“R♫P”: RDF Access Control Policies
Pavan Reddivari (Ebiquity Labs)
Motivation
Semantic Web Layer Cake (Berners-Lee 2004)*
*Semantic web layer cake (Berners-Lee, 2004): http://www.w3.org/2004/Talks/0412-RDF-functions/slide4-0.html
Motivation
The Semantic Web would enable a global social information sharing space.
There is a need for preset agreements between users to create and share this knowledge.
Current implementations have a coarse granularity of control (e.g. photo sharing), which inhibits users.
Access Controls
Identity Based Access Control
Role Based Access Control
Rule/Policy Based Access Control
Why Policies?
A role based system will not provide the required granularity.
Policies can be described with respect to time (e.g. allow on BirthDay).
It is difficult to create transient roles in a role based system.
Policy based access controls are also being used in other fields (databases, operating systems).
“R♫P”
RAP looks at solving the problem of defining and implementing access control for an RDF store.
Current RDF stores either ignore access control or provide only very basic access control.
Expressive control (triple level).
“R♫P” is:
“The basic RAP framework will allow an agent (person or program) to perform various actions (inserting, deleting, searching) on an RDF store, and the policy is used to decide if the action is permitted or prohibited.”
Acts on RDF Graph
Add a new Node-Link-Node.
Add a new Node, linked to an old Node.
Add a new Link between two old Nodes.
Delete, Update or Search for triples.
Infer Triples.
RDFS Graph
RDFS graphs have an inherent structure.
The actions on an RDFS graph can also be confined (schema or instance modification): Create a Class; Create Properties for a class; Create an Instance; Create a property instance.
Does this structure help us?
RAP: Actions
See(A,T): Agent A sees triple T if it is returned in the response to one of A's queries.
Use(A,T): Agent A uses triple T if it is used in answering one of A's queries.
Insert(A,T): Agent A directly inserts triple T into the graph.
InferInsert(A,T): Agent A infer-inserts triple T if Agent A performs Insert(A,T1) where T1 implies T, at a time when T is not in the graph.
Remove(A,T): Agent A directly removes triple T from the graph.
InferRemove(A,T): Agent A infer-removes triple T if Agent A performs Remove(A,T1) where T1 implies T and the existence of T in the graph depends on T1.
Update(A,T1,T2): Agent A directly replaces triple T1 with T2.
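As an added example (not code from the slides or the RAP prototype), the following toy graph records the seven RAP actions with the semantics given above. The only inference rule it implements is propagation of rdf:type along rdfs:subClassOf, the class hierarchy is treated as fixed schema, and the names RapGraph, supports and log are assumptions made for this example. The distinction between See and Use shows up when an inferred triple is returned: the agent sees the inferred triple but the store used the asserted triples that support it.

```python
# Added example, not code from the slides or the RAP prototype: a toy RDF
# graph that logs the RAP actions See/Use/Insert/InferInsert/Remove/
# InferRemove/Update. The only inference rule is rdfs:subClassOf propagation
# of rdf:type, and the subclass hierarchy is treated as fixed schema.
# Names (RapGraph, supports, log) are assumptions made for this example.

RDF_TYPE = "rdf:type"
RDFS_SUBCLASSOF = "rdfs:subClassOf"


class RapGraph:
    def __init__(self):
        self.triples = set()    # everything currently in the graph, asserted or inferred
        self.asserted = set()   # triples put in directly by Insert
        self.supports = {}      # inferred triple -> set of asserted triples implying it
        self.log = []           # (action, agent, triple) in the order they happened

    def _superclasses(self, cls):
        # transitive closure of rdfs:subClassOf over the asserted schema
        seen, todo = set(), [cls]
        while todo:
            c = todo.pop()
            for s, p, o in self.asserted:
                if s == c and p == RDFS_SUBCLASSOF and o not in seen:
                    seen.add(o)
                    todo.append(o)
        return seen

    def _implied_by(self, triple):
        # (x rdf:type C) implies (x rdf:type D) for every superclass D of C
        s, p, o = triple
        if p != RDF_TYPE:
            return set()
        return {(s, RDF_TYPE, sup) for sup in self._superclasses(o)}

    def insert(self, agent, triple):
        """Insert(A,T); InferInsert(A,T') for each implied T' not yet in the graph."""
        self.log.append(("Insert", agent, triple))
        self.asserted.add(triple)
        self.triples.add(triple)
        for t in self._implied_by(triple):
            self.supports.setdefault(t, set()).add(triple)
            if t not in self.triples:
                self.triples.add(t)
                self.log.append(("InferInsert", agent, t))

    def remove(self, agent, triple):
        """Remove(A,T); InferRemove(A,T') for implied T' whose existence depended on T."""
        self.log.append(("Remove", agent, triple))
        self.asserted.discard(triple)
        self.triples.discard(triple)
        for t in self._implied_by(triple):
            sup = self.supports.get(t, set())
            sup.discard(triple)
            # T' goes away only if nothing else supports it and nobody asserted it directly
            if not sup and t not in self.asserted and t in self.triples:
                self.triples.discard(t)
                self.log.append(("InferRemove", agent, t))

    def update(self, agent, old, new):
        """Update(A,T1,T2): replace T1 with T2 (modelled here as Remove then Insert)."""
        self.log.append(("Update", agent, (old, new)))
        self.remove(agent, old)
        self.insert(agent, new)

    def query(self, agent, pattern):
        """Pattern match with None as wildcard. Returns (seen, used): the triples
        returned to the agent (See) and the triples consulted to answer (Use);
        for an inferred answer the used triples are its asserted supports."""
        seen, used = set(), set()
        for t in self.triples:
            if all(p is None or p == v for p, v in zip(pattern, t)):
                seen.add(t)
                if t in self.asserted:
                    used.add(t)
                else:
                    used.update(self.supports.get(t, ()))
        for t in seen:
            self.log.append(("See", agent, t))
        for t in used:
            self.log.append(("Use", agent, t))
        return seen, used


if __name__ == "__main__":
    # constructed sample data for the demo
    g = RapGraph()
    g.insert("schema", ("ex:Manager", RDFS_SUBCLASSOF, "ex:Employee"))
    g.insert("alice", ("ex:bob", RDF_TYPE, "ex:Manager"))
    print(g.query("carol", (None, RDF_TYPE, "ex:Employee")))
    g.remove("alice", ("ex:bob", RDF_TYPE, "ex:Manager"))
    for entry in g.log:
        print(entry)
```

The dependency bookkeeping in supports is what makes InferRemove well defined: an inferred triple is dropped only when its last support is removed and it was never asserted directly, which is the "existence depends on T1" condition from the slide.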
RAP: Example policies
You want to prevent people from modifying the schema, i.e. defining classes or properties or modifying their definitions:
“prohibited(insert(A,(_,P,_))) :- schemaPredicate(P)”
schemaPredicate(P): true if P is a predicate used to define schema-level information (e.g., rdfs:subClassOf, rdfs:domain, etc.).
RAP: Example policies
Agents are permitted to create instances of classes they created:
“permitted(insert(A,(_,rdf:type,C))) :- createdNode(A,C)”
Agents are permitted to delete any triples that they had inserted:
“permitted(remove(A,T)) :- createdTriple(A,T)”
Employer Data Store
No one can change the schema:
“prohibited(insert(A,(_,P,_))) :- schemaPredicate(P)”
Users can create instances of employee:
“permitted(insert(A,(_,rdf:type,RAP:employee))) :- registered(A).”
You can assert/see anything about things you created:
“permitted(insert(A,(C,_,_))) :- createdNode(A,C).”
“permitted(see(A,(C,_,_))) :- createdNode(A,C).”
You cannot see anyone's salary:
“prohibited(see(A,(_,emp:salary,_))).”
“prohibited(see(A,(_,P,_))) :- rdfs:subPropertyOf(P,emp:salary).”
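As an added example (not code from the slides or the RAP prototype), the Employer Data Store policies above, together with the createdTriple rule from the earlier slide, are written below as Python rules over a small fact base instead of Prolog clauses, so that each policy can be evaluated against concrete actions. The combination semantics are an assumption, since the slides do not state one: an action is allowed only if some permitted rule fires and no prohibited rule fires, so prohibitions win and the default is deny. The Store class, the rule tuples, the set of schema predicates and the convention that an agent creates a node by inserting its first triple are all assumptions made for this example.

```python
# Added example, not code from the slides or the RAP prototype: the Employer
# Data Store policies as Python rules over a fact base. Assumed semantics:
# prohibited rules win over permitted ones, and no matching rule means deny.
# Store, POLICY, decide/allowed/perform and SCHEMA_PREDICATES are made up here.

from dataclasses import dataclass, field

# predicates treated as schema-level information (assumed list)
SCHEMA_PREDICATES = {"rdfs:subClassOf", "rdfs:subPropertyOf", "rdfs:domain", "rdfs:range"}


@dataclass
class Store:
    registered: set = field(default_factory=set)      # registered(A)
    created_node: set = field(default_factory=set)    # (A, N): createdNode(A,N)
    created_triple: set = field(default_factory=set)  # (A, T): createdTriple(A,T)
    sub_property: set = field(default_factory=set)    # (P, Q): asserted rdfs:subPropertyOf(P,Q)

    def sub_property_of(self, p, q):
        # transitive closure of rdfs:subPropertyOf starting at p
        seen, todo = set(), [p]
        while todo:
            x = todo.pop()
            for a, b in self.sub_property:
                if a == x and b not in seen:
                    seen.add(b)
                    todo.append(b)
        return q in seen


def schema_predicate(p):
    return p in SCHEMA_PREDICATES


# Each rule is (decision, action, body); body(store, agent, triple) plays the
# role of the Prolog rule body. Only rules for the attempted action are consulted.
POLICY = [
    # prohibited(insert(A,(_,P,_))) :- schemaPredicate(P)
    ("prohibited", "insert", lambda st, a, t: schema_predicate(t[1])),
    # permitted(insert(A,(_,rdf:type,RAP:employee))) :- registered(A)
    ("permitted", "insert", lambda st, a, t: t[1] == "rdf:type"
     and t[2] == "RAP:employee" and a in st.registered),
    # permitted(insert(A,(C,_,_))) :- createdNode(A,C)
    ("permitted", "insert", lambda st, a, t: (a, t[0]) in st.created_node),
    # permitted(see(A,(C,_,_))) :- createdNode(A,C)
    ("permitted", "see", lambda st, a, t: (a, t[0]) in st.created_node),
    # permitted(remove(A,T)) :- createdTriple(A,T)
    ("permitted", "remove", lambda st, a, t: (a, t) in st.created_triple),
    # prohibited(see(A,(_,emp:salary,_)))
    ("prohibited", "see", lambda st, a, t: t[1] == "emp:salary"),
    # prohibited(see(A,(_,P,_))) :- rdfs:subPropertyOf(P,emp:salary)
    ("prohibited", "see", lambda st, a, t: st.sub_property_of(t[1], "emp:salary")),
]


def decide(store, action, agent, triple, policy=POLICY):
    """Return 'prohibited', 'permitted' or 'no rule' for action(agent, triple)."""
    fired = {dec for dec, act, body in policy
             if act == action and body(store, agent, triple)}
    if "prohibited" in fired:
        return "prohibited"
    if "permitted" in fired:
        return "permitted"
    return "no rule"


def allowed(store, action, agent, triple, policy=POLICY):
    return decide(store, action, agent, triple, policy) == "permitted"


def perform(store, action, agent, triple, policy=POLICY):
    """Enforcement hook: apply the action only when permitted, and maintain the
    createdNode/createdTriple provenance facts that later decisions depend on."""
    if not allowed(store, action, agent, triple, policy):
        return False
    if action == "insert":
        store.created_triple.add((agent, triple))
        # assumed convention: whoever inserts the first triple about a subject created that node
        if triple[0] not in {n for _, n in store.created_node}:
            store.created_node.add((agent, triple[0]))
    elif action == "remove":
        store.created_triple.discard((agent, triple))
    return True


if __name__ == "__main__":
    # constructed sample facts: alice is registered, emp:bonus refines emp:salary
    st = Store(registered={"alice"}, sub_property={("emp:bonus", "emp:salary")})
    print(decide(st, "insert", "alice", ("ex:Boss", "rdfs:subClassOf", "RAP:employee")))
    print(perform(st, "insert", "alice", ("ex:alice", "rdf:type", "RAP:employee")))
    print(decide(st, "see", "alice", ("ex:alice", "emp:bonus", "5000")))
```

Two things worth noticing when reading the output: the salary prohibition overrides the "see anything about things you created" permission even for the node's own creator, and the sub-property rule is what stops a user from routing around the prohibition by reading emp:bonus instead of emp:salary.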
RAP: Prototype
RAP Policy Engine: REI, a Prolog based engine written from scratch, or Cwm.
Architecture: RDF client <-> Data/Policies Access Protocol <-> RAP Policy Engine <-> Data/Policies Access Protocol <-> RDF Store.
RDF store: Redland, Kowari, Jena Models.
Data/Policies Access Protocol: extend HTTP (WebDAV).
GET with SPARQL in the body to search the store.
PUT with RDF data in the body to add data.
Other Considerations
Policy representation: Prolog, N3, custom...
Expressiveness of policies.
Delegation handling and depth of delegation: can a club bouncer allow himself into the club?
RDF stores are still in their infancy: performance and scalability.
Applications
Enterprise level knowledge bases (RDF store).
Enterprise level blogger controlling creation and access of blogs.
Applications requiring collaborative creation of a knowledge store.
Alan Hollander’s application in SPIRE.
Thank You