RAP: RDF Access Control Policies. Pavan Reddiavri, Ebiquity

“RAP” RDF Access Control Policies
Pavan Reddiavri (Ebiquity Labs)
Motivation
[Figure: Semantic Web Layer Cake (Berners-Lee, 2004)*]
*Semantic web layer cake (Berners-Lee, 2004), http://www.w3.org/2004/Talks/0412-RDF-functions/slide4-0.html
Motivation
- The Semantic Web would enable a global social information sharing space.
- There is a need for preset agreements between users to create and share this knowledge.
- Current implementations have a coarse granularity of control (e.g. photo sharing), inhibiting users.
Access Controls
- Identity Based Access Control
- Role Based Access Control
- Rule/Policy Based Access Control
Why Policies?
- A role based system will not provide the granularity.
- Policies can be described with respect to time (allow on BirthDay).
- Transient roles are difficult to create in a role based system.
- Policy based access controls are also being used in other fields (databases, operating systems).
“RAP”
- RAP looks at solving the problem of defining and implementing access control for an RDF store.
- Current RDF stores either ignore access control or provide only a very basic form of it.
- Expressive control (triple level).
“RAP” is:
“The basic RAP framework will allow an agent (person or program) to perform various actions (inserting, deleting, searching) on an RDF store, and the policy is used to decide if the action is permitted or prohibited.”
Acts on an RDF Graph
- Add a new Node-Link-Node.
- Add a new Node, linked to an old Node.
- Add a new Link between two old Nodes.
- Delete/Update or Search for triples.
- Infer Triples.
RDFS Graph
- RDFS graphs have an inherent structure.
- The actions on an RDFS graph can also be confined (schema or instance modification):
  - Create a Class
  - Create Properties for a class
  - Create an Instance
  - Create a property instance
- Does this structure help us?
RAP: Actions
- See(A, T): Agent A sees triple T if it is returned in the response to one of A's queries.
- Use(A, T): Agent A uses triple T if it is used in answering one of A's queries.
RAP: Actions
- Insert(A, T): Agent A directly inserts triple T into the graph.
- InferInsert(A, T): Agent A InferInserts triple T if Agent A performs Insert(A, T1), T1 implies T, and T is not in the graph at that time.
RAP: Actions
- Remove(A, T): Agent A directly removes triple T from the graph.
- InferRemove(A, T): Agent A InferRemoves triple T if Agent A performs Remove(A, T1), T1 implies T, and T's existence in the graph depends on T1.
- update(A, T1, T2): Agent A directly replaces triple T1 with T2.
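The Insert/InferInsert and Remove/InferRemove distinction above is easiest to see with dependency tracking in code. The following is an added example, not the RAP prototype's code: it keeps, for every inferred triple, the set of premises that justified it, so that removing a premise cascades (InferRemove) while a triple the agent also asserted directly survives. The single inference rule (rdf:type propagating along rdfs:subClassOf), the modelling of update as remove-then-insert, and all node names are assumptions chosen for the illustration.

```python
# Constructed example (not the RAP prototype's code) of the RAP action
# semantics: Insert/InferInsert and Remove/InferRemove with dependency
# tracking. The one inference rule (rdf:type propagates along
# rdfs:subClassOf) and all names below are assumptions.

RDF_TYPE = "rdf:type"
RDFS_SUBCLASS = "rdfs:subClassOf"


class Graph:
    def __init__(self):
        self.triples = set()
        # inferred triple -> list of premise sets, one per derivation.
        # A directly inserted triple never has an entry here.
        self.derivations = {}
        self.log = []  # (action, agent, triple) in execution order

    def insert(self, agent, t):
        """Insert(A, T): A asserts T directly, so T no longer depends on premises."""
        self.derivations.pop(t, None)
        if t in self.triples:
            return
        self.triples.add(t)
        self.log.append(("insert", agent, t))
        self._infer_insert(agent, t)

    def _consequences(self, t):
        """(derived, premises) pairs that t enables under the assumed rule:
        (x type C) and (C subClassOf D) imply (x type D)."""
        s, p, o = t
        out = []
        for other in self.triples:
            x, q, y = other
            if p == RDF_TYPE and q == RDFS_SUBCLASS and x == o:
                out.append(((s, RDF_TYPE, y), frozenset({t, other})))
            elif p == RDFS_SUBCLASS and q == RDF_TYPE and y == s:
                out.append(((x, RDF_TYPE, o), frozenset({t, other})))
        return out

    def _infer_insert(self, agent, t):
        """InferInsert(A, D): D enters only because A's Insert of T implies it."""
        for d, premises in self._consequences(t):
            if d in self.triples and d not in self.derivations:
                continue  # directly asserted: its presence does not depend on t
            ders = self.derivations.setdefault(d, [])
            if premises not in ders:
                ders.append(premises)
            if d not in self.triples:
                self.triples.add(d)
                self.log.append(("infer_insert", agent, d))
                self._infer_insert(agent, d)

    def remove(self, agent, t):
        """Remove(A, T): A deletes T directly, then InferRemove cascades."""
        self._drop(agent, t, "remove")

    def update(self, agent, t1, t2):
        """update(A, T1, T2): modelled here as Remove(T1) followed by Insert(T2)."""
        self.remove(agent, t1)
        self.insert(agent, t2)

    def _drop(self, agent, t, action):
        if t not in self.triples:
            return
        self.triples.discard(t)
        self.derivations.pop(t, None)
        self.log.append((action, agent, t))
        self._infer_remove(agent)

    def _infer_remove(self, agent):
        """InferRemove(A, D): every derivation of D lost a premise, so D goes too."""
        for d in list(self.derivations):
            if d not in self.derivations:
                continue  # already cascaded away by a nested _drop
            alive = [ps for ps in self.derivations[d] if ps <= self.triples]
            if alive:
                self.derivations[d] = alive
            else:
                self._drop(agent, d, "infer_remove")


def demo():
    """Two constructed runs: an inferred triple that vanishes with its premise,
    and the same triple kept because it was also asserted directly."""
    bob_emp = ("ex:bob", RDF_TYPE, "ex:Employee")
    emp_person = ("ex:Employee", RDFS_SUBCLASS, "ex:Person")
    bob_person = ("ex:bob", RDF_TYPE, "ex:Person")

    g = Graph()
    g.insert("alice", bob_emp)
    g.insert("alice", emp_person)      # triggers InferInsert of bob_person
    inferred = bob_person in g.triples
    g.remove("alice", bob_emp)         # triggers InferRemove of bob_person
    cascaded = bob_person not in g.triples

    h = Graph()
    h.insert("alice", bob_emp)
    h.insert("alice", emp_person)
    h.insert("alice", bob_person)      # direct assertion removes the dependency
    h.remove("alice", bob_emp)
    kept = bob_person in h.triples

    return {"inferred": inferred, "cascaded": cascaded, "kept": kept,
            "actions": [a for a, _, _ in g.log]}
```

The log records the agent whose direct Insert or Remove triggered each inferred change, which is exactly what a policy of the form prohibited(inferInsert(A, T)) would need to inspect.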
RAP: Example Policies
- You want to prevent people from modifying the schema, i.e. defining classes or properties or modifying their definitions:
  “prohibited(insert(A, (_, P, _))) :- schemaPredicate(P)”
- schemaPredicate(P): true if P is a predicate used to define schema level information (e.g., rdfs:subClass, rdfs:domain, etc.).
RAP: Example Policies
- Agents are permitted to create instances of classes they created:
  “permitted(insert(A, (_, rdfs:type, C))) :- createdNode(A, C)”
- Agents are permitted to delete any triples that they had inserted:
  “permitted(remove(A, T)) :- createdTriple(A, T)”
Employer Data Store
- No one can change the schema:
  - “prohibited(insert(A, (_, P, _))) :- schemaPredicate(P)”
- Users can create instances of employee:
  - “permitted(insert(A, (_, rdfs:type, RAP:employee))) :- registered(A).”
- You can assert/see anything about things you created:
  - “permitted(insert(A, (C, _, _))) :- createdNode(A).”
  - “permitted(see(A, (C, _, _))) :- createdNode(A).”
- You cannot see anyone's salary:
  - “prohibited(see(A, (_, emp:salary, _))).”
  - “prohibited(see(A, (_, P, _))) :- rdfs:subProperty(P, emp:salary).”
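The example policies on the preceding slides and the employer data store above can be evaluated by a small pattern-matching engine. The code below is an added example written for this page, not the RAP prototype or its Prolog engine. It assumes: `_` is a wildcard and `?X` a variable in a triple pattern; the conditions schemaPredicate, registered, createdNode(A, C) (the two-argument form from the earlier slide), createdTriple and rdfs:subProperty are lookups on a toy store; the type predicate is written rdf:type rather than the slides' rdfs:type; and conflicts are resolved by letting any matching prohibition override a permission, with default deny when no rule matches. All agent, node and property names are constructed.

```python
# Constructed example (not RAP's code): evaluating RAP-style permitted /
# prohibited rules over triple patterns for the employer data store.
# Assumed conflict resolution: prohibition wins, default deny.
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

Triple = Tuple[str, str, str]
WILD = "_"

# Assumed schemaPredicate(P): predicates that define schema-level information.
SCHEMA_PREDICATES = {"rdfs:subClassOf", "rdfs:subPropertyOf", "rdfs:domain", "rdfs:range"}


@dataclass
class Store:
    triples: set = field(default_factory=set)
    created_node: Dict[str, str] = field(default_factory=dict)      # node -> creator
    created_triple: Dict[Triple, str] = field(default_factory=dict)  # triple -> inserter
    registered: set = field(default_factory=set)

    def sub_property_of(self, p: str, q: str) -> bool:
        """rdfs:subProperty(P, Q), followed transitively over the store."""
        seen, frontier = set(), [p]
        while frontier:
            x = frontier.pop()
            for s, pred, o in self.triples:
                if s == x and pred == "rdfs:subPropertyOf" and o not in seen:
                    if o == q:
                        return True
                    seen.add(o)
                    frontier.append(o)
        return False


def match(pattern: Triple, triple: Triple) -> Optional[Dict[str, str]]:
    """Bindings for the variables in pattern if it matches triple, else None."""
    bindings: Dict[str, str] = {}
    for pat, val in zip(pattern, triple):
        if pat == WILD:
            continue
        if pat.startswith("?"):
            if bindings.get(pat, val) != val:
                return None  # same variable bound to two different values
            bindings[pat] = val
        elif pat != val:
            return None
    return bindings


@dataclass
class Rule:
    modality: str   # "permitted" or "prohibited"
    action: str     # "insert", "remove", "see", ...
    pattern: Triple
    # condition(store, agent, triple, bindings): the rule body after ":-"
    condition: Callable[[Store, str, Triple, Dict[str, str]], bool] = lambda st, a, t, b: True


POLICIES = [
    # prohibited(insert(A, (_, P, _))) :- schemaPredicate(P)
    Rule("prohibited", "insert", (WILD, "?P", WILD), lambda st, a, t, b: b["?P"] in SCHEMA_PREDICATES),
    # permitted(insert(A, (_, rdf:type, RAP:employee))) :- registered(A)
    Rule("permitted", "insert", (WILD, "rdf:type", "RAP:employee"), lambda st, a, t, b: a in st.registered),
    # permitted(insert(A, (C, _, _))) / permitted(see(A, (C, _, _))) :- createdNode(A, C)
    Rule("permitted", "insert", ("?C", WILD, WILD), lambda st, a, t, b: st.created_node.get(b["?C"]) == a),
    Rule("permitted", "see", ("?C", WILD, WILD), lambda st, a, t, b: st.created_node.get(b["?C"]) == a),
    # permitted(remove(A, T)) :- createdTriple(A, T)
    Rule("permitted", "remove", (WILD, WILD, WILD), lambda st, a, t, b: st.created_triple.get(t) == a),
    # prohibited(see(A, (_, emp:salary, _)))
    Rule("prohibited", "see", (WILD, "emp:salary", WILD)),
    # prohibited(see(A, (_, P, _))) :- rdfs:subProperty(P, emp:salary)
    Rule("prohibited", "see", (WILD, "?P", WILD), lambda st, a, t, b: st.sub_property_of(b["?P"], "emp:salary")),
]


def decide(store: Store, agent: str, action: str, triple: Triple, policies=POLICIES) -> str:
    """Any matching prohibition denies; otherwise a matching permission allows;
    otherwise deny (closed-world default)."""
    verdict = "prohibited"
    for rule in policies:
        if rule.action != action:
            continue
        b = match(rule.pattern, triple)
        if b is None or not rule.condition(store, agent, triple, b):
            continue
        if rule.modality == "prohibited":
            return "prohibited"
        verdict = "permitted"
    return verdict


def demo() -> Dict[str, str]:
    """Constructed employer store: alice is registered and created node ex:bob."""
    st = Store()
    st.registered.add("alice")
    st.triples.add(("emp:bonus", "rdfs:subPropertyOf", "emp:salary"))
    st.created_node["ex:bob"] = "alice"
    st.created_triple[("ex:bob", "emp:office", "B12")] = "alice"
    return {
        "schema_insert": decide(st, "alice", "insert", ("ex:Thing", "rdfs:domain", "ex:X")),
        "employee_instance": decide(st, "alice", "insert", ("ex:carol", "rdf:type", "RAP:employee")),
        "unregistered_instance": decide(st, "mallory", "insert", ("ex:carol", "rdf:type", "RAP:employee")),
        "own_node": decide(st, "alice", "see", ("ex:bob", "emp:office", "B12")),
        "salary": decide(st, "alice", "see", ("ex:bob", "emp:salary", "100")),
        "bonus_subproperty": decide(st, "alice", "see", ("ex:bob", "emp:bonus", "10")),
        "own_triple_remove": decide(st, "alice", "remove", ("ex:bob", "emp:office", "B12")),
        "other_triple_remove": decide(st, "mallory", "remove", ("ex:bob", "emp:office", "B12")),
    }
```

The salary cases show why the conflict-resolution choice matters: alice created ex:bob, so the createdNode permission matches, yet the salary prohibition (and, through rdfs:subProperty, the bonus prohibition) still denies the See action.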
RAP: Prototype
[Diagram: RDF client <-> RAP Policy Engine <-> RDF Store, with a Data/Policies Access Protocol between each pair]
- RAP Policy Engine
  - REI
  - Prolog based engine from scratch
  - Cwm
- RDF store
  - Redland
  - Kowari
  - Jena Models
- Data/Policies Access Protocol
  - Extend HTTP (WebDAV)
  - GET with SPARQL in the body to search the store
  - PUT with RDF data in the body to add data
Other Considerations
- Policy representation: Prolog, N3, custom...
  - Expressiveness of policies
- Delegation
  - Handling depth of delegation. Can a club bouncer allow himself into the club?
- RDF stores are still in their naissance
- Performance and scalability
Applications
- Enterprise level knowledge bases (RDF store)
  - Enterprise level blogger controlling creation and access of blogs
- Applications requiring collaborative creation of a knowledge store
  - Alan Hollander's application for in SPIRE
Thank You
- Slides: 20