sac 1 semantic access control

8/14/2019 Sac 1 Semantic Access Control

1/38

Semant ic Access ControlSemant ic Access Control

Mariemma Yage, Antonio Maa

Computer Science Department

University of Mlagae-mai l: [email protected]


2/38

AgendaAgenda

? Introduction? SAC, Semantic Access Control Model

? Semantic Integration of a PMI

? Example? Implementation

? Conclusions

? Future Work


3/38

AgendaAgenda

? Introduction

? SAC, Semantic Access Control Model


? Example? Implementation

? Conclusions

? Future Work


4/38

Traditional Access Control SchemesTraditional Access Control Schemes

DAC, Discret ionary Acc ess Con trol

Multi-user DBs Reduced number of previously known users. Changes are not frequent. Resources under a unique entity.

Control based on identity. Rules stating what a user can do or not.


5/38


MAC, Mandatory Access Contro l

Military environments High number of users Linear and Static Hierarchical classification.

Control based on Security Levels. Rules established by a central authority. Definition of Security Levels Allocation of levels to resources and users


6/38


RBAC, Role-based Ac cess Con trol

Business. Corporative Intranets. Hierarchical structures. Access Permissions depending on the user

position (role) in the hierarchy. Control based on roles played

Rules establishing permissions of access to roles. Allocation of roles to users.


7/38

Open and Distributed EnvironmentsOpen and Distributed Environments

?

Heterogeneity Open Access Control Scheme

?Interoperability Separation of the Responsibilities of Authorization and

Access Control

?Flexibility Independence of the Application Domain

?Scalability Completely Distributed Scheme

?Dynamism Adaptation transparently and automatically


8/38

AgendaAgenda


Semantic Policy Language


? Example

? Implementation

? Conclusions

? Future Work


9/38

SemanticSemantic

ModellingModelling

Basis for a New AC ModelBasis for a New AC Model

Semantic Integration of Authorization andAccess Control Applications

Separation of responsibilities ofAuthorization andAccess Control is widely accepted as a Flexible andInteroperable Solution

SemanticSemantic

ModellingModelling

Access

ControlAuthorization

Entities

Semantic

Connection


10/38

SAC, Semantic Access ControlSAC, Semantic Access Control

? Schema based on theconcept of attribute

?Access based onsemantics

?No ambiguity in policies? Semantic Correction?Dynamic Allocation of

Policies?

Modularization? Parameterization?Reuse

?Mandatory PreviousSubscription

?Mandatory Identification? Previous Establishment

of Elements for thesupport of accesscontrol Users Hierarchy Roles

Groups SecurityClassification

...

AVOIDSAVOIDSPROVIDESPROVIDES


11/38

MechanismsMechanisms inin SPL,SPL, Semantic Policy LanguageSemantic Policy Language

?To reduce the AC policies definition complexity:

Modular i ty, Parameterisationand Abstract ion.

?Modularity in SPL implies:

The separation of specification in three parts: access control criteria

allocation of policies to resources

semantic information (properties about resources andcontext)

The abstraction of access control components

The ability to reuse these access controlcomponents


12/38


13/38

MetadataMetadata inin SPLSPL

?Metadata applied at different levels:

Semantic and contextual validation of access controlpolicies.

Dynamic policy allocation and instantiation.

Creation of policies

For the specification and acquisition of certification rules

Management of policies Any change in the authorization rules or the context is

detected and the consequences are revealed.


14/38

SAC,SAC, SemanticSemantic Access ControlAccess Control

?Attribute Certificate Based Approach.

? Supported by XML related technologies for metadata.

?Modular Language.

? Policy Composition.

? Parameterised Policies.

?Content-aware access control (content introspection).

?Means for the semantic integration of an external PMI. Authorization becomes interoperable.


15/38

AgendaAgenda



?

Example? Implementation

? Conclusions

? Future Work


16/38

Semantic Integration of a PMISemantic Integration of a PMI

AuthenticationAuthentication

Personal Identity

AuthorizationAuthorization

Role, status, social-economic attributes

Who am I dealing with?Who am I dealing with? Is she a student of MlagaUniversity?

Is she a student of MlagaUniversity?Is the client an adult?

Is the client an adult?

Solution: Attribute Certificates

PUBLIC KEYPUBLIC KEYINFRASTRUCTUREINFRASTRUCTURE

PRIVILEGE MANAGEMENTPRIVILEGE MANAGEMENTINFRAESTRUCTUREINFRAESTRUCTURE

PKI: Certification Authority(CA)

Certificates only identity

PKI: Certification Authority

(CA)

Certificates only identityPMI: Source of Authorization (SOA)Certificates a set of semantically

related attributes

PMI: Source of Authorization (SOA)

Certificates a set of semanticallyrelated attributes


17/38


SOAD Model (Source of Authorization Descript ion)

?Describes the semantics of the certificatesissued by the SOA.

?Describes relationships among thecertificates

and between attributes certified by this SOA and otherssources of authorization.

?Helps to the specification of access criteria.

?Enables the semantic validation.


18/38

AgendaAgenda



?

