# These assertions and rules are for the approach that represents
# roles not as classes but as property values.

# Only `a` is a keyword; every other bare word in this file (Role, Subject,
# role, permitted, ...) is read as a local name in the default namespace.
@keywords a.

@prefix owl: <http://www.w3.org/2002/07/owl#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
# NOTE(review): the default namespace IRI has a single slash after "http:"
# (`http:/dig...`), so it is not the `http://dig.csail.mit.edu/...` form the
# host name suggests. Every term in this file is minted under this exact IRI;
# confirm whether sibling files share the same spelling before changing it.
@prefix : <http:/dig.csail.mit.edu/2007/rowlbac/approach2/rbac#> .

# Roles are instances of Role rather than classes of their own (see the
# header comment); subjects/principals are instances of Subject.
:Role a rdfs:Class .
:Subject a rdfs:Class .

# Permissions and prohibitions attach to roles, not to subjects: a role is
# permitted (or prohibited) an Action (Action is declared further down).
# Nothing in this file ranks the two; the permission-checking rules at the
# end can classify one action as both permitted and prohibited.
:permitted a rdfs:Property ;
  rdfs:domain :Role ;
  rdfs:range :Action .

:prohibited a rdfs:Property ;
  rdfs:domain :Role ;
  rdfs:range :Action .

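# A justification is a comment explaining an inference. justification is a
# property, so it refines rdfs:comment via rdfs:subPropertyOf (the same
# construct this file uses for activeRole). The previous rdfs:subclassOf
# related two properties as if they were classes and is not RDFS vocabulary.
justification a rdfs:Property;
  rdfs:subPropertyOf rdfs:comment.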

# A subject may hold any number of roles; activeRole is the subset it has
# activated. activeRole is a sub-property of role, so every active role is
# also entailed as a held role. No declaration here ever removes an
# activeRole triple once it exists.
:role a rdfs:Property ;
  rdfs:domain :Subject ;
  rdfs:range :Role .

:activeRole a rdfs:Property ;
  rdfs:subPropertyOf :role .


# Roles form a lattice via subRole, which is transitive. The inheritance
# rules below propagate role and activeRole from ?R to ?R2 along subRole;
# which end is the senior role is not stated in this file.
:subRole a owl:TransitiveProperty ;
  rdfs:domain :Role ;
  rdfs:range :Role .

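# ssod holds between two roles that belong to a static separation of duty
# constraint; dsod likewise for a dynamic separation of duty constraint.
# Both are symmetric (OWL vocabulary is case-sensitive: the class is
# owl:SymmetricProperty, not owl:symmetricProperty, so the symmetry was not
# recognised by an OWL-aware reasoner before) but deliberately NOT
# transitive: a conflict between A and B and between B and C does not make
# A and C conflict, and symmetric + transitive together entail `R ssod R`
# for every constrained role, which makes the SSOD/DSOD rules below match
# with ?ROLE1 = ?ROLE2 and flag every holder of a single constrained role.
ssod a owl:SymmetricProperty;
  rdfs:domain Role;
  rdfs:range Role.

dsod a owl:SymmetricProperty;
  rdfs:domain Role;
  rdfs:range Role.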

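# Action class. Each action names its subject (the acting principal) and its
# object; both are functional, so an OWL reasoner would equate two distinct
# values of either property on one action.
# The lowercase `rdfs:property` used here before did not match the
# `rdfs:Property` spelling of the file's other property declarations.
# NOTE(review): rdfs:Property is used throughout this file; the standard
# class for properties is rdf:Property (no rdf: prefix is declared here).
Action a rdfs:Class.
subject a rdfs:Property, owl:FunctionalProperty;
  rdfs:domain Action.
object a rdfs:Property, owl:FunctionalProperty;
  rdfs:domain Action.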

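# subclasses of Action. DeactivateRole and PermittedRoleDeactivation are
# referenced by the role-deactivation rule below and are declared here
# alongside their activation counterparts so both pairs are typed alike.
# NOTE(review): SSODConflict and DSODConflict, used by the SOD rules below,
# have no declaration in this file.
ActivateRole rdfs:subClassOf Action.
DeactivateRole rdfs:subClassOf Action.

PermittedAction rdfs:subClassOf Action.
ProhibitedAction rdfs:subClassOf Action.
PermittedRoleActivation rdfs:subClassOf PermittedAction.
ProhibitedRoleActivation rdfs:subClassOf ProhibitedAction.
PermittedRoleDeactivation rdfs:subClassOf PermittedAction.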

# role inheritance: a held role carries every role reachable from it
# through subRole.
{ ?who role ?held .
  ?held subRole ?inherited .
} => { ?who role ?inherited . } .

# activeRole inheritance: activating a role also activates every role
# reachable from it through subRole.
{ ?who activeRole ?held .
  ?held subRole ?inherited .
} => { ?who activeRole ?inherited . } .


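# role activation: an ActivateRole action whose object is one of the
# subject's assigned roles is permitted, and the role becomes active.
# The permitted-action record names the subject via `subject`; the previous
# `object ?S; object ?R` gave the action two objects, which contradicts
# object being functional and lost the subject.
# NOTE(review): the activation is asserted unconditionally here. The DSOD
# rule below derives a ProhibitedRoleActivation for the same action, but
# nothing stops `?S activeRole ?R` from being entailed as well.
{ ?A a ActivateRole;
     subject ?S;
     object ?R.
  ?S role ?R.
} => { ?A a PermittedRoleActivation; subject ?S; object ?R;
          justification "Is one of subjects possible roles".
       ?S activeRole ?R }.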

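# role deactivation: a DeactivateRole action on one of the subject's
# currently active roles is permitted. As in the activation rule, the
# record names the subject via `subject` rather than a second `object`.
# NOTE(review): `notActiveRole` is not declared in this file and no rule
# reads it. The `?S activeRole ?R` triple matched here is never retracted
# (rules only add triples), so a deactivated role still satisfies the DSOD
# and permission-checking rules below; confirm how consumers treat
# notActiveRole before relying on deactivation for enforcement.
{ ?A a DeactivateRole;
     subject ?S;
     object ?R.
  ?S activeRole ?R.
} => { ?A a PermittedRoleDeactivation; subject ?S; object ?R;
          justification "Is one of subjects active roles".
       ?S notActiveRole ?R }.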

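# Violating a DSOD constraint is always prohibited: activating a role that
# is dynamically separated from a role the subject already has active.
# Written with ?-variables like every other rule in this file; the
# document-level @forAll it replaces is equivalent for a top-level rule.
# NOTE(review): `role` is declared with domain Subject, so attaching
# `role ?RNEW` to the action ?A lets an RDFS reasoner type ?A as a Subject;
# the permission-checking rules below use the same shape.
{ ?A a ActivateRole;
     subject ?S;
     object ?RNEW.
  ?S activeRole ?RCURRENT.
  ?RNEW dsod ?RCURRENT.
} => { ?A a ProhibitedRoleActivation; subject ?S; role ?RNEW; role ?RCURRENT;
           justification "Action violates dynamic separation of duty constraint".}.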

# SSOD reasoning rule: a subject assigned two roles that are statically
# separated is a conflict. Because ssod is symmetric the pattern matches
# both orders, so one pair likely yields two conflict nodes. The rule does
# not exclude ?first = ?second, so an `r ssod r` triple in the data would
# flag every holder of r.
{ ?who role ?first, ?second .
  ?first ssod ?second .
} => { [] a SSODConflict ; subject ?who ; ssod-role ?first ; ssod-role ?second } .

# DSOD reasoning rule: a subject with two dynamically separated roles active
# at once is a conflict. Like the SSOD rule it matches both orders of a
# symmetric pair and does not exclude ?first = ?second.
{ ?who activeRole ?first, ?second .
  ?first dsod ?second .
} => { [] a DSODConflict ; subject ?who ; dsod-role ?first ; dsod-role ?second } .

# permission checking: an action whose kind is permitted to one of the
# subject's ACTIVE roles (assigned-but-inactive roles do not count) is a
# PermittedAction. The kind ?kind is both the class of ?act and itself an
# instance of Action, which is how this file models action types.
{ ?act a ?kind ; subject ?who .
  ?kind a Action .
  ?grantor permitted ?kind .
  ?who activeRole ?grantor .
} => { ?act a PermittedAction ; role ?grantor ; action ?kind ; subject ?who } .

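# prohibition checking: an action whose kind is prohibited to one of the
# subject's active roles is a ProhibitedAction. The class name must match
# the one declared above; the previous spelling `ProhbitedAction` was an
# undeclared class, so prohibited actions were never typed as
# ProhibitedAction and a consumer checking that class would not see them.
{ ?A a ?RACTION; subject ?S.
  ?RACTION a Action.
  ?ROLE prohibited ?RACTION.
  ?S activeRole ?ROLE.
} => { ?A a ProhibitedAction; role ?ROLE; action ?RACTION; subject ?S }.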

#ends


