Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Ontology based Policy Interoperability Dr. Latifur Khan Tahseen Al-Khateeb Mohammad Alam Mohammad Farhan Husain.

Published byJerome Waters Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Ontology based Policy Interoperability Dr. Latifur Khan Tahseen Al-Khateeb Mohammad Alam Mohammad Farhan Husain."— Presentation transcript:

1 1 Ontology based Policy Interoperability Dr. Latifur Khan Tahseen Al-Khateeb Mohammad Alam Mohammad Farhan Husain

2 2 Outline  Motivating example ←  XACML Recap  The problem of heterogeneity  OPI: Our solution to the problem  Demonstration  Future Works

3 3 An example scenario  Suppose there are two organizations: OrgA and OrgB, both having geo-spatial data.  Access control policy in XACML.  They form a federation and want that subjects (e.g. People, client s/w etc.) of one organization will be able to access resources (e.g. Data, file etc.) of other organization based on existing policies without any modification & human assistance

4 4 Problem faced  Both organizations have policies based on their own naming convention, data type Not recognized by other organization  Access request will contain organization specific keywords and data type  Requests will fail if evaluated by existing XACML processing model

5 5 Geo-spatial data specific improvement  For some data in case full permission cannot be given, Partial Permit can be provided  Partial Permit will essentially mean getting a part of data the request wanted to get

6 6 Outline  Motivating example  XACML Recap ←  The problem of heterogeneity  OPI: Our solution to the problem  Demonstration  Future Works

7 7 XACML: brief introduction  XACML stands for eXtensible Access Control Markup Language.  It is a declarative access control policy language implemented in XML  It also includes a processing model, describing how to interpret the policies.  Latest version 2.0 was ratified by OASIS standards organization on 1 February 2005.

8 8 XACML Request processing rule PDP PEP Decision request (Premise) Decision response (Conclusion) 3 2 Access request 1 5 Attributes Decision, Obligations rule PEP fulfills obligations 4 PDP – Policy Decision Point PEP – Policy Enforcement Point

9 9 More about XACML  Elements Attribute Function Rule Policy Policy Set  Rule effects Permit Deny

10 10 Rule combination algorithms Combination AlgorithmExpected Behavior Deny Override A policy is denied if a rule is encountered the effect of which is “Deny” Permit Override A policy is permitted if a rule is encountered the effect of which is “Permit” First-one-applicable The combined result is the same as the result of the first rule Only-one-applicable The combined result corresponds to the result of the unique rule which applies to the request.  If there are multiple rules in a policy, they must be combined to get a single decision. The XACML normative rule combination algorithms are :

11 11 An example policy  Here is a simple example Policy in the following slide. Policy target says that Policy applies to requests for High access objects (e.g. sys-admin) Policy has a Rule which applies to viewing Airport data. A request is permitted if Subject is trying to view data between 10am and 2pm.

12 12 Policy Target Rule Effect

13 13 Rule Condition

14 14 Outline  Motivating example  XACML Recap  The problem of heterogeneity ←  OPI: Our solution to the problem  Demonstration  Future Works

15 15 The problem of heterogeneity  Types of heterogeneity Naming heterogeneity Data type heterogeneity  Subjects, resources and attributes can be differently defined in different organizations  For example Network Administrator = System Admin Read = View Directory = Folder  In such case, policy of one organization is not applicable to another when they form a federation

16 16 Heterogeneity

17 17 Outline  Motivating example  XACML Recap  The problem of heterogeneity  OPI: Our solution to the problem ←  Demonstration  Future Works

18 18 OPI: our approach to solve the problem  In case a directly applicable policy or rule is not found for a request, we will use a domain ontology for Subjects Resources Actions

19 19 New rule effect: Partial Permit  We have added new rule effect: “Partial Permit” to XACML to grant request partially.  Example Grant only the outer boundary of some object e.g. airport Return a map with lower resolution than requested

20 20 Steps taken: Suppose, a subject of OrgA sends request to OrgB. Following steps will be taken:  Within all the policies and rules of OrgB, find the rule which has a subject of minimum semantic distance from the subject of the request in the ontology of subjects. In case of ties, find the rule among the tied rules which has a resource of minimum semantic distance from the resource of the request in the ontology of resources. In case of ties, find the rule among the tied rules which has an action of minimum semantic distance from the action of the request in the ontology of actions

21 21 Steps taken: (continued)  Use a semantic distance score formula to get a match score  If Score ≥ Full-effect threshold  use its effect as the outcome.  If Score ≤ Full-effect threshold & Score ≥ Partial-effect threshold & Rule-effect == Permit  Partial-permit  If Score < Partial-permit threshold  Deny  In case of multiple rules having tie, we will use rule combination algorithm specified in the policy to break the tie.

