Conference PaperPDF Available

Delegated Attribute-Based Access Control (DABAC) for Contextual Linked Data



Security is an inevitable part of every information system. It is a cross-cutting concern that affects every part of the system. There is a constant trade-off between a secured system and convenient security management, and this management gets more demanding when the permissions are context dependent. The delegation of authorization is one way to make this process more convenient, by including and allowing multiple individuals to contribute. We provide a solution for combining multiple security rules such that data owners can delegate a part of their permissions over their data, and can validate the overall allowed data during the security permissions design process.
Delegated attribute-based access control
(DABAC) for contextual Linked Data
Riste Stojanov*, Sasho Gramatikov*, Milos Jovanovik*, Dimitar Trajanov*
* Faculty of Computer Science and Engineering, Skopje, Macedonia
Abstract—Security is an inevitable part of every information
system. It is a cross-cutting concern that affects every part
of the system. There is a constant trade-off between a
secured system and convenient security management, and
this management gets more demanding when the
permissions are context dependent. The delegation of
authorization is one way to make this process more
convenient, by including and allowing multiple individuals
to contribute.
We provide a solution for combining multiple security rules
such that data owners can delegate a part of their
permissions over their data, and can validate the overall
allowed data during the security permissions design process.
The management of security in an information system
is a lengthy and tedious process, where the security
administrator should create access rules, represented as a
security policies. The main role of the security manager is
to define the permissions of the users in the system.
However, this process becomes very complex when there
is a hierarchy of numerous users with different access
levels, since the manager has to be aware of all the
peculiarities when defining the policies. In many
situations the manager is in direct control of only the top-
level users. In every system, there may be multiple
security requirements relating different users and different
contextual scenarios.
Another requirement that emerged with the wide
penetration of the mobile devices and the Internet of
Things is the contextual dependence of the security
policies. Data has become more personal, more
distributed, and hence, more vulnerable. Therefore, on one
hand, our goal is to provide context-aware, attribute-based
access control of the protected data, by using complex and
diverse policies; on the other hand, we aim at simplifying
the task of policy definition and reducing the human error
factor in protecting the data.
We achieve the first goal by taking our previous work
[1] as a starting point for context-aware attribute-based
protection of the data by combining multiple policies with
different priorities. In order to achieve our second goal,
i.e. to simplify the access-control definition, we extend the
LDA platform by proposing delegated access-control. The
security manager defines policies only for the top-level
security users and lets them delegate a subset of their
access rights to the next level of subordinate users. The
subordinate users can proceed with the same principle of
delegation. Each user with delegated rights defines new
policies that are combined with all inherited policies up to
that level. With this, the complexity of securing the system
is distributed to a larger number of users which imposes
fewer errors, better control and protection of the data.
Moreover, the approach guarantees that users cannot grant
access to data that they themselves are not allowed to
access. The possibility of potential human errors in
defining the policies is further reduced by employing the
validation tools of the LDA platform.
The authorization process generally enforces the
policies, which are formalized requirements.
Policy enforcement can be grouped into three main
- Permitted data filtering/annotation is storage level
protection. It is most commonly implemented using a
graph that contains the permitted data [4, 5] or by
permitted data annotation [6]. This enforcement method
introduces significant performance degradation if it is
executed on every request [2, 4].
- Query rewriting enforcement adds additional
constructs to each query that enters the system in order to
ensure that only the permitted resources can be obtained.
This approach requires complex algorithms for the
rewriting process, and thus it needs extensive correctness
and performance testing, as discussed in [2].
- Per action enforcement is the most commonly used,
due to its simplicity. It permits or denies the domain
actions. The downside of this enforcement method is that
its policies are not able to filter out the forbidden
The policy format definition is generalized in [2] as:
<Subject, Resource, Access Right>
The Subject from this tuple describes for whom this
policy will be active. The Resource is intended to describe
the resources that are protected by the policies, while the
AccessRight describes whether the policy allows or denies
for certain action.
The access rights should define whether the policy
permits or denies access to an action to interact with
resources on behalf of a requester in a given context. It is
defined as a condition expressiveness in [3], with
additional obligation value that requires something to be
executed. This paper focuses only on access control, and
the obligation is left out to be incorporated in the business
The Access Control Model is the most widely used
description for authorization systems. It can be closely
related to the previous policy formalization. The following
access control models can be find in the literature
(including their combinations): - MAC: Mandatory
Access Control [7] defines a policy for each combination
Figure 1. The LDA platform architecture
of subject and resource. The policies are stored and
managed by central authorities. In the context of semantic
web authorization, the approaches presented in [10, 11]
can be categorized as MAC.
