"R♫P" (RAP): RDF Access Control Policies
Pavan Reddiavri (Ebiquity Labs)
Motivation
[Figure: the Semantic Web layer cake (Berners-Lee, 2004)]
Motivation
The Semantic Web would enable a global social information-sharing space.
Creating and sharing that knowledge requires preset agreements between users.
Current implementations (photo sharing, for example) offer only coarse-grained control, which inhibits users.
Access Controls
Identity-based access control
Role-based access control
Rule/policy-based access control
Why Policies?
A role-based system does not provide the required granularity.
Policies can be expressed with respect to time (e.g. allow on a birthday).
Transient roles are difficult to create in a role-based system.
Policy-based access control is already used in other fields (databases, operating systems).
"R♫P"
RAP addresses the problem of defining and implementing access control for an RDF store.
Current RDF stores either ignore access control or provide only a very basic form of it.
RAP aims at expressive control at the level of individual triples.
"R♫P" is
"The basic RAP framework will allow an agent (person or program) to perform various actions (inserting, deleting, searching) on an RDF store, and the policy is used to decide whether the action is permitted or prohibited."
Actions on an RDF Graph
Add a new node-link-node.
Add a new node, linked to an existing node.
Add a new link between two existing nodes.
Delete, update or search for triples.
Infer triples.
RDFS Graph
An RDFS graph has an inherent structure, so an action on it can be classified as either a schema or an instance modification:
Create a class
Create properties for a class
Create an instance
Create a property instance
Does this structure help us?
RAP: Actions
See(A,T): Agent A sees triple T if T is returned in the response to one of A's queries.
Use(A,T): Agent A uses triple T if T is used in answering one of A's queries (for example, a triple that supports an inferred answer without itself being returned).
RAP: Actions
Insert(A,T): Agent A directly inserts triple T into the graph.
InferInsert(A,T): Agent A infer-inserts triple T if A performs Insert(A,T1) and T1 implies T, at a time when T is not in the graph.
RAP: Actions
Remove(A,T): Agent A directly removes triple T from the graph.
InferRemove(A,T): Agent A infer-removes triple T if A performs Remove(A,T1), T1 implies T, and T's existence in the graph depends on T1 (that is, nothing else still entails T).
update(A,T1,T2): Agent A directly replaces triple T1 with T2.
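The distinction between the direct actions (Insert, Remove) and their inferred counterparts (InferInsert, InferRemove) is easiest to see on a running store. The following is an added example written for this page, not code from the RAP slides or the Ebiquity prototype: a toy Python store with a single RDFS entailment rule (rdf:type propagates along rdfs:subClassOf) that logs which triples an agent's direct action brought into or out of the graph indirectly. The names Graph, closure and demo and the emp:/foaf: sample triples are assumptions of the example.

```python
"""Toy RDF store that reports the RAP action vocabulary.

Added example, not code from the RAP slides or the Ebiquity prototype.
One RDFS entailment is kept (rdf:type propagates along rdfs:subClassOf) so
that a direct Insert/Remove by an agent can be seen to cause InferInsert /
InferRemove of triples the agent never named.  Graph, closure, demo and the
emp:/foaf: sample triples are assumptions of this example.
"""
from collections import defaultdict

RDF_TYPE = "rdf:type"
RDFS_SUBCLASSOF = "rdfs:subClassOf"


def closure(asserted):
    """Triples entailed by `asserted` under the single rule
    (x rdf:type C), (C rdfs:subClassOf D) => (x rdf:type D), applied transitively."""
    supers = defaultdict(set)
    for s, p, o in asserted:
        if p == RDFS_SUBCLASSOF:
            supers[s].add(o)
    entailed = set()
    for s, p, o in asserted:
        if p != RDF_TYPE:
            continue
        stack, seen = list(supers[o]), set()
        while stack:
            c = stack.pop()
            if c in seen:
                continue
            seen.add(c)
            entailed.add((s, RDF_TYPE, c))
            stack.extend(supers[c])
    return entailed


class Graph:
    def __init__(self):
        self.asserted = {}    # triple -> agent that inserted it (createdTriple)
        self.derived = set()  # triples present only because they are entailed
        self.log = []         # (action, agent, triple), in order of occurrence

    def triples(self):
        return set(self.asserted) | self.derived

    def _apply(self, action, agent, triple, mutate):
        """Run a direct action, then log its inferred side effects: InferInsert
        for entailed triples absent before, InferRemove for entailed triples
        whose only support went away with the removed triple."""
        before = self.triples()
        mutate()
        self.log.append((action, agent, triple))
        self.derived = closure(set(self.asserted)) - set(self.asserted)
        after = self.triples()
        for t in sorted(after - before - {triple}):
            self.log.append(("InferInsert", agent, t))
        for t in sorted(before - after - {triple}):
            self.log.append(("InferRemove", agent, t))

    def insert(self, agent, triple):
        """Insert(A,T).  Asserting a triple that is currently only derived is
        allowed; it then survives the loss of its support."""
        if triple in self.asserted:
            return False
        self._apply("Insert", agent, triple,
                    lambda: self.asserted.__setitem__(triple, agent))
        return True

    def remove(self, agent, triple):
        """Remove(A,T).  If T is still entailed by what remains it stays in the
        graph as a derived triple: the direct removal is logged, nothing is lost."""
        if triple not in self.asserted:
            return False
        self._apply("Remove", agent, triple, lambda: self.asserted.pop(triple))
        return True

    def update(self, agent, old, new):
        """update(A,T1,T2) as two direct actions."""
        return self.remove(agent, old) and self.insert(agent, new)

    def see(self, pattern):
        """See(A,T): what a query (None = wildcard) returns, derived triples
        included, which is why read policies must also cover inferred triples."""
        return {t for t in self.triples()
                if all(w is None or w == v for w, v in zip(pattern, t))}


def demo():
    """Constructed scenario: alice's single Insert and Remove each entail a
    foaf:Person triple that she never inserted or removed directly."""
    g = Graph()
    g.insert("admin", ("emp:Employee", RDFS_SUBCLASSOF, "foaf:Person"))
    g.insert("alice", ("emp:bob", RDF_TYPE, "emp:Employee"))
    g.remove("alice", ("emp:bob", RDF_TYPE, "emp:Employee"))
    return g.log


if __name__ == "__main__":
    for entry in demo():
        print(*entry)
```

The log is what a policy engine has to judge: alice never named the foaf:Person triple, yet her two requests created and then destroyed it, so a policy that inspects only the triple in the request misses both events. Conversely, a triple that is asserted and also entailed is not infer-removed when one of its supports goes away.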
RAP: Example Policies
To prevent people from modifying the schema, i.e. defining classes or properties or modifying their definitions:
  prohibited(insert(A,(_,P,_))) :- schemaPredicate(P).
schemaPredicate(P) is true if P is a predicate used to define schema-level information (e.g. rdfs:subClassOf, rdfs:domain, rdfs:range).
RAP: Example Policies
Agents are permitted to create instances of classes they created:
  permitted(insert(A,(_,rdf:type,C))) :- createdNode(A,C).
Agents are permitted to delete any triples they inserted themselves:
  permitted(remove(A,T)) :- createdTriple(A,T).
Employer Data Store
No one may change the schema:
  prohibited(insert(A,(_,P,_))) :- schemaPredicate(P).
Registered users may create instances of employee:
  permitted(insert(A,(_,rdf:type,RAP:employee))) :- registered(A).
You may assert or see anything about nodes you created:
  permitted(insert(A,(C,_,_))) :- createdNode(A,C).
  permitted(see(A,(C,_,_))) :- createdNode(A,C).
No one may see anyone's salary:
  prohibited(see(A,(_,emp:salary,_))).
  prohibited(see(A,(_,P,_))) :- rdfs:subPropertyOf(P,emp:salary).
The second salary rule is what makes the first one hold in a store that infers triples: a value that reaches the user through a sub-property of emp:salary would otherwise slip past a prohibition that names emp:salary alone.
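As an added example (not the RAP prototype, which evaluated such rules in a Prolog-based engine), the employer policy above written as Python clauses over a small store, with one guarded method per action. Two points the slide does not settle are assumed here: a matching prohibited rule overrides a permitted one, and an action that no rule permits is denied. The names Store, decide, load_schema and demo, the emp: sample data (emp:Employee stands in for the slide's RAP:employee) and the registered-agent list are also assumptions of the example.

```python
"""Policy check for the 'Employer Data Store' policy set.

Added example, not the RAP prototype: each Prolog-style rule from the slide
becomes one clause in prohibited()/permitted().  Assumptions not on the
slide: a prohibition overrides a permission, an unmatched action is denied,
the schema is loaded by a trusted operator, and emp:Employee is used for the
slide's RAP:employee.  All names and sample data are constructed here.
"""
SCHEMA_PREDICATES = {"rdfs:subClassOf", "rdfs:subPropertyOf",
                     "rdfs:domain", "rdfs:range"}


class Store:
    def __init__(self, registered):
        self.registered = set(registered)   # registered(A)
        self.triples = {}                   # triple -> agent: createdTriple(A,T)
        self.node_creator = {}              # node -> agent:  createdNode(A,C)

    def load_schema(self, triples):
        """Trusted bootstrap (assumption): the policy itself forbids inserting
        schema predicates through the normal, policy-checked path."""
        for t in triples:
            self.triples[t] = "operator"
            for node in (t[0], t[2]):
                self.node_creator.setdefault(node, "operator")

    # ---- ground predicates the rules consult ----------------------------------
    def schema_predicate(self, p):
        return p in SCHEMA_PREDICATES

    def sub_property_of(self, p, q):
        """rdfs:subPropertyOf(P,Q), reflexive and transitive over stored schema."""
        frontier, seen = [p], set()
        while frontier:
            x = frontier.pop()
            if x == q:
                return True
            seen.add(x)
            frontier += [o for (s, pr, o) in self.triples
                         if pr == "rdfs:subPropertyOf" and s == x and o not in seen]
        return False

    # ---- the policy: one clause per rule on the slide -------------------------
    def prohibited(self, agent, action, t):
        s, p, o = t
        # prohibited(insert(A,(_,P,_))) :- schemaPredicate(P).
        if action == "insert" and self.schema_predicate(p):
            return True
        # prohibited(see(A,(_,emp:salary,_))).
        # prohibited(see(A,(_,P,_))) :- rdfs:subPropertyOf(P,emp:salary).
        if action == "see" and self.sub_property_of(p, "emp:salary"):
            return True
        return False

    def permitted(self, agent, action, t):
        s, p, o = t
        # permitted(insert(A,(_,rdf:type,emp:Employee))) :- registered(A).
        if (action == "insert" and p == "rdf:type" and o == "emp:Employee"
                and agent in self.registered):
            return True
        # permitted(insert(A,(C,_,_))) :- createdNode(A,C).
        # permitted(see(A,(C,_,_)))    :- createdNode(A,C).
        if action in ("insert", "see") and self.node_creator.get(s) == agent:
            return True
        # permitted(remove(A,T)) :- createdTriple(A,T).
        if action == "remove" and self.triples.get(t) == agent:
            return True
        return False

    def decide(self, agent, action, t):
        """Assumed conflict resolution: a prohibition wins, otherwise default deny."""
        if self.prohibited(agent, action, t):
            return "prohibited"
        return "permitted" if self.permitted(agent, action, t) else "prohibited"

    # ---- guarded actions ------------------------------------------------------
    def insert(self, agent, t):
        if self.decide(agent, "insert", t) != "permitted":
            return False
        self.triples[t] = agent
        for node in (t[0], t[2]):
            self.node_creator.setdefault(node, agent)
        return True

    def remove(self, agent, t):
        if t not in self.triples or self.decide(agent, "remove", t) != "permitted":
            return False
        del self.triples[t]
        return True

    def see(self, agent, pattern):
        """Filter a query's answers triple by triple; None is a wildcard."""
        return {t for t in self.triples
                if all(w is None or w == v for w, v in zip(pattern, t))
                and self.decide(agent, "see", t) == "permitted"}


def demo():
    """Constructed scenario for two registered users, alice and bob."""
    st = Store(registered=["alice", "bob"])
    st.load_schema([("emp:Employee", "rdfs:subClassOf", "foaf:Person"),
                    ("emp:bonus", "rdfs:subPropertyOf", "emp:salary")])
    return {
        "alice types herself": st.insert("alice", ("emp:alice", "rdf:type", "emp:Employee")),
        "alice sets her salary": st.insert("alice", ("emp:alice", "emp:salary", "50000")),
        "alice sets her bonus": st.insert("alice", ("emp:alice", "emp:bonus", "1000")),
        "bob edits alice's node": st.insert("bob", ("emp:alice", "emp:bonus", "2000")),
        "bob adds a subclass": st.insert("bob", ("emp:Temp", "rdfs:subClassOf", "emp:Employee")),
        "alice sees her node": st.see("alice", ("emp:alice", None, None)),
        "bob removes alice's triple": st.remove("bob", ("emp:alice", "rdf:type", "emp:Employee")),
        "alice removes her own": st.remove("alice", ("emp:alice", "emp:salary", "50000")),
    }
```

Two things to note when reading the result. alice is allowed to write her own salary and bonus (she created the node) but cannot read either back, because the salary prohibitions override the createdNode permission; and the bonus triple is hidden only because the rdfs:subPropertyOf rule is evaluated against the schema in the store, so a deployment that lets the schema change under the policy would also change what the policy hides.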
RAP: Prototype
[Figure: RDF client <-> RAP policy engine <-> RDF store, with a data/policies access protocol between each pair]
RAP policy engine: candidates are REI, a Prolog-based engine written from scratch, or Cwm.
RDF store: Redland, Kowari, or Jena models.
Data/policies access protocol: extend HTTP (WebDAV); GET with a SPARQL query in the body to search the store, PUT with RDF data in the body to add data.
(A request body on GET has no defined meaning in HTTP and is dropped by many intermediaries; the later SPARQL Protocol carries the query as a GET parameter or in a POST body.)
Other Considerations
Policy representation: Prolog, N3, custom, ...
Expressiveness of policies.
Delegation handling and depth of delegation: can a club bouncer let himself into the club?
RDF stores are still in their infancy.
Performance and scalability.
Applications
Enterprise-level knowledge bases (RDF stores).
Enterprise-level blogging, controlling the creation of and access to blogs.
Applications requiring collaborative creation of a knowledge store.
Alan Hollander's application in SPIRE.
Thank You