Policy Language Overview
Andrea Westerinen, CA Technologies, April 28, 2011


Topics

Overview and comparison of:
- DMTF's CIM and CIM-SPL (Simplified Policy Language)
- Ponder2 from Imperial College
- XACML
- AIR from MIT
- REI from UMBC
- RuleML
- OMG's SBVR
- TMForum's SID
- KAoS from IHMC

UNCLASSIFIED // FOR OFFICIAL USE ONLY

Language Comparison

| Language | Encoding | Structure | Oblig/Perm | Sem Web Support? | Std? |
|---|---|---|---|---|---|
| CIM-SPL | DSL; UTF-8 | If-then | Obligation | No | ~ |
| Ponder2 | DSL (derived from Smalltalk); UTF-8 and XML | ECA and Pos/Neg Authorization | Obligation and Permission | No | |
| XACML | XML | Condition-Effect (Permit/Deny) | Permission with related Obligations | Yes, via 3rd-party code (Clark & Parsia) | Yes |
| AIR (Accountability in RDF) | Turtle | Condition-Assertion | ~Permission (Validation) | Yes | No |
| REI (Japanese for "universal") | OWL-Lite + Variables | Condition-Action with Starting and Ending Conditions | Obligation and Permission | Yes | No |
| RuleML | Various encodings (focus on interop between the encodings) | Horn clauses (Head <- Body); evolution toward Event-Condition-Action | N/A | Yes | ~Yes |
| OMG's SBVR | XMI encoding of UML instances | Instances of quantifications, atomic formulations, role bindings, fact types, ... | Obligation and Permission | Not directly; via mapping to ISO Common Logic | Yes |
| TMForum's SID | XMI encoding of UML instances | Complex set of inter-related instances (supporting Event-Condition-Action) | Obligation | No (?) | Yes |
| IHMC's KAoS | OWL/RDF | Situation (event or history) -> Authorization and/or Obligations/Actions | Obligation and Permission | Yes | No |

Language Overviews

CIM and CIM-SPL

Constructs:
- PolicyGroup (set of rules)
- PolicyRule (set of conditions and actions)
- PolicyCondition (broad set of operators defined, but extensible only as macros)
- PolicyAction

Supports definition of rules whose conditions consist of CIM data properties, and whose actions invoke CIM operations or function calls
- Actions include operations on the CIM data repository to change properties, create an instance, etc.

PolicyGroup Structure (CIM-SPL)

  Import CIM_V _ _ :: : ;
  Strategy [Execute_All_Applicable | Execute_First_Applicable] ;
  Declaration {
    (Optional)
    (Optional)
  }
  Policy { ... } : Priority;
  ...
  PolicyGroup:[Association Name(Property1,Property2)] { ... }: Priority;
  ...

Example (CIM-SPL)

  // Target: may further filter target instances via the specification of a condition
  Import CIM_V_2_8_CIM_Core28-Final::PhysicalElement;
  Strategy Execute_All_Applicable;
  // Variables and Procs
  Declaration {
    InstallDate = "ManagedSystemElement.InstallDate";
    Macro { Name = Age; Type = Long; Arguments Born:DATETIME;
            Procedure = getYear(CurrentDate) - getYear(Born) }
  }
  // Rule
  Policy {
    Condition { 4 > Age(InstallDate) AND
                VendorEquipmentType == "switch" }
    Decision { Upgrade (SKU) }
  }:1   // Priority, if multiple policies are defined

Ponder2

Combines:
- Domain Service (for managing objects)
- Obligation Policy Interpreter (for handling Event-Condition-Action rules)
- Command Interpreter (accepts commands written in PonderTalk to perform actions against objects registered in the Domain Service)
- Authorization Enforcement (supports positive and negative authorization and conflict resolution)

Constructs:
- Policies are sets of rules
- Rules address either obligation or permission
- Obligation policies consist of condition/action definitions

Infrastructure resolves conflicts between policies that apply to the same (subject, target, action) triple
- Based on the "more specific" rule (the "more specific" type in the hierarchy)

Obligation Policy (Ponder2)

  template := root/factory/event create: #( "monitor" "value" ).
  root/event at: "monitor" put: template.
  policy := root/factory/ecapolicy create.
  policy event: root/event/monitor;
         condition: [ :value | value > 100 ];
         action: [ :monitor :value | root print:
                   "Monitor " + monitor + " has value " + value ];
         active: true.

Authorization Policy (Ponder2)

  root/tauthdom at: "a3" put: (newauthpol
      subject: root/personnel/nurse/ward1/nurse1
      action: "getrecord"
      target: root/patient/ward1/patient1
      focus: "t" ).
  root/tauthdom/a3 reqneg.
  root/tauthdom/a3 reqcondition:
      [ :nurselevel | nurselevel < 3 ].
  root/tauthdom/a3 repneg.
  root/tauthdom/a3 repcondition:
      [ :patrecord | patrecord == "[name=Harry;age=12;symptom=BonelessArm]" ].
  root/tauthdom/a3 active: true.

Slide callouts: "a3" is the rule name; the newauthpol expression is the rule; focus: "t" is where it is enforced (target side); reqneg / repneg mark negative authorization on the request and on the reply; reqcondition / repcondition add conditions on subject and target; active: true/false switches the rule on or off.
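The conflict-resolution behaviour described for Ponder2 (several positive and negative authorization rules may apply to one (subject, target, action) triple and the most specific one wins), written out as an added Python example. This is not Ponder2 or PonderTalk code and not the slide's example; the domain paths, rule names, the closed default and the tie-break on equal specificity (negative authorization preferred) are constructed assumptions.

```python
"""Added example, not Ponder2's own code: positive and negative authorization
rules over a domain hierarchy, resolved the way the slide describes, with the
most specific rule for a (subject, target, action) triple winning.  Domain
paths, rule names, the closed default and the tie-break on equal specificity
(negative authorization preferred) are constructed here."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthRule:
    name: str
    subject: str      # domain path the subject must be in, e.g. "root/personnel/nurse"
    action: str
    target: str       # domain path the target must be in, e.g. "root/patient/ward1"
    positive: bool    # True = positive authorization (permit), False = negative (forbid)


def in_domain(path: str, domain: str) -> bool:
    """An object is in a domain if its path is the domain itself or lies below it."""
    return path == domain or path.startswith(domain + "/")


def specificity(rule: AuthRule) -> int:
    """Deeper subject and target domains make a rule more specific."""
    return rule.subject.count("/") + rule.target.count("/")


def decide(rules, subject: str, action: str, target: str):
    """Return (permitted, deciding_rule_name).  Closed policy: no applicable rule -> (False, None)."""
    applicable = [r for r in rules
                  if r.action == action
                  and in_domain(subject, r.subject)
                  and in_domain(target, r.target)]
    if not applicable:
        return False, None
    # Most specific rule wins; on equal specificity the negative rule is preferred
    # (constructed tie-break, so that a broad permit never silently beats a forbid).
    winner = max(applicable, key=lambda r: (specificity(r), not r.positive))
    return winner.positive, winner.name


# Constructed rule set mirroring the slide: a3 forbids nurse1 reading patient1's record,
# while the broad a1 lets any nurse read any patient record.
RULES = [
    AuthRule("a1", "root/personnel/nurse", "getrecord", "root/patient", True),
    AuthRule("a2", "root/personnel/nurse/ward1", "getrecord", "root/patient/ward2", False),
    AuthRule("a3", "root/personnel/nurse/ward1/nurse1", "getrecord", "root/patient/ward1/patient1", False),
]

if __name__ == "__main__":
    print(decide(RULES, "root/personnel/nurse/ward1/nurse1", "getrecord", "root/patient/ward1/patient1"))
    print(decide(RULES, "root/personnel/nurse/ward1/nurse2", "getrecord", "root/patient/ward1/patient1"))
```

The specificity measure here is path depth, which is the simplest reading of "more specific type in the hierarchy"; a deployment would instead compare positions in the actual domain or type hierarchy, but the resolution logic stays the same.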

XACML 3 Concepts
- Permit/Deny
- Combining algorithms: First applicable, Deny overrides, Permit overrides, Only one applicable, ...
- Attributes defined as name/value pairs
- Broad set of operators, and extensible
- Action before or after access

Example (XACML)

  SampleServer

Rule in a Policy (XACML)

  login

Condition in a Rule (XACML)

  09:00:00

As above, but the time is 17:00:00

Multiple Rules in a Policy (XACML)

AIR

Allows control over reasoning by invoking rules according to pattern matching, dependency tracking (explanations), nesting of rules and goal direction

Rule types:
- Belief: forward-chaining deduction
- Goal: a means to limit the application of rules
- Hidden: not shown as a step in the deduction/explanation

Rule actions:
- Assertions (statement added to beliefs)
- Subrules
- Alternatives

AIR Concepts

Example (AIR)

  @forAll :PERSON, :CITY, :STATE.

  :ny_neighbor_state_residency_policy a air:Policy;
      air:rule :non-ny-residency-rule.                        # Rules in Policy

  :non-ny-residency-rule a air:Belief-rule;
      rdfs:label "Non NY residency rule";
      air:pattern { :PERSON tamip:Lives_in_city :CITY. };
      air:rule [ air:pattern { :CITY tamip:Has_state :NY. };  # Subrules in Rule
                 air:alt [ air:rule :neighbor-state-rule ] ].

  :neighbor-state-rule a air:Belief-rule;
      rdfs:label "neighbor state rule";
      air:pattern { :CITY tamip:Has_state :STATE.
                    :NY tamip:Neighbor_state :STATE. };
      air:assert { :PERSON air:compliant-with :ny_neighbor_state_residency_policy. }.
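How the nested rule above behaves (the subrule fires under the outer rule's variable binding, and the air:alt branch fires only when the subrule's pattern finds no match), shown as an added Python example. This is not the AIR reasoner and not the slide's Turtle; the facts, the ?NAME variable syntax and the fired-rule trace that stands in for AIR's explanations are constructed here.

```python
"""Added example, not the AIR reasoner: a small forward-chaining evaluator for
the nested Belief-rule on the slide.  A rule's pattern is matched against the
facts; on a match its assertions and subrules fire under that binding, and
when nothing matches its alternatives (air:alt) fire instead.  Facts, the
?NAME variable syntax and the trace are constructed for this example."""

POLICY = ":ny_neighbor_state_residency_policy"

# Constructed facts, as (subject, predicate, object) triples.
FACTS = {
    ("alice", "tamip:Lives_in_city", "Newark"),
    ("bob", "tamip:Lives_in_city", "Buffalo"),
    ("carol", "tamip:Lives_in_city", "Boston"),
    ("Newark", "tamip:Has_state", "NJ"),
    ("Buffalo", "tamip:Has_state", "NY"),
    ("Boston", "tamip:Has_state", "MA"),
    ("NY", "tamip:Neighbor_state", "NJ"),
    ("NY", "tamip:Neighbor_state", "CT"),
}


def is_var(term):
    return term.startswith("?")


def matches(pattern, facts, binding):
    """Yield every extension of `binding` under which all pattern triples are facts."""
    if not pattern:
        yield dict(binding)
        return
    head, rest = pattern[0], pattern[1:]
    for fact in facts:
        b = dict(binding)
        for p, f in zip(head, fact):
            if is_var(p):
                if b.setdefault(p, f) != f:   # variable already bound to something else
                    break
            elif p != f:
                break
        else:
            yield from matches(rest, facts, b)


class Rule:
    def __init__(self, label, pattern, assert_=(), subrules=(), alt=()):
        self.label = label
        self.pattern = pattern        # triples to match (air:pattern)
        self.assert_ = assert_        # triples to add on a match (air:assert)
        self.subrules = subrules      # rules evaluated under the match's binding (air:rule)
        self.alt = alt                # rules evaluated when the pattern does not match (air:alt)


def apply_rule(rule, facts, binding, trace):
    """Return the set of derived triples; record (label, binding) in trace for each firing."""
    derived = set()
    found = list(matches(rule.pattern, facts, binding))
    if found:
        for b in found:
            trace.append((rule.label, b))
            for triple in rule.assert_:
                derived.add(tuple(b.get(t, t) for t in triple))
            for sub in rule.subrules:
                derived |= apply_rule(sub, facts, b, trace)
    else:
        for alt in rule.alt:
            derived |= apply_rule(alt, facts, binding, trace)
    return derived


NEIGHBOR_STATE_RULE = Rule(
    "neighbor state rule",
    pattern=[("?CITY", "tamip:Has_state", "?STATE"), ("NY", "tamip:Neighbor_state", "?STATE")],
    assert_=[("?PERSON", "air:compliant-with", POLICY)],
)

NON_NY_RESIDENCY_RULE = Rule(
    "Non NY residency rule",
    pattern=[("?PERSON", "tamip:Lives_in_city", "?CITY")],
    # The anonymous subrule from the slide; "in-NY check" is a constructed label.
    subrules=[Rule("in-NY check", pattern=[("?CITY", "tamip:Has_state", "NY")],
                   alt=[NEIGHBOR_STATE_RULE])],
)


def compliant_persons(facts=FACTS):
    """Run the policy's top-level rule; return (persons marked compliant, firing trace)."""
    trace = []
    derived = apply_rule(NON_NY_RESIDENCY_RULE, facts, {}, trace)
    persons = sorted(s for s, p, o in derived if p == "air:compliant-with" and o == POLICY)
    return persons, trace
```

With these facts only alice (Newark, NJ, a neighbour of NY) is asserted compliant: bob's city is in NY, so the subrule matches and the alternative never runs; carol's state is not a neighbour, so the alternative runs but its own pattern fails. The trace lists which rule fired under which binding, the raw material an AIR-style explanation is built from.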

REI

Supports deontic objects
- Permissions, Prohibitions, Obligations, Dispensations (waiver for obligations)
- Common properties: Actor, Action, Constraint {StartingConstraint, EndingConstraint}
  - StartingConstraint is a subproperty of Constraint

Uses speech acts for dynamic policy modification
- Delegation, Revocation, Request, Cancel
- Properties: Sender, Receiver, Content (deontic object/action), Conditions

Focused on security and privacy

Uses meta-policies for conflict resolution

REI Concepts

REI Ontologies

Example (REI)

Slide callouts:
- Constraints that define the domain
- Associates deontic object
- Explicit/implicit permission/prohibition
- Whether positive/negative rules take precedence, or a priority resource defining ruleOfGreaterPriority / ruleOfLesserPriority

Example Deontic Object (REI)

If you borrow a book from the library, you're obliged to return it before the due date, otherwise you must pay a fine.

  <deontic:StartingConstraint rdf:resource="#IsMemberAndBorrowedBook"/>

Example Speech Act (REI)

'Marty' revokes the permission to use a specific action 'HP123Printing' from 'George'

RuleML

Concerned with rule interop "between industry standards
- such as JSR 94, SQL'99, OCL, BPMI, WSFL, XLang, XQuery, RQL, OWL, DAML-S, and ISO Prolog,
- as well as established systems (CLIPS, Jess, ILOG JRules, Blaze Advisor, Versata, MQWorkFlow, BizTalk, Savvion, etc.)"

Developed a base RuleML specification and a hierarchy of rule types
- Based on Datalog/Horn clauses and n-ary relations
- Unary/binary form of these clauses used in OWL/SWRL

Developed transformations from and to other rule standards/systems

Also addressing coordinated tool development
- Such as an XSLT normalizer to check syntax, add role tags and missing attributes

RuleML Rule Hierarchy
- Basic structure dealing with implications (head <- body), with details in the relationships between variables
- Most work in this area

RuleML Example

"A customer is premium if their spending has been min 5000 euro in the previous year."

Derivation
  Conclusion: premium customer
  Premises: spending customer min 5000 euro previous year

SBVR

Semantics of Business Vocabularies and Business Rules
- Based on semantic and first-order logic concepts
- Defines UML constructs to represent vocabularies and rules
- Assumed multi-lingual
  - Separates "symbols" from their concepts/semantics
- Defines a basic vocabulary/rule exchange structure using MOF/XMI
- Includes an approach to convert "structured English" to SBVR concepts in (non-normative) Annex C
  - The annex "describes one ... way of using English that maps mechanically to SBVR concepts."
  - "It is not meant to offer all of the variety of common English, but rather, it uses a small number of English structures and common words to provide a simple and straightforward mapping."

SBVR Details (Core Definitions to Instances)

Major Areas Addressed by SBVR

SBVR Community

SBVR Meanings

SBVR Semantic/Logical Formulations

SBVR Policies and Rules

SBVR Example

Very complex instantiation, even for simple rules ...
- For example ... Definition: the age of the driver is at least the EU-Rent Minimum Driving Age

Results in a complex set of variables, quantifications, atomic formulations, role bindings, fact types, ...
- The definition is represented by a projection
  - The projection is on a first variable
    - The first variable ranges over the concept 'driver' ...
    - The first variable maps to the one role of the characteristic.
  - The projection is constrained by a first universal quantification ...
    - Continued on the next slide

XML formulation even more complex

SBVR Example (Continued)

- The first universal quantification introduces a second variable.
  - The second variable ranges over the concept 'age'.
  - The second variable is unitary.
  - The second variable is restricted by an atomic formulation.
    - The atomic formulation is based on the fact type 'driver has age'.
    - The atomic formulation has a role binding.
      - The role binding is of the role 'driver' of the fact type.
      - The role binding binds to the first variable.
    - The atomic formulation has a second role binding.
      - The second role binding is of the role 'age' of the fact type.
      - The second role binding binds to the second variable.
- The first universal quantification scopes over a second universal quantification.
  - The second universal quantification introduces a third variable.
    - The third variable ranges over the concept 'EU-Rent Minimum Driving Age'.
    - The third variable is unitary.
  - The second universal quantification scopes over an atomic formulation.
    - The atomic formulation is based on the fact type 'quantity1 > quantity2'.
    - The atomic formulation has a role binding.
      - The role binding is of the role 'quantity1' of the fact type.
      - The role binding binds to the second variable.
    - The atomic formulation has a second role binding.
      - The second role binding is of the role 'quantity2' of the fact type.
      - The second role binding binds to the third variable.

SID Policy Domains
- Invariant definitions
- Instance-specific definitions
- Infrastructure components

SID Policy – Big Picture

SID Policy – Digging into Rules
- Execution strategy: do all actions, until failure, etc.
- Sequenced actions: mandatory to best effort
- XxxCriteria are OCL-based restrictions on actions, etc. in derived rules

SID – Policy Details

SID – Shared Information/Data Model
- Described in publication GB922, NGOSS Release 4, Addendum 1-POL

Constructs:
- Policy: a set of rules
- Policy Rule
- Policy Set: a group of policies
- Policy Event: an occurrence
- Policy Condition: an aggregation of individual PolicyConditions; a boolean expression
- Policy Action: an aggregation of individual PolicyActions; "actions to be applied"

SID Policy – Related Constructs
- Policy Subject: set of entities that is the "focus of the policy" (as Roles)
- Policy Targets: set of entities that the policy will be applied to (as Roles)
- But not further related in the model, except that Entities have EntityRoles, and PolicyApplications also have Roles

SID Example Not Provided

Cannot be compactly displayed: a complex set of inter-related instances. For example, ...
- PolicyRules have 1 or more PolicyConditions
  - which ultimately have to be defined as PolicyConditionAtomics
    - which are related 1-to-1 to PolicyStatements
      - which have 1 or more PolicyVariables
        - which are made up of 1 or more values with 1 or more operators
- Most concepts include related constraints (OCL)
- See the detailed UML diagrams in the backup slides

In addition, domain-specific extensions require corresponding UML definitions

KAoS Overview

From IHMC, the Florida Institute for Human and Machine Cognition
- Infrastructure and ontology for policy specification, analysis, disclosure and enforcement
  - Backing software implemented using Java Agent Services (JAS)
- Based on OWL-DL (OWL 1) for extensibility
  - Base ontology defines general policy concepts
  - Domain interpretations/extensions necessary for specific environments
  - Includes a generic reasoner interface (for example, the Stanford Java Theorem Prover or the Pellet reasoner)
- Incorporates concepts of both positive/negative authorization and obligation

KAoS Architecture (3 Layer)
- Policies distributed to Guards
- Implemented by enforcers

Policy Decision Point

KAoS Policies

Starting from a Situation ...
- Where the situation has variables describing its state, and has a history
- Use of history: When [the actor] has performed [an action] which has [attributes] at least [some number] of times within the last [some number] [time period], then ...
- Use of state: When the [situation] has [state] with [attributes], then ...

Evaluate a Rule: An [Actor] is [constrained] to perform [an action] which has [attributes]
- Where an actor can be a specific instance, a type/class or role, or a logical union/complement/... of other instances or types (concepts all natively supported by OWL)
- Where the constraint defines +/- authorization or obligation
- Where the action is a type/class (such as movement)
- ...

KAoS Policies (Continued)

Evaluate a Rule: An [Actor] is [constrained] to perform [an action] which has [attributes]
- ...
- Where the attributes are the parameters of the action and can be:
  - Simple value restrictions (all/some values within a set of enumerated instances or of a certain type), OR
  - A relation (equals, subset of/superset of, at least one, none) of 2 or more attributes

Business logic calls the KAoS Policy Service in the context of a given situation to:
- Test permission to perform an action
- Get obligations
- Get configuration (details allowed for the action to be authorized)

KAoS Concepts
- Entity, Attribute, Group
- Actor
- Situation
- Condition
- Action, ActionStatus, ActionHistory
- Event, EventHistory
- Place
- Message
- Policy
- Other concepts included by subclassing (for example, W3C time)

KAoS Policy Ontology

KAoS Example

Addressing Policy Conflicts
- Found by semantic (subsumption-based) reasoning

KAoS Infrastructure De-Confliction

Remove Policy
- One of the overlapping policies can be completely removed

Change Priority
- Priorities of the policies can be modified so they either do not conflict or they alter the precedence relation

Harmonize Policy
- The controlled action of the selected overlapping policy can be modified using an automatic harmonization algorithm to eliminate the overlap

Split Policy
- The controlled action of the selected overlapping policy can be split into two parts: one part that overlaps with the other policy and the other which does not. Then the priorities of these parts can be modified independently. (The splitting algorithm is similar to the harmonization and is currently in development.)
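Subsumption-based conflict detection and the "split policy" operation described above, as an added Python example. This is not KAoS code and not the OWL reasoning KAoS performs; the class taxonomy (a tree of actor and action classes), the policies, their priorities and the naming of the split parts are constructed assumptions, and overlap is taken to mean that one class subsumes the other, which is the only kind of overlap a tree taxonomy can express.

```python
"""Added example, not IHMC's KAoS code: policy-conflict detection by
subsumption over a small class taxonomy, plus the "split policy"
de-confliction from the slide, where the controlled action of the broader
policy is divided into the part that overlaps the other policy and the parts
that do not.  The taxonomy, policies and priorities are constructed."""
from dataclasses import dataclass, replace

# Constructed class taxonomy: child -> parent.  Roots ("Actor", "Action") have no entry.
TAXONOMY = {
    "Robot": "Actor", "GroundRobot": "Robot", "AerialRobot": "Robot",
    "Communication": "Action", "Email": "Communication", "Chat": "Communication",
    "EncryptedEmail": "Email", "PlainEmail": "Email", "Movement": "Action",
}


def subsumes(ancestor, cls):
    """True if `cls` is `ancestor` or a (transitive) subclass of it."""
    while cls is not None:
        if cls == ancestor:
            return True
        cls = TAXONOMY.get(cls)
    return False


def overlap(a, b):
    """Two classes overlap when either subsumes the other."""
    return subsumes(a, b) or subsumes(b, a)


def children(cls):
    return sorted(c for c, p in TAXONOMY.items() if p == cls)


def complement(broad, narrow):
    """Subclasses of `broad` that do not overlap `narrow`: the siblings collected
    while walking up from `narrow` to `broad`.  Empty when the two are equal."""
    rest = []
    cls = narrow
    while cls != broad:
        parent = TAXONOMY[cls]
        rest.extend(c for c in children(parent) if c != cls)
        cls = parent
    return sorted(rest)


@dataclass(frozen=True)
class Policy:
    name: str
    actor: str
    action: str
    positive: bool   # True = authorization, False = prohibition (negative authorization)
    priority: int


def find_conflicts(policies):
    """Pairs of opposite-modality policies whose actor and action classes overlap."""
    found = []
    for i, p in enumerate(policies):
        for q in policies[i + 1:]:
            if p.positive != q.positive and overlap(p.actor, q.actor) and overlap(p.action, q.action):
                found.append((p.name, q.name))
    return found


def split_policy(policy, other):
    """Split `policy` on its controlled action: one part covering the action class it
    shares with `other`, and one part per non-overlapping subclass.  The priorities
    of the parts can then be changed independently.  A policy whose action is
    already the narrower (or an unrelated) class is returned unchanged."""
    if subsumes(policy.action, other.action):
        broad, narrow = policy.action, other.action
    else:
        broad, narrow = other.action, policy.action
    if narrow == policy.action:
        return [policy], []
    overlap_part = replace(policy, name=policy.name + "/overlap", action=narrow)
    rest_parts = [replace(policy, name=f"{policy.name}/{cls}", action=cls)
                  for cls in complement(broad, narrow)]
    return [overlap_part], rest_parts


# Constructed policies: a broad authorization and a narrower prohibition that overlap it.
POLICIES = [
    Policy("allow-robot-communication", "Robot", "Communication", True, 1),
    Policy("forbid-ground-robot-email", "GroundRobot", "Email", False, 2),
    Policy("allow-robot-movement", "Robot", "Movement", True, 1),
]

if __name__ == "__main__":
    print(find_conflicts(POLICIES))
    print(split_policy(POLICIES[0], POLICIES[1]))
```

After the split, the "Chat" part of the broad authorization no longer conflicts with the e-mail prohibition at all, and only the "/overlap" part still needs a priority decision against it, which is the point of the operation: the conflict is confined to exactly the action class the two policies share.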

Backup

SID Policy Conditions

SID Policy Statements

SID Policy Variables

SID Policy Values