![Page 1: Semantic Access Control Ashraful Alam Dr. Bhavani Thuraisingham](https://reader036.vdocument.in/reader036/viewer/2022072016/56649ef25503460f94c04207/html5/thumbnails/1.jpg)
Semantic Access Control
Ashraful Alam, Dr. Bhavani Thuraisingham
Semantic Access Control (SAC)
[Diagram: Traditional Access Control + Semantic Web -> Semantic Access Control]
Motivation
Shortcomings of Traditional Access Control
• Proprietary systems
• Lack of modularity
• Changes in access control schemas break the system
• Changes in data schemas break the system
• Paths to resources (e.g., XPath) are clumsy
//school/department/professor/personal/ssn – LONG!
• Non-optimal for distributed/federated environments
Modularity Problem
[Diagram: a single "Target" box bundles three things that should be defined independently]
• People this policy applies to
• Resources this policy applies to
• Actions allowed for this policy
SAC Ontology
Written in OWL (Web Ontology Language)
• User-centric
• Modular
• Easily extensible
Available at: http://utd61105.campus.ad.utdallas.edu/geo/voc/newaccessonto
SAC Components
Subjects: Software agents or human clients
Resources: Assets exposed through WS (Web Services)
Actions: Read, Write, Execute
Conditions: Additional constraints (e.g., geospatial parameters) on policy enforcement
[Diagram: a Policy Set composed of Subjects, Resources, Actions and Conditions]
Application: Geo-WS Security
Data providers (e.g., geospatial clearinghouses, research centers) need access control on serviceable resources.
Access policies have a geospatial dimension:
• Bob has access to Building A
• Bob does NOT have access to Building B
• Buildings A and B have an overlapping area, so a request on that area cannot be decided by resource name alone
Current access control mechanisms are static and non-modular.
Geo-WS Security: Architecture
[Architecture diagram]
Web Service Client Side: Client, DAGIS
Web Service Provider Side: Geospatial Semantic WS Provider
• Enforcement Module
• Decision Module
• Authorization Module
• Semantic-enabled Policy DB
Geo-WS Security: Semantics
Policy rules are based on description logic (DL). DL allows machine-processed deductions over the policy base.
Example 1:
• DL Rule: ‘Stores’ is the inverse of ‘Is Stored In’
• Fact: Airplane_Hangar(X) ‘stores’ Airplane(Y)
• Deduced: Airplane(Y) ‘Is Stored In’ Airplane_Hangar(X)
Example 2:
• DL Rule: ‘Is Located In’ is transitive
• Facts: Polygon(S) ‘Is Located In’ Polygon(V); Polygon(V) ‘Is Located In’ Polygon(T)
• Deduced: Polygon(S) ‘Is Located In’ Polygon(T)
Secure Inferencing
[Diagram: an Inferencing Module connected to the Geospatial DataStore and the Semantic-enabled Policy DB; obvious (asserted) facts go in, deduced facts come out]
Geo-WS Security: Example
Resources := Washington, Oregon, California, West Coast
Rule := West Coast = WA ∪ OR ∪ CA
Policy :=
• Subject := Bob
• Resources := WA, OR, CA
• Action := Read
Query: Retrieve Interstate Highway topology of West Coast
Bob's read permission on WA, OR and CA covers their union, so the West Coast query is permitted without a separate West Coast policy.
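The two DL examples on the previous slide and the West Coast union rule above can be exercised together with a small forward-chaining reasoner. The following Python is an added example, not code from the deck or its ontology files; the triple names, the property identifiers, and the rule that a grant on a region also covers resources located in it are constructed assumptions for this illustration.

```python
"""Added example (not from the deck): a small forward-chaining reasoner for
the two description-logic axioms on the slide (an inverse property and a
transitive property), then a policy check that uses the inferred facts and
the West Coast union rule.  Triple names, property identifiers and the
'grant on a region covers resources located in it' rule are constructed
assumptions for this illustration."""
from itertools import product

INVERSE = {"stores": "isStoredIn", "isStoredIn": "stores"}   # Example 1 axiom
TRANSITIVE = {"isLocatedIn"}                                  # Example 2 axiom


def saturate(facts):
    """Apply the inverse and transitive axioms until no new triple appears.
    facts: iterable of (subject, property, object) triples."""
    facts = set(facts)
    while True:
        derived = set()
        for s, p, o in facts:
            if p in INVERSE:                       # 'stores' inverse 'isStoredIn'
                derived.add((o, INVERSE[p], s))
        for p in TRANSITIVE:                       # a p b, b p c  =>  a p c
            edges = [(s, o) for s, q, o in facts if q == p]
            for (a, b), (c, d) in product(edges, repeat=2):
                if b == c and a != d:
                    derived.add((a, p, d))
        derived -= facts
        if not derived:
            return facts
        facts |= derived


# Obvious (asserted) facts from the two examples, as constructed triples.
ASSERTED = {
    ("Airplane_Hangar_X", "stores", "Airplane_Y"),
    ("Polygon_S", "isLocatedIn", "Polygon_V"),
    ("Polygon_V", "isLocatedIn", "Polygon_T"),
}
FACTS = saturate(ASSERTED)                         # asserted + deduced facts

UNION_OF = {"West_Coast": {"WA", "OR", "CA"}}      # West Coast = WA ∪ OR ∪ CA

# Bob's direct grants (the West Coast slide plus a constructed grant on Polygon_T).
GRANTS = {("Bob", "read", "WA"), ("Bob", "read", "OR"), ("Bob", "read", "CA"),
          ("Bob", "read", "Polygon_T")}


def is_permitted(subject, action, resource, grants=GRANTS, facts=FACTS):
    """Permit if granted directly, or if the resource is a union whose members
    are all permitted, or (assumption) if the inferred facts say it
    isLocatedIn a directly granted resource."""
    if (subject, action, resource) in grants:
        return True
    members = UNION_OF.get(resource)
    if members and all(is_permitted(subject, action, m, grants, facts) for m in members):
        return True
    containers = {o for s, p, o in facts if s == resource and p == "isLocatedIn"}
    return any((subject, action, c) in grants for c in containers)


if __name__ == "__main__":
    for fact in sorted(FACTS - ASSERTED):
        print("deduced:", fact)
    print("Bob read West_Coast:", is_permitted("Bob", "read", "West_Coast"))
    print("Bob read Polygon_S :", is_permitted("Bob", "read", "Polygon_S"))
    print("Bob read West_Coast without CA grant:",
          is_permitted("Bob", "read", "West_Coast", GRANTS - {("Bob", "read", "CA")}))
```

Removing a single member grant (CA) makes the West Coast query fail, which is the behaviour a union rule should have: the derived permission exists only while every constituent is permitted, and the policy base itself never has to mention West Coast.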
SAC in Action
Environment: University Campus
Campus Ontology: http://utd61105.campus.ad.utdallas.edu/geo/voc/campusonto
Main Resources
• Computer Science Building
• Pharmacy Building
• Electric Generator in each Building
SAC in Action
User Access:
• Bob has ‘execute’ access to all Building Resources
• Bob doesn’t have any access to CS Building
• Bob has ‘modify’ access to Building resources within a certain geographic extent
Policy File located at http://utd61105.campus.ad.utdallas.edu/geo/voc/policyfile1
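The three rules above conflict for some requests (a general ‘execute’ grant against a blanket deny on CS Building) and one of them carries a geospatial condition. The Python below is an added example showing how such a policy set is evaluated with a deny-overrides combining algorithm; it is not the deck's policy file. Resource names follow the campus slide, but the coordinates, the ‘modify’ extent, the assumption that the CS Building deny also covers the generator inside it, and the combining algorithm are all constructed for this illustration.

```python
"""Added example (not the deck's policy file): the three campus rules for
Bob evaluated with a deny-overrides combining algorithm and a geospatial
'within extent' condition.  Coordinates, the extent, the rule that a deny on
CS Building also covers resources located in it, and the combining
algorithm are constructed assumptions for this illustration."""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class Resource:
    name: str
    kind: str                       # ontology class: "Building" or "Generator"
    located_in: Optional[str]       # building this resource sits in, if any
    location: Tuple[float, float]   # (x, y) in a constructed local frame


@dataclass(frozen=True)
class Rule:
    subject: str
    actions: frozenset              # frozenset({"*"}) matches any action
    applies_to: Callable[[Resource], bool]
    effect: str                     # "permit" or "deny"
    condition: Callable[[Resource], bool] = lambda res: True


# Constructed campus resources: the deck names the buildings and generators,
# the coordinates and containment are assumed here.
RESOURCES = {
    "CS_Building": Resource("CS_Building", "Building", None, (10.0, 10.0)),
    "CS_Generator": Resource("CS_Generator", "Generator", "CS_Building", (12.0, 11.0)),
    "Pharmacy_Building": Resource("Pharmacy_Building", "Building", None, (40.0, 40.0)),
    "Pharmacy_Generator": Resource("Pharmacy_Generator", "Generator", "Pharmacy_Building", (58.0, 44.0)),
}


def is_building_resource(res: Resource) -> bool:
    return res.kind in {"Building", "Generator"}


def in_cs_building(res: Resource) -> bool:
    """Assumption: 'no access to CS Building' covers the building and what it contains."""
    return res.name == "CS_Building" or res.located_in == "CS_Building"


MODIFY_EXTENT = (30.0, 30.0, 50.0, 50.0)   # constructed (x0, y0, x1, y1) box


def within_modify_extent(res: Resource) -> bool:
    x, y = res.location
    x0, y0, x1, y1 = MODIFY_EXTENT
    return x0 <= x <= x1 and y0 <= y <= y1


POLICY = [
    Rule("Bob", frozenset({"execute"}), is_building_resource, "permit"),
    Rule("Bob", frozenset({"*"}), in_cs_building, "deny"),
    Rule("Bob", frozenset({"modify"}), is_building_resource, "permit", within_modify_extent),
]


def decide(subject: str, action: str, resource_name: str, policy=POLICY) -> str:
    """Deny-overrides: an applicable deny wins, then an applicable permit,
    otherwise deny by default.  Only the requester's rules are examined,
    which is the deck's 'only policies related to the requester' point."""
    res = RESOURCES[resource_name]
    effects = set()
    for rule in (r for r in policy if r.subject == subject):
        if action not in rule.actions and "*" not in rule.actions:
            continue
        if not rule.applies_to(res) or not rule.condition(res):
            continue
        effects.add(rule.effect)
    if "deny" in effects:
        return "deny"
    return "permit" if "permit" in effects else "deny"


if __name__ == "__main__":
    for req in [("Bob", "execute", "Pharmacy_Generator"),
                ("Bob", "execute", "CS_Generator"),
                ("Bob", "modify", "Pharmacy_Building"),
                ("Bob", "modify", "Pharmacy_Generator"),
                ("Bob", "read", "Pharmacy_Building")]:
        print(req, "->", decide(*req))
```

The condition is evaluated separately from the target: ‘execute’ on the Pharmacy generator is permitted regardless of location, while ‘modify’ on the same generator is denied because its constructed coordinates fall outside the extent and no other rule applies. Requests with no matching rule at all (Bob reading a building, or any other subject) fall through to the default deny.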
SAC Improvements
Subjects, Resources, Actions and Conditions are defined independently
Reduced policy look-up cost: only policies related to the requester are processed
No long path names!
Distributed Access Control
[Diagram]
Travel Site | Reimbursement Site | Bank Site
Travel Data & Ontology | Reimbursement Data | Bank Site & Ontology
Client Query Interface
Middleware