
Semantically Enriching Access Control Rules for Web Services

This research study explores the use of Semantic Web rules to enforce access control in a Web Services security framework. The study evaluates the implementation and benefits of using Semantic Web rules in the health informatics industry.


Presentation Transcript


  1. Semantically Enriching Access Control Rules for Web Services
     Brian Shields, PhD Candidate, Department of Information Technology, National University of Ireland, Galway

  2. Overview
     • Using Semantic Web rules to enforce access control in a Web Services security framework
       - Semantic Web Rule Language (SWRL)
       - OWL-DL fact base
       - An existing reasoning engine is used
     • W3C and OASIS standards and recommendations
       - XML Signature
       - XML Encryption
       - XML Key Management Specification (XKMS)
       - WS-Security
     • Evaluated in the health informatics industry
       - Health Level 7 (HL7)
     ISWDS 2005, Galway, Ireland. Brian Shields

  3. Description of Purpose
     • Growth
       - Information available over the Web
       - Ways to access it
       - Popularity of Web Services
     • Concern for security, particularly authorisation
     • Current access control models
       - Access control lists (ACLs)
       - Role Based Access Control (RBAC)
     • Access definition: rules?
     • Benefits of Semantic Web rules
       - Added support for complex relationships between properties, e.g. "uncle(?x, ?y)", which is not a stored fact but is derived by a rule from the parent and brother relationships

  4. Goal Statement
     • Build a Web Service security framework
       - Web Service access control rules written in SWRL
       - Incorporate SWRL rules and a SWRL/OWL reasoner into the Web Service security framework
       - Build an OWL-DL ontology of the Health Level 7 Reference Information Model (HL7 RIM)
     • Will it work for the health informatics industry?
       - Addresses the issue of data protection, particularly within the Web Service space
       - Novel approach to access control
       - A solution to authorisation within the health industry

  5. Methodology
     • Research is part of the iWISE project
       - Statistical process monitoring, event emulation, legacy system integration
     • Security framework
       - Message security
       - Access control
     • Technologies
       - XML Signature
       - XML Encryption
       - XML Key Management Specification (XKMS)
       - WS-Security
       - Web Ontology Language (OWL)
       - Semantic Web Rule Language (SWRL)

  6. iWISE Security Architecture
     • SOAP message interceptor
       - Apache Axis filters
     • Authentication
       - Signature validation
     • Encryption/decryption engine
       - Apache WSS4J
     • Key management
     • Access control at two levels
       - First tier: verify that the requested endpoint exists and validate the message against its schema
       - Second tier: fine-grained, semantically aware access control model
     • Management console

  7. iWISE Security Architecture (diagram)
     [Figure: block diagram of the iWISE security architecture. Components shown: SOAP Message Interceptor; Authentication; Encryption/Decryption Engine; Key Management (Key Store, Key Generation Framework, Key Request, Key Registration); Management Console; 1st Tier Access Control; 2nd Tier Access Control consisting of a Policy Enforcement Point, a Policy Decision Point, a Policy Administration Point, Policies (SWRL) and a Knowledge Base (OWL).]

  8. iWISE Access Control
     • Level one
       - Verify that the requested Web Service exists
       - Validate all documents against their schemas
     • Level two
       - Request made to the Policy Decision Point for authorisation
       - Three types of response
         "Authorisation failed"
         "Authorisation limited"
         "Authorisation granted"
       - The Policy Decision Point response is the result of semantic reasoning over the ontology and the rules, e.g.
         Doctor(?x1) ∧ Patient(?x2) ∧ isTreatingPhysican(?x1, ?x2) → hasReadRecordAccess(?x1, ?x2)

  9. SWRL Rule (the rule from slide 8 in the SWRL XML concrete syntax; the closing </ruleml:imp> tag was missing in the original slide)

        <ruleml:imp>
          <ruleml:_rlab ruleml:href="#readRecordAccess"/>
          <ruleml:_body>
            <swrlx:classAtom>
              <owlx:Class owlx:name="Doctor"/>
              <ruleml:var>x1</ruleml:var>
            </swrlx:classAtom>
            <swrlx:classAtom>
              <owlx:Class owlx:name="Patient"/>
              <ruleml:var>x2</ruleml:var>
            </swrlx:classAtom>
            <swrlx:individualPropertyAtom swrlx:property="isTreatingPhysican">
              <ruleml:var>x1</ruleml:var>
              <ruleml:var>x2</ruleml:var>
            </swrlx:individualPropertyAtom>
          </ruleml:_body>
          <ruleml:_head>
            <swrlx:individualPropertyAtom swrlx:property="hasReadRecordAccess">
              <ruleml:var>x1</ruleml:var>
              <ruleml:var>x2</ruleml:var>
            </swrlx:individualPropertyAtom>
          </ruleml:_head>
        </ruleml:imp>

  10. Rule Reasoning
     • Numerous options available
       - Jena
       - Pellet
       - Racer
       - These involve restricting the expressiveness of SWRL
     • Hoolet has been extended to handle SWRL rules
       - WonderWeb OWL API for parsing and processing OWL
       - Vampire, a first-order theorem prover, used for reasoning

  11. Restricted Document Access
     • Fine-grained access control
       - At the XML element level
     • Organisational level
       - Many people have access to the same document
       - Should all of them have the same authorisation?
     • Proposal: limited access
       - Documents must be defined semantically at the element level
       - All users are defined semantically
       - iWISE access control rules define who can access what
       - The semantic reasoner enforces these rules

  12. Case Study: Health Sector
     [Figure: HL7 RIM core class diagram. Entity plays Role (1 to 0..*); Entity scopes Role; Role takes part in Act through Participation (0..*); Acts are linked by ActRelationship (0..*) and Roles by RoleLink (0..*). Specialisations shown: Act (Observation, Procedure, Referral, Supply, Act content, etc.); Entity (Organisation, Person, Material, Place, etc.); Role (Patient, Employee, Practitioner, Specimen, etc.); Participation type codes (Performer, Author, Witness, Subject, Destination, etc.).]
     • Security and access control are critical
     • Access control is usually achieved by defining static rule sets
     • Poor adoption of standards
     • Health Level 7 (HL7)
       - Standard for information representation in health

  13. Case Study: Health Sector
     [Figure: Client_1 and Client_2 each send a SOAP request into the iWISE secure layer, which performs (a) authentication and then (b) access filtering before the request reaches the service.]
     • A member of hospital staff requests patient files
     • The staff member is first authenticated, then access rights are determined
       - The doctor on the case gets full access
       - Admin staff get personal/billing information
       - A consulting doctor gets clinical data but not personal data
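The second-tier decision described on slide 8 (reason over class and property facts with Horn rules, answer "granted", "limited" or "failed") and the element-level outcomes of the slide 13 case study can be shown together with a toy policy decision point. The following is an added example, not iWISE code and not a SWRL engine: it is a naive forward chainer over a small in-memory fact base. The first rule is the slide 8 rule (the property is spelled isTreatingPhysican as on the slides); the isConsultingOn, worksAt, isPatientAt, hasClinicalAccess and hasBillingAccess names, the individuals, and the mapping of rights to record sections (personal, billing, clinical) are assumptions made up for the illustration.

```python
"""Toy policy decision point (PDP): an OWL-style fact base plus SWRL-style
Horn rules, closed by naive forward chaining, then mapped to the three
iWISE responses.  Added illustration; not the iWISE implementation."""

# Fact base: unary (class) atoms and binary (property) atoms.
# Constructed sample individuals, not from the slides.
FACTS = {
    ("Doctor", "drSmith"),
    ("Doctor", "drJones"),
    ("AdminStaff", "clerk1"),
    ("Patient", "p42"),
    ("isTreatingPhysican", "drSmith", "p42"),   # spelling kept from the slides
    ("isConsultingOn", "drJones", "p42"),       # assumed property
    ("worksAt", "clerk1", "hospitalA"),         # assumed property
    ("isPatientAt", "p42", "hospitalA"),        # assumed property
}

# Rules as (body atoms, head atom); variables are strings starting with '?'.
# Rule 1 is the slide 8 rule; rules 2 and 3 encode the slide 13 case study
# (assumed encoding).
RULES = [
    ([("Doctor", "?x1"), ("Patient", "?x2"), ("isTreatingPhysican", "?x1", "?x2")],
     ("hasReadRecordAccess", "?x1", "?x2")),
    ([("Doctor", "?x1"), ("Patient", "?x2"), ("isConsultingOn", "?x1", "?x2")],
     ("hasClinicalAccess", "?x1", "?x2")),
    ([("AdminStaff", "?x1"), ("Patient", "?x2"),
      ("worksAt", "?x1", "?h"), ("isPatientAt", "?x2", "?h")],
     ("hasBillingAccess", "?x1", "?x2")),
]

# Which derived right unlocks which record sections (element-level control,
# slide 11).  Assumed mapping.
SECTIONS_BY_RIGHT = {
    "hasReadRecordAccess": {"personal", "billing", "clinical"},
    "hasClinicalAccess": {"clinical"},
    "hasBillingAccess": {"personal", "billing"},
}


def is_var(term):
    return isinstance(term, str) and term.startswith("?")


def unify(atom, fact, binding):
    """Match one rule atom against one fact; return the extended binding or None."""
    if len(atom) != len(fact) or atom[0] != fact[0]:
        return None
    bound = dict(binding)
    for a, f in zip(atom[1:], fact[1:]):
        if is_var(a):
            if bound.get(a, f) != f:      # variable already bound to something else
                return None
            bound[a] = f
        elif a != f:                      # constant mismatch
            return None
    return bound


def match_body(body, facts, binding=None):
    """Yield every variable binding that satisfies all body atoms (backtracking)."""
    binding = binding or {}
    if not body:
        yield binding
        return
    first, rest = body[0], body[1:]
    for fact in facts:
        bound = unify(first, fact, binding)
        if bound is not None:
            yield from match_body(rest, facts, bound)


def infer(facts, rules):
    """Forward-chain to a fixpoint and return the closed fact base."""
    closed = set(facts)
    changed = True
    while changed:
        changed = False
        for body, head in rules:
            # materialise matches first: the set must not change mid-iteration
            for bound in list(match_body(body, closed)):
                derived = tuple(bound.get(t, t) for t in head)
                if derived not in closed:
                    closed.add(derived)
                    changed = True
    return closed


def decide(requester, patient, requested, facts=FACTS, rules=RULES):
    """PDP response for `requester` asking for `requested` sections of `patient`'s record.

    Returns (response, permitted_sections) where response is one of the
    three iWISE replies from slide 8."""
    closed = infer(facts, rules)
    allowed = set()
    for right, sections in SECTIONS_BY_RIGHT.items():
        if (right, requester, patient) in closed:
            allowed |= sections
    permitted = set(requested) & allowed
    if not permitted:
        return "Authorisation failed", set()
    if permitted == set(requested):
        return "Authorisation granted", permitted
    return "Authorisation limited", permitted


if __name__ == "__main__":
    everything = ["personal", "billing", "clinical"]
    for who in ("drSmith", "drJones", "clerk1", "intruder"):
        print(who, decide(who, "p42", everything))
```

The "limited" response is what lets the enforcement point strip the disallowed XML elements rather than refuse the whole document: the consulting doctor asking for the full record gets only the clinical section back, while an unknown requester, or a clerk asking for clinical data, is refused outright. Because the rules are closed by forward chaining before the lookup, a requester never gains a right that is not derivable from the fact base, which is the property the reasoner is relied on for.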

  14. Conclusions
     • Completed
       - SOAP message interceptor
       - Basic authentication
       - Encryption/decryption engine
       - Basic key management
       - Access control level one
     • To do
       - Management framework
       - Advanced key management (XKMS)
       - Semantic access control
