Semantic role-based access control

Macfie, A. 2014. Semantic role-based access control. PhD thesis, University of Westminster, Faculty of Science and Technology.

Title: Semantic role-based access control
Type: PhD thesis
Authors: Macfie, A.
Abstract

In this thesis we propose two semantic ontological role-based access control (RBAC) reasoning processes. These processes infer user authorisations according to a set of role permission and denial assignments, together with user role assignments. The first process, SO-RBAC (Semantic Ontological Role-Based Access Control), uses OWL-DL to store the ontology and SWRL to perform reasoning. It is based mainly on RBAC models previously described using Prolog. This demonstrates the feasibility of writing an RBAC model in OWL and performing reasoning inside it, but it is still tied closely to descriptive logic concepts and does not effectively exploit OWL features such as the class hierarchy. To fully exploit the capabilities of OWL, it was necessary to enhance the SO-RBAC model by programming it in OWL-Full. The resulting OWL-Full model, ESO-RBAC (Enhanced Semantic Ontological Role-Based Access Control), uses Jena for performing reasoning, and allows an object-oriented definition of roles and of data items. The definitions of roles as classes, and of users as members of the classes representing roles, allow user-role assignments to be defined in a way that is natural to OWL. All information relevant to determining authorisations is stored in the ontology. The resulting RBAC model is more flexible than models based on predicate logic and relational database systems.

There are three motivations for this research. First, we found that relational database systems do not implement all of the features of RBAC that we modelled in Prolog. Furthermore, implementations of RBAC in database management systems are always vendor-specific, so the user is dependent on a particular vendor's procedures when granting permissions and denials. Second, Prolog and relational database systems cannot naturally represent hierarchical data, which is the backbone of any semantic representation of RBAC models. An RBAC model should be able to infer user authorisations from a hierarchy of both roles and data types, that is, determine permission or denial from not just the type of role (which may include sub-roles), but also the type of data (which may include sub-types). Third, OWL reasoner-enabled ontologies allow us to describe and manipulate the semantics of RBAC differently, and consequently to address the previous two problems efficiently.

The contribution of this thesis is twofold. First, we propose semantic ontological reasoning processes, which are domain and implementation independent, and can be run from any distributed computing environment. This can be developed through integrated development environments such as NetBeans and using OWL APIs. Second, we have pioneered a way of exploiting OWL and its reasoners for the purpose of defining and manipulating the semantics of RBAC. Therefore, we automatically infer OWL concepts according to a specific stage that we define in our proposed reasoning processes. OWL ontologies are not static vocabularies of terms and constraints that define the semantics of RBAC. They are repositories of concepts that allow ad-hoc inference, with the ultimate goal in RBAC of granting permissions and denials.
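The inference the abstract describes, a user's authorisation derived from role permission and denial assignments over both a role hierarchy and a data-type hierarchy, sketched here as an added pure-Python illustration; this is not the thesis's OWL/SWRL or Jena code. The role names, data types, user assignments and the rule that an explicit denial overrides an inherited permission are constructed assumptions, not taken from the thesis.

```python
"""Toy hierarchical RBAC inference (constructed illustration, not the thesis's ontology)."""
from typing import Dict, Set, Tuple

# Role hierarchy: a senior role inherits the assignments of the junior roles listed.
ROLE_JUNIORS: Dict[str, Set[str]] = {
    "consultant": {"doctor"},
    "doctor": {"clinical_staff"},
    "nurse": {"clinical_staff"},
    "clinical_staff": set(),
}
# Data-type hierarchy: a sub-type inherits the assignments of its super-types.
DATA_SUPERTYPES: Dict[str, Set[str]] = {
    "psychiatric_note": {"clinical_note"},
    "clinical_note": {"patient_record"},
    "patient_record": set(),
}
# User-role assignments (constructed sample users).
USER_ROLES: Dict[str, Set[str]] = {"alice": {"consultant"}, "bob": {"nurse"}}
# Permission and denial assignments as (role, data type, action) triples.
PERMISSIONS: Set[Tuple[str, str, str]] = {
    ("clinical_staff", "patient_record", "read"),
    ("doctor", "clinical_note", "write"),
}
DENIALS: Set[Tuple[str, str, str]] = {("nurse", "psychiatric_note", "read")}


def ancestors(node: str, parents: Dict[str, Set[str]]) -> Set[str]:
    """Transitive closure over the hierarchy, including the node itself."""
    seen: Set[str] = set()
    stack = [node]
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        stack.extend(parents.get(n, set()))
    return seen


def authorised(user: str, data_type: str, action: str) -> str:
    """Return 'permit', 'deny' or 'no_decision' for user/action on a data type.

    Assumption: an explicit denial anywhere in the inherited role/type closure
    overrides any inherited permission; with neither, no decision is inferred.
    """
    roles = set().union(*(ancestors(r, ROLE_JUNIORS) for r in USER_ROLES.get(user, set())))
    types = ancestors(data_type, DATA_SUPERTYPES)
    if any((r, t, action) in DENIALS for r in roles for t in types):
        return "deny"
    if any((r, t, action) in PERMISSIONS for r in roles for t in types):
        return "permit"
    return "no_decision"
```

Alice, a consultant, reads psychiatric notes through the read permission that clinical_staff hold on patient_record, while Bob, a nurse, is stopped by the explicit denial even though he inherits the same permission.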

Year: 2014
File: Alexander_MACFIE_2014.pdf
Publication dates
Completed: 2014

Related outputs

Ontology based access control derived from dynamic RBAC and its context constraints
Macfie, A., Kataria, P., Koay, N., Dagdeviren, H., Juric, R. and Madani, K. 2008. Ontology based access control derived from dynamic RBAC and its context constraints. Proceedings of the 11th International Conference on Integrated Design and Process Technology (IDPT 2008), Taichung, Taiwan, June 1-6, 2008.

Research issues in access control for pervasive healthcare
Macfie, A., Juric, R. and Madani, K. 2008. Research issues in access control for pervasive healthcare. Proceedings of the 11th International Conference on Integrated Design and Process Technology (IDPT 2008), Taichung, Taiwan, June 1-6, 2008.

Ontology for supporting context aware applications for the intelligent hospital ward
Kataria, P., Macfie, A., Juric, R. and Madani, K. 2008. Ontology for supporting context aware applications for the intelligent hospital ward. Proceedings of the 11th International Conference on Integrated Design and Process Technology (IDPT 2008), Taichung, Taiwan, June 1-6, 2008.

Ontology for supporting context aware applications for the intelligent hospital ward
Kataria, P., Macfie, A., Juric, R. and Madani, K. 2008. Ontology for supporting context aware applications for the intelligent hospital ward. Transactions of the SDPS / Journal of Integrated Design and Process Science. 12 (3), pp. 35-44.

Role based access control for a medical database
Slevin, L. and Macfie, A. 2007. Role based access control for a medical database. IASTED Software Engineering and Applications Conference, Cambridge, Massachusetts, USA, 19-21 Nov 2007.

Permalink - https://westminsterresearch.westminster.ac.uk/item/964y2/semantic-role-based-access-control
