“R♫P” RDF Access control Policies Pavan Reddiavri (Ebiquity Labs)
Motivation • Semantic Web Layer Cake (Berners-Lee 2004)* *Semantic web layer cake (Berners-Lee, 2004) http://www.w3.org/2004/Talks/0412-RDF-functions/slide4-0.html
Motivation • The Semantic Web would enable a global social information-sharing space. • Creating and sharing this knowledge requires preset agreements between users. • Current implementations (e.g. photo sharing) offer only coarse-grained control, which inhibits users.
Access Controls • Identity-Based Access Control • Role-Based Access Control • Rule/Policy-Based Access Control
Why Policies? • A role-based system does not provide the needed granularity • Policies can be expressed with respect to time (e.g. allow on the user's birthday) • Transient roles are difficult to create in a role-based system • Policy-based access control is also used in other fields (databases, operating systems)
“R♫P” • RAP looks at solving the problem of defining and implementing access control for an RDF store • Current RDF stores either ignore access control or provide only a very basic form of it • Expressive control (triple level)
“R♫P” is “The basic RAP framework will allow an agent (person or program) to perform various actions (inserting, deleting, searching) on an RDF store, and the policy is used to decide if the action is permitted or prohibited.”
Acts on an RDF Graph • Add a new Node-Link-Node • Add a new Node, linked to an old Node • Add a new Link between two old Nodes • Delete, update or search for triples • Infer triples
RDFS Graph • An RDFS graph has an inherent structure • Actions on an RDFS graph can also be confined to schema or instance modification: • Create a class • Create properties for a class • Create an instance • Create a property instance • Does this structure help us?
RAP: Actions • See (A,T): Agent A sees triple T if T is returned in the response to one of A's queries. • Use (A,T): Agent A uses triple T if T is used in answering one of A's queries.
RAP: Actions • Insert (A,T): Agent A directly inserts triple T into the graph. • InferInsert (A,T): Agent A InferInserts triple T if A performs Insert (A,T1) where T1 implies T, at a time when T is not yet in the graph.
RAP: Actions • Remove (A,T): Agent A directly removes triple T from the graph. • InferRemove (A,T): Agent A InferRemoves triple T if A performs Remove (A,T1) where T1 implies T and T's existence in the graph depends on T1. • Update (A,T1,T2): Agent A directly replaces triple T1 with T2.
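The Insert/InferInsert and Remove/InferRemove distinction above is easiest to see on a store that actually entails triples. The following is an added example, not code from the RAP slides or the RAP prototype; it assumes a single entailment rule (rdfs:subClassOf inheritance, with rdfs:subClassOf treated as transitive) and recomputes the entailed graph from the explicitly asserted triples after every direct action, so that "T's existence depends on T1" can be observed as T disappearing once T1 is gone.

```python
"""Toy RDF store showing RAP's Insert/InferInsert and Remove/InferRemove.

Added example, not code from the RAP slides or prototype. Assumptions:
the only entailment rule is rdfs:subClassOf inheritance (plus transitivity
of rdfs:subClassOf), and the entailed graph is recomputed from the
explicitly asserted triples after every direct action.
"""

RDF_TYPE = "rdf:type"
RDFS_SUBCLASSOF = "rdfs:subClassOf"


def entail(explicit):
    """Return the explicit triples plus everything they entail under
    (x rdf:type C1), (C1 rdfs:subClassOf C2) => (x rdf:type C2) and
    (C0 rdfs:subClassOf C1), (C1 rdfs:subClassOf C2) => (C0 rdfs:subClassOf C2)."""
    graph = set(explicit)
    changed = True
    while changed:  # fixpoint iteration; terminates because the graph only grows
        changed = False
        subclass = [(s, o) for (s, p, o) in graph if p == RDFS_SUBCLASSOF]
        for c1, c2 in subclass:
            for s, p, o in list(graph):
                if o == c1 and p in (RDF_TYPE, RDFS_SUBCLASSOF):
                    derived = (s, p, c2)
                    if derived not in graph:
                        graph.add(derived)
                        changed = True
    return graph


class RAPStore:
    def __init__(self):
        self.explicit = set()   # directly asserted triples
        self.graph = set()      # explicit triples plus everything entailed

    def insert(self, agent, triple):
        """Direct Insert(A, T); also reports InferInsert(A, T') for each triple
        T' newly entailed by T that was not already in the graph."""
        if triple in self.explicit:
            return []
        before = self.graph
        self.explicit.add(triple)
        self.graph = entail(self.explicit)
        actions = [("Insert", agent, triple)]
        for derived in sorted(self.graph - before - {triple}):
            actions.append(("InferInsert", agent, derived))
        return actions

    def remove(self, agent, triple):
        """Direct Remove(A, T); also reports InferRemove(A, T') for each triple
        T' whose presence depended on T, i.e. it is gone once the entailed
        graph is recomputed without T."""
        if triple not in self.explicit:
            return []
        before = self.graph
        self.explicit.discard(triple)
        self.graph = entail(self.explicit)
        actions = [("Remove", agent, triple)]
        for gone in sorted(before - self.graph - {triple}):
            actions.append(("InferRemove", agent, gone))
        return actions


def run_scenario():
    """Constructed scenario: one schema triple, then instance data added and removed."""
    store = RAPStore()
    store.insert("admin", ("emp:Manager", RDFS_SUBCLASSOF, "emp:Employee"))
    # bob becomes a Manager and, by entailment, an Employee
    added = store.insert("alice", ("emp:bob", RDF_TYPE, "emp:Manager"))
    removed = store.remove("alice", ("emp:bob", RDF_TYPE, "emp:Manager"))
    # carol is an Employee explicitly: making her a Manager infers nothing new,
    # and dropping Manager infer-removes nothing because Employee is asserted
    store.insert("alice", ("emp:carol", RDF_TYPE, "emp:Employee"))
    added2 = store.insert("alice", ("emp:carol", RDF_TYPE, "emp:Manager"))
    removed2 = store.remove("alice", ("emp:carol", RDF_TYPE, "emp:Manager"))
    return {"added": added, "removed": removed, "added2": added2, "removed2": removed2}


if __name__ == "__main__":
    for name, acts in run_scenario().items():
        print(name, acts)
```

The second half of the scenario is the case the InferRemove definition is careful about: removing (emp:carol rdf:type emp:Manager) does not count as InferRemoving (emp:carol rdf:type emp:Employee), because that triple was asserted directly and does not depend on the removed one. A policy that prohibits InferRemove of employee records therefore has to be checked against the recomputed graph, not against the syntactic shape of the removed triple.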
RAP : Example policies • You want to prevent people from modifying the schema, i.e. defining classes or properties or modifying their definitions: “prohibited(insert(A,(_,P,_))) :- schemaPredicate(P).” • schemaPredicate(P): true if P is a predicate used to define schema-level information (e.g., rdfs:subClassOf, rdfs:domain).
RAP : Example policies • Agents are permitted to create instances of classes they created: “permitted(insert(A,(_,rdf:type,C))) :- createdNode(A,C).” • Agents are permitted to delete any triples that they inserted: “permitted(remove(A,T)) :- createdTriple(A,T).”
Employer Data Store • No one can change the schema: “prohibited(insert(A,(_,P,_))) :- schemaPredicate(P).” • Registered users can create instances of employee: “permitted(insert(A,(_,rdf:type,RAP:employee))) :- registered(A).” • You can assert/see anything about nodes you created: “permitted(insert(A,(C,_,_))) :- createdNode(A,C).” “permitted(see(A,(C,_,_))) :- createdNode(A,C).” • No one can see anyone's salary: “prohibited(see(A,(_,emp:salary,_))).” “prohibited(see(A,(_,P,_))) :- rdfs:subPropertyOf(P,emp:salary).”
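To see how the Employer Data Store rules interact, here is the same policy evaluated in Python. This is an added example, not the RAP prototype's Prolog or Rei policy engine. It assumes that each rule body is a predicate over (context, agent, triple), that createdNode/createdTriple/registered facts are supplied by the store as a context, and, since the slides do not state a conflict-resolution rule, that a prohibition always overrides a permission and that a request with no firing rule is denied.

```python
"""The Employer Data Store policy from the RAP slides, evaluated in Python.

Added example, not the RAP prototype's Prolog/Rei policy engine. Assumptions:
every rule is a Python predicate over (context, agent, triple) that fires when
the Prolog body would succeed; a request is permitted only if some 'permitted'
rule fires and no 'prohibited' rule fires (prohibitions win, default deny).
The RAP slides do not state a conflict-resolution policy.
"""
from dataclasses import dataclass, field

# schemaPredicate(P): predicates that define schema-level information.
# rdf:type is deliberately not listed; otherwise the instance-creation rule
# below could never fire.
SCHEMA_PREDICATES = {"rdfs:subClassOf", "rdfs:subPropertyOf", "rdfs:domain", "rdfs:range"}
EMPLOYEE_CLASS = "RAP:employee"   # class name as written on the slide


@dataclass
class Context:
    registered: set                                        # registered(A)
    created_node: dict = field(default_factory=dict)       # node -> creating agent
    created_triple: dict = field(default_factory=dict)     # triple -> inserting agent
    sub_property_of: set = field(default_factory=set)      # direct (P, Q) rdfs:subPropertyOf facts


def sub_property(ctx, p, q):
    """rdfs:subPropertyOf(P, Q): transitive closure over the direct facts."""
    seen = set()
    frontier = [sup for (sub, sup) in ctx.sub_property_of if sub == p]
    while frontier:
        cur = frontier.pop()
        if cur == q:
            return True
        if cur in seen:
            continue
        seen.add(cur)
        frontier.extend(sup for (sub, sup) in ctx.sub_property_of if sub == cur)
    return False


# (decision, action, body); a triple is (S, P, O) and "_" on the slide is any value
RULES = [
    # prohibited(insert(A,(_,P,_))) :- schemaPredicate(P).
    ("prohibited", "insert", lambda ctx, a, t: t[1] in SCHEMA_PREDICATES),
    # permitted(insert(A,(_,rdf:type,RAP:employee))) :- registered(A).
    ("permitted", "insert", lambda ctx, a, t: t[1] == "rdf:type" and t[2] == EMPLOYEE_CLASS
                                              and a in ctx.registered),
    # permitted(insert(A,(C,_,_))) :- createdNode(A,C).
    ("permitted", "insert", lambda ctx, a, t: ctx.created_node.get(t[0]) == a),
    # permitted(see(A,(C,_,_))) :- createdNode(A,C).
    ("permitted", "see", lambda ctx, a, t: ctx.created_node.get(t[0]) == a),
    # prohibited(see(A,(_,emp:salary,_))).
    ("prohibited", "see", lambda ctx, a, t: t[1] == "emp:salary"),
    # prohibited(see(A,(_,P,_))) :- rdfs:subPropertyOf(P,emp:salary).
    ("prohibited", "see", lambda ctx, a, t: sub_property(ctx, t[1], "emp:salary")),
]


def decide(ctx, action, agent, triple):
    """Prohibitions override permissions; nothing firing means deny."""
    fired = {decision for decision, act, body in RULES
             if act == action and body(ctx, agent, triple)}
    if "prohibited" in fired:
        return "prohibited"
    return "permitted" if "permitted" in fired else "prohibited"


def run_scenario():
    """Constructed requests against the Employer Data Store policy."""
    ctx = Context(registered={"alice", "bob"},
                  sub_property_of={("emp:bonus", "emp:salary")})
    results = {}
    # alice, a registered agent, creates an employee node ...
    results["alice creates employee"] = decide(ctx, "insert", "alice", ("emp:e1", "rdf:type", EMPLOYEE_CLASS))
    ctx.created_node["emp:e1"] = "alice"   # the store records the creator of the new node
    # ... and may assert anything about it, including a salary
    results["alice asserts salary"] = decide(ctx, "insert", "alice", ("emp:e1", "emp:salary", "100"))
    # nobody sees salaries, not even the creator: the prohibition wins the conflict
    results["alice sees own salary"] = decide(ctx, "see", "alice", ("emp:e1", "emp:salary", "100"))
    results["alice sees own name"] = decide(ctx, "see", "alice", ("emp:e1", "emp:name", "Eve"))
    # bob created nothing here, so no permitted rule fires: default deny
    results["bob sees name"] = decide(ctx, "see", "bob", ("emp:e1", "emp:name", "Eve"))
    # sub-properties of salary are caught by the rdfs:subPropertyOf rule
    results["alice sees bonus"] = decide(ctx, "see", "alice", ("emp:e1", "emp:bonus", "5"))
    # schema changes are prohibited for everyone
    results["alice edits schema"] = decide(ctx, "insert", "alice", ("emp:Manager", "rdfs:subClassOf", EMPLOYEE_CLASS))
    return results


if __name__ == "__main__":
    for request, decision in run_scenario().items():
        print(f"{request}: {decision}")
```

Two things worth noticing when running this. First, "alice sees own salary" is a genuine conflict between the createdNode permission and the salary prohibition; the policy language on the slides leaves the outcome to the engine's meta-policy, and the example resolves it as deny. Second, schemaPredicate(P) as defined only catches triples whose predicate is an RDFS schema property; a triple such as (emp:Contractor rdf:type rdfs:Class) also defines a class but would not be blocked by the first rule, so a real deployment needs either a richer schemaPredicate or a rule on the object position as well.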
RAP : Prototype
• Architecture: RDF client → Data/Policies Access Protocol → RAP Policy Engine → RDF store
• RAP Policy Engine options: REI; a Prolog-based engine written from scratch; Cwm
• Data/Policies Access Protocol: extend HTTP (WebDAV); GET with a SPARQL query in the body to search the store; PUT with RDF data in the body to add data (note that an HTTP GET request body has no defined semantics and may be dropped by intermediaries)
• RDF store options: Redland; Kowari; Jena Models
Other Considerations • Policy representation: Prolog, N3, custom… • Expressiveness of policies • Delegation handling • Depth of delegation: can a club bouncer let himself into the club? • RDF stores are still nascent • Performance and scalability
Applications • Enterprise-level knowledge bases (RDF store) • Enterprise-level blogging platform controlling the creation of and access to blogs • Applications requiring collaborative creation of a knowledge store • Alan Hollander’s application in SPIRE
Thank You