Download presentation
Presentation is loading. Please wait.
Published byHarvey Hutchinson Modified over 5 years ago
1
Scalable and Efficient Reasoning for Enforcing Role-Based Access Control
Tyrone Cadenhead Advisors: Murat Kantarcioglu, and Bhavani Thuraisingham
2
Overview Motivation Contributions Approach Theoretical Background:
RBAC, TRBAC, Description Logics, SWRL Detailed Overview of Approach and Optimizations Example Experimental Results
3
Motivation Organizations tend to generate large amount of data
Users need only partial access to resources nu users and nr roles = at most nu ×nr mappings Scalable access control model and easy management Handle heterogeneity in information system
4
Motivation (cont’d) RBAC simplifies Security Management
But Roles are statically defined TRBAC extends RBAC Roles are dynamically defined and have a temporal dimension Does not address Heterogeneity inherent in organization information systems Ontology has a Common Vocabulary Conforms to a Description Logic (DL) formalism As a result, ontology Knowledge Bases (KBs) has a Description Logic (DL) Reasoning Service Can be Distributed as different Knowledge Bases
5
Main Contributions TRBAC Implementation using existing semantic technologies Reasoning Service access control over large numbers of data instances in DL Knowledge Bases (KBs) Efficiently and accurately reason about access rights
6
Approach Transform the access control policies into the semantic web rule language (SWRL) Partitioning the Knowledge Base into a set of smaller Knowledge Bases, which have the same TBox but a subset of the original Abox A Knowledge Base consists of a TBox and ABox
7
Approach (cont’d) Achieves:
1. Scalability – support many users, roles, sessions, permissions; combinations w.r.t access control policies 2. Efficiency - determines the response time to make a decision in milliseconds 3. Correct reasoning - ensures that all the data assertions are available when applying the security policies
8
Theoretical Background
RBAC TRBAC Description Logic Language (ALCQ) SWRL
9
RBAC
10
TRBAC An extension of RBAC models that supports temporal constraints on the enabling/disabling of roles. Supports periodic role enabling and disabling, and temporal dependencies among such actions. Such dependencies are expressed by means of role triggers that can also be used to constrain the set of roles that a particular user can activate at a given time instant. The firing of a trigger may cause a role to be enabled/disabled either immediately, or after an explicitly specified amount of time. The enabling/disabling actions may be given a priority that may help in solving conflicts, such as the simultaneous enabling and disabling of a role
11
Description Logics
12
SWRL Also the Semantic Web Rule language (SWRL) is a W3C recommendation. A SWRL rule has the form are atoms of the form C(i) or atoms of the form P(i,j)
13
Detailed Overview
14
Step 1
15
Step 2
16
Step 3
17
Inference Stage When there is an access request for a specific patient, start executing steps 2 and 3. Steps 2 and 3 are our inferencing stages where we enforce the security policies. These can also be executed concurrently for many patients, as desired.
18
Advantages Adding SWRL rules to KBinf does not have a huge impact on the reasoning time as indicated by our experimental results. This is due to the fact that we are only retrieving a small subset of triples which reduces the number of symbols in the ABox when the rules are applied
19
Advantages (cont’d)
20
Definition of a Knowledge Base (KB)
21
(Mapping Function) Connects two domain modules so that we have:
RBAC assignments: the mappings user-role, role-user, role-permission, permission-role, user-session, role-role and role-session Hospital extensions: the mappings patient-user, user-patient and patient-session Patient-Record constraint: the one-to-one mappings patient-record and record-patient
22
Home Partition
23
(P-link)
24
Policy Query
25
Example
26
Trace
27
Optimization Two types of indexing: indexing the assertions
to find a triple by a subject (s), a predicate (p) or an object (o), without the cost of a linear search over all the triples in a partition creating a high level index. points to the location of the partitions on disk At most linear with respect to the number of partitions
28
Experiments
29
Experiments
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.