Title: SBAC: A Semantic Based Access Control Model
1. SBAC: A Semantic Based Access Control Model
NordSec 2006
2. Motivation
- Access Control is a mechanism that allows owners of resources to define, manage and enforce access conditions applicable to each resource.
- But how powerful are the current access control models and mechanisms?
- Are they able to express complex access control policies?
3. Motivation (cntd.)
- A complex access control policy example:
  "A Bank authority is not allowed to settle money to accounts of his friends in that bank."
- How to represent this policy in a computer?
- How can a computer understand whether X is a friend of Y?
- How can a computer decide whether to permit or deny X from settling money to the Z account of Y?
- How can computers understand the semantics of these kinds of policies?
- How can the computer use these semantics to do inferences in making access control decisions?
4. Outline
- Semantics representation mechanisms
- SBAC
  - Introduction
  - Authorization rules
  - Semantic Authorization inference
  - Authorization Propagation
  - Using rules for better expressivity
- Experimental results
5. Semantic-awareness
- For semantic-aware access control, we need a means for representing semantics.
6. Vocabulary
7. Taxonomy
8. Ontology
9. SBAC
10. SBAC
- Makes its decisions in three domains:
  - Objects domain
    - Objects are entities that are accessed and/or modified.
  - Subjects domain
    - Subjects are active entities that require access to objects.
  - Actions domain
    - Actions are operations that subjects perform on objects.
- Each domain is represented by an ontology:
  - Subject Ontology (SO)
  - Object Ontology (OO)
  - Action Ontology (AO)
11. An Example Object Ontology
12. An Example Subject Ontology
13. An Example Action Ontology
14. Authorization Rules
- An authorization rule is in the form of (s, o, a), in which s is an entity defined in SO, o is an entity defined in OO, and a is an entity defined in AO.
- This rule determines whether a subject which presents credential s can have the access right a on object o or not.
- Authorization rules are stored in an Authorization Base (AB).
15. Implicit Authorization Rules
(S, Account, read)
⇒ (S, Long Term Deposit, read)
16. Semantic Authorization Inference
17. Ontology Languages
- Graphical notations
  - Semantic networks
  - Topic maps
  - UML
  - RDF
- Logic based
  - Description Logics (e.g., OIL, DAML+OIL, OWL)
  - Rules (e.g., RuleML, Prolog)
  - First Order Logic
18. OWL (Ontology Web Language)
- OWL is an XML based ontology language and is now a W3C (World Wide Web Consortium) Recommendation.
19. An Example OWL Ontology

```xml
<owl:Class rdf:ID="Person" />
<owl:Class rdf:ID="Man">
  <rdfs:subClassOf rdf:resource="#Person" />
  <owl:disjointWith rdf:resource="#Woman" />
</owl:Class>
<owl:Class rdf:ID="Woman">
  <rdfs:subClassOf rdf:resource="#Person" />
  <owl:disjointWith rdf:resource="#Man" />
</owl:Class>
<owl:Class rdf:ID="Father">
  <rdfs:subClassOf rdf:resource="#Man" />
</owl:Class>
<owl:Class rdf:ID="Mother">
  <rdfs:subClassOf rdf:resource="#Woman" />
</owl:Class>
<owl:Class rdf:ID="Parent">
  <owl:unionOf rdf:parseType="Collection">
    <owl:Class rdf:about="#Father" />
    <owl:Class rdf:about="#Mother" />
  </owl:unionOf>
</owl:Class>
```
20. Inference on OWL Ontologies
- A lot of different relationships can be defined between concepts in an OWL ontology:
  - subClassOf
  - equivalentClass
  - disjointWith
  - intersectionOf
  - unionOf
  - complementOf
  - ...
- Therefore complex inference engines are required for reasoning on all of these relationships.
- From an access control point of view all of these relationships can be reduced to the subClassOf relation.
21. Reduction to subClassOf
- A equivalentClass B
  - A subClassOf B
  - B subClassOf A
- A unionOf B, C, D
  - B subClassOf A
  - C subClassOf A
  - D subClassOf A
22. Authorization Propagation
- Propagation in the subject domain
  (Credit Card, Account, withdraw)
  ⇒ (Master Card, Account, withdraw)
23. Authorization Propagation
- Propagation in the object domain
  (Credit Card, Account, withdraw)
  ⇒ (Credit Card, Short Term Deposit, withdraw)
24. Authorization Propagation
- Propagation in the action domain
  (Credit Card, Account, FullAccess)
  ⇒ (Credit Card, Account, Withdraw)
25. Authorization Propagation
- Propagation in the action domain (negative authorization, written with a leading "-")
  (Credit Card, Account, -Withdraw)
  ⇒ (Credit Card, Account, -FullAccess)
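As an added example, not code from the SBAC paper or the slides, the propagation of slides 22 to 25 carried out over constructed SO/OO/AO hierarchies and a constructed Authorization Base; how negative rules behave in the subject and object domains, negative-overrides-positive, and default deny are assumptions stated in the comments.

```python
# Added example, not code from the SBAC paper or slides: an SBAC-style
# decision that propagates authorization rules through the three
# ontologies as slides 22-25 show. Hierarchies and AB are constructed.

# subClassOf edges, child -> parents, for the Subject, Object and Action Ontologies.
SO = {"Master Card": ["Credit Card"]}
OO = {"Short Term Deposit": ["Account"], "Long Term Deposit": ["Account"]}
AO = {"Withdraw": ["FullAccess"], "Read": ["FullAccess"]}

# Authorization Base as (s, o, a, sign); sign -1 is a negative rule such as
# the slides' (Credit Card, Account, -Withdraw).
AB = [
    ("Credit Card", "Account", "FullAccess", +1),
    ("Credit Card", "Account", "Withdraw", -1),
]

def ancestors(cls, hierarchy):
    """cls plus all its transitive superclasses (subClassOf closure)."""
    seen, stack = {cls}, [cls]
    while stack:
        for parent in hierarchy.get(stack.pop(), []):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen

def authorized(request, ab=AB):
    """Decide (s, o, a) by propagation as on the slides: in the subject and
    object domains a rule on a class covers its subclasses; in the action
    domain a positive rule on FullAccess covers Withdraw, while a negative
    rule on Withdraw propagates upward and denies FullAccess too.
    Assumed here, not stated on the slides: negative rules propagate
    downward in the subject/object domains like positive ones, a negative
    rule overrides a positive one, and the default is deny."""
    s, o, a = request
    permit = False
    for rs, ro, ra, sign in ab:
        if rs not in ancestors(s, SO) or ro not in ancestors(o, OO):
            continue  # rule is about an unrelated subject or object
        if sign > 0 and ra in ancestors(a, AO):
            permit = True
        elif sign < 0 and a in ancestors(ra, AO):
            return False  # e.g. -Withdraw also yields -FullAccess
    return permit

if __name__ == "__main__":
    for req in [("Master Card", "Short Term Deposit", "Read"),
                ("Credit Card", "Account", "FullAccess")]:
        print(req, "->", "permit" if authorized(req) else "deny")
```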
26. Using Rules for Better Expressivity
"A Bank authority is not allowed to settle money to accounts of his friends in that bank."
27. Using Rules for Better Expressivity
"A Bank authority is not allowed to settle money to accounts of his friends in that bank."
- The policy as a rule:
  X is_A Person, Y is_A Person, X friendOf Y, B is_A Bank, Y bankAuthorityOf B, Z accountIn B, X ownerOf Z
  ⇒ (Y, Z, -settlement)
- Note that, e.g., if in your knowledge base you have John is_A Parent, the computer itself must deduce that John is_A Person.
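The rule of slide 27 evaluated by a small forward-chaining engine, added here and not the paper's or the slides' code: the knowledge base and the individuals John, Alice, Bob, MyBank and Acc42 are constructed, and the is_A closure over subClassOf is what lets "John is_A Parent" satisfy "X is_A Person", as the note describes.

```python
# Added example, not code from the SBAC paper or slides: derive the slide-27
# negative authorization from a constructed is_A / subClassOf triple store.
KB = {
    ("Parent", "subClassOf", "Person"), ("John", "is_A", "Parent"),  # John asserted only as Parent
    ("Alice", "is_A", "Person"), ("John", "friendOf", "Alice"),
    ("Bob", "is_A", "Person"), ("Bob", "bankAuthorityOf", "MyBank"),  # authority, nobody's friend
    ("MyBank", "is_A", "Bank"), ("Alice", "bankAuthorityOf", "MyBank"),
    ("Acc42", "accountIn", "MyBank"), ("John", "ownerOf", "Acc42"),
}

# The slide's rule; terms starting with '?' are variables.
RULE = ([("?X", "is_A", "Person"), ("?Y", "is_A", "Person"), ("?X", "friendOf", "?Y"),
         ("?B", "is_A", "Bank"), ("?Y", "bankAuthorityOf", "?B"),
         ("?Z", "accountIn", "?B"), ("?X", "ownerOf", "?Z")],
        ("?Y", "?Z", "-settlement"))

def saturate(kb):
    """Forward-chain is_A and subClassOf along subClassOf to a fixpoint."""
    kb = set(kb)
    while True:
        new = {(s, p, o2) for s, p, o in kb if p in ("is_A", "subClassOf")
               for s2, p2, o2 in kb if p2 == "subClassOf" and s2 == o}
        if new <= kb:
            return kb
        kb |= new

def unify(pattern, triple, binding):
    b = dict(binding)  # bind '?'-variables; fail on a clash or constant mismatch
    for p, t in zip(pattern, triple):
        if (b.setdefault(p, t) != t) if p.startswith("?") else (p != t):
            return None
    return b

def solve(antecedents, kb, binding):
    """Backtracking search yielding every binding that satisfies all antecedents."""
    if not antecedents:
        yield binding
        return
    for triple in kb:
        b = unify(antecedents[0], triple, binding)
        if b is not None:
            yield from solve(antecedents[1:], kb, b)

def derive(kb, rule):
    """All authorization tuples the rule produces over the saturated kb."""
    antecedents, consequent = rule
    return {tuple(b.get(t, t) for t in consequent)
            for b in solve(antecedents, saturate(kb), {})}
```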
28. Some Experimental Results
29. Smaller Ontologies
- Triples are used for storing ontologies in memory:
  - (Bob, is_A, Person)
  - (Alice, is_A, Person)
  - (Alice, friendOf, Bob)
30. Smaller Ontologies (cntd.)
- More complex constructs such as unionOf are also translated to triples:
  - A unionOf B, C, D
  - (A, unionOf, A0) (A0, first, B) (A0, rest, A1) (A1, first, C) (A1, rest, A2) (A2, first, D) (A2, rest, nil)
31. Smaller Ontologies (cntd.)
- A unionOf of n classes stored as list triples: number of triples 2n+1
- The same union reduced to subClassOf triples: number of triples n
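An added example, not code from the paper or the slides, tying slides 21, 30 and 31 together: the list encoding of unionOf (2n+1 triples), its reduction to n subClassOf triples, and equivalentClass reduced as on slide 21.

```python
# Added example, not code from the SBAC paper or slides: the slide-30 triple
# encoding of unionOf and the slide-21 reduction to subClassOf, with the
# triple counts of slide 31 (2n+1 before, n after) checked on the way.

def union_as_triples(cls, members):
    """Encode `cls unionOf members` as an RDF list: (cls, unionOf, cls0),
    then (cls_i, first, m) and (cls_i, rest, cls_i+1 or nil) per member."""
    triples = [(cls, "unionOf", f"{cls}0")]
    for i, m in enumerate(members):
        nxt = f"{cls}{i + 1}" if i + 1 < len(members) else "nil"
        triples += [(f"{cls}{i}", "first", m), (f"{cls}{i}", "rest", nxt)]
    return triples

def list_members(triples, head):
    """Walk the first/rest chain starting at list node `head`."""
    index = {(s, p): o for s, p, o in triples}
    members = []
    while head != "nil":
        members.append(index[(head, "first")])
        head = index[(head, "rest")]
    return members

def reduce_to_subclassof(triples):
    """Keep existing subClassOf triples and add those implied by
    equivalentClass (both directions) and unionOf (each member is a
    subclass of the union); the list bookkeeping triples are dropped."""
    reduced = {t for t in triples if t[1] == "subClassOf"}
    for s, p, o in triples:
        if p == "equivalentClass":
            reduced |= {(s, "subClassOf", o), (o, "subClassOf", s)}
        elif p == "unionOf":
            reduced |= {(m, "subClassOf", s) for m in list_members(triples, o)}
    return reduced

if __name__ == "__main__":
    before = union_as_triples("A", ["B", "C", "D"])
    after = reduce_to_subclassof(before)
    print(len(before), "triples before,", len(after), "after")  # 7 before, 3 after
```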
32. Smaller Ontologies (cntd.)
33. Lower Reasoning Time
Times are in milliseconds.
34. Summary and Conclusions
- We showed how ontologies can be used in representing the semantics of access control domains.
- We showed how these semantics can be used for inferring new implicit rules.
- We also showed how rules can be used for increasing the expressivity.
- The experimental results showed better reasoning time when working with reduced ontologies.
35. Thanks for your attention!
36. Definitions
- The Semantic Web is an extension of the current Web which gives information a well-defined meaning and makes machines capable of interpreting and processing the information.
- An access control mechanism should assure that:
  - Only eligible users are authorized to be granted an access right.
  - Each eligible user must be able to access all the resources that s/he is authorized for.
37. Reduction in the scope of OWL class axioms
38. Reduction in the scope of OWL individual axioms
39. Reduction in the scope of OWL property restrictions
40. Actions in SBAC