integrated development environment for policies anjali b shah department of computer science and...
TRANSCRIPT
Integrated Development Environment for Policies
Anjali B Shah
Department of Computer Science and Electrical Engineering
University of Maryland Baltimore County
Presentation Outline
Problem Description Related Work Thesis Contribution RIDE Framework RIDE Policy Toolkit
Namespace Manager Policy Creation Interface Policy Test-case Creation Interface
Future Work Conclusion
Problem Description
Policy-based governing frameworks are being increasingly used in a wide range of systems
These range from simple and static to increasingly complex, open, dynamic distributed environments
There is not much work in policy development that meets the requirements of these wide range of policy-based environments
Problem Description (Cont.)
Some of these requirements that outline features for policy management tools to support: User-friendly and extensible interface Simplification of the inherently error-prone and
complex policy creation process Ability to accommodate information spanning several
domains Facility for group policy specification Ability to test policy conformance Support to facilitate dynamic policy modification
Related Work
IBM’s P3P Policy Editor Editor for EPAL Policy language Ponder Policy Management Toolkit KPAT – The KAoS Policy Administration Toolkit Policy-Editor for KeyNote
Thesis Contribution Prior two iterations in UI development for policies RIDE (Rei Integrated Development Environment)
– A Wizard-based IDE for Policies. Comprises of: Namespace Manager Policy Creation Interface Policy Test-case Creation Interface
RIDE supports a unique combination of following features: Policy creation about speech acts that are used for
dynamic policy management Provision of support to test policy conformance
Thesis Contribution (Cont.) Ability to accommodate information spanning multiple
domains by allowing the domain knowledge to be expressed using ontology languages
Automation of the policy creation process by automatically generating user-defined policies in Rei
Ability to express individual as well as group policies Ease of management of domain information by offering
the option of namespace template creation User-friendly and extensible user interface
RIDE Framework Eclipse Framework
RIDE is developed as a pluggable component of the Eclipse framework
It uses Eclipse SWT, Jface API for UI development Jena Toolkit Rei Policy Specification Language Model-View-Controller Architecture
Model: Stores data for components in the GUI View: Creates visual representation of the components Controller: Updates model and/or view in response to
user interactions with the GUI
RIDE Framework (cont.)
PolicyRuleModel
PolicyUnitTest
PolicyCreation
PolicyNamespace
Actor Action
DLPolicy
Updates
Notifies
Contains
Interacts
RIDE Framework based on MVC Architecture
RIDE Framework (cont.)
PolicyRuleModel: As per the MVC paradigm, this class represents the model in RIDE framework
PolicyNamespace: Represents integrated view-controller pair
PolicyCreation: Represents an integrated view-contoller pair and consists of following nested views: Actor Action Deontic Literal Policy
RIDE Framework (cont.) PolicyUnitTest: Represents an integrated view-
controller pair and provides an interface with Rei Engine
Behavior described by Observer Design Pattern exists between following pairs of views: PolicyNamespace – Actor PolicyNamespace – Action Actor – Action Actor – Policy Action – Policy PolicyNamespace – PolicyUnitTest
Namespace Manager Namespace Manager supports the following
features to facilitate domain information specification: Pre-specified Domain Independent Information
Furnishes necessary information about domain independent ontologies
Namespace Templates Provides options to create and delete namespace domains, add
to and remove from namespace domains Direct Namespace Loading
Provides the option to enter namespace information without adding it to templates.
Namespace Manager (Cont.)
Namespace Manager (Cont.)
Template Creation using Namespace Manager
Namespace Manager (Cont.)
Namespace Addition to Template
Namespace Manager (Cont.)
Namespace Deletion from Template
Namespace Manager (Cont.)
Direct Namespace Loading
Policy Creation Interface
Rule Creation Process Involves making selections in Rules’ section of Actor, Deontic
Literal and Action tab pages
Speech Act Creation Process First half of speech act creation is similar to rule creation process Second half requires users to make selections on Policy tab page
Constraint Creation Process Involves making selections in Constraints’ section of Actor and
Action tab pages
Rule Creation Process
Actor Selection for Rule Creation
Rule Creation Process (Cont.)
