semantic access control ashraful alam dr. bhavani thuraisingham
TRANSCRIPT
Semantic Access Control
Ashraful AlamDr. Bhavani Thuraisingham
Semantic Access Control (SAC)
Traditional Access Control
Traditional Access Control Semantic WebSemantic Web
Semantic Access ControlSemantic Access Control
Motivation
Shortcomings of Traditional Access Control • Proprietary systems
• Lack of modularity
• Changes in access control schemas break the system
• Changes in data schemas break the system
• Path to resources (e.g., XPATH) is clumsy
//school/department/professor/personal/ssn – LONG!
• Non-optimal for distributed/federation environment
Modularity Problem
People this policy applies to
Resources this policy applies to
Actions allowed for this policyTarget
Box
SAC Ontology
Written in OWL (Web Ontology Language) User-centric Modular Easily extensible Available at : http://utd61105.campus.ad.utdallas.edu/geo/voc/newaccessonto
SAC Components
Subjects: Software Agents or Human clients Resources: Assets exposed through WS Actions: Read, Write, Execute Conditions: Additional constraints (e.g., geospatial parameters) on policy enforcement
Resources
Subjects
ActionsCondition
Policy Set
Application: Geo-WS Security
Data providers (e.g., geospatial clearinghouses, research centers) need access control on serviceable resources.
Access policies have geospatial dimension • Bob has access on Building A
• Bob does NOT have access on Building B
• Building A and B have overlapping area Current access control mechanisms are static and non-
modular.
Geo-WS Security: Architecture
ClientClientDAGIS
DAGIS
Geospatial Semantic WS Provider
Enforcement Module
Decision Module
Authorization Module
Semantic-enabled Policy DB
Web Service Client Side Web Service Provider Side
Geo-WS Security: Semantics
Policy rules are based on description logic (DL). DL allows machine-processed deductions on policy base. Example 1:
• DL Rule: ‘Stores’ Inverse ‘Is Stored In’
• Fact: Airplane_Hanger(X) ‘stores’ Airplane(Y) Example 2:
• DL Rule: ‘Is Located In’ is Transitive.
• Fact: Polygon(S) ‘Is Located In’ Polygon(V)
Polygon(V) ‘Is Located In’ Polygon(T)
Secure Inferencing
Geospatial DataStore
Semantic-enabled Policy DB
Inferencing Module
Obvious facts
Deduced facts
Geo-WS Security: Example
Resource :=
Washington, Oregon, California, West Coast Rule:=
West Coast = WA Union OR Union CA Policy:=
• Subject:= Bob
• Resources:= WA, OR, CA
• Action:=Read Query: Retrieve Interstate Highway topology of West
Coast
SAC in Action
Environment: University Campus Campus Ontology http://utd61105.campus.ad.utdallas.edu/geo/voc/campusonto
Main Resources• Computer Science Building
• Pharmacy Building
• Electric Generator in each Building
SAC in Action
User Access: • Bob has ‘execute’ access to all Building
Resources
• Bob doesn’t have any access to CS Building
• Bob has ‘modify’ access to Building resources within a certain geographic extent
Policy File located athttp://utd61105.campus.ad.utdallas.edu/geo/voc/policyfile1
SAC Improvements
Subjects, Resources, Actions and Conditions are defined independently
Reduced policy look-up cost -- only policies related to the requester is processed
No long path name!
Distributed Access Control
Travel Site Reimbursement Site Bank Site
Travel Data& Ontology
ReimbursementData
Bank Site& Ontology
Client Query Interface
Middleware