Semantic Access Control

Ashraful AlamDr. Bhavani Thuraisingham

Semantic Access Control (SAC)

Traditional Access Control

Traditional Access Control Semantic WebSemantic Web

Semantic Access ControlSemantic Access Control

Motivation

Shortcomings of Traditional Access Control • Proprietary systems

• Lack of modularity

• Changes in access control schemas break the system

• Changes in data schemas break the system

• Path to resources (e.g., XPATH) is clumsy

//school/department/professor/personal/ssn – LONG!

• Non-optimal for distributed/federation environment

Modularity Problem

People this policy applies to

Resources this policy applies to

Actions allowed for this policyTarget

Box

SAC Ontology

Written in OWL (Web Ontology Language) User-centric Modular Easily extensible Available at : http://utd61105.campus.ad.utdallas.edu/geo/voc/newaccessonto

SAC Components

Subjects: Software Agents or Human clients Resources: Assets exposed through WS Actions: Read, Write, Execute Conditions: Additional constraints (e.g., geospatial parameters) on policy enforcement

Resources

Subjects

ActionsCondition

Policy Set

Application: Geo-WS Security

Data providers (e.g., geospatial clearinghouses, research centers) need access control on serviceable resources.

Access policies have geospatial dimension • Bob has access on Building A

• Bob does NOT have access on Building B

• Building A and B have overlapping area Current access control mechanisms are static and non-

modular.

Geo-WS Security: Architecture

ClientClientDAGIS

DAGIS

Geospatial Semantic WS Provider

Enforcement Module

Decision Module

Authorization Module

Semantic-enabled Policy DB

Web Service Client Side Web Service Provider Side

Geo-WS Security: Semantics

Policy rules are based on description logic (DL). DL allows machine-processed deductions on policy base. Example 1:

• DL Rule: ‘Stores’ Inverse ‘Is Stored In’

• Fact: Airplane_Hanger(X) ‘stores’ Airplane(Y) Example 2:

• DL Rule: ‘Is Located In’ is Transitive.

• Fact: Polygon(S) ‘Is Located In’ Polygon(V)

Polygon(V) ‘Is Located In’ Polygon(T)

Secure Inferencing

Geospatial DataStore

Semantic-enabled Policy DB

Inferencing Module

Obvious facts

Deduced facts

Geo-WS Security: Example

Resource :=

Washington, Oregon, California, West Coast Rule:=

West Coast = WA Union OR Union CA Policy:=

• Subject:= Bob

• Resources:= WA, OR, CA

• Action:=Read Query: Retrieve Interstate Highway topology of West

Coast

SAC in Action

Environment: University Campus Campus Ontology http://utd61105.campus.ad.utdallas.edu/geo/voc/campusonto

Main Resources• Computer Science Building

• Pharmacy Building

• Electric Generator in each Building

SAC in Action

User Access: • Bob has ‘execute’ access to all Building

Resources

• Bob doesn’t have any access to CS Building

• Bob has ‘modify’ access to Building resources within a certain geographic extent

Policy File located athttp://utd61105.campus.ad.utdallas.edu/geo/voc/policyfile1

SAC Improvements

Subjects, Resources, Actions and Conditions are defined independently

Reduced policy look-up cost -- only policies related to the requester is processed

No long path name!

Distributed Access Control

Travel Site Reimbursement Site Bank Site

Travel Data& Ontology

ReimbursementData

Bank Site& Ontology

Client Query Interface

Middleware