Interface, 1.1]
Why do we need Access Control?
Access Control and RDF – The Past
Models
Mandatory Access Control
TOP SECRET
SECRET
CONFIDENTIAL
PUBLIC
Access Labels
Subjects, Resources
Yagüe et al, Applying the semantic web to access control, 2003
Kodali et al, An authorization model for multimedia digital libraries, 2004
Discretionary Access Control
DELETE
UPDATE
CREATE
READ
Delegate
Permissions
Subjects, Resources
Gabillon and Letouzey, A view based access control model for sparql, 2010
Role Based Access Control
DELETE
UPDATE
CREATE
READ
Sales
Marketing
Roles
Permissions
Employee
Subjects, Resources
Finin et al, Rowlbac: Representing role based access control in owl, 2008
Attribute Based Access Control
Age > 21
Affiliation = Insight
DELETE
UPDATE
CREATE
READ
Attributes
Permissions
Subjects, Resources
Priebe et al, A pattern system for access control, 2004
Context Based Access Control
Device = mobile
Near = Insight
Attributes
DELETE
UPDATE
CREATE
READ
Permissions
Subjects, Resources
Luca Costabello et al, Linked data access goes mobile: Context-aware authorization for graph stores, 2012
eXtensible Access Control Markup Language
Policy Administration Point (PAP)
Policy Enforcement Point (PEP)
Policy Decision Point (PDP)
Policy Information Point (PIP)
Ferrini and Bertino, Supporting rbac with xacml+owl, 2009
https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
Web Access Control
Serena Villata et al, An access control model for linked data, 2011
Sacco and Passant, A privacy preference ontology (ppo) for linked data, 2011
1. Give read access to the WebID profile document /2013/card to everyone.
2. Give read access to the /2013/protected resource to the members of a group that went to a particular conference.
http://www.w3.org/wiki/WebAccessControl
http://www.w3.org/2005/Incubator/webid/spec/
WebID Profile
Platform for Privacy Preferences
Garcia and Toledo, A web service privacy framework based on a policy approach enhanced with ontologies, 2008
http://www.w3.org/TR/P3P/
Ontology Based Enforcement - KAoS
actors (human and agents)
actions: e.g. accessing, communication and monitoring
authorisations and obligations: positive and negative
entities associated with actions
Bradshaw et al, KAoS: Toward an Industrial-strength Open Agent Architecture, 1997
[Diagram labels: Policy Administration Tool, Domain Managers, Guards, Enforcers]
Policy Admin Tool: User friendly interface for those that are not familiar with DAML and OWL
Domain Managers: Manage membership and distribute policies to Guards
Guards: Enforce platform independent policies
Enforcers: Enforce platform dependent policies (Interface for developers)
Policies can easily be merged / adopted by others
Deductive reasoning: infer new policies based on relationship between access control entities
Abductive reasoning: determine the access rights required to meet a given policy
Rule Based Enforcement - Rei
users and agents
speech acts: delegation, revocation, request, cancel, promise and command
deontic logic: permissions, prohibitions, obligations and dispensations
services and resources
Kagal and Finin, A policy language for a pervasive computing environment, 2003
Server Mode
The server:
1. retrieves the relevant policies
2. requests the credentials necessary to access the resource from the client
3. verifies the client credentials against the policies
Client Mode
1. The server returns a link to a policy which the client must satisfy
2. The client generates a proof that the requester can satisfy the policy
3. The client forwards the proof to the server.
Rule Based Enforcement - Protune
users and agents
Decision predicates: outcome of the policy
Provisional predicates: conditions - credentials and declarations
Abbreviation predicates: abstractions used for simplification
services and resources
Bonatti et al, Protune: A rule-based provisional trust negotiation framework
Framework
Negotiation handler: sending conditions and processing responses
Execution handler: interact with external systems and data sources
Inference engine: enforcing policies (deduction) and retrieving evidences (abduction)
Explanations
• How-to queries (provide a description of the policy)
• What-if queries (give foresight into potential policy outcomes)
• Why queries (give explanations for positive negotiation outcomes)
• Why-not queries (give explanations for negative outcomes)
Combining Description Logic And Rules
Toninelli et al, Rule-based and ontology-based policies
Like KAoS: ontologies to model both domain information and policies - conflict resolution and harmonisation at design time
Like Rei: rules used to support dynamic constraints and run time variables - access control based on dynamic context pertaining to the requester or the environment
Like Protune: policy disclosure and policy negotiation
Kolovski et al, Analyzing web access control policies
Use defeasible description logic to understand the effect and the consequence of sets of XACML access control policies
Strict rules that cannot be overwritten
Defeasible rules that may be overwritten by a higher priority rule
Toninelli et al, Rule-based and ontology-based policies: Toward a hybrid approach, 2005
Kolovski et al, Analyzing web access control policies, 2007
Specification – Patterns, Views & Ontologies
entx:EmployeeData {
  entx:JB rdf:type foaf:Person .
  entx:JB foaf:givenName "Joe" .
  …
}
?X rdf:type foaf:Person
?G
Construct & Describe Queries
Reddivari et al, Policy-based access control for an rdf store, 2005
Gabillon and Letouzey, A view based access control model for sparql, 2010
Sacco and Passant, A privacy preference ontology (ppo) for linked data, 2011
Reasoning – Based on ontology concepts
entx:EmployeeData {
  entx:JB rdf:type entx:Employee .
  entx:JB foaf:givenName "Joe" .
  entx:JB foaf:lastName "Bloggs" .
  entx:JB entx:salary "40000" .
  entx:MR rdf:type entx:Employee .
  entx:MR foaf:givenName "May" .
  entx:MR foaf:lastName "Ryan" .
  entx:MR entx:salary "80000" .
  entx:Employee rdfs:subClassOf foaf:Person .
}
?X rdf:type foaf:Person .
Class -> SubClass
Property -> SubProperty
Class -> Instances
Qin et al, Concept-level access control for the semantic web, 2003
Javanmardi et al, Sbac: A semantic based access control model, 2006
Partial Query Results
Query Rewriting
Data Filtering
Dietzold and Auer, Access control on rdf triple stores from a semantic wiki perspective, 2006.
Abel et al, Enabling advanced and context dependent access control in rdf stores, 2007
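An added example, not from the talk or the cited papers: a minimal Python sketch of concept-level propagation (Class -> SubClass -> Instances) followed by data filtering, run over the entx:EmployeeData triples from the reasoning slide. The function names and the deny-by-class policy shape are assumptions made for illustration; Property -> SubProperty propagation is not covered.

```python
# Added illustration; triples copied from the entx:EmployeeData slide.
RDF_TYPE, SUBCLASS = "rdf:type", "rdfs:subClassOf"
GRAPH = [
    ("entx:JB", RDF_TYPE, "entx:Employee"),
    ("entx:JB", "foaf:givenName", "Joe"),
    ("entx:JB", "foaf:lastName", "Bloggs"),
    ("entx:JB", "entx:salary", "40000"),
    ("entx:MR", RDF_TYPE, "entx:Employee"),
    ("entx:MR", "foaf:givenName", "May"),
    ("entx:MR", "foaf:lastName", "Ryan"),
    ("entx:MR", "entx:salary", "80000"),
    ("entx:Employee", SUBCLASS, "foaf:Person"),
]

def naive_instances(graph, cls):
    """Pattern match only: ?X rdf:type cls, with no reasoning."""
    return {s for s, p, o in graph if p == RDF_TYPE and o == cls}

def subclasses_of(graph, cls):
    """cls plus every class reaching it through rdfs:subClassOf (cycle-safe)."""
    found, frontier = {cls}, [cls]
    while frontier:
        parent = frontier.pop()
        for s, p, o in graph:
            if p == SUBCLASS and o == parent and s not in found:
                found.add(s)
                frontier.append(s)
    return found

def protected_instances(graph, cls):
    """Class -> SubClass -> Instances propagation of a policy on cls."""
    classes = subclasses_of(graph, cls)
    return {s for s, p, o in graph if p == RDF_TYPE and o in classes}

def filter_graph(graph, denied_class, denied_predicates=None):
    """Data filtering: drop triples whose subject is a protected instance.

    With denied_predicates set, only those predicates are withheld, so the
    caller still receives a partial result for each protected subject.
    """
    protected = protected_instances(graph, denied_class)
    return [
        (s, p, o) for s, p, o in graph
        if not (s in protected
                and (denied_predicates is None or p in denied_predicates))
    ]
```

A policy written against `?X rdf:type foaf:Person` matches nothing in this graph without the subclass step, which is why enforcement that skips reasoning leaves every entx:Employee record readable.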
Access Control and Linked Data – The Present
August 2014
Access Control and Linked Data
Data
Context
Policy
Luca Costabello et al, Access control for http operations on linked data, 2013
Access Control and Linked Data
Data
FOAF Profile
Policy
Sacco and Passant, A privacy preference manager for the social semantic web, 2011
Linked Data Authorisation Architecture
[Diagram labels: RDB2RDF]
Kirrane et al, Linked Data with Access Control, 2015
Access Control and Linked Data – The Future
Yagüe et al.: Access control and the layers of the Semantic Web
Damiani et al., Weitzner et al.: Paradigms where privacy is a key requirement
De Coi et al., Bonatti and Olmedilla: Interplay between trust, access control and policy languages
Ryutov et al.: Access should be based on the Graph structure
Access Control for Linked Data – The Future
Specification: Granularity; Underlying Formalism; Reasoning; Condition Expressiveness; Attributes, Context & Evidences; Heterogeneity & Interoperability
Implementation: Delegation; Consistency & Safety; Usability; Understandability
Administration: Effectiveness; Distributed; Flexibility & Extensibility
Enforcement: Negotiation; Explanations; Conflict Resolution