In recent years we have seen significant advances in the technology used to both publish and consume structured data using the existing web infrastructure, commonly referred to as the Linked Data Web. However, in order to support the next generation of e-business applications on top of Linked Data, suitable forms of access control need to be put in place. In this talk we will examine the various access control models, standards and policy languages, and the different access control enforcement strategies for the Resource Description Framework (the data model underpinning the Linked Data Web). We propose a set of access control requirements that can be used to categorise existing access control strategies and identify a number of challenges that still need to be overcome.
Access Control for Linked Data: Past, Present and Future
1. Access Control for Linked Data: Past, Present and Future
Sabrina Kirrane
Insight Centre for Data Analytics, NUIG
Department of Maths and Computing, GMIT
11. Mandatory Access Control
Models
TOP SECRET
SECRET
CONFIDENTIAL
PUBLIC
Access Labels
Subjects
Resources
Yagüe et al, Applying the semantic web to access control, 2003
Kodali et al, An authorization model for multimedia digital libraries, 2004
13. Role Based Access Control
DELETE
UPDATE
CREATE
READ
Sales Marketing
Roles
Permissions
Employee
Subjects
Resources
Finin et al, Rowlbac: Representing role based access control in owl, 2008
Models
14. Attribute Based Access Control
Age > 21
Affiliation = Insight
DELETE
UPDATE
CREATE
READ
Attributes
Permissions
Subjects
Resources
Priebe et al, A pattern system for access control, 2004
Models
15. Context Based Access Control
Device = mobile
Near = Insight
Attributes
DELETE
UPDATE
CREATE
READ
Permissions
Subjects
Resources
Luca Costabello et al, Linked data access goes mobile: Context-aware authorization for graph stores, 2012
Models
17. eXtensible Access Control Markup Language
Policy Administration Point (PAP)
Policy Enforcement Point (PEP)
Policy Decision Point (PDP)
Policy Information Point (PIP)
Ferrini and Bertino, Supporting rbac with xacml+owl, 2009
https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
18. Web Access Control
Serena Villata et al, An access control model for linked data, 2011
Sacco and Passant, A privacy preference ontology (ppo) for linked data, 2011
1. Gives read access to the WebID profile document /2013/card to everyone.
2. Gives read access to the /2013/protected resource to the members of a group that went to a particular conference.
http://www.w3.org/wiki/WebAccessControl
http://www.w3.org/2005/Incubator/webid/spec/
WebID Profile
19. Platform for Privacy Preferences
Garcia and Toledo, A web service privacy framework based on a policy approach enhanced with ontologies, 2008
http://www.w3.org/TR/P3P/
21. Ontology Based Enforcement - KAoS
actors (human and agents)
actions
e.g. accessing, communication and monitoring
authorisations and obligations
positive and negative
entities associated with actions
Bradshaw et al, KAoS: Toward an Industrial-strength Open Agent Architecture, 1997
22. Ontology Based Enforcement - KAoS
Policy Administration Tool, Domain Managers, Guards, Enforcers
Policy Admin Tool
User friendly interface for those that are not familiar with DAML and OWL
Domain Managers
Manage membership and distribute policies to Guards
Guards
Enforce platform independent policies
Enforcers
Enforce platform dependent policies (Interface for developers)
Bradshaw et al, KAoS: Toward an Industrial-strength Open Agent Architecture, 1997
23. Ontology Based Enforcement - KAoS
Policy Administration Tool, Domain Managers, Guards, Enforcers
Policies can easily be merged / adopted by others
Deductive reasoning
infer new policies based on the relationship between access control entities
Abductive reasoning
determine the access rights required to meet a given policy
Bradshaw et al, KAoS: Toward an Industrial-strength Open Agent Architecture, 1997
24. Rule Based Enforcement - Rei
users and agents
speech acts
delegation, revocation, request, cancel, promise and command
deontic logic
permissions, prohibitions, obligations and dispensations
services and resources
Kagal and Finin, A policy language for a pervasive computing environment, 2003
25. Rule Based Enforcement - Rei
Client Mode Server Mode
The server:
1. retrieves the relevant policies
2. requests the credentials necessary to access the resource from the client
3. verifies the client credentials against the policies
1. The server returns a link to a policy which the client must satisfy
2. The client generates a proof that the requester can satisfy the policy
3. The client forwards the proof to the server.
Kagal and Finin, A policy language for a pervasive computing environment, 2003
26. Rule Based Enforcement - Protune
users and agents
Decision predicates
outcome of the policy
Provisional predicates
conditions - credentials and declarations
Abbreviation predicates
Abstractions used for simplification
services and resources
Bonatti et al, Protune: A rule-based provisional trust negotiation framework
27. Rule Based Enforcement - Protune
Framework: inference engine, execution handler, negotiation handler
Bonatti et al, Protune: A rule-based provisional trust negotiation framework
Negotiation handler
sending conditions and processing responses
Execution handler
interact with external systems and data sources
Inference Engine
enforcing policies (deduction) and retrieving evidences (abduction)
28. Rule Based Enforcement - Protune
Explanations
• How-to queries (provide a description of the policy)
• What-if queries (give foresight into potential policy outcomes)
• Why queries (give explanations for positive negotiation outcomes)
• Why-not queries (give explanations for negative outcomes)
Framework: inference engine, execution handler, negotiation handler
Bonatti et al, Protune: A rule-based provisional trust negotiation framework
29. Combining Description Logic And Rules
Like KAoS
ontologies to model both domain information and policies - conflict resolution and harmonisation at design time
Like Rei
rules used to support dynamic constraints and run time variables - access control based on dynamic context pertaining to the requester or the environment
Like Protune
policy disclosure and policy negotiation
Toninelli et al, Rule-based and ontology-based policies
Kolovski et al, Analyzing web access control policies
Use defeasible description logic
Strict rules that cannot be overwritten
Defeasible rules that may be overwritten by a higher priority rule
to understand the effect and the consequence of sets of XACML access control policies
Toninelli et al, Rule-based and ontology-based policies: Toward a hybrid approach, 2005
Kolovski et al, Analyzing web access control policies, 2007
31. Specification – Patterns, Views & Ontologies
entx:EmployeeData {
entx:JB rdf:type foaf:Person .
entx:JB foaf:givenName "Joe".
…
}
?X rdf:type foaf:Person ?G
Construct & Describe Queries
Reddivari et al, Policy-based access control for an rdf store, 2005
Gabillon and Letouzey, A view based access control model for sparql, 2010
Sacco and Passant, A privacy preference ontology (ppo) for linked data, 2011
32. Reasoning – Based on ontology concepts
entx:EmployeeData {
entx:JB rdf:type entx:Employee .
entx:JB foaf:givenName "Joe" .
entx:JB foaf:lastName "Bloggs" .
entx:JB entx:salary "40000" .
entx:MR rdf:type entx:Employee .
entx:MR foaf:givenName "May" .
entx:MR foaf:lastName "Ryan" .
entx:MR entx:salary "80000" .
entx:Employee rdfs:subClassOf foaf:Person .
}
?X rdf:type foaf:Person .
Class -> SubClass
Property -> SubProperty
Class->Instances
Qin et al, Concept-level access control for the semantic web, 2003
Javanmardi et al, Sbac: A semantic based access control model, 2006
33. Partial Query Results
Query Rewriting
Data Filtering
Dietzold and Auer, Access control on rdf triple stores from a semantic wiki perspective, 2006.
Abel et al, Enabling advanced and context dependent access control in rdf stores, 2007
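An added example (not from the slides) combining slides 32 and 33: an authorisation written against `?X rdf:type foaf:Person` only reaches the `entx:Employee` instances once `rdfs:subClassOf` is followed, and data filtering then returns a partial result. The data is a constructed copy of the slide's graph; the function names and the rule withholding `entx:salary` are assumptions made for illustration.

```python
RDF_TYPE, SUBCLASS = "rdf:type", "rdfs:subClassOf"

# Constructed sample data mirroring the entx:EmployeeData graph on slide 32.
TRIPLES = [
    ("entx:JB", RDF_TYPE, "entx:Employee"),
    ("entx:JB", "foaf:givenName", "Joe"),
    ("entx:JB", "foaf:lastName", "Bloggs"),
    ("entx:JB", "entx:salary", "40000"),
    ("entx:MR", RDF_TYPE, "entx:Employee"),
    ("entx:MR", "foaf:givenName", "May"),
    ("entx:MR", "foaf:lastName", "Ryan"),
    ("entx:MR", "entx:salary", "80000"),
    ("entx:Employee", SUBCLASS, "foaf:Person"),
]

def superclasses(cls, triples):
    """Return cls plus every class reachable through rdfs:subClassOf."""
    seen, todo = set(), [cls]
    while todo:
        current = todo.pop()
        if current not in seen:  # the seen set also guards against cycles
            seen.add(current)
            todo += [o for s, p, o in triples if s == current and p == SUBCLASS]
    return seen

def instances_of(cls, triples, infer):
    """Subjects typed as cls; with infer=True, instances of subclasses too."""
    found = set()
    for s, p, o in triples:
        if p == RDF_TYPE:
            classes = superclasses(o, triples) if infer else {o}
            if cls in classes:
                found.add(s)
    return found

def filter_triples(triples, granted_class, denied_props, infer=True):
    """Data filtering: keep triples whose subject is an instance of the granted
    class, minus properties the (hypothetical) policy withholds."""
    allowed = instances_of(granted_class, triples, infer)
    return [t for t in triples if t[0] in allowed and t[1] not in denied_props]

if __name__ == "__main__":
    for triple in filter_triples(TRIPLES, "foaf:Person", {"entx:salary"}):
        print(triple)
```

Without inference the same policy matches nothing, because no subject in the graph is typed `foaf:Person` directly. An enforcement layer that skips the Class -> SubClass step therefore silently under-grants, and the same gap would cause a deny rule written against the superclass to be missed.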
41. Yagüe et al.
Access control and the layers of the Semantic Web
Damiani et al.
Weitzner et al.
Paradigms where privacy is a key requirement
De Coi et al.
Bonatti and Olmedilla
Interplay between trust, access control and policy languages
Ryutov et al.
Access should be based on the Graph structure
Access Control for Linked Data – The Future
Seevl music discovery and personalisation
BBC integration of large amounts of content online, as text, audio and video. Search engines.
Talis Aspire resource management solutions and services for universities, learners and educators.
Marbles browser
Sindice Search Engine, Sigma browser
Swoogle search engine
The user places their WebID profile document URI in the Subject Alternative Names field of their certificate. Once the certificate has been generated, the user adds the public key details to their WebID profile document.