Promoting Interoperability between Heterogeneous Policy Domains

Daniel Weitzner
*Lalana Kagal
Tim Berners-Lee
Dan Connolly

Decentralized Information Group
MIT Computer Science and Artificial Intelligence Laboratory

Overview

Rein Framework
Reasoning Rein policy networks
Example: Policy Aware Access Control

What is Rein ?

A Web-based framework for policy specification and reasoning
Grounded in Semantic Web technologies
Allows policies, meta-policies, and policy languages to be combined, extended, and handled in the same manner as are any Web resources
Does not propose a policy language
Supports a family of policy languages and domain knowledge grounded in RDFS and OWL
Policies and meta policies can be in RDFS, OWL, and supported rule languages
Domain knowledge can be in RDFS, and OWL

Rein terminology

Policy language : A set of terms that can be used to define policies with respect to a certain domain or context
- Permitted to / prohibited from viewing photographs
- Can/cannot print documents
Policy : Resource-specific declarative rules over a policy language
- Photographs of a girl scout troop
- Printing pdfs on the xerox printer in 32G
Meta policy : Additional rules associated with a policy language that help intrepet policies (optional)
- Default rules : If no prohibition can be inferred, then permit the photo to be viewed
- Conflict resolution rules : If the printing is both prohibited and permitted, then the prohibition overrides

Rein in a Nutshell

Ontologies

Are used for describing different kinds of policy domains in a distributed manner
Include a request mechanism for encapsulating client requests for policy controlled resources

Reasoning Engine

Accepts requests
Reasons over policy domain with respect to requested resource
Decides whether or not a request is valid

Rein ontologies

Policy Network Ontology

policy : property of a resource
policy-language : property of a policy
meta-policy : property of a policy language

Request Ontology

resource : resource being requested
access : policy language specific term
requester : credentials of the requester
ans : whether the Request is valid or not

Rein Policy Networks

Resources, policies, policy languages, and meta-policies, and their relationships together form Rein policy networks
Rein allows these entities to be located on local or remote Web servers
Rein network ontology is used to describe the relationships between these entities
All entities are self describing except the resource
Relationship between resource and its policies is given to the web server by the resource owner

Rein Engine

Accepts requests for resources
Requires association between the resource and its policies
Collects distributed but linked descriptions of the resource's policy network
Uses RDFS, OWL, and rule language reasoners to reason over these descriptions
It checks whether the inferences include a relationship between the resource property, the access property, and an instance that has the same subset of properties and credentials as those defined by the requester property in the request
- Finding relationships is possible because policy languages, which define these relationships, are restricted to RDF-S or OWL and the reasoning engine understands the semantics of RDF-S and OWL.
- Example relationships : REQUESTER has a property ACCESS with value RESOURCE, ACCESS has a property RESOURCE with value REQUESTER
If relationship is found, engine infers that the request is valid
The engine can also be run in a --why mode to generate a proof for why a certain Request is valid

Implementation Testbed

Rein Ontologies

Defined in RDFS

Supported rule language : N3Logic

Rule extension of N3
does not assume closed world semantics

Reasoning engine

Written in N3Logic and runs over cwm engine
Can be accessed via commandline or python API

N3Logic

It is a tool for the open Web environment (does not assume closed world semantics)
N3Logic allows rules to be integrated with RDF and provides functions that allow information from the Web to be accessed and reasoned over
Allows entities to be aware of provenance information
Monotonic - addition of new information cannot change the meaning of the original knowledge

Examples

Example 1

Joe believes 
      { mit:Peter a GraduateStudent }.

Example 2

  @forAll X.
  { X homePage H.
    H log:semantics S.
    S log:includes { X a Vegetarian }.
  }=> { X a Vegetarian}.

Policy Aware Web

Project by DIG (MIT) and MINDSWAP (UMCP) that uses Rein
Client-based and proof-based approach to controlling access to Web resources using domain specific policies

Photo Sharing Example

Flickr, Zoomr, etc

Owner can create groups and assign photo viewing permissions to them
Role based access control

Flickr + Rein

Owner of photos has more control over who can access her photos
Owner will associate declarative policies by informing the flickr+rein web server of the URIs of these policies
- All my images are controlled by PolicyA or all my images with tag "AAAI" are controlled by PolicyB

Girl scout troop use Flickr + Rein

Domain knowledge : troop ontology, photo ontology, foaf
Policy example : All current members who attended a Jamboree are permitted to view photos taken at that Jamboree

Example

Policy Language

Troop ontology

Example

Partial FOAF ontology

Example Request

Policy Example : RDFS

Access control list
Only authorization, assumes authentication is does elsewhere

<rdf:Description rdf:about="">
     <rein:policy-language rdf:resource="http://gscout.example.org/pol-lang.rdf"/>
</rdf:Description>

<pol:PermittedToView rdf:about="http://example.org/policy#BobPerm">
    <pol:picture rdf:resource="http://example.org/group.jpg"/>
    <pol:user rdf:parseType="Resource">
        <maker rdf:resource="http://example.org/bob-foaf.rdf"/>
    </pol:user>
</pol:PermittedToView>

<pol:PermittedToView rdf:about="http://example.org/policy#AlicePerm">
    <pol:picture rdf:resource="http://example.org/pic123.jpg"/>
    <pol:user rdf:parseType="Resource">
        <maker rdf:resource="http://example.org/foaf.rdf"/>
    </pol:user>
</pol:PermittedToView>

Policy Example : OWL

Grouping members and pictures into classes and using restrictions
Only authorization, assumes authentication is does elsewhere

<rdf:Description rdf:about="">
     <rein:policy-language rdf:resource="http://gscout.example.org/pol-lang.rdf"/>
</rdf:Description>
<owl:Class rdf:ID="ViewingMeetingPhotos">
  <rdfs:subClassOf rdf:resource="http://gscout.example.org/pol-lang#PermittedToView" />
  <rdfs:subClassOf>
    <owl:Restriction> 
      <owl:onProperty rdf:resource="http://gscout.example.org/pol-lang#picture"/>
      <owl:allValuesFrom 
         rdf:resource="http://gscout.example.org/troop42#JamboreePhoto" />
    </owl:Restriction> 
  </rdfs:subClassOf>
  <rdfs:subClassOf>
    <owl:Restriction>
      <owl:onProperty rdf:resource="http://gscout.example.org/pol-lang#user" />
      <owl:allValuesFrom 
          rdf:resource="http://gscout.example.org/troop42#JamboreeAttendee" />
    </owl:Restriction>
  </rdfs:subClassOf>
</owl:Class>

Policy Example : N3 Logic

Using declarative rules and domain knowledge
Can include authentication

<> rein:policy-language <http://gscout.example.org/pol-lang.rdf>

{ REQ a rein:Request.
  REQ rein:resource PHOTO.
  ?F a TroopStuff; log:includes
        { PHOTO a t:Photo; t:location LOC.
          LOC a t:Jamboree.
          LOC t:attendee [ is foaf:maker of PG ]. }.

  REQ rein:requester WHO.
  WHO session:secret ?S.
  ?S crypto:md5 TXT.

  PG log:semantics [ log:includes
        { PG foaf:maker [ session:hexdigest TXT ] }
    ].

} => { [ ] a pol:PermittedToView; pol:user WHO; pol:picture PHOTO }.

More Information

This presentation : http://dig.csail.mit.edu/2006/Talks/1017-w3c-rein/
Rein : http://dig.csail.mit.edu/2006/06/rein/
Policy Aware Web : http://policyawareweb.org

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 2.5 License.