Supporting Role Based Provisioning with Rules Using OWL and F-Logic

The rule-based RBAC (RB-RBAC) model has been proposed to dynamically assign users to roles based on a set of rules. We identify two problems of this model: a simplified rule language with limited expressiveness and the lack of rule reasoning capabilities. In this paper we propose an expressive and extensible provisioning framework that overcomes these drawbacks. Our framework supports complex user-role assignment rules and provides rule reasoning capabilities using OWL DL and F-Logic. Furthermore, we show how our approach supports (i) weak and strong negation to enhance expressiveness and strictness, (ii) defining static SoD constraints, and (iii) detecting conflicts. Finally, the paper describes a mechanism to deduce well-formed SPML requests from rules to provision policy systems with entitlements.
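The abstract distinguishes weak negation (negation as failure, closed-world) from strong negation (an explicitly asserted falsity) in user-role assignment rules, and adds static SoD constraints with conflict detection. The following is an added illustration in plain Python, not the paper's OWL/F-Logic framework; the rule shape, attribute names, roles and the sample policy are all constructed for this example.

```python
from dataclasses import dataclass

# Hypothetical rule shape (not the paper's): three attribute sets per role rule
@dataclass(frozen=True)
class Rule:
    role: str
    requires: frozenset = frozenset()    # attributes that must be asserted True
    weak_not: frozenset = frozenset()    # must NOT be provable (negation as failure)
    strong_not: frozenset = frozenset()  # must be explicitly asserted False

def fires(rule, facts):
    """facts: attribute -> True/False. An attribute absent from facts is unknown."""
    if not all(facts.get(a) is True for a in rule.requires):
        return False
    # weak negation succeeds whenever the attribute is not provably True,
    # so an unknown (missing) attribute still lets the rule fire
    if any(facts.get(a) is True for a in rule.weak_not):
        return False
    # strong negation demands an explicit False; an unknown attribute blocks the rule
    if not all(facts.get(a) is False for a in rule.strong_not):
        return False
    return True

def assign_roles(rules, facts):
    """Roles a user is assigned under the rule set, given the known facts."""
    return {r.role for r in rules if fires(r, facts)}

def sod_conflicts(roles, sod_pairs):
    """Static SoD: every mutually exclusive pair whose two roles were both assigned."""
    return {pair for pair in sod_pairs if pair <= roles}

# Constructed sample policy
RULES = [
    Rule("Trader", requires=frozenset({"employee", "trading_desk"})),
    Rule("Auditor", requires=frozenset({"employee", "audit_dept"})),
    # weak negation: a contractor keeps read access unless termination is provable
    Rule("ContractorRead", requires=frozenset({"contractor"}),
         weak_not=frozenset({"terminated"})),
    # strong negation: admin rights need an explicit "not terminated" assertion
    Rule("PrivilegedAdmin", requires=frozenset({"employee"}),
         strong_not=frozenset({"terminated"})),
]
SOD_PAIRS = {frozenset({"Trader", "Auditor"})}

if __name__ == "__main__":
    bob = {"employee": True, "trading_desk": True, "audit_dept": True}
    roles = assign_roles(RULES, bob)
    print(roles, sod_conflicts(roles, SOD_PAIRS))
```

The same user data that fires both Trader and Auditor is what the SoD check flags, while a user whose termination status is simply unknown still obtains ContractorRead but never PrivilegedAdmin.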
