Nicoletta Fornara and Fabio Marfia | Modeling and Enforcing Access Control Obligations for SPARQL-DL Queries
Nicoletta Fornara, Fabio Marfia
Università della Svizzera italiana (USI) – http://www.usi.ch
13th September 2016
Modeling and Enforcing
Access Control Obligations for
SPARQL-DL queries
13/09/2016
Page 2/27
Università della Svizzera italiana (USI)
SPARQL-DL… hey, what?
SPARQL-DL is a SPARQL-like query language for conjunctive
ABox-RBox-TBox queries for OWL 2 DL ontologies
It is designed to be as similar to SPARQL as possible,
while allowing complex queries on the knowledge that can
be inferred from an OWL 2 ontology using standard DL
reasoning algorithms
A formal description can be found in E. Sirin and B. Parsia.
SPARQL-DL: SPARQL Query for OWL-DL. Proceedings of the
Third International Workshop on OWL: Experiences and
Directions (OWLED '07).
A Java prototype of a SPARQL-DL query interface for OWL 2
has been developed by the DERIVO company (2009)
Examples of SPARQL-DL queries
Get all Classes:
SELECT ?c WHERE { Class(?c) }
Ask whether class A is a subclass of B:
ASK { SubClassOf(ex:A, ex:B) }
Get all transitive properties that have John as subject:
SELECT ?p WHERE {
PropertyValue(ex:john, ?p, ?o),
Transitive(?p)}
AND, OR operators
Conjunctive conditions are expressed with the use of a
comma separator, as in the last example
Disjunctive conditions can be expressed with the
OR WHERE clause
Get all transitive or symmetric properties that
have John as subject:
SELECT ?p WHERE {
PropertyValue(ex:john, ?p, ?o),
Transitive(?p)}
OR WHERE {
PropertyValue(ex:john, ?p, ?o),
Symmetric(?p)}
SPARQL-DL syntax
The SPARQL-DL query language allows the expression of
composite conjunctions and disjunctions between 18
different atoms:
Type(a,C)
PropertyValue(a,p,v)
SameAs(a,b)
DifferentFrom(a,b)
EquivalentClass(C1,C2)
SubClassOf(C1,C2)
DisjointWith(C1,C2)
ComplementOf(C1,C2)
EquivalentProperty(p1,p2)
SubPropertyOf(p1,p2)
InverseOf(p1,p2)
ObjectProperty(p)
DatatypeProperty(p)
Functional(p)
InverseFunctional(p)
Transitive(p)
Symmetric(p)
Annotation(s,p,o)
Managing Access Control for
DL Inferred Knowledge
Several works specify techniques for managing high-level
and fine-grained access control for RDF graphs
Such works do not rely on reasoning algorithms for
protecting data. However, using complex DL expressions
to identify the different pieces of data to be protected
appears to be an interesting approach, as already shown
by Sacco et al. (2011) and Masoumzadeh et al. (2011)
This is the first time that such an approach is applied
to a SPARQL-DL query interface
Why apply Access Control paradigms to a
SPARQL-DL query interface?
1. It allows mixed ABox-RBox-TBox queries that
cannot be handled by other query languages
2. It has a clear syntax and semantics
3. The SPARQL-DL Java API released by the DERIVO
company is available under LGPL license
4. The same reasoner instance that is used to obtain
the results of a SPARQL-DL query can be used for
inferring fine-grained access permissions
Our chosen Access Control approach:
Formal Specification of Obligations
We define the general form of an obligation O as a triple
O = <D, A, C>
Where D is a description of the requesting user, A is the
activation condition of the obligation and C the content of
the obligation
The activation condition of the obligation is the formal
specification of a set of conditions under which the
obligation activates, expressed as a set of logical axioms
The content of the policy is the set of actions that have to
be performed as a consequence of the activation of the
obligation
Obligation Definition Example
(Hospital Use Case)
When a user submits a query for statistical purposes, the IDs
of patients with a diabetic disease have to be anonymized
In our O = <D, A, C> paradigm, D is a description of the
requesting user, as, e.g., a statisticalPurposes attribute
(we did not focus on such part)
A can be a DL Class axiom identifying each patient with a
diabetic disease:
Class: AC01
SubClassOf: AC
EquivalentTo: Patient and hasRecord
some (hasInfoAbout value diabetes)
Obligation Definition Example
(Hospital Use Case)
C is a pre-defined function to be called passing as an
argument p each piece of data identified by the class AC01:
C = anonymize(p, someAnonimizationAlgorithm)
We identified three main types of content functions in our
experiments. This list can be extended:
Remove(p)
Anonymize(p, someAnonimizationAlgorithm)
WriteLogEvent(requestingUser, p, timestamp)
Obligation Enforcement in 4 steps
1. When the Access Control Layer receives a SPARQL-DL
query, it is rewritten before submitting it to the final
endpoint, in order to retrieve the access control
conditions also for each piece of returned data
2. The modified query is submitted to the SPARQL-DL
endpoint and executed on both collections of original data
and activation conditions
3. The result is returned to the Access Control Layer. Each
piece of data on which an obligation is active is changed
according to that obligation's content function.
4. The final result is returned to the Data Consumer
1. SPARQL-DL Query Rewriting
For each variable and individual in the query, information
must be added in order to retrieve the conditions that are
active for each piece of data
Example query: identifying all people living in Oxford or
Birmingham
SELECT ?x
WHERE {PropertyValue(?x, livesIn, oxford),
Type(?x, Person)}
OR WHERE {PropertyValue(?x, livesIn, birmingham),
Type(?x, Person)}
1. SPARQL-DL Query Rewriting
For each variable in each WHERE clause, another WHERE
clause is added for identifying its activated conditions.
Example:
SELECT ?x, ?xAC
WHERE {PropertyValue(?x, livesIn, oxford),
Type(?x, Person)}
OR WHERE {PropertyValue(?x, livesIn, birmingham),
Type(?x, Person)}
OR WHERE {PropertyValue(?x, livesIn, oxford),
Type(?x, Person),
SubClassOf(?xAC, AC), Type(?x, ?xAC)}
1. SPARQL-DL Query Rewriting
For each variable in each WHERE clause, another WHERE
clause is added for identifying its activated conditions.
Example:
SELECT ?x, ?xAC
WHERE {PropertyValue(?x, livesIn, oxford),
Type(?x, Person)}
OR WHERE {PropertyValue(?x, livesIn, birmingham),
Type(?x, Person)}
[…]
OR WHERE {PropertyValue(?x, livesIn, birmingham),
Type(?x, Person),
SubClassOf(?xAC, AC), Type(?x, ?xAC)}
1. SPARQL-DL Query Rewriting
For each named individual, a WHERE clause is added for
identifying its own activated conditions:
SELECT ?x, ?xAC, ?oxfAC
WHERE {PropertyValue(?x, livesIn, oxford),
Type(?x, Person)}
OR WHERE {PropertyValue(?x, livesIn, birmingham),
Type(?x, Person)}
[…]
OR WHERE {SubClassOf(?oxfAC, AC),
Type(oxford, ?oxfAC)}
1. SPARQL-DL Query Rewriting
For each named individual, a WHERE clause is added for
identifying its own activated conditions:
SELECT ?x, ?xAC, ?oxfAC, ?birAC
WHERE {PropertyValue(?x, livesIn, oxford),
Type(?x, Person)}
OR WHERE {PropertyValue(?x, livesIn, birmingham),
Type(?x, Person)}
[…]
OR WHERE {SubClassOf(?birAC, AC),
Type(birmingham, ?birAC)}
1. SPARQL-DL Query Rewriting
For each named individual, a WHERE clause is added for
identifying its own activated conditions:
SELECT ?x, ?xAC, ?oxfAC, ?birAC, ?perAC
WHERE {PropertyValue(?x, livesIn, oxford),
Type(?x, Person)}
OR WHERE {PropertyValue(?x, livesIn, birmingham),
Type(?x, Person)}
[…]
OR WHERE {SubClassOf(?perAC, AC),
SubClassOf(Person, ?perAC)}
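The rewriting shown on the previous slides, carried out over the slides' own example query as an added Python example (not the authors' Java prototype). A query is represented as a SELECT list plus a list of OR-ed WHERE clauses, each a list of atom strings; ATOM_ARGS and the three-letter naming in ac_var (?oxfAC, ?birAC, ?perAC) are assumptions modelled on the slides.

```python
import re

# Argument kinds of the atoms the rewriter inspects (i = individual, c = class,
# p = property), taken from the SPARQL-DL atom list; other atoms pass through.
ATOM_ARGS = {"Type": "ic", "PropertyValue": "ipi", "SameAs": "ii",
             "DifferentFrom": "ii", "SubClassOf": "cc", "EquivalentClass": "cc"}

def parse_atom(atom):
    name, args = re.match(r"\s*(\w+)\((.*)\)\s*$", atom).groups()
    return name, [a.strip() for a in args.split(",")]

def ac_var(term):
    # Naming convention from the slides: ?x -> ?xAC, oxford -> ?oxfAC. The
    # 3-letter prefix is illustrative; a real rewriter must guarantee uniqueness.
    return "?" + (term[1:] if term.startswith("?") else term[:3].lower()) + "AC"

def ac_clause(kind, term, var):
    # Individuals and variables are linked to their AC subclass via Type,
    # named classes via SubClassOf (compare the ?perAC clause on the slides).
    link = "SubClassOf" if kind == "c" and not term.startswith("?") else "Type"
    return [f"SubClassOf({var}, AC)", f"{link}({term}, {var})"]

def rewrite(select, wheres):
    """Rewrite (select, wheres); wheres = list of OR-ed clauses of atom strings."""
    select, extra, seen = list(select), [], set()
    # Step 1: for each variable in each WHERE clause, add that clause again
    # extended with the atoms that bind the variable's activated conditions.
    for clause in wheres:
        names = [a for _, args in map(parse_atom, clause) for a in args]
        for v in dict.fromkeys(n for n in names if n.startswith("?")):
            var = ac_var(v)
            if var not in select:
                select.append(var)
            extra.append(clause + ac_clause("i", v, var))
    # Step 2: one clause per named individual, then per named class.
    for want in "ic":
        for clause in wheres:
            for name, args in map(parse_atom, clause):
                for kind, a in zip(ATOM_ARGS.get(name, ""), args):
                    if kind != want or a.startswith("?") or a in seen:
                        continue
                    seen.add(a)
                    select.append(ac_var(a))
                    extra.append(ac_clause(kind, a, ac_var(a)))
    return select, wheres + extra

def render(select, wheres):
    clauses = [("WHERE" if i == 0 else "OR WHERE") + " {" + ", ".join(c) + "}"
               for i, c in enumerate(wheres)]
    return "SELECT " + ", ".join(select) + "\n" + "\n".join(clauses)
```

Running rewrite on the Oxford/Birmingham query yields the five-variable SELECT and the seven OR-ed clauses shown across the slides.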
2. Enhanced response
The query rewriting process obtains a query having as
results all the results of the original query, plus the
information about the activated conditions on each piece
of data
Sample response for the presented original query
?x
bob
carl
alice
eleanor
donald
2. Enhanced response
Sample enhanced response
?x        ?xAC   ?oxfAC   ?birAC   ?perAC
bob
carl
alice
eleanor
donald
bob       AC01
bob       AC02
carl      AC02
eleanor   AC01
                                   AC03
3. Obligation Enforcement
The table is split into two sets
?x        ?xAC   ?oxfAC   ?birAC   ?perAC
Standard response:
bob
carl
alice
eleanor
donald
Enforcement directives:
bob       AC01
bob       AC02
carl      AC02
eleanor   AC01
                                   AC03
3. Obligation Enforcement
Data in the standard response is changed according to the
obligation functions (e.g. bob is removed…)
?x        ?xAC   ?oxfAC   ?birAC   ?perAC
Standard response:
bob
carl
alice
anonym01
donald
Enforcement directives:
bob       AC01
bob       AC02
carl      AC02
eleanor   AC01
                                   AC03
(arrow labels in the figure: WriteLog, Anonymize, Remove)
3. Obligation Enforcement
Data in the standard response is changed according to the
obligation functions (e.g. bob is removed…)
?x        ?xAC   ?oxfAC   ?birAC   ?perAC
Standard response:
alice
anonym01
donald
Enforcement directives:
bob       AC01
bob       AC02
carl      AC02
eleanor   AC01
                                   AC03
4. Final Response
Enforcement directives are removed
?x        ?xAC   ?oxfAC   ?birAC   ?perAC
alice
anonym01
donald
(?x is the original variable; ?xAC, ?oxfAC, ?birAC and ?perAC
are the Access Control variables)
4. Final Response
Access Control variables are removed
?x
alice
anonym01
donald
That is our final response
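Steps 3 and 4 over the sample enhanced response, as an added Python example that is not the authors' implementation: the rows are split into the standard response and the enforcement directives, the content functions are applied, and the result is projected onto the original variables. The mapping of AC01..AC03 to Anonymize/Remove/WriteLogEvent, the anonymNN pseudonym scheme and the AC_TERMS table are assumptions chosen to reproduce the tables above.

```python
from collections import defaultdict

# Assumed mapping from activation-condition classes to content functions: the
# slides show AC01..AC03 and the three function kinds but not which is which.
OBLIGATIONS = {"AC01": "Anonymize", "AC02": "Remove", "AC03": "WriteLogEvent"}

# Term described by each access-control variable, as fixed by the rewriting
# step: a "?" value names the result column holding the term, else a constant.
AC_TERMS = {"?xAC": "?x", "?oxfAC": "oxford", "?birAC": "birmingham",
            "?perAC": "Person"}

# Constructed sample after the enhanced-response table on the slides.
ENHANCED = [{"?x": "bob"}, {"?x": "carl"}, {"?x": "alice"}, {"?x": "eleanor"},
            {"?x": "donald"}, {"?x": "bob", "?xAC": "AC01"},
            {"?x": "bob", "?xAC": "AC02"}, {"?x": "carl", "?xAC": "AC02"},
            {"?x": "eleanor", "?xAC": "AC01"}, {"?perAC": "AC03"}]

def split_response(rows):
    """Step 3a: rows binding an AC variable are enforcement directives."""
    standard = [r for r in rows if not any(v in r for v in AC_TERMS)]
    directives = [r for r in rows if any(v in r for v in AC_TERMS)]
    return standard, directives

def enforce(rows, original_vars, user, timestamp):
    """Steps 3 and 4: apply content functions, then project on the
    original variables. Returns (final_rows, log_events)."""
    standard, directives = split_response(rows)
    active = defaultdict(set)                    # term -> activated AC classes
    for row in directives:
        for ac_var, term in AC_TERMS.items():
            if ac_var in row:
                active[row.get(term, term)].add(row[ac_var])
    log = [(user, term, timestamp) for term, classes in active.items()
           if "WriteLogEvent" in {OBLIGATIONS[c] for c in classes}]
    pseudonyms, final = {}, []
    for row in standard:
        out, removed = {}, False
        for var in original_vars:
            val = row[var]
            funcs = {OBLIGATIONS[c] for c in active.get(val, ())}
            if "Remove" in funcs:                # Remove wins over Anonymize
                removed = True
                break
            if "Anonymize" in funcs:             # placeholder pseudonym scheme,
                val = pseudonyms.setdefault(     # not a real anonymisation alg.
                    val, f"anonym{len(pseudonyms) + 1:02d}")
            out[var] = val
        if not removed:
            final.append(out)
    return final, log
```

enforce(ENHANCED, ["?x"], user, ts) returns the three-row final response from the last slide (alice, anonym01, donald) together with one log event for the class-level AC03 condition on Person.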
Conclusion and Future Work
We presented an approach for defining and enforcing
expressive data provider obligations for fine-grained
protection of OWL 2 DL data
A private-by-default environment can be chosen: permissions
can be expressed in the same manner as the proposed
obligations, by introducing a small change in the
enforcement algorithm
The concept of Institutional power for generating policies
can be added, by studying its relationship with the proposed
model
DL policies can be transmitted as Sticky Policies
Citations
E. Sirin and B. Parsia. SPARQL-DL: SPARQL Query for
OWL-DL. Proceedings of the Third International Workshop
on OWL: Experiences and Directions (OWLED '07)
O. Sacco, A. Passant, and S. Decker: An access control
framework for the web of data. In 2011 IEEE 10th
International Conference on Trust, Security and Privacy in
Computing and Communications (2011)
A. Masoumzadeh and J. Joshi: Ontology-based access
control for social network systems. IJIPSI (2015)
T. T. Nguyen, N. Fornara, and F. Marfia: Automatic policy
enforcement on semantic social data. Multiagent and Grid
Systems Journal (2015)