Scalable and E cient Reasoning for ffiEnforcing Role-Based Access

Control

Tyrone Cadenhead

Murat Kantarcioglu, and Bhavani Thuraisingham

1

Overview

Motivation Contributions Approach Theoretical Background:

– RBAC, TRBAC, Description Logics, SWRL

Detailed Overview of Approach and Optimizations Example Experimental Results

2

Motivation

Organizations tend to generate large amount of data (or resources)

Users need only partial access to resources Pairs: (user, role) (role, permission) (action, resource) nu users and nr roles at most nu ×nr mappings

Scalable access control model

Exchange expertise among experts, between systems Heterogeneity in system

Make decision with data Formal Semantics of Data

3

Motivation (cont’d)

RBAC simplifies Security Management

– But Roles are statically defined

TRBAC extends RBAC

– Roles are dynamically defined and have a temporal dimension

– Does not address Heterogeneity inherent in organization information systems

Ontology has a Common Vocabulary

– Conforms to a Description Logic (DL) formalism

• Description Logic (DL) Reasoning Service

– Can be Distributed as over a set of Knowledge Bases

4

Why Flexible RBAC

• Physician SamSam allowed access to BobBob record– When Bob is under is care

• Emergency: SamSam is off duty, KellyKelly in emergency room:– BobBob needs immediate treatment

– KellyKelly not pre-assigned to view/update BobBob’s record

Temporal RBAC

5

Why Flexible TRBAC

KellyKelly needs to collaborate with different specialist from different expertise Sharing of data across wards, departments Seamless and unambiguous exchange of information

Ontologies Common Vocabulary Enable reconciliation and translation between different standards

6

Automation

KellKelly and team make decisions Using Bob medical history Access is needed Temporarily Accuracy and efficiency critical

Automated Tool Access granted in Emergency sessionApply policy rules over relevant data in Bob’s recordVerify the decisions based on formal logicMake access decisions efficiently

7

Main Contributions

TRBAC Implementation using existing semantic technologies

Reasoning Service for access control over large numbers of data instances in DL Knowledge Bases (KBs)

E ciently and accurately reason about access rightsffi

8

Approach

Transform temporal access control policies to rules :Semantic web rule language (SWRL)

Partitioning the Knowledge Base (KB)

- Terminological Box (TBox) - Assertional Box (ABox)A Knowledge Base consists of a TBox and ABox

9

Approach (cont’d)

Achieves:1. Scalability – support many users, roles, sessions,

permissions; combinations w.r.t access control policies

2. E ciencyffi - determines the response time to make a decision in milliseconds

3. Correct reasoning – ensure all data assertions available when applying the security policies

10

Theoretical Background

• RBAC

• TRBAC

• Description Logic Language (ALCQ)

• SWRL

11

RBAC

12

(Mappings)

• Connect individuals from two domain modules: RBAC assignments:

• Think of mappings as relations of form P(i, j) with valid pairs (i, j)

user-role, role-user, role-permission, permission-role, session-user, role-role and session-role

• a binary relationship of form P(x, y), a restriction on values assigned to (x, y) pairs

Hospital extensions: • the mappings patient-user, user-patient and patient-session

Patient-Record constraint: • the one-to-one mappings patient-record and record-patient

13

TRBAC

Extension of RBAC Supports temporal access Expressed by means of role triggers Constrains the set of roles that a particular user can activate at a

given time instant

Triggers Firing a trigger cause a role to be enabled/disabled

Conflict Resolution Simultaneous enabling and disabling of a role Priorities

14

Description Logics

• Formally build our domain concepts and the relationships between them.

• Add semantics (reasoning)

• Use a knowledge representation language

• We can formally say a doctor is a user, a surgeon is a doctor, a doctor has a medical degree.

15

Description Logics

16

SWRL

Semantic Web Rule language (SWRL)

• W3C recommendation.

• A SWRL rule has the form:

hi, bj are atoms of the form C(x), P(x, y) , sameAs(x,y), or differentFrom(x,y), where C is an OWL description, P is an OWL property, and x, y are Datalog variables, OWL individuals, or OWL data values

17

Overview

18

Intuition

• a user assigned to role : – User attributes (name, sex, id) in partition

– Details relating to role in partition

– Session related details in partition

• • Query :

• Optimization:

19

Step 1

Build step offline Restrict each partition size: ensures each KB fits into the memory on the machine

20

Step 2

• Load the policy rules into a new knowledge base . – Rules determine which assertions are relevant to determine any

policy objective.

• Adding rules to more efficient

• Experimental results:– Impact on the reasoning time vs. adding rules to

– Rules apply to a small subset of triples

– Reduced number of symbols in the ABox

21

Step 3

RBAC:

22

Inference Stage

• When there is an access request for a specific patient, start executing steps 2 and 3.

• Steps 2 and 3 are our inferencing stages where we enforce the security policies.

• These can also be executed concurrently for many patients, as desired.

23

TBox

• RBAC:– The sets and are atomic

concepts in

– Mappings and are formalized as DL roles

• Employees are Users

• Primary Physicians are employees with at least one patient

• We can Conclude primary physicians are users.

24

ABox

25

RDF

• W3C recommendation • Make assertions about any resources on the

semantic Web

• We can say Bob is a doctor– Doctor(Bob) (Bob rdf:type Doctor)

• Bob attended Harvard– (Bob, attended, “Harvard”)

26

Distributed Reasoning

27

Home Partition

28

Connecting Partitions

29

Distributed Reasoning

• Physicians can be both a primary or emergency-room physician, and restricted to two roles.

• Verify Bob does not exceed two roles–

– Execute query over is sufficient

• Primary Physicians attend to at most five patients at a time

– Query each one at a time is sufficient

30

Temporal RBAC Reasoning

• Implement TRBAC as triggers– TBox

– ABox

31

Temporal RBAC Reasoning

• Periodic Event

• Trigger: – doctor-on-day-duty must be enabled during the night

– nurse-on-night-duty must be enabled whenever the role doctor-on-night-duty is

32

Advantages

33

Optimization

Two types of indexing:

1. indexing the assertions• Allow finding triple by subject (s), a predicate (p) or an

object (o),

• without the cost of a linear search over all the triples in a partition

2. creating a high level index.• points to the location of the partitions on disk

• At most linear with respect to the number of partitions

34

Policy Query

35

Example

36

Trace

37

Experiments

38

Experiments

39