@keywords a.

@prefix owl: <http://www.w3.org/2002/07/owl#> .
@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
# NOTE(review): the default namespace below is missing a slash after "http:"
# (http:/dig... instead of http://dig...). Left unchanged here because every
# term in this file — and presumably its companion files under approach1/ — is
# minted in this exact IRI; correct it in all of them together, not in one file.
@prefix : <http:/dig.csail.mit.edu/2007/rowlbac/approach1/rbac#> .

# role hierarchy: AllRole is the common superclass of Role (the roles a
# subject may hold) and ActiveRole (the per-role marker classes a subject is
# typed with while that role is active; see activeForm below).
Role rdfs:subClassOf AllRole.
ActiveRole rdfs:subClassOf AllRole.
AllRole a rdfs:Class.

# property to associate active role with role
# activeForm is one-to-one (functional + inverse functional): a Role has at most
# one ActiveRole form and an ActiveRole form belongs to at most one Role.
# The rules further down also use the ActiveRole value as a *class* of subjects
# (`?SUBJ a ?AROLE` in the activation rule), so the same IRI is both an
# individual of ActiveRole and a class (OWL punning) — OWL DL tooling may not
# accept this; the N3 rules here do not care.
activeForm a owl:FunctionalProperty, owl:InverseFunctionalProperty;
   rdfs:domain Role;
   rdfs:range ActiveRole.

# subjects/principals: the range of the `subject` property of an Action.
# Nothing in this file asserts that a principal named in an action is a
# Subject; membership is only inferred via rdfs:range if RDFS rules are loaded.
Subject a rdfs:Class.

# resources: the range of the `object` property of an Action.
# The role rules below put a Role in object position, so under rdfs:range
# entailment roles used that way are typed Object as well.
Object a rdfs:Class.

# SSOD (static separation of duty) is expressed by asserting owl:disjointWith between Role classes.
# DSOD (dynamic separation of duty) is expressed by asserting owl:disjointWith between their ActiveRole forms.
# The two rules below only derive conflict markers; they do not block the AssignRole/ActivateRole that caused the conflict.

# SSOD reasoning rule: a subject that is a member of two Role classes declared
# disjoint gets an SSODConflict marker. The marker is informational — nothing
# here retracts the membership or prohibits the assignment. owl:disjointWith is
# symmetric, so if both directions are asserted the rule fires twice with the
# two roles swapped. `subject` has rdfs:domain Action, so under RDFS entailment
# the marker node is also typed Action.
{ ?R1 owl:disjointWith ?R2.
  ?R1 rdfs:subClassOf Role.
  ?R2 rdfs:subClassOf Role.
  ?R1 activeForm ?AF1.
  ?SUBJ a ?R1.
  ?SUBJ a ?R2.
} => { [] a SSODConflict; subject ?SUBJ; role ?R1, ?R2 }.

# DSOD reasoning rule: a subject typed with two ActiveRole forms that are
# declared disjoint gets a DSODConflict marker. As with SSOD this is only a
# marker; it fires twice (roles swapped) when owl:disjointWith is asserted in
# both directions.
{ ?AR1 owl:disjointWith ?AR2.
  ?AR1 a ActiveRole.
  ?AR2 a ActiveRole.
  ?SUBJ a ?AR1.
  ?SUBJ a ?AR2.
} => { [] a DSODConflict; subject ?SUBJ; role ?AR1, ?AR2 }.

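# Violating a DSOD constraint is always prohibited: activating ?RNEW is
# prohibited when the subject is *currently active* in a role whose active form
# is disjoint with the active form of ?RNEW.
# Fix: the test is now `?S a ?ARCURRENT` (the active form). The previous
# `?S a ?RCURRENT` tested the base role, which made every DSOD pair behave as
# SSOD on activation: a subject merely assigned both roles could never activate
# either of them.
# NOTE: this rule only derives a prohibition. The activation rule further down
# still derives PermittedRoleActivation (and asserts the active membership) for
# the same action; a policy decision point must give the prohibition
# precedence, and must test for ProhibitedRoleActivation unless it is declared
# rdfs:subClassOf ProhibitedAction.
{ ?A a ActivateRole;
    subject ?S;
    object ?RNEW.
  ?RNEW activeForm ?ARNEW.
  ?RCURRENT activeForm ?ARCURRENT.
  ?S a ?ARCURRENT.
  ?ARNEW owl:disjointWith ?ARCURRENT.
} => { ?A a ProhibitedRoleActivation; subject ?S; object ?RNEW; role ?RCURRENT;
           justification "Action violates dynamic separation of duty constraint".}.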


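# action class, can be extended with additional properties such as kind of access (read/write/exec)
Action a rdfs:Class.

# subject and object are single-valued: one principal and one target per action.
# Fix: declared as rdf:Property (was rdfs:property, which is not a defined term).
subject a rdf:Property, owl:FunctionalProperty;
  rdfs:domain Action; 
  rdfs:range Subject.
# NOTE: the role rules below use `object` to point at a Role, so under RDFS
# range entailment a Role used that way is also typed Object.
object a rdf:Property, owl:FunctionalProperty;
  rdfs:domain Action;
  rdfs:range Object.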

# subclass of actions
# ActivateRole / DeactivateRole / AssignRole / RevokeRole each have a rule in
# this file. StartSession and EndSession are declared only; no rule in this
# file mentions them, so activations are not scoped to a session here.
ActivateRole rdfs:subClassOf Action.
DeactivateRole rdfs:subClassOf Action.
AssignRole rdfs:subClassOf Action.
RevokeRole rdfs:subClassOf Action.
StartSession rdfs:subClassOf Action.
EndSession rdfs:subClassOf Action.

# class of permitted and prohibited actions
# PermittedAction and ProhibitedAction are NOT declared disjoint, and the rules
# below can derive both for the same action node (e.g. a role activation that
# is both PermittedRoleActivation and ProhibitedRoleActivation). Consumers must
# decide precedence themselves; prohibition-wins is the safe reading.
DeonticAction rdfs:subClassOf Action.
PermittedAction rdfs:subClassOf DeonticAction.
ProhibitedAction rdfs:subClassOf DeonticAction.

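# to store justification information: either a literal explanation or the
# permitted/prohibited subclass that caused the classification (see the
# generic rules below, which put the class in object position).
# Fix: declared as rdf:Property (was rdfs:Property, which is not a defined term).
justification a rdf:Property;
  rdfs:domain Action.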

# simple rules to test permitted/prohibited actions
# based on small subset of expected restrictions
@forAll SUPER, ACTION, RESTRICTION, PROPERTY, VALUE, ACTION1.

# A named subclass of PermittedAction defined as the intersection of an action
# class and the restriction "PROPERTY only VALUE" classifies an instance of that
# action class as permitted when one of its PROPERTY values is typed VALUE.
# NOTE: this is an existential test, not the universal one owl:allValuesFrom
# denotes; it is only sound for single-valued (functional) properties such as
# subject/object. A multi-valued property with one in-range and one out-of-range
# value would still be classified as permitted.
# NOTE(review): the antecedent requires the intersected class to be an
# *instance* of Action; the action classes declared in this file are only
# rdfs:subClassOf Action, so confirm against the policy files that this premise
# can be satisfied.
{ ?SUPER rdfs:subClassOf PermittedAction.
  ?SUPER owl:equivalentClass ?EQ.
  ?EQ owl:intersectionOf ( ?ACTION ?RESTRICTION ).
  ?ACTION a Action.
  ?RESTRICTION a owl:Restriction.
  ?RESTRICTION owl:onProperty ?PROPERTY.
  ?RESTRICTION owl:allValuesFrom ?VALUE.
  ?ACTION1 a ?ACTION.
  ?ACTION1 ?PROPERTY ?V.
  ?V a ?VALUE.
} => { ?ACTION1 a PermittedAction; justification ?SUPER }.

# Same as the rule above for the restriction "PROPERTY value VALUE": an
# instance of the intersected action class whose PROPERTY is exactly VALUE is
# classified PermittedAction, with the defining subclass as justification.
# NOTE(review): `?ACTION a Action` must hold for the intersected class; the
# action classes in this file are declared rdfs:subClassOf Action only.
{ ?SUPER rdfs:subClassOf PermittedAction.
  ?SUPER owl:equivalentClass ?EQ.
  ?EQ owl:intersectionOf ( ?ACTION ?RESTRICTION ).
  ?ACTION a Action.
  ?RESTRICTION a owl:Restriction.
  ?RESTRICTION owl:onProperty ?PROPERTY.
  ?RESTRICTION owl:hasValue ?VALUE.
  ?ACTION1 a ?ACTION.
  ?ACTION1 ?PROPERTY ?VALUE.
} => { ?ACTION1 a PermittedAction; justification ?SUPER }.


# Prohibited counterpart of the allValuesFrom rule: an instance of the
# intersected action class with some PROPERTY value typed VALUE is classified
# ProhibitedAction. Existential, not universal — sound only for single-valued
# properties (see the permitted variant above).
# NOTE(review): `?ACTION a Action` must hold for the intersected class; the
# action classes in this file are declared rdfs:subClassOf Action only.
{ ?SUPER rdfs:subClassOf ProhibitedAction.
  ?SUPER owl:equivalentClass ?EQ.
  ?EQ owl:intersectionOf ( ?ACTION ?RESTRICTION ).
  ?ACTION a Action.
  ?RESTRICTION a owl:Restriction.
  ?RESTRICTION owl:onProperty ?PROPERTY.
  ?RESTRICTION owl:allValuesFrom ?VALUE.
  ?ACTION1 a ?ACTION.
  ?ACTION1 ?PROPERTY ?V.
  ?V a ?VALUE.
} => { ?ACTION1 a ProhibitedAction; justification ?SUPER }.

# Prohibited counterpart of the hasValue rule: an instance of the intersected
# action class whose PROPERTY is exactly VALUE is classified ProhibitedAction.
# NOTE(review): `?ACTION a Action` must hold for the intersected class; the
# action classes in this file are declared rdfs:subClassOf Action only.
{ ?SUPER rdfs:subClassOf ProhibitedAction.
  ?SUPER owl:equivalentClass ?EQ.
  ?EQ owl:intersectionOf ( ?ACTION ?RESTRICTION ).
  ?ACTION a Action.
  ?RESTRICTION a owl:Restriction.
  ?RESTRICTION owl:onProperty ?PROPERTY.
  ?RESTRICTION owl:hasValue ?VALUE.
  ?ACTION1 a ?ACTION.
  ?ACTION1 ?PROPERTY ?VALUE.
} => { ?ACTION1 a ProhibitedAction; justification ?SUPER }.



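# subclass of permitted actions that deals with role assignments
PermittedRoleAssignment rdfs:subClassOf PermittedAction.

# subclass of permitted action that deals with role activations / deactivations
PermittedRoleActivation rdfs:subClassOf PermittedAction.
PermittedRoleDeactivation rdfs:subClassOf PermittedAction.

# Fix: PermittedRoleRevocation and ProhibitedRoleActivation are concluded by the
# revocation and DSOD rules below but were never tied into the DeonticAction
# hierarchy, so a decision point testing only for PermittedAction /
# ProhibitedAction silently missed every DSOD prohibition. Declare them here.
PermittedRoleRevocation rdfs:subClassOf PermittedAction.
ProhibitedRoleActivation rdfs:subClassOf ProhibitedAction.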

# Role activation rule: a subject may activate a role it holds; the conclusion
# both classifies the action as permitted and types the subject with the
# role's ActiveRole form (that typing is what the DSOD rules test).
# NOTE: the antecedent does not consult the DSOD prohibition rules, so the
# same action can be derived PermittedRoleActivation and
# ProhibitedRoleActivation at once, and the active membership is asserted
# either way — a decision point must treat the prohibition as overriding.
# NOTE: N3 inference is monotonic: the membership is part of the closure
# regardless of the order the actions are listed in, and nothing here ties it
# to a session.
{ ?ACT a ActivateRole.
  ?ACT subject ?WHO.
  ?ACT object ?R.
  ?R activeForm ?AR.
  ?AR a ActiveRole.
  ?WHO a ?R.
} => { ?ACT a PermittedRoleActivation; subject ?WHO; object ?R.
       ?WHO a ?AR }.

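# if there is a DSOD then you are prohibited from activating the role:
# the subject must actually be active in a role disjoint with the one requested.
# Fix: the antecedent now requires `SUBJ a ROLE2`. Without it the rule
# prohibited activation of any role that merely participates in some DSOD
# constraint, for every subject, which made DSOD roles unusable.
# NOTE: here the object of ActivateRole is matched as the ActiveRole form itself
# (ROLE1 a ActiveRole), whereas the activation rule above matches the object as
# the base Role and follows activeForm — confirm which convention the policy
# files use, otherwise one of the two rules never fires.
@forAll ACTION, SUBJ, ROLE1, ROLE2.
{ ACTION a ActivateRole;
       subject SUBJ;
       object ROLE1.
  ROLE1 a ActiveRole.
  ROLE1 owl:disjointWith ROLE2.
  SUBJ a ROLE2.
} => { ACTION a ProhibitedRoleActivation; 
             subject SUBJ; role ROLE1, ROLE2;
             justification "Action violates dynamic separation of duty constraint" }.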


# Role deactivation rule: a subject may deactivate a role it holds and is
# currently active in (typed with the role's ActiveRole form).
# NOTE: the conclusion `SUBJ nota AROLE` uses a property that is not declared
# anywhere in this file; N3 inference is monotonic, so it does not retract
# `SUBJ a AROLE`. Treat it as a request the consuming system applies outside
# the reasoner, not as a state change visible to the other rules.
{ ?ACT a DeactivateRole.
  ?ACT subject ?WHO.
  ?ACT object ?R.
  ?R activeForm ?AR.
  ?AR a ActiveRole.
  ?WHO a ?R.
  ?WHO a ?AR.
} => { ?ACT a PermittedRoleDeactivation; subject ?WHO; object ?R.
       ?WHO nota ?AR }.

# Role assignment rule: a subject may assign a role it holds to another
# principal, and the conclusion asserts the new membership.
# NOTE: the only check is that the assigner holds the role. The target `TO` is
# unconstrained (not even required to be a Subject), there is no separate
# administrative permission, and SSOD is not consulted before `TO a ROLE` is
# asserted — a conflicting assignment is still permitted and only surfaces
# later as an SSODConflict marker. Any holder can thus propagate a role to
# anyone; tighten this before using it as a decision point.
{ ?ACT a AssignRole.
  ?ACT subject ?WHO.
  ?ACT object ?R.
  ?ACT to ?TARGET.
  ?WHO a ?R.
} => { ?ACT a PermittedRoleAssignment; subject ?WHO; object ?R.
       ?TARGET a ?R }.

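# Role revoking rule: a subject may revoke a role from a principal if a
# permitted assignment of that role to that principal by the same subject exists.
# Fix: the assignment rule types the AssignRole action node itself as
# PermittedRoleAssignment (with subject/object/to on that node); it never
# creates a separate node with an `action` link. The old antecedent
# `[] a PermittedRoleAssignment; action [ ... ]` therefore matched nothing and
# no revocation could ever be permitted. The consequent keeps the original
# `[] ... action ACTION` shape for existing consumers and additionally types
# the action node, consistent with the other rules in this file.
# NOTE: `nota` is undeclared and N3 is monotonic, so `TO nota ROLE` does not
# retract `TO a ROLE`; the consumer must apply the revocation.
@forAll ACTION, SUBJ, ROLE, TO.
{ ACTION a RevokeRole;
       subject SUBJ;
       object ROLE;
       to TO.
  [] a PermittedRoleAssignment; subject SUBJ; object ROLE; to TO.
} => { ACTION a PermittedRoleRevocation; subject SUBJ; object ROLE; to TO.
       [] a PermittedRoleRevocation; action ACTION.
       TO nota ROLE }.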

#ends