Modality Selection for Rule Creation
Rule Creation Process (Cont.)
Action Selection for Rule Creation
Rule Creation Process (Cont.)
Completion of Rule Creation Process
Policy Creation Interface (Cont.)
Rule Creation Process Involves making selections in Rules’ section of Actor, Deontic
Literal and Action tab pages
Speech Act Creation Process First half of the process is similar to rule creation process Second half requires users-selections on Policy tab page
Constraint Creation Process Involves making selections in Constraints’ section of Actor and
Action tab pages
Speech Act Creation Process
First Step in Speech Act Creation Process
Speech Act Creation Process
Second Step in Speech Act Creation Process
Policy Creation Interface (Cont.)
Rule Creation Process Involves making selections in Rules’ section of Actor, Deontic
Literal and Action tab pages
Speech Act Creation Process First half of speech act creation is similar to rule creation process Second half requires users to make selections on Policy tab page
Constraint Creation Process Involves making selections in Constraints’ section of Actor and
Action tab pages
Constraint Creation Process
Simple Constraint Creation Process
Constraint Creation Process
Booelan Constraint Creation Process
Policy Creation Interface (Cont.)
Granting Object Creation Process Adds a constraint to an existing rule to form a new rule.
Allows re-use of rules in different policies with varied constraints
Policy Creation Process Entails prior creation of rules, constraints, speech acts, granting
objects Allows individual as well as group policies to be created Has ability to create security, management and conversation
policies
Meta-policy Creation Process Creates meta-policies over policies that are found to be conflicting
Granting Object Creation Process
Granting Object Creation Process
Policy Creation Interface (Cont.)
Granting Object Creation Process Adds a constraint to an existing rule to form a new rule. Allows re-
use of rules in different policies with varied constraints
Policy Creation Process Entails prior creation of rules, constraints, speech acts,
granting objects Allows individual as well as group policies to be created Has ability to create security, management and conversation
policies
Meta-policy Creation Process Creates meta-policies over policies that are found to be conflicting
Policy Creation Process
Policy Creation Process
Policy Creation Interface (Cont.)
Granting Object Creation Process Adds a constraint to an existing rule to form a new rule. Allows re-
use of rules in different policies with varied constraints
Policy Creation Process Entails prior creation of rules, constraints, speech acts, granting
objects Allows individual as well as group policies to be created Has ability to create security, management and conversation
policies
Meta-policy Creation Process Creates meta-policies over policies that are found to be
conflicting
Meta-policy Creation Process
Meta-policy Creation Process
Policy Creation Interface (Cont.)
Policy File Creation Process
Policy Creation Interface (Cont.)
Policy File showing Auto-generated OWL Code
Policy Test-case Creation Interface
Provides an interface to create test-cases over policy files generated through the policy creation interface
Verifies the correctness of individual test-cases (policy units/modules) to test policy conformance
Interface with Rei Engine helps compute results for the test-cases
Policy File Verification for Correctness
Policy Test-case Creation Process
Policy Test-Case Creation Process
Policy Test-case Creation Process (Cont.)
Policy Test-Case Results
Future Work
Some of the useful features that future work on RIDE can provide: Extension of RIDE’s interface to support creation and
manipulation of domain related ontologies Extension of the interface to support a graphical
domain browser to view relationships between policies for a given domain
Ability to create and modify policies using such a browser that automatically detects inconsistencies arising among policies
Provision for meta-policy creation to declare default behavior or priority between rules
Conclusion RIDE, the main contribution of this thesis,
provides a user-friendly and extensible graphical user interface
Provides support to test policy conformance Automates and simplifies the error-prone and
complex policy creation process Provides options such as template creation to
facilitate domain information specification Has the ability to create policies over specific
instances or groups of actors and actions
Conclusion (Cont.) Being a plug-in extension of Eclipse gives it the
advantage of being easily extensible, but cannot be used as a stand-alone application
Supports no graphical interface for creating, modifying and browsing domain ontologies and browsing, modifying the policies created through the wizard
Supports no automatic detection of conflicts that arise out of inconsistencies between policies