1 Introduction
C. Barry et al. (eds.), Information Systems Development: Challenges in Practice, Theory, and Education, Vol. 2, doi: 10.1007/978-0-387-78578-3_13, © Springer Science+Business Media, LLC 2009
Brian Shields and Owen Molloy
In a typical RBAC system (Sandhu et al., 1996), individual roles are granted access to resources.
Resources can be processes or information. Each relevant file must be accounted
for in the role's permissions; if it is not, the role is usually assumed to lack the
permissions needed to access the file. With the development and now widespread
adoption of XML as an information representation, particularly in Web
environments, assigning permissions has become considerably more difficult.
There is a large body of research investigating XML access control, which we
discuss in Section 5. All of this work proposes different ways of granting and
restricting access to the individual elements and attributes of an XML file. In a
large system this multiplies the security administration workload: every element
and attribute of every schema, and potentially of every instance document, becomes
an object whose permissions must be assigned and maintained.
This chapter proposes a solution that we regard as removing much of the
time-intensive work of assigning role permissions to the elements and attributes
of an XML file. We present a way of writing rules that determine the permissions
for each role. This is done at the schema level, yet different permissions may be
assigned to different documents, or document elements, of the same schema. Most
XML access control systems require the administrator to specify permissions at
both the schema and the instance level because a role may be permitted to access
one document and not another, even though both are instances of the same schema.
For example, a doctor may access one patient record and not another, while both
patient records have the same schema.
We propose an intelligent authorisation system that decides the permissions for
an individual at the time they request information. We use description logic and
decidable rules to provide the necessary intelligence. In this chapter we apply
the system to the Electronic Patient Record (EPR) from the area of Health
Informatics.
This chapter is organised as follows. Section 2 provides an overview of the
two main technologies: description logics and rules. Section 3 is an overview of
our security framework including a detailed description of our system architecture.
Section 4 presents our access control system, the main components involved and
how they interact with one another. Section 5 explores some related research in
XML access control. We conclude the chapter and detail some potential future
avenues for our research in Section 6.
2 Overview of Technologies
In this chapter we propose the use of some less well-known technologies as part of
our authorisation system. This section introduces two research areas, description
logic and rules (rule-based systems), and then presents the concrete language we
use from each: the Web Ontology Language (OWL) (McGuinness & van Harmelen, 2004)
and the Semantic Web Rule Language (SWRL) (Horrocks et al., 2004), respectively.
Securing Systems Intelligently: The Logical Approach
2.1 Description Logic
2.2 Rules
For the purpose of our system, as in most logic systems, we use derivation or
deduction rules exclusively. A rule of this type examines existing information and
asserts new information based on what it finds.
The number of rule languages available today keeps growing. According to Tim
Berners-Lee's semantic technology stack (Berners-Lee, 2000), rules are the next
step above ontologies in knowledge engineering systems. We have chosen the Semantic
Web Rule Language (SWRL) to represent our rules. SWRL combines OWL with the work
of the RuleML community: it extends OWL by adding simple Horn-style rules. A rule
of this form states that if the antecedent (the "if" part) holds, then the
consequent (the "then" part) must also hold. SWRL was submitted to the W3C as a
Member Submission in 2004; it is not a W3C Recommendation.
3 Framework Architecture
The security framework provides a service that creates, manages and stores X.509
digital certificates. These certificates are used as security tokens in the headers
of requesting SOAP messages to provide a non-repudiable user identity. A
certificate in a message header identifies nobody by itself: the non-repudiation
claim rests on the requester signing the message with the corresponding private
key and on the service verifying that signature against a certificate whose chain
and revocation status have been checked.
The Key Management Service is designed and implemented using the XML Key
Management Specification (XKMS) (Ford et al., 2001), published by the W3C. XKMS
provides two principal services:
XML Key Information Service Specification (XKISS). This service locates a public
key in order to encrypt information for an individual or to verify signed
information.
XML Key Registration Service Specification (XKRSS). This provides a number of
services to register, recover, reissue and revoke keys.
4.1 Design Time
From Figure 2 we can see that the architecture of our system is composed of two
distinct areas: design time and runtime. This section explains the first of these,
design time. It has three parts, each dealing with one component of the design-time
area: ontology design, access control rule specification and XML Schema to OWL DL
mappings.
Before we can begin reasoning about access to the information system, we must
first develop an ontology representing the information stored. We use six steps
to create the ontology:
1. Determine the scope. The ontology for our system must include any information
which can be shared with users.
2. Reuse existing ontologies. If any of the information in scope has previously
been defined in an ontology, it can be imported and reused.
3. Define the classes and class hierarchy. The concepts of the domain are
specified. In our example we have the classes Medic, Surgeon, Nurse,
ClinicalInformation, etc. These are then organised into a hierarchy by specifying
relationships between them. We use three general relationships for creating the
ontology hierarchy: subsumption, disjointness and equivalence.
4. Define the properties of the classes. Classes alone do not provide enough
information. Once the main concepts are represented by classes we must define
their internal structure. Two types of properties may be defined: ObjectProperties,
which relate two classes to each other, and DatatypeProperties, which take common
simple types such as integer and string.
5. Define the facets of the properties. The property facets are the property
type, its cardinality and the legal values it may store.
6. Create instances. Once the ontology is designed, instances of each class are
created. Each instance is referred to as an object (individual) of its class.
One of the most important functions of an access control system, second only
to its enforcement, is the design and deployment of the access control rules.
Our system architecture contains a module called the Rule Parsing Engine. This
module accepts rules written in SWRL, parses them for correctness and
completeness, and loads them into the reasoning engine for later assertion. We use
deduction rules (also called derivation or if-then rules) in our access control
system. Deduction rules, as described in Section 2.2, present a number of
assertions (the antecedent), all of which must be true for the resulting assertion
(the consequent) to be true. All rules in our system currently have the consequent
hasAccessToInformation(p, o), where p is some defined user of the system and o is
the object they have access to. hasAccessToInformation is an OWL ObjectProperty.
It is defined in our ontology as having the domain Person and the range
Information, which is read Person hasAccessToInformation Information. Consider,
for example, a rule stating that a doctor may access the details of a patient if
he or she is the treating physician of that patient.
Doctor and Patient are OWL classes defined in our ontology. Doctor(?p) asserts
that the variable p is an instance of Doctor. treats is an OWL ObjectProperty
defined in our ontology with domain Doctor and range Patient. treats(?p, ?o)
asserts that the instances p and o are a legal domain and range of the object
property. In keeping with the nature of deduction rules, if the three assertions
on the antecedent, or left-hand side, of the rule (Doctor(?p), Patient(?o) and
treats(?p, ?o)) are true, then our reasoning engine asserts that the consequent,
on the right-hand side, also holds. Note that such a rule can only grant: Horn
rules add hasAccessToInformation facts and nothing retracts one, so a request is
permitted exactly when some rule, together with the ontology, derives the
corresponding fact, and denied otherwise. In reality, rules in a health care
system would be far more complex, and we have therefore developed some more
multifarious examples. One such example reads: a medic has access to the results
of all tests requested by anyone they supervise.
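As an added worked example (not the chapter's own code), the following Python module reproduces the two design-time components just described in miniature: a toy TBox using the chapter's class names (Medic, Doctor, Surgeon, Nurse, Patient, ClinicalInformation) and the properties treats and hasAccessToInformation with the stated domains and ranges, plus a forward-chaining reasoner that applies subsumption, domain/range entailment and Horn rules to an ABox of constructed individuals. Rule 1 is reconstructed from the prose description above; Rule 2's classes Test and TestResult and its properties supervises, requested and hasResult are assumptions, since the chapter only paraphrases that rule. The example goes slightly beyond the text by letting subsumption do work: the surgeon below is never asserted to be a Doctor, yet Rule 1 grants her access.

```python
"""Toy OWL-style ontology plus SWRL-style deduction rules for access control.
Added example; the individuals and the Rule 2 vocabulary are constructed for
illustration and are not from the chapter."""

# Step 3 of the ontology procedure: class hierarchy (subsumption only; the
# disjoint and equivalent relationships are omitted to keep the example short).
SUBCLASS_OF = {
    "Surgeon": "Doctor",
    "Doctor": "Medic",
    "Nurse": "Medic",
    "Medic": "Person",
    "Patient": "Person",
    "TestResult": "ClinicalInformation",   # assumed class
    "ClinicalInformation": "Information",
    "PatientInformation": "Information",
}

# Step 4: object properties with (domain, range). In OWL a domain/range axiom is
# an entailment, not a check: treats(p, o) lets the reasoner conclude Doctor(p)
# and Patient(o). supervises, requested and hasResult are assumed for Rule 2.
PROPERTIES = {
    "treats": ("Doctor", "Patient"),
    "hasAccessToInformation": ("Person", "Information"),
    "supervises": ("Medic", "Medic"),
    "requested": ("Medic", "Test"),
    "hasResult": ("Test", "TestResult"),
}

# Deduction rules: (antecedent atoms, consequent atom). Terms starting with '?'
# are variables; a 2-tuple is a class atom, a 3-tuple a property atom.
RULES = [
    # Rule 1, reconstructed from the chapter's description:
    # Doctor(?p) ^ Patient(?o) ^ treats(?p, ?o) -> hasAccessToInformation(?p, ?o)
    ([("Doctor", "?p"), ("Patient", "?o"), ("treats", "?p", "?o")],
     ("hasAccessToInformation", "?p", "?o")),
    # Rule 2, paraphrased in the chapter as "a medic has access to the results
    # of all tests requested by anyone they supervise" (property names assumed).
    ([("Medic", "?m"), ("supervises", "?m", "?s"),
      ("requested", "?s", "?t"), ("hasResult", "?t", "?r")],
     ("hasAccessToInformation", "?m", "?r")),
]

# Step 6: constructed individuals (the ABox). dr_khan is only asserted to be a
# Surgeon, never a Doctor; subsumption has to supply that.
ABOX = {
    ("Surgeon", "dr_khan"), ("Doctor", "dr_lee"), ("Nurse", "nurse_ito"),
    ("Patient", "pat_1001"), ("Patient", "pat_1002"),
    ("treats", "dr_khan", "pat_1001"), ("treats", "dr_lee", "pat_1002"),
    ("supervises", "dr_lee", "nurse_ito"),
    ("requested", "nurse_ito", "test_77"), ("hasResult", "test_77", "result_77"),
}


def match(atoms, facts, binding=None):
    """Yield every variable binding under which all atoms are present in facts."""
    binding = binding or {}
    if not atoms:
        yield binding
        return
    atom, rest = atoms[0], atoms[1:]
    for fact in facts:
        if len(fact) != len(atom):
            continue
        candidate = dict(binding)
        for term, value in zip(atom, fact):
            if term.startswith("?"):
                if candidate.setdefault(term, value) != value:
                    break           # variable already bound to something else
            elif term != value:
                break               # constant (class/property name) differs
        else:
            yield from match(rest, facts, candidate)


def saturate(abox, rules):
    """Forward-chain subsumption, domain/range entailment and rules to a fixpoint."""
    facts = set(abox)
    while True:
        derived = set()
        for fact in facts:
            if len(fact) == 2 and fact[0] in SUBCLASS_OF:
                derived.add((SUBCLASS_OF[fact[0]], fact[1]))
            elif len(fact) == 3:
                domain, range_ = PROPERTIES[fact[0]]
                derived.update({(domain, fact[1]), (range_, fact[2])})
        for antecedent, consequent in rules:
            for binding in match(antecedent, facts):
                derived.add(tuple(binding.get(t, t) for t in consequent))
        if derived <= facts:        # nothing new: monotonic closure reached
            return facts
        facts |= derived


def grants(abox=ABOX, rules=RULES):
    """All (person, information) pairs for which hasAccessToInformation is derived."""
    return {(s, o) for name, s, o in (f for f in saturate(abox, rules) if len(f) == 3)
            if name == "hasAccessToInformation"}


def is_permitted(person, obj, abox=ABOX, rules=RULES):
    """Deny by default: access exists only if some rule derived the fact."""
    return (person, obj) in grants(abox, rules)


if __name__ == "__main__":
    for pair in sorted(grants()):
        print("%s hasAccessToInformation %s" % pair)
```

Running the module lists exactly three grants: dr_khan to pat_1001 (via Surgeon being subsumed by Doctor), dr_lee to pat_1002, and dr_lee to result_77 through the supervision chain; nurse_ito, who requested the test, receives nothing because no rule says so. Because the closure is monotonic, an exception such as a patient opting out cannot be expressed as a second rule that removes access; it has to appear as an extra atom in the antecedent of the granting rule.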
The ontology or ontologies defining the elements of the system do just that:
they define the elements of the system and their relationships to one another.
They must now be linked to the data structures that pass in and out of the system
so that the access control rules can be applied to them. For example, using our
EPR, we must take each individual element and tell the security engine what that
element means in terms of our ontological description of the system. Naming
conventions can be an issue: one hospital system may call junior doctors medics
where another calls them interns. These differences become irrelevant as long as
both are mapped to the appropriate item in the ontology. The mappings are made
from the schema of the XML file in question. Schema-to-ontology (XSD to OWL)
mappings have received a lot of interest recently. One creates a mapping from the
schema to the ontology which then holds for all XML instances of that schema.
Three types of mapping exist: Class Mappings, Object Property Mappings and
Datatype Property Mappings.
Class Mappings are mappings between elements or attributes of the XML file and
OWL DL classes from the ontology. The snippet of XML in Listing 1 is an example
of a simple Class Mapping. When designing the mapping module of our security
engine we noticed that OWL classes often mapped to parent elements in the XML
schema, i.e. class elements contained only child elements and no text or
attributes. Therefore, in order to uniquely identify an object of this class
when an XML file is presented, we allow the user to specify data from elsewhere
in the XML file to act as the identifier. The identifier is selected by an XPath
expression and must be a descendant of the class element in question (in Listing
1, PatientInformation is identified by its idNum child). An element that matches a
class mapping but yields no identifier cannot be tied to any individual the rules
can reason about, so it should be treated as inaccessible rather than passed
through.
Object Property Mappings are mappings between elements or attributes of the
XML file and OWL DL object properties from the ontology. Listing 2 contains an
example of a simple object property mapping. As with class mappings, object
property mappings must specify the element of the XML Schema being mapped and the
object property in the ontology it is mapped to. We must also specify the domain
and range of the object property; this is necessary for some complex assertions
about an individual's access rights. Listing 2 shows the XML item in question
being mapped to the madeBy object property of the ontology. It is important to
specify that we mean the madeBy property from the statement ClinicalObservation
madeBy Medic, as the object property madeBy can exist with other domains such as
ClinicalDirection.
Datatype Property Mappings are the mappings between elements or attributes of
the XML file and OWL DL datatype properties of the ontology. Listing 3 contains
an example of a simple datatype property mapping. Datatype property mappings are
the least complex of the three. They contain three elements: the element of the
XML Schema being mapped, the datatype property from the ontology it is mapped to,
and the type of the property, i.e. string, int, etc. Datatype properties map to
leaf elements or attributes in the XML file. They are used when providing temporal
access control for the data, for example where a rule's antecedent compares a
recorded date with the time of the request.
4.2 Runtime
This section explains the processes involved in the runtime area of our system
architecture as seen in Figure 2. We cover three areas: the compilation of XML
mappings from the schema mappings of the previous subsection, the formatting and
execution of queries on our access control system, and the pruning of the XML
document before it is sent to the requesting client.
We explained in the previous subsection how the XML Schema to OWL mappings are
created and used. This alone would be sufficient to provide the access control of
a basic RBAC system: we can restrict access according to the group or role a
person belongs to. In this section we describe how to refine this access control
further. To achieve this we must be able to reason on the instance information
and not only on general concepts. When an XML file is requested and is awaiting
return, the schema mapping configurations appropriate to it are loaded. The XML
file is then parsed and the instance information added to the mappings. Care is
needed when parsing instance information: the XML file is accessed for the
information according to the XPath expressions supplied in the mappings
configuration, so those expressions are part of the policy and must be protected
from modification in the same way as the rules themselves.
Listing 1. A Class Mapping
<ClassMapping>
  <xmlItem>PatientRecord/PatientInformation</xmlItem>
  <owlItem>PatientInformation</owlItem>
  <identifiedBy>PatientRecord/PatientInformation/idNum</identifiedBy>
</ClassMapping>
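To make the mapping and pruning steps concrete, here is an added Python example; it is not the chapter's code, whose mapping module is not shown. It parses a mapping configuration in the shape of Listing 1, extended with an ObjectPropertyMapping and a DatatypePropertyMapping whose child element names (domain, range, type) and property names (madeBy, recordedOn) are assumptions, since Listings 2 and 3 do not appear on this page; evaluates the mapping paths against a constructed EPR instance with the standard library's ElementTree; emits ABox-style facts keyed by each class element's identifier; and finally prunes the instance so that only class-mapped elements the reasoner granted remain.

```python
"""XML Schema to OWL mappings applied at runtime: extract instance facts from an
EPR document and prune what the requester may not see. Added example; the
configuration beyond Listing 1 and the EPR instance are constructed."""
import copy
import xml.etree.ElementTree as ET

# Constructed mapping configuration. The first ClassMapping is Listing 1; the
# remaining entries follow its shape but are assumed.
MAPPINGS_XML = """<Mappings>
  <ClassMapping><xmlItem>PatientRecord/PatientInformation</xmlItem>
    <owlItem>PatientInformation</owlItem>
    <identifiedBy>PatientRecord/PatientInformation/idNum</identifiedBy></ClassMapping>
  <ClassMapping><xmlItem>PatientRecord/ClinicalObservation</xmlItem>
    <owlItem>ClinicalObservation</owlItem>
    <identifiedBy>PatientRecord/ClinicalObservation/obsId</identifiedBy></ClassMapping>
  <ObjectPropertyMapping><xmlItem>PatientRecord/ClinicalObservation/madeBy</xmlItem>
    <owlItem>madeBy</owlItem><domain>ClinicalObservation</domain><range>Medic</range>
  </ObjectPropertyMapping>
  <DatatypePropertyMapping><xmlItem>PatientRecord/ClinicalObservation/recorded</xmlItem>
    <owlItem>recordedOn</owlItem><type>date</type></DatatypePropertyMapping>
</Mappings>"""

# Constructed EPR instance of the schema the mappings refer to.
EPR_XML = """<PatientRecord>
  <PatientInformation><idNum>pat_1001</idNum><name>A. Example</name></PatientInformation>
  <ClinicalObservation><obsId>obs_1</obsId><madeBy>dr_khan</madeBy>
    <recorded>2009-01-15</recorded><note>BP 120/80</note></ClinicalObservation>
  <ClinicalObservation><obsId>obs_2</obsId><madeBy>dr_lee</madeBy>
    <recorded>2009-01-16</recorded><note>Temp 38.1</note></ClinicalObservation>
</PatientRecord>"""


def parse_mappings(xml_text):
    """Each mapping becomes a dict of its child elements plus its kind (tag)."""
    result = []
    for mapping in ET.fromstring(xml_text):
        entry = {"kind": mapping.tag}
        entry.update((child.tag, (child.text or "").strip()) for child in mapping)
        result.append(entry)
    return result


def wrap_document(xml_text):
    """ElementTree resolves a path relative to an element, so a path beginning with
    the document element ('PatientRecord/...') is evaluated from a synthetic parent."""
    wrapper = ET.Element("document")
    wrapper.append(ET.fromstring(xml_text))
    return wrapper


def _below(path, prefix):
    """Tail of path under prefix, or None when prefix does not enclose path."""
    return path[len(prefix) + 1:] if path.startswith(prefix + "/") else None


def class_elements(doc, mappings):
    """Yield (class mapping, element, identifier) for every class-mapped element.
    The identifier must be a descendant of the class element; an element without
    one is rejected, because no individual could be reasoned about for it."""
    for cm in (m for m in mappings if m["kind"] == "ClassMapping"):
        id_tail = _below(cm["identifiedBy"], cm["xmlItem"])
        if id_tail is None:
            raise ValueError("identifiedBy must lie under %s" % cm["xmlItem"])
        for elem in doc.findall(cm["xmlItem"]):
            ident = elem.findtext(id_tail)
            if not ident or not ident.strip():
                raise ValueError("%s element without %s" % (cm["xmlItem"], id_tail))
            yield cm, elem, ident.strip()


def extract_facts(doc, mappings):
    """Instance facts in ABox form: (Class, id) and (property, id, value). A
    property mapping belongs to the innermost class mapping enclosing its path."""
    classes = [m for m in mappings if m["kind"] == "ClassMapping"]
    props = [m for m in mappings if m["kind"].endswith("PropertyMapping")]
    owner = {pm["xmlItem"]: max((cm for cm in classes if _below(pm["xmlItem"], cm["xmlItem"])),
                                key=lambda cm: len(cm["xmlItem"]), default=None)
             for pm in props}
    facts = set()
    for cm, elem, ident in class_elements(doc, mappings):
        facts.add((cm["owlItem"], ident))
        for pm in props:
            if owner[pm["xmlItem"]] is cm:
                for node in elem.findall(_below(pm["xmlItem"], cm["xmlItem"])):
                    if node.text and node.text.strip():
                        facts.add((pm["owlItem"], ident, node.text.strip()))
    return facts


def prune(doc, mappings, allowed_ids):
    """Copy of the document with every class-mapped element whose identifier the
    reasoner did not grant removed. Returns the real document root."""
    doc = copy.deepcopy(doc)
    parent_of = {child: parent for parent in doc.iter() for child in parent}
    for _, elem, ident in list(class_elements(doc, mappings)):
        if ident not in allowed_ids:
            parent_of[elem].remove(elem)
    return doc[0]


if __name__ == "__main__":
    mappings, doc = parse_mappings(MAPPINGS_XML), wrap_document(EPR_XML)
    for fact in sorted(extract_facts(doc, mappings)):
        print(fact)
    print(ET.tostring(prune(doc, mappings, {"pat_1001", "obs_1"}), encoding="unicode"))
```

The facts produced by extract_facts are exactly the ABox shape a reasoner consumes, and allowed_ids is what it hands back (the o values of the derived hasAccessToInformation(p, o) facts for the requesting p). Two caveats follow from the code: anything the mappings do not cover is passed through unchanged by prune, so the schema should be inventoried for unmapped elements (or those should be stripped too) to keep the deny-by-default stance described in the introduction; and since the mapping paths select what the reasoner sees, the configuration deserves the same integrity protection as the rule set.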
5 Related Research
There has been much work on fine-grained access control for XML documents.
Bertino et al. (1999), Damiani et al. (2000) and Kudo and Hada (2000) all present
ways of securely accessing XML documents at the element level.
Damiani et al. (2004) describe a means of providing semantically enriched access
control to resources by extending existing policy languages. They present an
extension to XACML (XACML Technical Committee, 2005) that enables users and
resources to be specified in terms of rich ontology-based metadata. This approach
achieves access control to resources in the traditional sense, i.e. files and
processes.
Qu et al. (2004) propose OREL, an ontology-based Rights Expression Language
(REL) to control a user's rights to access digital content. They essentially add
reasoning capabilities to existing RELs such as XrML.
Qin and Atluri (2003) define a model for access control for the semantic Web
based on concept definitions. Access control decisions are made at the concept
level as defined in an OWL ontology. They describe the benefits of a semantically
rich access control model in terms of reduced administration effort when updating
authorisation policies. Although they present an intelligent, rich access control
model, they apply it to semantic concepts as defined on a Web page; it is not
applied to XML documents.
Xiaopeng et al. (2005) present an access control model for grid computing which
uses semantic descriptions. They describe the entities of the system and the
access control policies in the Semantic Policy Language and then use semantic
reasoning to determine access rights and resolve potential conflicts. This
application of semantic access control is exclusively applied to grid resources.
Agarwal and Sprick (2004) (Agarwal et al., 2004) and Yagüe et al. (Yagüe & Troya,
2002; Yagüe et al., 2003) provide examples of how access control can be ensured
for semantic Web services.
Our work aims to combine much of what has been discussed in this section: we
provide semantic access control of XML documents, and we provide it at an element
level of granularity.
References
Agarwal, S. & Sprick, B. (2004) Access Control for Semantic Web Services. IEEE International Conference on Web Services. San Diego, CA.
Agarwal, S., Sprick, B. & Wortmann, S. (2004) Credential Based Access Control for Semantic Web Services. 2004 AAAI Spring Symposium Series, Stanford, CA.
Berners-Lee, T. (2000) Keynote Address. XML 2000. http://www.w3.org/2000/Talks/1206-xml2k-tbl/slide10-0.html
Bertino, E., Castano, S., Ferrari, E. & Mesiti, M. (1999) Controlled Access and Dissemination of XML Documents. 2nd ACM Workshop on Web Information and Data Management. Kansas City, MO.
Damiani, E., De Capitani di Vimercati, S., Fugazza, C. & Samarati, P. (2004) Extending Policy Languages to the Semantic Web. International Conference on Web Engineering. Munich, Germany.
Damiani, E., De Capitani di Vimercati, S., Paraboschi, S. & Samarati, P. (2000) Securing XML Documents. 7th International Conference on Extending Database Technology. Konstanz, Germany.
Ford, W., Hallam-Baker, P., Fox, B., Dillaway, B., LaMacchia, B., Epstein, J. & Lapp, J. (2001) XML Key Management Specification (XKMS). W3C Note. http://www.w3.org/TR/2001/NOTE-xkms-20010330/
Horrocks, I., Patel-Schneider, P. F., Boley, H., Tabet, S., Grosof, B. & Dean, M. (2004) SWRL: A Semantic Web Rule Language Combining OWL and RuleML. W3C Member Submission. http://www.daml.org/2003/11/swrl/
Kudo, M. & Hada, S. (2000) XML Document Security Based on Provisional Authorization. 7th ACM Conference on Computer and Communications Security. Athens, Greece.
McGuinness, D. L. & van Harmelen, F. (2004) OWL Web Ontology Language Overview. http://www.w3.org/TR/owl-features/
Sandhu, R. S., Coyne, E. J., Feinstein, H. L. & Youman, C. E. (1996) Role-Based Access Control Models. IEEE Computer 29(2):38-47.
The Rule Markup Initiative. http://www.ruleml.org/
Qin, L. & Atluri, V. (2003) Concept-Level Access Control for the Semantic Web. 2003 ACM Workshop on XML Security. Fairfax, VA.
Qu, Y., Zhang, X. & Li, H. (2004) OREL: An Ontology-Based Rights Expression Language. 13th World Wide Web Conference. New York.
XACML Technical Committee (2005) XACML 2.0 Specification Set. http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf
Xiaopeng, W., Junzhou, L., Aibo, S. & Teng, M. (2005) Semantic Access Control in Grid Computing. 11th International Conference on Parallel and Distributed Systems. Fukuoka, Japan.
Yagüe, M. I. & Troya, J. M. (2002) A Semantic Approach to Access Control in Web Services. EuroWeb 2002: The Web and the GRID: From E-Science to E-Business. Oxford.
Yagüe, M. I. et al. (2003) Applying the Semantic Web Layers to Access Control. 14th International Workshop on Database and Expert Systems Applications. Prague, Czech Republic.