- DAC: Discretionary Access Control [8] enables
policy delegation, and they are stored and managed in a
distributed manner.
- RBAC: Role Based Access Control [9] introduces
user grouping into roles [5, 2], which significantly
simplifies the policy management, through the reduction
of the number of policies.
- ABAC: Attribute Based Access Control [12] is
another model that focuses on the requester specification
and provides more flexibility through dynamic grouping
of the requesters using their attributes [13, 14, 15]. This
model is suitable in the scenarios where dynamic
separation of duty is required.
- VBAC: View Based Access Control [16] model
groups the resources into views, and authorizes the
requesters based on these groups [5, 15, 4, 17]. Similar to
RBAC, it simplifies the policy management through the
reduction of the number of policies.
- CBAC: Context Based Access Control [18] model
enables contextual policy definition [14, 15, 19, 6].
The correctness of semantic authorization systems is
analyzed in [2], where the query rewriting implementation
correctness is tested against a permitted data annotation
approach. However, the possible errors in the policy
design and definition processes are not considered in this
When both permit and deny policies are available, their
definition is simpler, but conflicts may arise [3, 17, 15].
There are various ways to solve these conflicts, such as:
default behavior [19, 17], meta-policies [11], priorities
[20], and detection and prevention [14, 4].
The main challenge in each system that needs to be
secured is the trade-off between the protection and the
maintenance convenience. The policy management
process requires a flexibility to protect an arbitrary part of
the data, for every particular user or group of users in a
specific context. Furthermore, the policies are managed by
human beings, and as such, are prone to errors and
mistakes. Therefore, a secure policy management system
should provide design-time security rules validation. All
these issues are addressed in our previous work [1].
However, this work does not provide a convenient
delegation of access rights. There are systems that allow
access rights delegation [2, 3], but they are focused on
delegating access based on user roles, which is not as
flexible as using the attributes.
In this paper we are extending our previous work [1] by
allowing policy combination such that the users can
delegate rights for their data to other entities. The
architecture of the platform is shown in Figure 1. The goal
of the platform is to ensure the security requirements
defined as policies against the Guarded Data. This
platform accepts the user requests that hold the
information about who the requester is, from which
context it is accessing the platform and the action it is
intending to perform. This request is first intercepted by
the Intent Provider component, which authenticates the
user based on the provided information in the request and
builds a semantic representation of the request referred to
as Intent.
The policy Enforcement Module provides the
machinery that ensures the appropriate data protection. It
first combines the configured security policies relevant for
the current Intent, and then filters only the data allowed in
that given scenario. The results are then handled to the
Result Interpreter component, which serializes the results
in the requested format.
The Policy Management Module is the administrative
part of the system that allows the security officers to
specify the policies. During the policy design time, this
module provides evaluation of the data being protected by
each policy and presents the relevant Intents for which the
policy will be activated. It also enables detection of
potential conflicts among the defined policies, as well as
detection whether a portion of the data is not protected.
Figure 3 shows the policy administration interface that
also allows design-time validation of the allowed data for
the policy for different Intents.
In this work we also defined a policy language that
extends the SPARQL query language with constructs that
describe whether a data portion is allowed or denied for a
certain Intent. The term Intent is used to represent the
condition against the requester and its context. An
example policy that describes the ability of our policy
language to provide a contextual protection with respect to
the user attributes, is shown in Figure 2. This policy
corresponds to the following security requirement:
ALLOW READ { ?s ?p ?o ?g }
GRAPH <http://intent> {
?r a int:Requester.
?ag a int:Agent; int:address ?ip.
?ip int:network ?n
?r sm:works at ?v8.
?v8 sm:network address ?n.
?v9 sm:has doctor ?r; sm:for patient ?v11.
?v10 sm:owner ?v11.
GRAPH ?g {
?s sm:sensor ?v10; ?p ?o
Figure 2. Example Policy
Figure 3. Example Policy
The doctors can read all sensor observations of their
patients, but only from their hospital network.
The ability to model this requirement shows that this
policy language is able to link the requester with its
context and the data that is being protected in the same
policy, which significantly improves the administration
effort. The graph <http://intent> shown in this policy is the
semantic representation of the user Intent injected as a
temporal graph during the enforcement of the policies for
each request.
The main extension in this paper is in the Policy
Management Module. Here, we allow each user to define
a policy that delegates the access of its allowed data to
other users, using the standard interface and policy syntax.
