1 / 32

Ontology based Policy Interoperability

Ontology based Policy Interoperability. Dr. Latifur Khan Tahseen Al-Khateeb Mohammad Alam Mohammad Farhan Husain. Outline. Motivating example ← XACML Recap The problem of heterogeneity OPI: Our solution to the problem Demonstration Future Works. An example scenario.

sen
Download Presentation

Ontology based Policy Interoperability

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Ontology based Policy Interoperability Dr. Latifur Khan Tahseen Al-Khateeb Mohammad Alam Mohammad Farhan Husain

  2. Outline • Motivating example ← • XACML Recap • The problem of heterogeneity • OPI: Our solution to the problem • Demonstration • Future Works

  3. An example scenario • Suppose there are two organizations: OrgA and OrgB, both having geo-spatial data. • Access control policy in XACML. • They form a federation and want that • subjects (e.g. People, client s/w etc.) of one organization will be able to access resources (e.g. Data, file etc.) of other organization based on existing policies without any modification & human assistance

  4. Problem faced • Both organizations have policies based on their own naming convention, data type • Not recognized by other organization • Access request will contain organization specific keywords and data type • Requests will fail if evaluated by existing XACML processing model

  5. Geo-spatial data specific improvement • For some data in case full permission cannot be given, Partial Permit can be provided • Partial Permit will essentially mean getting a part of data the request wanted to get

  6. Outline • Motivating example • XACML Recap ← • The problem of heterogeneity • OPI: Our solution to the problem • Demonstration • Future Works

  7. XACML: brief introduction • XACML stands for eXtensible Access Control Markup Language. • It is a declarative access control policy language implemented in XML • It also includes a processing model, describing how to interpret the policies. • Latest version 2.0 was ratified by OASIS standards organization on 1 February 2005.

  8. rule rule rule PDP 2 3 Decision request (Premise) Decision response (Conclusion) Attributes Decision, Obligations 1 4 Access request Access request PEP PDP – Policy Decision Point PEP – Policy Enforcement Point PEP fulfills obligations 5 XACML Request processing

  9. More about XACML • Elements • Attribute • Function • Rule • Policy • Policy Set • Rule effects • Permit • Deny

  10. Rule combination algorithms • If there are multiple rules in a policy, they must be combined to get a single decision. The XACML normative rule combination algorithms are:

  11. An example policy • Here is a simple example Policy in the following slide. • Policy target says that Policy applies to requests for High access objects (e.g. sys-admin) • Policy has a Rule which applies to viewing Airport data. • A request is permitted if Subject is trying to view data between 10am and 2pm.

  12. Policy Target Rule Effect

  13. Rule Condition

  14. Outline • Motivating example • XACML Recap • The problem of heterogeneity ← • OPI: Our solution to the problem • Demonstration • Future Works

  15. The problem of heterogeneity • Types of heterogeneity • Naming heterogeneity • Data type heterogeneity • Subjects, resources and attributes can be differently defined in different organizations • For example • Network Administrator = System Admin • Read = View • Directory = Folder • In such case, policy of one organization is not applicable to another when they form a federation

  16. Heterogeneity

  17. Outline • Motivating example • XACML Recap • The problem of heterogeneity • OPI: Our solution to the problem ← • Demonstration • Future Works

  18. OPI: our approach to solve the problem • In case a directly applicable policy or rule is not found for a request, we will use a domain ontology for • Subjects • Resources • Actions

  19. New rule effect: Partial Permit • We have added new rule effect: “Partial Permit” to XACML to grant request partially. • Example • Grant only the outer boundary of some object e.g. airport • Return a map with lower resolution than requested

  20. Steps taken: Suppose, a subject of OrgA sends request to OrgB. Following steps will be taken: • Within all the policies and rules of OrgB, find the rule which has a subject of minimum semantic distance from the subject of the request in the ontology of subjects. • In case of ties, find the rule among the tied rules which has a resource of minimum semantic distance from the resource of the request in the ontology of resources. • In case of ties, find the rule among the tied rules which has an action of minimum semantic distance from the action of the request in the ontology of actions

  21. Steps taken: (continued) • Use a semantic distance score formula to get a match score • If Score ≥ Full-effect threshold  use its effect as the outcome. • If Score ≤ Full-effect threshold & Score ≥ Partial-effect threshold & Rule-effect == Permit  Partial-permit • If Score < Partial-permit threshold  Deny • In case of multiple rules having tie, we will use rule combination algorithm specified in the policy to break the tie.

  22. Steps taken: • Rule-1 • Subject: GISAdmin • Resource: AIRPORT_area • Action: View • Effect: Permit • Request • Subject: SystemAdmin • Resource: AIRPORT_area • Action: View • Rule-2 • Subject: Lkhan • Resource: EMPLOYERS_point • Action: View • Effect: Deny • Rule-3 • Subject: LowAccessSubjects • Resource: AIRPORT_area • Action: View • Effect: Deny

  23. The ontology

  24. Semantic distance score formula • To find the matching similarity score between two nodes C1 and C2, we first determine their closes common parent C. Then the score S(C1,C2) is formulated as follows: S(C1, C2) = • Where len is a length operator that calculates the shortest distance between two nodes in an ontology tree and D is the overall depth of the tree.

  25. Semantic distance score formula (continued) • We calculate there different score values, SS(C1, C2), SR(C1, C2), and SA(C1, C2) for subject, resource and action parameters, respectively. The score values are combined by an aggregation function where is a set of 3-ary tuples and is the set of real numbers. The function, henceforth referred to as Aggregation function, is represented as • Aggregation function result is compared against a pre-determined threshold value to resolve the policy decision. The decision could be either one of the three effects: Permit, Deny, and Partial-Permit.

  26. A complete example

  27. Outline • Motivating example • XACML Recap • The problem of heterogeneity • OPI: Our solution to the problem • Demonstration ← • Future Works

  28. Outline • Motivating example • XACML Recap • The problem of heterogeneity • OPI: Our solution to the problem • Demonstration • Future Works ←

  29. Future works: • Take all policies of all organizations into account • Address data type heterogeneity

  30. Future Works: • GML rendering API in java • ArcGIS shows GML data but the process is cumbersome • ArcGIS does not provide API for GML display • Currently, no API in any language for displaying GML data

More Related