"DAGIS Automatic Discovery of Geospatial Information Services"
Semantic Access Control
Ashraful Alam
Dr. Bhavani Thuraisingham

Semantic Access Control (SAC)
[Diagram: Traditional Access Control, Semantic Web, Semantic Access Control]

Motivation
Shortcomings of Traditional Access Control
• Proprietary systems
• Lack of modularity
• Changes in access control schemas break the system
• Changes in data schemas break the system
• Path to resources (e.g., XPATH) is clumsy: //school/department/professor/personal/ssn – LONG!
• Non-optimal for distributed/federation environment

Modularity Problem
[Diagram labels: Target Box; People this policy applies to; Resources this policy applies to; Actions allowed for this policy]

SAC Ontology
Written in OWL (Web Ontology Language)
User-centric
Modular
Easily extensible
Available at: http://utd61105.campus.ad.utdallas.edu/geo/voc/newaccessonto

SAC Components
[Diagram: Policy Set, Subjects, Condition, Resources, Actions]
Subjects: Software Agents or Human clients
Resources: Assets exposed through WS
Actions: Read, Write, Execute
Conditions: Additional constraints (e.g., geospatial parameters) on policy enforcement

Application: Geo-WS Security
Data providers (e.g., geospatial clearinghouses, research centers) need access control on serviceable resources.
Access policies have geospatial dimension
• Bob has access on Building A
• Bob does NOT have access on Building B
• Building A and B have overlapping area
Current access control mechanisms are static and non-modular.

Geo-WS Security: Architecture
[Diagram: Web Service Client Side: Client. Web Service Provider Side: DAGIS, Enforcement Module, Decision Module, Authorization Module, Semantic-enabled Policy DB, Geospatial Semantic WS Provider]

Geo-WS Security: Semantics
Policy rules are based on description logic (DL).
DL allows machine-processed deductions on policy base.
Example 1:
• DL Rule: ‘Stores’ Inverse ‘Is Stored In’
• Fact: Airplane_Hanger(X) ‘stores’ Airplane(Y)
Example 2:
• DL Rule: ‘Is Located In’ is Transitive.
• Fact: Polygon(S) ‘Is Located In’ Polygon(V)
        Polygon(V) ‘Is Located In’ Polygon(T)

Secure Inferencing
[Diagram: Semantic-enabled Policy DB, Obvious facts, Deduced facts, Inferencing Module, Geospatial Data Store]

Geo-WS Security: Example
Resource := Washington, Oregon, California, West Coast
Rule := West Coast = WA Union OR Union CA
Policy :=
• Subject := Bob
• Resources := WA, OR, CA
• Action := Read
Query: Retrieve Interstate Highway topology of West Coast

SAC in Action
Environment: University Campus
Campus Ontology: http://utd61105.campus.ad.utdallas.edu/geo/voc/campusonto
Main Resources
• Computer Science Building
• Pharmacy Building
• Electric Generator in each Building
User Access:
• Bob has ‘execute’ access to all Building Resources
• Bob doesn’t have any access to CS Building
• Bob has ‘modify’ access to Building resources within a certain geographic extent
Policy File located at http://utd61105.campus.ad.utdallas.edu/geo/voc/policyfile1

SAC Improvements
Subjects, Resources, Actions and Conditions are defined independently
Reduced policy look-up cost -- only policies related to the requester are processed
No long path name!

Distributed Access Control
[Diagram: Client, Query Interface, Middleware, Travel Site, Reimbursement Site, Bank Site, Travel Data & Ontology, Reimbursement Data & Ontology, Bank Site]
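
The deductions on the "Geo-WS Security: Semantics" slide and the West Coast query on the "Geo-WS Security: Example" slide can be traced with a small reasoner. This is an added example, not code from the slides or from the SAC/DAGIS system. The property names (stores, isStoredIn, isLocatedIn), the function names and the default-deny decision rule are assumptions made for illustration.

```python
# Added illustration: a toy forward-chaining reasoner, not the SAC implementation.
INVERSE = {"stores": "isStoredIn"}          # 'Stores' inverse of 'Is Stored In'
TRANSITIVE = {"isLocatedIn"}                # 'Is Located In' is transitive
UNION = {"WestCoast": {"WA", "OR", "CA"}}   # West Coast = WA union OR union CA

def infer(facts):
    """Return the closure of (subject, property, object) facts under the rules."""
    closed = set(facts)
    inverse = {**INVERSE, **{v: k for k, v in INVERSE.items()}}
    while True:
        new = set()
        for s, p, o in closed:
            if p in inverse:                 # inverse rule: swap subject and object
                new.add((o, inverse[p], s))
            if p in TRANSITIVE:              # transitive rule: chain s -> o -> o2
                new |= {(s, p, o2) for s2, p2, o2 in closed if p2 == p and s2 == o}
        if new <= closed:                    # fixed point: nothing left to deduce
            return closed
        closed |= new

def expand(resource):
    """Resolve a resource to the atomic resources it is defined as a union of."""
    members = UNION.get(resource)
    if members is None:
        return {resource}
    return set().union(*(expand(m) for m in members))

def permitted(policies, subject, action, resource):
    """Assumed default deny: every atomic part needs a matching policy."""
    granted = set()
    for pol in policies:
        if pol["subject"] == subject and action in pol["actions"]:
            for r in pol["resources"]:
                granted |= expand(r)
    return expand(resource) <= granted

# Constructed sample data, copied from the slide examples.
FACTS = {("Airplane_Hanger(X)", "stores", "Airplane(Y)"),
         ("Polygon(S)", "isLocatedIn", "Polygon(V)"),
         ("Polygon(V)", "isLocatedIn", "Polygon(T)")}
POLICIES = [{"subject": "Bob", "resources": {"WA", "OR", "CA"}, "actions": {"Read"}}]

if __name__ == "__main__":
    print(sorted(infer(FACTS) - FACTS))                      # deduced facts only
    print(permitted(POLICIES, "Bob", "Read", "WestCoast"))   # covered by WA, OR, CA
    print(permitted(POLICIES, "Bob", "Write", "WestCoast"))  # no Write policy
```

The policy never names West Coast, yet the read query is granted because the union rule resolves it to WA, OR and CA. A policy covering only two of the three states would deny the same query.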