However, in this scenario, some user may give access to
data that is not allowed for him/her. In order to prevent
this scenario, each policy is stored by removing the data
that is not allowed for the given user.
We are going to explain the policy modification using
an example, where the data owner has gained access to the
data Down obtained with the query qown from the guarded
data Dall. The query parts that are discussed here are the
one that describe the protected data, i.e. the WHERE block
from the policy without the GRAPH <http://intent> block
element. Let this user create a policy that protects the data
Dd with the query qd for the intents that are suitable for the
query id. In this scenario, the resulting policy should
protect the data Dd that intersects with Down. Since the
SPARQL syntax does not support the intersection
operation, we are using the following set transformation
which can be implemented with SPARQL operators:
Dd ∩ Down Dd \ (Dall \ Down)
The right-side expression can be implemented with the
following SPARQL construction:
qd MINUS {
qall MINUS { qown }
where the qall query selects all the data from the dataset
using the pattern ?s ?p ?o.
The Policy Management Module transforms each
policy that delegates access such that it has the following
WHERE block:
id .
qall MINUS { qown }
} …
This transformation allows the Enforcement Module to
operate without modification, and when a certain intent
activates the policy (satisfies the query id), it will
allow/deny the data Dd ∩ Down. In this case, the portion of
the data Down will be constructed with respect to the
current intent, which will preserve the context awareness
of the authentication process. If one of the policies that
construct Down is not suitable for the given intent, it will
return an empty set of triples, and therefore it will not
influence the final result. The Enforcement Module uses
the id part of the delegated policy for optimization, where
it filters only the applicable policies for the intent in
advance, and then activates and combines only the ones
that are suitable in the given context.
The proposed extension to the existing LDA platform
enables delegation of the configuration effort from the
owners toward other users, which significantly distributes
the maintenance effort.
The Enforcement module provides implicit security,
since its implementation first creates a temporal dataset
that contains the allowed data in the given context, and
then executes the requests against this data. This
implementation has a performance trade-off, since it is not
suitable in a scenarios when there are huge amounts of
data allowed for the user. However, in most of the real-life
application, each regular user has access only to a portion
of the overall data, where this approach has acceptable
performance, as discussed in [1].
Another unique feature provided with this extension is
the possibility for a user to inherit data from multiple
owners, since each owner embeds its ownership rights in
the delegating policy.
As in every long-leaving application, the policies may
change over the time. Our extension keeps track of the
policy delegation path, storing information about the user
that has created it. Therefore, every time there is a
modification of a policy, all policies originating from the
creator are updated. In the worst-case scenario, when the
system administrator updates a general policy, all
delegated policies are updated. In order to prevent some
major downtime, all requests that have started will use the
old version of the policies, while the new requests will
wait for the updated version of the policies. However,
since the policy update is performed in-memory, this
operation finishes in milliseconds, even if there are
thousands of policies in the system.
In this paper, we provide a flexible policy language that
enables protection to arbitrary data parts in relation to the
requester and its context. The design-time policy
validation ensures the proper protection of the data. This
paper focuses on the policy transformation in the process
of delegation of the access rights. The intent query part of
the policy provides that the delegation can be temporary
for a given context with respect to the requester attributes,
while the protected data part ensures that the data owner
can only specify policies for a subset of its owned data.
The policy enforcement module provides activation and
combination of the defined policies such that the data
owners can have a convenience to protect multiple parts of
their data with separate policies, that can be validated
during the design time.
The work in this paper was partially financed by the
Faculty of Computer Science and Engineering, Ss. Cyril
and Methodius University in Skopje, as part of the
“DataGEM: Data science Based Global Economy
Modeling and Forecasting” research project.
[1] R. Stojanov, S. Gramatikov, I. Mishkovski, D. Trajanov. "Linked
Data Authorization Platform." IEEE Access 6 (2018): 1189-1213.
[2] S. Kirrane, A. Mileo, and S. Decker. "Access Control and the
Resource Description Framework: A Survey." Semantic Web 8.2
(2017): 311-352.
[3] S. Kirrane, A. Abdelrahman, A. Mileo, S. Decker. "Secure
Manipulation of Linked Data." International Semantic Web
Conference. Springer, Berlin, Heidelberg, 2013.
[4] H. Muhleisen, M. Kost, J. C. Freytag. "SWRL-based access
policies for linked data." Procs of SPOT 80 (2010).
[5] S. Dietzold, S. Auer. "Access control on RDF triple stores from a
semantic wiki perspective." ESWC Workshop on Scripting for the
Semantic Web. 2006.
