ABSTRACT
There have been two parallel themes in access control research in recent years. On the one hand, there are efforts to develop new access control models to meet the policy needs of real-world application domains. In parallel, and almost separately, researchers have developed policy languages for access control. This paper is motivated by the consideration that these two parallel efforts need to develop synergy. A policy language in the abstract, without ties to a model, gives the designer little guidance. Conversely, a model may not have the machinery to express all the policy details of a given system, or may deliberately leave important aspects unspecified. Our vision for the future is a world where advanced access control concepts are embodied in models that are supported by policy languages in a natural, intuitive manner, while allowing details beyond the models to be further specified in the policy language.
This paper studies the relationship between the Web Ontology Language (OWL) and the Role-Based Access Control (RBAC) model. Although OWL is a web ontology language and was not specifically designed for expressing authorization policies, it has been used successfully for this purpose in previous work. OWL is a leading specification language for the Semantic Web, making it a natural vehicle for providing access control in that context. In this paper, we show two different ways to support the NIST Standard RBAC model in OWL and then discuss how the OWL constructions can be extended to model attribute-based RBAC or, more generally, attribute-based access control. We further examine and assess OWL's suitability for two other access control problems: supporting attribute-based access control and performing security analysis in a trust-management framework.
Index Terms
- ROWLBAC: representing role based access control in OWL