22 22 Steps taken:  Request Subject: SystemAdmin Resource: AIRPORT_area Action: View  Rule-1 Subject: GISAdmin Resource: AIRPORT_area Action: View Effect: Permit  Rule-2 Subject: Lkhan Resource: EMPLOYERS_point Action: View Effect: Deny  Rule-3 Subject: LowAccessSubjects Resource: AIRPORT_area Action: View Effect: Deny

23 23 The ontology

24 24 Semantic distance score formula  To find the matching similarity score between two nodes C1 and C2, we first determine their closes common parent C. Then the score S(C1,C2) is formulated as follows: S(C1, C2) =  Where len is a length operator that calculates the shortest distance between two nodes in an ontology tree and D is the overall depth of the tree.

25 25 Semantic distance score formula (continued)  We calculate there different score values, S S (C1, C2), S R (C1, C2), and S A (C1, C2) for subject, resource and action parameters, respectively. The score values are combined by an aggregation function where is a set of 3-ary tuples and is the set of real numbers. The function, henceforth referred to as Aggregation function, is represented as  Aggregation function result is compared against a pre-determined threshold value to resolve the policy decision. The decision could be either one of the three effects: Permit, Deny, and Partial- Permit.

26 26 A complete example

27 27

28 28

29 29 Outline  Motivating example  XACML Recap  The problem of heterogeneity  OPI: Our solution to the problem  Demonstration ←  Future Works

30 30 Outline  Motivating example  XACML Recap  The problem of heterogeneity  OPI: Our solution to the problem  Demonstration  Future Works ←

31 31 Future works:  Take all policies of all organizations into account  Address data type heterogeneity

32 32 Future Works:  GML rendering API in java ArcGIS shows GML data but the process is cumbersome ArcGIS does not provide API for GML display Currently, no API in any language for displaying GML data

Download ppt "1 Ontology based Policy Interoperability Dr. Latifur Khan Tahseen Al-Khateeb Mohammad Alam Mohammad Farhan Husain."

Similar presentations

XML-XSL Introduction SHIJU RAJAN SHIJU RAJAN Outline Brief Overview Brief Overview What is XML? What is XML? Well Formed XML Well Formed XML Tag Name.

XML-XSL Introduction SHIJU RAJAN SHIJU RAJAN Outline Brief Overview Brief Overview What is XML? What is XML? Well Formed XML Well Formed XML Tag Name.
Access control for geospatial information objects using/extending the eXtensible Access Control Markup Language Andreas Matheus, Technische Universität.

Access control for geospatial information objects using/extending the eXtensible Access Control Markup Language Andreas Matheus, Technische Universität.
News in XACML 3.0 and application to the cloud Erik Rissanen, Axiomatics

News in XACML 3.0 and application to the cloud Erik Rissanen, Axiomatics
1 Authorization XACML – a language for expressing policies and rules.

1 Authorization XACML – a language for expressing policies and rules.
New Challenges for Access Control April 27, 2005 1 Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.

New Challenges for Access Control April 27, Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.
Using XACML Policies to Express OAuth Scope Hal Lockhart Oracle June 27, 2013.

Using XACML Policies to Express OAuth Scope Hal Lockhart Oracle June 27, 2013.
Approaches to generalization of XACML New challenges for access control 27 th April 2005 Tim Moses.

Approaches to generalization of XACML New challenges for access control 27 th April 2005 Tim Moses.
An Approach to Evaluate Data Trustworthiness Based on Data Provenance Department of Computer Science Purdue University.

An Approach to Evaluate Data Trustworthiness Based on Data Provenance Department of Computer Science Purdue University.
Authz work in GGF David Chadwick

Authz work in GGF David Chadwick
Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.

Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.
XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.

XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.
1 Draft of a Matchmaking Service Chuang liu. 2 Matchmaking Service Matchmaking Service is a service to help service providers to advertising their service.

1 Draft of a Matchmaking Service Chuang liu. 2 Matchmaking Service Matchmaking Service is a service to help service providers to advertising their service.
Distributed Systems CS 15-440 Naming – Part II Lecture 6, Sep 26, 2011 Majd F. Sakr, Vinay Kolar, Mohammad Hammoud.

Distributed Systems CS Naming – Part II Lecture 6, Sep 26, 2011 Majd F. Sakr, Vinay Kolar, Mohammad Hammoud.
95-804 Applied Cryptography Week 13 SAML 1 95-804 Applied Cryptography SAML and XACML Mike McCarthy Week 13.

Applied Cryptography Week 13 SAML Applied Cryptography SAML and XACML Mike McCarthy Week 13.
A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.

A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.
XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.

XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.
Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.

Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.
Combining KMIP and XACML. What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Ability to use any.

Combining KMIP and XACML. What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Ability to use any.
XACML Gyanasekaran Radhakrishnan. Raviteja Kadiyam.

XACML Gyanasekaran Radhakrishnan. Raviteja Kadiyam.
XACML 2.0 in the Enterprise: Use- Cases and Deployment Challenges Prateek Mishra, Frank Villavicencio, Rich Levinson Oracle Identity Management Group 02/07/2006.

XACML 2.0 in the Enterprise: Use- Cases and Deployment Challenges Prateek Mishra, Frank Villavicencio, Rich Levinson Oracle Identity Management Group 02/07/2006.

Similar presentations

Ads by Google