[6] S. Franzoni, P. Mazzoleni, S. Valtolina, E. Bertino. "Towards a
fine-grained access control model and mechanisms for semantic
databases." IEEE International Conference on Web Services
(ICWS 2007). IEEE, 2007.
[7] P. Samarati, S. C. de Vimercati. "Access control: Policies, models,
and mechanisms." International School on Foundations of Security
Analysis and Design. Springer, Berlin, Heidelberg, 2000.
[8] R. S. Sandhu, P. Samarati. "Access control: principle and
practice." IEEE communications magazine 32.9 (1994): 40-48.
[9] R. S. Sandhu. "Role-based access control." Advances in
computers. Vol. 46. Elsevier, 1998. 237-286.
[10] H. Hollenbach, J. Presbrey, T. Berners-Lee. "Using rdf metadata to
enable access control on the social semantic web." Proceedings of
the Workshop on Collaborative Construction, Management and
Linking of Structured Knowledge (CK2009). Vol. 514. 2009.
[11] L. Kagal, T. Finin, A. Joshi. "A policy language for a pervasive
computing environment." Proceedings POLICY 2003. IEEE 4th
International Workshop on Policies for Distributed Systems and
Networks. IEEE, 2003.
[12] T. Priebe, W. Dobmeier, N. Kamprath. "Supporting attribute-based
access control with ontologies." First International Conference on
Availability, Reliability and Security (ARES'06). IEEE, 2006.
[13] O. Sacco, J. G. Breslin. "PPO & PPM 2.0: Extending the privacy
preference framework to provide finer-grained access control for
the web of data." Proceedings of the 8th International Conference
on Semantic Systems. ACM, 2012.
[14] A. Toninelli, R. Montanari, L. Kagal, O. Lassila. "Proteus: A
semantic context-aware adaptive policy model." Eighth IEEE
International Workshop on Policies for Distributed Systems and
Networks (POLICY'07). IEEE, 2007.
[15] L. Costabello, S. Villata, O. R. Rocha, F. Gandon. "Access control
for http operations on linked data." Extended Semantic Web
Conference. Springer, Berlin, Heidelberg, 2013.
[16] P. P. Griffiths, B. W. Wade. "An authorization mechanism for a
relational database system." ACM Transactions on Database
Systems (TODS) 1.3 (1976): 242-255.
[17] G. Flouris, I. Fundulaki, M. Michou, G. Antoniou. "Controlling
access to RDF graphs." Future Internet Symposium. Springer,
Berlin, Heidelberg, 2010.
[18] A. Corrad, R. Montanari, D. Tibaldi. "Context-based access
control management in ubiquitous environments." Third IEEE
International Symposium on Network Computing and
Applications, 2004.(NCA 2004). Proceedings.. IEEE, 2004.
[19] F. Abel, et al. "Enabling advanced and context-dependent access
control in RDF stores." The Semantic Web. Springer, Berlin,
Heidelberg, 2007. 1-14.
[20] V. Kolovski, J. Hendler, B. Parsia. "Analyzing web access control
policies." Proceedings of the 16th international conference on
World Wide Web. ACM, 2007.
ResearchGate has not been able to resolve any citations for this publication.
Full-text available
The expansion of the smart devices, the growing popularity of the social networks and the wide spread of the corporate services impose huge amounts of heterogeneous data to be generated and stored in separate silos on a daily basis. Parts of this data are private and highly sensitive as they reflect owner’s behavior, obligations, habits, and preferences. On the other hand, the emerging crowd services challenge the owners to expose this data in return to the convenience they offer. Therefore, it is imperative not only to protect the interaction with sensitive data, but also to selectively open it in an unharmful manner for the owner’s personal integrity. One of the main enablers of the crowd services is the emerging Linked Data, which is all about opening heterogeneous knowledge from separate data silos. Its growing popularity encourages the data owners to publish their personal data in linked data format. The fusion of sensor, social and corporate data opens new security challenges which extend the standard security considerations towards more flexible and context aware authorization platforms. In this paper, we propose a Linked Data Authorization (LDA) platform atop a policy language flexible enough to cover all newly emerged requirements, including context awareness. The proposed policy language extends the widely accepted W3C’s SPARQL query language and leverages its expressiveness to protect every part of the data. The novelty of our LDA platform is its unique capability of design time policy validation through stand alone testing, conflict detection and overall protection coverage extraction.
