Supporting Role Based Provisioning with Rules Using OWL and F-Logic.
ABSTRACT The rule-based RBAC (RB-RBAC) model has been proposed to dynamically assign users to roles based on a set of rules. We identify
two problems of this model: simplified rule language with limited expressiveness and the lack of rule reasoning capabilities.
In this paper we propose an expressive and extensible provisioning framework that overcomes these drawbacks. Our framework
supports complex user-role assignment rules and provides rule reasoning capabilities using OWL DL and F-Logic. Furthermore,
we show how our approach supports (i) weak and strong negation to enhance expressiveness and strictness, (ii) defining static
SoD constraints, and (iii) detecting conflicts. Finally, the paper describes a mechanism to deduce well-formed SPML requests
from rules to provision policy systems with entitlements.
[Show abstract] [Hide abstract]
ABSTRACT: Understanding and using the data and knowledge encoded in semantic web documents requires an inference engine. F-OWL is an inference engine for the semantic web language OWL language based on F-logic, an approach to defining frame-based systems in logic. F-OWL is implemented using XSB and Flora-2 and takes full advantage of their features. We describe how F-OWL computes ontology entailment and compare it with other description logic based approaches. We also describe TAGA, a trading agent environment that we have used as a test bed for F-OWL and to explore how multiagent systems can use semantic web concepts and technology.01/2005: pages 238-248;
Conference Paper: RelBAC: Relation Based Access Control[Show abstract] [Hide abstract]
ABSTRACT: The Web 2.0, GRID applications and, more recently, semantic desktop applications are bringing the Web to a situation where more and more data and metadata are shared and made available to large user groups. In this context, metadata may be tags or complex graph structures such as file system or web directories, or (lightweight) ontologies. In turn, users can themselves be tagged by certain properties, and can be organized in complex directory structures, very much in the same way as data. Things are further complicated by the highly unpredictable and autonomous dynamics of data, users, permissions and access control rules. In this paper we propose a new access control model and a logic, called RelBAC (for Relation Based Access Control) which allows us to deal with this novel scenario. The key idea, which differentiates RelBAC from the state of the art, e.g., Role Based Access Control (RBAC), is that permissions are modeled as relations between users and data, while access control rules are their instantiations on specific sets of users and objects. As such, access control rules are assigned an arity which allows a fine tuning of which users can access which data, and can evolve independently, according to the desires of the policy manager(s). Furthermore, the formalization of the RelBAC model as an Entity-Relationship (ER) model allows for its direct translation into Description Logics (DL). In turn, this allows us to reason, possibly at run time, about access control policies.Semantics, Knowledge and Grid, 2008. SKG '08. Fourth International Conference on; 01/2009