# to run:  cwm http://dig.csail.mit.edu/2007/rowlbac/approach1/exdomain.n3 http://dig.csail.mit.edu/2007/rowlbac/approach1/rbac.n3 http://dig.csail.mit.edu/2007/rowlbac/rpo-rules.n3 --think --filter="http://dig.csail.mit.edu/2007/rowlbac/approach1/rbac.n3" 

# example domain
#
# An example RBAC domain written in N3: two role hierarchies (US persons and
# university members), one permission (voting), one static and one dynamic
# separation-of-duty constraint, and a few role activation/deactivation
# actions for the rules in rpo-rules.n3 to evaluate.  The rbac: vocabulary
# used here (Role, ActiveRole, activeForm, Action, PermittedAction,
# ActivateRole, DeactivateRole, subject, object) is defined in rbac.n3, which
# is not part of this file.  Everything in this file is plain RDF data; the
# reasoning happens in the rule file, so statement order carries no meaning.

@keywords a.

@prefix owl: <http://www.w3.org/2002/07/owl#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
# NOTE(review): both local prefixes below are spelled "http:/dig..." with a
# single slash, while the run command above uses "http://dig...".  If rbac.n3
# declares its namespace with the double slash, none of the rbac: terms in
# this file bind to that vocabulary and the access-control rules would
# silently never fire -- confirm the prefix against rbac.n3 before relying
# on the output.
@prefix rbac:  <http:/dig.csail.mit.edu/2007/rowlbac/approach1/rbac#> .
@prefix :  <http:/dig.csail.mit.edu/2007/rowlbac/approach1/exdomain#> .

# role descriptions 
# for each role, you need an active role which is
# associated using activeForm prop
#
# Pattern: every "possible" role X gets an ActiveX that is a subclass of both
# X and rbac:ActiveRole, linked from X via rbac:activeForm.  Because ActiveX
# is a subclass of X, anything holding a role in active form also holds the
# possible role; the converse (possible -> active) is what the activation
# actions further down are for.

USPerson rdfs:subClassOf rbac:Role.
ActiveUSPerson rdfs:subClassOf USPerson, rbac:ActiveRole.
USPerson rbac:activeForm ActiveUSPerson.

Citizen rdfs:subClassOf USPerson.
ActiveCitizen rdfs:subClassOf ActiveUSPerson, Citizen.
Citizen rbac:activeForm ActiveCitizen.

PermanentResident rdfs:subClassOf USPerson.
ActivePermanentResident rdfs:subClassOf ActiveUSPerson, PermanentResident.
PermanentResident rbac:activeForm ActivePermanentResident.

# static separation of duties
# you cannot be both a permanent resident and a citizen
#
# Disjointness is declared on the possible roles themselves, so an individual
# typed with both (Ted, below) makes the data inconsistent regardless of
# which roles are active.  How cwm surfaces that inconsistency is up to
# rpo-rules.n3 and is not visible from this file.
PermanentResident owl:disjointWith Citizen.

# Vote is declared as an individual of rbac:Action here, but is used as a
# class below (in PermittedVoteAction's intersection and as MaryVote's type).
# That is OWL-Full-style punning; presumably the rule file tolerates it --
# confirm.
Vote a rbac:Action.

# only citizens have the permission to vote
#
# PermittedVoteAction = Vote AND (all rbac:subject values are ActiveCitizen).
# NOTE(review): under standard OWL semantics owl:allValuesFrom holds
# vacuously, so a Vote with no rbac:subject at all would also be a
# PermittedVoteAction; requiring a subject would need a someValuesFrom or
# cardinality restriction on rbac:subject.  Whether rpo-rules.n3 implements
# allValuesFrom with that vacuous reading is not visible here.
PermittedVoteAction a rdfs:Class;
   rdfs:subClassOf rbac:PermittedAction;
   owl:equivalentClass [
      a owl:Class;
      owl:intersectionOf 
        (  Vote
             [ a owl:Restriction;
               owl:allValuesFrom ActiveCitizen;
               owl:onProperty rbac:subject
             ] 
         )
    ] .


# second domain
# Same possible/active pattern as above, for university roles.
UnivPerson rdfs:subClassOf rbac:Role.
ActiveUnivPerson rdfs:subClassOf rbac:ActiveRole, UnivPerson.
UnivPerson rbac:activeForm ActiveUnivPerson.

Faculty rdfs:subClassOf UnivPerson.
ActiveFaculty rdfs:subClassOf Faculty, ActiveUnivPerson.
Faculty rbac:activeForm ActiveFaculty.

Student rdfs:subClassOf UnivPerson.
ActiveStudent rdfs:subClassOf Student, ActiveUnivPerson.
Student rbac:activeForm ActiveStudent.

# dynamic separation of duties
# though you can be a student and a faculty, you cannot activate them in 
# the same session
#
# Unlike the SSOD constraint above, the disjointness is on the *active* forms
# only, so Mary (below) may legitimately hold both Faculty and Student; only
# having both active at once is inconsistent.
ActiveFaculty owl:disjointWith ActiveStudent.

# possible roles
Mary a Faculty, Student, Citizen.
Karen a Student, Citizen.
Ted a Faculty, PermanentResident, Citizen. # should be a violation of SSOD

# Session1 roles
# Mary a ActiveFaculty.
# Karen a ActiveStudent.

# to activate a Faculty role, Mary performs the following action
MaryFaculty a rbac:ActivateRole;
   rbac:subject Mary;
   rbac:object Faculty.

MaryCitizen a rbac:ActivateRole;
   rbac:subject Mary;
   rbac:object Citizen.

# can Mary vote ?
# Per PermittedVoteAction above, only if MaryVote's subject (Mary) ends up in
# ActiveCitizen, i.e. only if the MaryCitizen activation takes effect.
MaryVote a Vote; rbac:subject Mary.

# to activate a Student role, Karen performs the following action
KarenStudent a rbac:ActivateRole;
   rbac:subject Karen;
   rbac:object Student.

# NOTE(review): this reuses the node MaryFaculty from the activation above,
# so the same action is typed both rbac:ActivateRole and rbac:DeactivateRole.
# RDF has no statement order, so whether this counts as deactivating the
# role (which would make MaryStudent below legal) or as a contradiction
# depends entirely on rpo-rules.n3 -- a distinct node for the deactivation
# was probably intended.
MaryFaculty a rbac:DeactivateRole;
   rbac:subject Mary;
   rbac:object Faculty.

# Session2 roles
# Mary a ActiveFaculty, ActiveStudent. # should be a violation of DSOD
# Karen a ActivePermanentResident, ActiveFaculty. # not one of Karen's possible roles

# A DSOD violation only if ActiveFaculty is still held in the same session;
# see the note on the MaryFaculty deactivation above.
MaryStudent a rbac:ActivateRole; # violation of DSOD
   rbac:subject Mary;
   rbac:object Student.

# earlier encoding of the session actions, kept for reference (commented out).
# Note that if these were uncommented, the unprefixed ActivateRole / subject /
# object would resolve under @keywords to the default (exdomain) namespace,
# not to rbac:, and so would not be seen by the rules.
#MaryFaculty a ActivateRole;
#   subject Mary;
#   object Faculty.

#MaryStudent a ActivateRole;
#   subject Mary;
#   object Student.

#KarenFaculty a ActivateRole; # not one of Karen's possible roles
#   subject Karen;
#   object Faculty.

#KarenPermanentRes a ActivateRole; # not one of Karen's possible roles
#   subject Karen;
#   object PermanentResident.


#ends

