ROWLBAC: representing role based access control in OWL

There have been two parallel themes in access control research in recent years. On the one hand there are efforts to develop new access control models that meet the policy needs of real-world application domains. In parallel, and almost separately, researchers have developed policy languages for access control. This paper is motivated by the observation that these two efforts need to develop synergy. A policy language in the abstract, without ties to a model, gives the designer little guidance. Conversely, a model may lack the machinery to express all the policy details of a given system, or may deliberately leave important aspects unspecified. Our vision for the future is a world where advanced access control concepts are embodied in models that are supported by policy languages in a natural, intuitive manner, while allowing details beyond the models to be specified in the policy language. This paper studies the relationship between the Web Ontology Language (OWL) and the Role-Based Access Control (RBAC) model. Although OWL is a web ontology language and was not specifically designed for expressing authorization policies, it has been used successfully for this purpose in previous work. OWL is a leading specification language for the Semantic Web, making it a natural vehicle for providing access control in that context. In this paper we show two different ways to support the NIST Standard RBAC model in OWL and then discuss how the OWL constructions can be extended to model attribute-based RBAC or, more generally, attribute-based access control. We further examine and assess OWL's suitability for two other access control problems: supporting attribute-based access control and performing security analysis in a trust-management framework.
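As an added illustration (not code from the ROWLBAC paper or its authors), the following Python sketches one natural way to carry the NIST RBAC reference model into an OWL-style triple vocabulary: roles as OWL classes, user-role assignment as rdf:type, the role hierarchy as rdfs:subClassOf so that permissions granted to a senior role include those of the roles it inherits from, permission-role assignment as a hypothetical ex:hasPermission property, and a static separation-of-duty constraint as owl:disjointWith. The ex: names, the users and the permissions are constructed sample data, and the tiny forward-chaining reasoner implements only the entailments the example needs; a real deployment would load the ontology into an OWL reasoner, which reports a violated disjointness axiom as an inconsistent ontology rather than as a list of offending users.

```python
"""Toy encoding of NIST RBAC in an OWL-style triple vocabulary.

Added example, not code from the ROWLBAC paper.  The ex: names, users
and permissions are constructed sample data.  The reasoner below covers
only rdfs:subClassOf transitivity, the rdf:type inheritance it entails,
and a check of owl:disjointWith.
"""

RDF_TYPE = "rdf:type"
SUBCLASS_OF = "rdfs:subClassOf"
DISJOINT_WITH = "owl:disjointWith"
HAS_PERMISSION = "ex:hasPermission"  # assumed property: role class -> permission

# Constructed sample ontology.  Roles are OWL classes; a user holds a role
# via rdf:type; the role hierarchy is rdfs:subClassOf (a SeniorEngineer is
# an Engineer is an Employee), so permissions attached to a superclass are
# inherited by the subclass; owl:disjointWith between two roles expresses
# a static separation-of-duty (SSD) constraint.
TRIPLES = {
    ("ex:Engineer", SUBCLASS_OF, "ex:Employee"),
    ("ex:SeniorEngineer", SUBCLASS_OF, "ex:Engineer"),
    ("ex:Auditor", SUBCLASS_OF, "ex:Employee"),
    ("ex:Auditor", DISJOINT_WITH, "ex:Engineer"),
    ("ex:Employee", HAS_PERMISSION, "ex:ReadHandbook"),
    ("ex:Engineer", HAS_PERMISSION, "ex:CommitCode"),
    ("ex:SeniorEngineer", HAS_PERMISSION, "ex:ApproveMerge"),
    ("ex:Auditor", HAS_PERMISSION, "ex:ReadAuditLog"),
    ("ex:alice", RDF_TYPE, "ex:SeniorEngineer"),
    ("ex:bob", RDF_TYPE, "ex:Auditor"),
    ("ex:mallory", RDF_TYPE, "ex:Engineer"),
    ("ex:mallory", RDF_TYPE, "ex:Auditor"),  # violates the SSD constraint
}


def objects(triples, subject, predicate):
    """All o such that (subject, predicate, o) is asserted."""
    return {o for s, p, o in triples if s == subject and p == predicate}


def superclasses(triples, cls):
    """Reflexive transitive closure of rdfs:subClassOf starting at cls."""
    closure, frontier = {cls}, [cls]
    while frontier:
        current = frontier.pop()
        for parent in objects(triples, current, SUBCLASS_OF):
            if parent not in closure:
                closure.add(parent)
                frontier.append(parent)
    return closure


def effective_roles(triples, user):
    """Roles held directly plus every role above them in the hierarchy
    (the rdf:type entailment an RDFS reasoner derives from rdfs:subClassOf)."""
    roles = set()
    for direct in objects(triples, user, RDF_TYPE):
        roles |= superclasses(triples, direct)
    return roles


def permissions(triples, user):
    """Permissions reachable through any effective role."""
    perms = set()
    for role in effective_roles(triples, user):
        perms |= objects(triples, role, HAS_PERMISSION)
    return perms


def is_authorized(triples, user, permission):
    return permission in permissions(triples, user)


def ssd_violations(triples):
    """Users whose effective roles include both sides of an owl:disjointWith
    assertion.  Because effective_roles climbs the hierarchy, disjointness
    declared on two roles also catches users who hold their sub-roles."""
    users = {s for s, p, _ in triples if p == RDF_TYPE}
    disjoint_pairs = {(s, o) for s, p, o in triples if p == DISJOINT_WITH}
    violations = set()
    for user in users:
        roles = effective_roles(triples, user)
        for a, b in disjoint_pairs:
            if a in roles and b in roles:
                violations.add((user, a, b))
    return violations


if __name__ == "__main__":
    for user in ("ex:alice", "ex:bob", "ex:mallory"):
        print(user, sorted(effective_roles(TRIPLES, user)),
              sorted(permissions(TRIPLES, user)))
    print("SSD violations:", sorted(ssd_violations(TRIPLES)))
```

With the sample data, alice's effective roles are SeniorEngineer, Engineer and Employee, so she holds ApproveMerge, CommitCode and ReadHandbook but not ReadAuditLog; bob holds only the Auditor and Employee permissions; and mallory is reported as the single SSD violation. The other encoding the abstract alludes to, roles as OWL individuals linked by a transitive sub-role property, does not get permission inheritance for free from rdfs:subClassOf and would need it stated as a rule or property chain instead.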