Example? Implementation

? Conclusions

? Future Work


19/38

Example: ACS DLExample: ACS DL

? Various Special Interest Groups (SIGs)

? ACS members can be members of the different SIGs, not

mandatory.

? ACS publishes journals and newsletters, directly or through the

SIGs.

? Newsletters can be accessed by the ACS members and also bypeople subscribed to them (ACS members or not).

? Journals can be accessed by users subscribed to them

independently they are members of the ACS or not.

? If the journal is published by an Special Interest Group, all the

members of that group can access that journal.

? An special subscription type called Portal grants access to every

publication in the digital library.


20/38

ExampleExample

s2

j1

n1

p

j2

n2

s1

nnn3

j3

a

jn

...

...

Role Hierarchy for the ACS Digital LibraryRole Hierarchy for the ACS Digital Library

A role foreach journal

A role foreach journal

A role for eachnewsletter

A role for eachnewsletter

SIG1 members can playj2 and j3 roles

SIG1 members can playj2 and j3 roles

A role forportal

A role forportal

A role forACS

A role forACS

Role structure must bepredefined

Role structure must bepredefined


21/38

Policy for JournalsPolicy for Journals

PublicationName

PublicationSOA


22/38

Allocation of Policy to ResourcesAllocation of Policy to Resources

Journal.xml

http://www.acs.org/

PublicationTypeJournal

Allocation of policy for journals(Journal.xml) to the ACSjournals

Allocation of policy for journals(Journal.xml) to the ACSjournals

PAS

PAS


23/38

Description of TOSEC journalsDescription of TOSEC journals

PublicationName

TOSEC

PublicationSOA

SIGSEC

PublicationType

Journal

http://www.acs.org/Journals/TOSEC/

Properties for theInstantiation

Properties for theInstantiation

SRR

SRR


24/38

Policy for the TOSEC journalPolicy for the TOSEC journal


25/38

Semantics of the AttributesSemantics of the Attributes

SIGSEC

SIGMember

SIGSEC

Subscription

SIGSECNewsLetter

Subscription

TOSEC

SOAD of the InterestGroup on Security

SOAD of the InterestGroup on Security

SOAD

SOAD


26/38

Semantics of the AttributesSemantics of the Attributes

SIGMemberSIGSEC

Implies

SubscriptionSIGSECNewsLetter

Subscription

TOSEC

To be a member of the SIG on Security, SIGSEC,

implies the subscription to the SIGSEC newsletters

To be a member of the SIG on Security, SIGSEC,

implies the subscription to the SIGSEC newsletters

SOA

D

SOA

D

and to theTOSEC journal

and to theTOSEC journal


27/38

Example ConclusionsExample Conclusions

?RBAC model presents problems to adapt to changes.

Administrative overload.

?No every problem is easily modelled using RBAC.

? The SAC model enables to express in a more naturaland simple way complex access control situations.

Simple, generic, reusable, dynamically instantiatedspecifications.

?

The semantic integration of external authorizationentities provides additional advantages to SAC.


28/38

AgendaAgenda

? Introduction? SAC, Semantic Access Control Model? Semantic Integration of a PMI

? Example

? Implementation Management Mechanisms in SAC Integration Mechanism of the PMI? Conclusions? Future Work


29/38

AdministrationAdministration

? One of the main objectives of the SAC model is the ease ofadministration.

Validation of the semantic and contextual correction.

Reuse of components.

Ease of implementation. Administrator Supporting tools.

Integrated environment with smart and visual edition,syntactic and semantic validation, control of changes, ...

Authorization Management.

SOADs Client


30/38


Results Information

SPL POLCIESPas & SRR

Policy Summary

Environment Window ofthe Policy Assistant

Environment Window ofthe Policy Assistant


31/38


Context Sensitive

Edition

Context Sensitive

Edition

Change ControlChange Control


32/38

Semantic Integration of PMISemantic Integration of PMI

?SOADs Management at the server andclient side

Publication / Localization History Caducity Edition on the Server and the Client side.


33/38


SOADs Management

System

SOADs Management

System

SOADs ClientSOADs Client


34/38

AgendaAgenda



? Example

? Implementation

? Conclusions

? Future Work


35/38

ConclusionsConclusions

?Semantic Integration of Applications

of Authorization and Access Control.

?Access Control Model based on semantics ofthe contents and the application context.

?High level of Interoperability, Scalability,Flexibility, Adaptability, Applicability.

?Semantic Soundness.

?

Ease of Administration.?Avoids the registration phase.


36/38

AgendaAgenda



? Example

? Implementation

? Conclusions

? Future Work


37/38

Future WorkFuture Work

? Delegation

To maintain the control over the delegationprocess.

Establish semantics of the delegation.

?

DRM Extension of SPL to express rights over digital

contents.

Inclusion of new DRM functions in the XSCDinfrastructure.

? Application of SAC to new environments.


38/38

Presented by: M ariemma YageComputer Science Department

Universi ty of Mlaga

e-mail : [email protected]

Semant ic Access Contro lSemant ic Access Contro l

Thank you for your attention ;Thank you for your attention ;--))

sac 1 semantic access control

Documents