Security RDF graph
By: Sushanta Pradhan.
Inference and Reasoning
RDF stores information in the form of statements; given a set of statements, one can derive additional statements. An inference and reasoning engine makes use of the class and property definitions, their relationships and additional rules to derive additional statements. Apart from deriving additional statements, the inference engine also validates the data contained in the RDF graph, for example the range and domain of a property.
Kinds of Reasoner
Ontology Reasoner
This reasoner derives additional statements by looking into the class/property definitions and their relations. For example, if we have the below class hierarchy:
And the following RDF statement (Ram’s mother is Kausilya):
An ontology reasoner will derive another RDF statement (Ram’s parent is Kausilya):
Rule Based Reasoner
A rule is a representation of knowledge in machine-readable form, which a reasoner uses to derive additional information from existing information. For example, the rule:
?person rdf:type
, ?person >60, ?person ‘yes’,
states that all persons with age greater than 60 are senior citizens.
A rule-based reasoner applies a set of such rules to RDF data and derives additional RDF statements. Rules can also be used to validate and secure RDF data.
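The two kinds of reasoner described above, as an added example that is not code from the original post: a small forward-chaining loop that applies an ontology rule and the senior-citizen rule until no new statements appear. The names subPropertyOf, hasMother, hasParent, hasAncestor, age, isSeniorCitizen and the sample facts are assumptions constructed for illustration.

```python
# Constructed sample statements as (subject, predicate, object) triples.
FACTS = {
    ("hasMother", "subPropertyOf", "hasParent"),    # ontology definition
    ("hasParent", "subPropertyOf", "hasAncestor"),  # constructed extra level
    ("Ram", "hasMother", "Kausilya"),
    ("Ram", "type", "Person"),
    ("Ram", "age", 30),
    ("Dasharath", "type", "Person"),
    ("Dasharath", "age", 65),
}


def ontology_rule(facts):
    """If P is a sub-property of Q, every (s P o) implies (s Q o)."""
    sub = {(s, o) for (s, p, o) in facts if p == "subPropertyOf"}
    return {(s, parent, o)
            for (s, p, o) in facts
            for (child, parent) in sub if p == child}


def senior_rule(facts):
    """A Person whose age is greater than 60 is a senior citizen."""
    persons = {s for (s, p, o) in facts if p == "type" and o == "Person"}
    return {(s, "isSeniorCitizen", "yes")
            for (s, p, o) in facts
            if p == "age" and s in persons and o > 60}


def infer(facts, rules):
    """Apply every rule repeatedly until a fixpoint is reached."""
    closure = set(facts)
    while True:
        derived = set().union(*(rule(closure) for rule in rules)) - closure
        if not derived:
            return closure
        closure |= derived


if __name__ == "__main__":
    for triple in sorted(infer(FACTS, [ontology_rule, senior_rule]) - FACTS,
                         key=str):
        print(triple)
```

The hasAncestor statement only appears on the second pass, which is why the loop runs to a fixpoint rather than applying each rule once.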
Classification of Data from User’s perspective.
Private Data
Data that is owned by only one user and is accessible only to that user. In the RDF graph this data can be one of the following:
● Private Class
Visible only to the owner, and instances can be created only by the owner. Can be considered as a database table/collection that is visible only to a few users of the system, say system administrators.
● Private Instance
An instance of either a Private Class or a Public Class. Accessible only to the owner. Can be considered as a protected row in a database table/collection.
● Private Property (link)
Can be created only by the owner and can be a property of either a public or a private instance. Can be considered as a protected column/attribute in a database table/collection.
Public Data
Data that is accessible to all users in the system. In the RDF graph this data can be one of the following:
● Public Class
A class that is visible to all, and instances can be created by all users in the system.
● Public Instance
An instance of a Public Class that is accessible to all.
● Public Property (link)
Can be created by anyone in the system and can be associated only with a public instance.
Shared Data
Private data that is shared by the owner with one or more other users in the system. Only the owner can share a private object with another user. In the RDF graph this data can be one of the following:
● Shared Class
Visible to all shared members. Instances can be created only by the owner and accessed by all shared members.
● Shared Instance
An instance of either a Private Class or a Shared Class. Can be created only by the owner and accessed by all shared members.
● Shared Property (link)
Can be created only by the owner and accessed by all shared members.
The below figure defines these rules: a red arrow shows that the two entities can’t be associated with each other, and a green arrow signifies a possible and required association between entities. At any given point in time, all objects and links in the RDF graph must adhere to these rules to maintain sanity.
Categorization of accessibility
Implicit Access
Users are not given direct access to objects but are given access indirectly by means of roles. Various roles are defined by the application based on accessibility criteria, and access to objects is given to one or many roles. Users automatically get access to the objects that their corresponding role has access to. Consider the below role definitions and accessibility rules illustrated as an RDF graph. As per the illustration, ‘Accounts’ is accessible only to ‘Ram’ while ‘UserData’ is accessible only to ‘Sham’.
Figure 1: Implicit definition
Explicit Access
Users are given direct access to objects as illustrated in the below RDF graph.
Securing the RDF graph
SuperUser
The owner of all classes, instances and properties present in the RDF graph. All security-related classes, instances and properties that the superuser maintains for accessibility controls belong to the ‘Private Data’ category of the user.
Explicit Access in the RDF graph
Explicit access is given to either private data or shared data in the RDF graph.
Explicit Access to private data
The property ‘hasAccess’ is attached to the private node, with its value being a node of type ‘Person’. The below illustration shows a part of a graph where the private data ‘Ram’s payslip’ grants access only to Ram.
Explicit Access to shared data
Sharing data in the RDF graph requires the creation of a shared node whose links decide which node is shared, by whom and for whom. For example, the below illustration shows that ‘Ram’, the owner of ‘Ram’s PaySlip’, has shared this node with ‘Shyam’.
Implicit Access in the RDF graph
Implicit access is given to only public data in the RDF graph. The property ‘belongsTo’ is attached to the public node with value as a node with type - ‘Role’ as illustrated in figure 1.
The ‘belongsTo’ property is private data of ‘superUser’ so as to prevent users from mistakenly making their data public. Hence it can be attached to nodes only by the ‘superUser’ or by a user with whom this property has been shared by ‘superUser’ (typically administrators).
Retrieving data from secured RDF Graph
As all data in the RDF graph is classified into three categories, viz. private, shared and public, a query run on the graph by a user should return the public, private and shared data of that user. Therefore every query run on RDF is subdivided into three parts:
A. Public - returns data that has explicit access to the user. Query:
SELECT ?s ?p ?o where {
  ?p ‘hasAccess’ <userURI>
  ?s ?p ?o
  <additional query filters>
}
B. Private - returns data that has implicit access to the user. Query:
SELECT ?s ?p ?o where {
  <userURI> ‘belongsTo’ ?role
  ?p ‘hasAccess’ ?role
  ?s ?p ?o
  <additional query filters>
}
C. Shared - returns data that was shared with this user by other users. Query:
SELECT ?s ?p ?o where {
  ?p ‘with’ <userURI>
  ?s ‘share’ ?p
  ?s ?p ?o
  <additional query filters>
}
The union of the above three is returned to the user as the result of the query.
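The three-part retrieval described above, as an added example that is not code from the original post: an in-memory filter that follows the ‘hasAccess’, ‘belongsTo’, ‘share’ and ‘with’ links used in the queries and returns the union. The role names Accountant and Admin, the data values, the Orphan node and the choice to hide the access-control links from results are assumptions made for this example.

```python
# Constructed sample graph of (subject, predicate, object) triples.
# Role names and data values are assumptions made for this example.
GRAPH = {
    ("RamPaySlip", "amount", "50000"),
    ("RamPaySlip", "hasAccess", "Ram"),       # explicit grant: node -> person
    ("Accounts", "balance", "1200000"),
    ("Accounts", "hasAccess", "Accountant"),  # implicit grant: node -> role
    ("Ram", "belongsTo", "Accountant"),
    ("UserData", "records", "42"),
    ("UserData", "hasAccess", "Admin"),
    ("Sham", "belongsTo", "Admin"),
    ("RamPaySlip", "share", "share1"),        # shared: node -> share node
    ("share1", "with", "Shyam"),
    ("Orphan", "note", "no access link"),     # no grant at all
}
# Access-control links themselves are never returned to ordinary users.
CONTROL = {"hasAccess", "belongsTo", "share", "with"}


def subjects(graph, predicate, obj):
    """All ?s matching the pattern (?s predicate obj)."""
    return {s for (s, p, o) in graph if p == predicate and o == obj}


def visible_nodes(graph, user):
    """Union of the three sub-queries: explicit, implicit (role), shared."""
    explicit = subjects(graph, "hasAccess", user)
    roles = {o for (s, p, o) in graph if s == user and p == "belongsTo"}
    implicit = set()
    for role in roles:
        implicit |= subjects(graph, "hasAccess", role)
    shared = set()
    for share_node in subjects(graph, "with", user):
        shared |= subjects(graph, "share", share_node)
    return explicit | implicit | shared


def query(graph, user, predicate=None):
    """Data triples the user may see; default deny for unlinked nodes."""
    nodes = visible_nodes(graph, user)
    return sorted(
        t for t in graph
        if t[0] in nodes and t[1] not in CONTROL
        and predicate in (None, t[1])
    )


if __name__ == "__main__":
    for name in ("Ram", "Sham", "Shyam", "Mallory"):
        print(name, query(GRAPH, name))
```

A node with no access link, such as Orphan here, is returned to nobody, so a missing grant fails closed.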