Conference Paper
Full-text available
When it comes to publishing data on the web, the level of access control required (if any) is highly dependent on the type of content exposed. Up until now RDF data publishers have focused on exposing and linking public data. With the advent of SPARQL 1.1, the linked data infrastructure can be used, not only as a means of publishing open data but also, as a general mechanism for managing distributed graph data. However, such a decentralised architecture brings with it a number of additional challenges with respect to both data security and integrity. In this paper, we propose a general authorisation framework that can be used to deliver dynamic query results based on user credentials and to cater for the secure manipulation of linked data. Specifically we describe how graph patterns, propagation rules, conflict resolution policies and integrity constraints can together be used to specify and enforce consistent access control policies.
Conference Paper
Full-text available
Access control is a recognized open issue when interacting with RDF using HTTP methods. In literature, authentication and authorization mechanisms either introduce undesired complexity such as SPARQL and ad-hoc policy languages, or rely on basic access control lists, thus resulting in limited policy expressiveness. In this paper we show how the Shi3ld attribute-based authorization framework for SPARQL endpoints has been progressively converted to protect HTTP operations on RDF. We proceed by steps: we start by supporting the SPARQL 1.1 Graph Store Protocol, and we shift towards a SPARQL-less solution for the Linked Data Platform. We demonstrate that the resulting authorization framework provides the same functionalities of its SPARQL-based counterpart, including the adoption of Semantic Web languages only.
Full-text available
Social applications are one of the fastest growing areas in the Web. However, privacy issues ensue if all information of all users of these applica-tions is stored on a single computer system. With small extensions to Semantic Web technologies and Linked Data concepts, a distributed approach to the social web is possible, where users retain fine-grained control over their data and are still able to combine their data with users on different systems. We describe our concept of a Policy-enabled Linked Data Server (PeLDS) obeying user-defined access policies for the stored information. PeLDS also supports configuration-free distributed authentication. Access policies are expressed in a newly devel-oped compact notation for the Semantic Web Rule Language. Authentication is performed using SSL certificates and the FOAF+SSL verification approach. We evaluate our concept using a prototype implementation and a distributed address book application.
Full-text available
RDF triple stores are used to store and query large RDF models. Semantic Web applications built on top of such triple stores re-quire methods allowing high-performance access control not restricted to per model directives. For the growing number of lightweight, scripted Semantic Web applications it is crucial to rely on access control methods which maintain a balance between expressiveness, simplicity and scal-ability. Starting from a Semantic Wiki application scenario we collect requirements for useful access control methods provided by the triple store. We derive a basic model for triple store access according to these requirements and review existing approaches in the field of policy man-agement with regard to the requirements. Finally, a lightweight access control framework based on rule-controlled query filters is described.
Conference Paper
Full-text available
XACML has emerged as a popular access control language on the Web, but because of its rich expressiveness, it has proved dicult to analyze in an automated fashion. In this paper, we present a formalization of XACML using descrip- tion logics (DL), which are a decidable fragment of First- Order logic. This formalization allows us to cover a more expressive subset of XACML than propositional logic-based analysis tools, and in addition we provide a new analysis service (policy redundancy). Also, mapping XACML to de- scription logics allows us to use o-the-shelf DL reasoners for analysis tasks such as policy comparison, verification and querying. We provide empirical evaluation of a policy anal- ysis tool that was implemented on top of open source DL reasoner Pellet.
In recent years we have seen significant advances in the technology used to both publish and consume structured data using the existing web infrastructure, commonly referred to as the Linked Data Web. However, in order to support the next generation of e-business applications on top of Linked Data suitable forms of access control need to be put in place. This paper provides an overview of the various access control models, standards and policy languages, and the different access control enforcement strategies for the Resource Description Framework (the data model underpinning the Linked Data Web). A set of access control requirements that can be used to categorise existing access control strategies is proposed and a number of challenges that still need to be overcome are identified.
The basic concept of role-based access control (RBAC) is that permissions are associated with roles, and users are made members of appropriate roles, thereby acquiring the roles' permissions. This idea has been around since the advent of multi-user computing. Until recently, however, RBAC has received little attention from the research community. This chapter describes the motivations, results, and open issues in recent MAC research.
Conference Paper
Semantic Web databases allow efficient storage and access to RDF statements. Applications are able to use expressive query languages in order to retrieve relevant metadata to perform different tasks. How-ever, access to metadata may not be public to just any application or service. Instead, powerful and flexible mechanisms for protecting sets of RDF statements are required for many Semantic Web applications. Un-fortunately, current RDF stores do not provide fine-grained protection. This paper fills this gap and presents a mechanism by which complex and expressive policies can be specified in order to protect access to metadata in multi-service environments.