Industry Alignment of the EDS Fellows and Distinguished SEs


T. Hill Review of:
ROWLBAC – Representing Role Based Access Control in OWL
T. Finin, A. Joshi, L. Kagal, B. Thuraisingham, J. Niu, R. Sandhu, W. Winsborough, 10/13/2008
Problem:
Using the hierarchy diagram below, describe how OWL (Web Ontology Language) can be used to specify the following RBAC security model access control functions: assign the role of Person and two sub-class roles of Citizen and Visitor; assign to Citizen the permitted actions of Vote, Work, Jury; assign to Visitor a prohibited action of Work. Make Alice an active Citizen and Bob an active Visitor. [note - general descriptive language is acceptable, exact RDF/OWL syntax is not necessary].
• Motivation
    • Applications – sophisticated, intelligent, open and dynamic environments
    • Future – Grid computing, intelligent agents, negotiate exchange of information
    • Security – of future applications, regardless of infrastructure, including the cloud
• Bring together two parallel themes
    • Access Control Models – RBAC96, NIST Standard, RT, Usage Control
    • Policy Languages – XACML, Ponder, Rei, KAoS
ROWLBAC – Semantic Web and OWL
• Semantic Web
    • Berners-Lee vision
    • Knowledge published so humans and computers can understand and reason
    • Technology
        • W3C standards: the RDF (Resource Description Framework) triple
            • //..html has a creation-date whose value is August 16, 1999
        • Description Logic
ROWLBAC – Roles as Classes, Permissions, Activation, Enforcing
• Hierarchy of roles
    Citizen rdfs:subClassOf Person.
    Visitor rdfs:subClassOf Person.
• Associating permissions with roles
    PermittedVoteAction a rdfs:Class;
        rdfs:subClassOf rbac:PermittedAction;
        owl:equivalentClass
        [
            a owl:Class;
            owl:intersectionOf
            ( Vote
              [ a owl:Restriction;
                owl:allValuesFrom ex:ActiveCitizen;
                owl:onProperty rbac:subject
              ]
            )
        ].
• Enforcing RBAC activation rule
    { ?ACTION a ActivateRole;
        subject ?SUBJ;
        object ?ROLE.
      ?SUBJ a ?ROLE.
      ?ROLE activeForm ?AROLE.
      ?AROLE rdfs:subClassOf ActiveRole.
    } =>
    { ?ACTION a PermittedRoleActivation;
        subject ?SUBJ; object ?ROLE.
      ?SUBJ a ?AROLE
    }.
• Assigning roles and activation in a session
    AliceCitizen a rbac:ActivateRole;
        rbac:subject data:Alice;
        rbac:object ex:Citizen.
    BobVisitor a rbac:ActivateRole;
        rbac:subject data:Bob;
        rbac:object ex:Visitor.
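The activation rule and the PermittedVoteAction definition on this slide, run over a toy triple store as an added example (not the slides' or the ROWLBAC paper's code): the ex:, rbac: and data: names, the activeForm property and the Alice/Bob activations follow the slides, while the Python functions, the extra activation request by Bob for the Citizen role he does not hold, and the two Vote actions are assumptions made for the demonstration. It also points out an edge case the slide's owl:allValuesFrom restriction has: an action with no subject at all satisfies it vacuously.

```python
# Added example, not the slides' or the ROWLBAC paper's code: a minimal in-memory triple
# store (a set of (s, p, o) tuples, "a" standing for rdf:type) that applies the slide's
# role-activation rule and PermittedVoteAction definition. Prefixes are written literally.

def objects(g, s, p):  # all o with (s, p, o) in g
    return {o for s2, p2, o in g if s2 == s and p2 == p}

def instances(g, cls):  # all s with (s, a, cls) in g
    return {s for s, p, o in g if p == "a" and o == cls}

def apply_activation_rule(g):
    """One pass of the N3 rule: activation is permitted only if the subject already holds
    the role and the role's active form is an ActiveRole. Adds and returns inferred triples."""
    inferred = set()
    for action in instances(g, "rbac:ActivateRole"):
        for subj in objects(g, action, "rbac:subject"):
            for role in objects(g, action, "rbac:object"):
                if (subj, "a", role) not in g:  # subject not assigned the role: rule does not fire
                    continue
                for arole in objects(g, role, "rbac:activeForm"):
                    if (arole, "rdfs:subClassOf", "rbac:ActiveRole") in g:
                        inferred |= {(action, "a", "rbac:PermittedRoleActivation"), (subj, "a", arole)}
    g |= inferred
    return inferred

def classify_permitted_votes(g):
    """PermittedVoteAction = Vote AND (every rbac:subject is an ActiveCitizen). owl:allValuesFrom
    holds vacuously for an action with no subject, so this check additionally requires one."""
    permitted = set()
    for action in instances(g, "ex:Vote"):
        subjects = objects(g, action, "rbac:subject")
        if subjects and all((s, "a", "ex:ActiveCitizen") in g for s in subjects):
            g.add((action, "a", "ex:PermittedVoteAction"))
            permitted.add(action)
    return permitted

def demo_graph():
    """Constructed sample data: the slides' hierarchy and activations, plus a (hypothetical)
    activation request by Bob for Citizen, a role he does not hold, and two Vote actions."""
    g = {("ex:Citizen", "rdfs:subClassOf", "ex:Person"), ("ex:Visitor", "rdfs:subClassOf", "ex:Person"),
         ("ex:Citizen", "rbac:activeForm", "ex:ActiveCitizen"), ("ex:Visitor", "rbac:activeForm", "ex:ActiveVisitor"),
         ("ex:ActiveCitizen", "rdfs:subClassOf", "rbac:ActiveRole"), ("ex:ActiveVisitor", "rdfs:subClassOf", "rbac:ActiveRole"),
         ("data:Alice", "a", "ex:Citizen"), ("data:Bob", "a", "ex:Visitor")}
    for name, subj, role in [("data:AliceCitizen", "data:Alice", "ex:Citizen"),
                             ("data:BobVisitor", "data:Bob", "ex:Visitor"),
                             ("data:BobCitizen", "data:Bob", "ex:Citizen")]:
        g |= {(name, "a", "rbac:ActivateRole"), (name, "rbac:subject", subj), (name, "rbac:object", role)}
    for name, subj in [("data:vote1", "data:Alice"), ("data:vote2", "data:Bob")]:
        g |= {(name, "a", "ex:Vote"), (name, "rbac:subject", subj)}
    return g
```

Calling apply_activation_rule on demo_graph() activates Alice and Bob in their assigned roles, leaves Bob's Citizen request without a PermittedRoleActivation, and classify_permitted_votes then accepts only Alice's vote.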
ROWLBAC – A Proposed Solution
Proposed solution:
1. Use RDF/OWL to define Citizen as a subclass of Person and Visitor as a subclass of Person
2. Use RDF/OWL to define Vote as a permitted action of Citizen, Work as a permitted action of Citizen, Jury as a permitted action of Citizen, and Work as a prohibited action of Visitor
3. At run time, set Alice as an active Citizen and Bob as an active Visitor
[Hierarchy diagram: Person, with sub-classes Citizen (Permitted: Vote, Work, Jury; Alice active) and Visitor (Prohibited: Work; Bob active)]