Social applications are one of the fastest growing areas in the Web. However, privacy issues ensue if all information of all users of these applications is stored on a single computer system. With small extensions to Semantic Web technologies and Linked Data concepts, a distributed approach to the social web is possible, where users retain fine-grained control over their data and are still able to combine their data with users on different systems. We describe our concept of a Policy-enabled Linked Data Server (PeLDS) obeying user-defined access policies for the stored information. PeLDS also supports configuration-free distributed authentication. Access policies are expressed in a newly developed compact notation for the Semantic Web Rule Language. Authentication is performed using SSL certificates and the FOAF+SSL verification approach. We evaluate our concept using a prototype implementation and a distributed address book application.
SWRL-based Access Policies for Linked Data
1. SWRL-Based Access Policies for Linked Data
Hannes Mühleisen, Martin Kost and Johann-Christoph Freytag
Databases and Information Systems
Department of Computer Science
Humboldt-Universität zu Berlin
5. Access Policies
• Set of rules; its evaluation determines whether a user can access certain information
• Different types: DAC, MAC, RbAC (discretionary, mandatory and role-based access control)
• A generic system should support many types
• Data classification required
• Linked Data: classify protected parts of a graph
• Different levels of classification conceivable: syntax, model, concepts
6. Model-based Classification
• Data classification on a structure-preserving decomposition of the graph (set of triples)
• Resource, property and value of triples can be specified; wildcards select unknown entries
• Example (diagram): the triple http://example.com/bob ex:name "Bob Ross" is classified by
  Resource == http://example.com/bob
  Property == ex:name
  Value == *
7. Concept-based Classification
• Data classification on a structure of concepts and properties
• Resources and their properties can be classified using their affiliation with a concept
• Example (diagram): http://example.com/bob ex:name "Bob Ross" and http://example.com/bob rdf:type http://example.com/per#Person; the resource is classified by
  Concept == http://example.com/per#Person
8. Concept: Policy-enabled Linked Data Server (PeLDS)
• Policy language PsSF
• Policy evaluation algorithms
• Data and policy management operations
• Secure authentication
9. Policy Language PsSF
• Description Logic (DL) expressions based on the Semantic Web Rule Language (SWRL)
• Prolog-style syntax for concise notation
• Additional predicates for model- and concept-based data classification: permit_triple(...), permit_instance(...)
11. Policy evaluation - Query
• For each rule contained in the policy, check whether its preconditions are met
• Approve the graph elements classified by matching rules by adding them to a temporary RDF graph for the current user; that graph contains only authorized graph elements
• Evaluate queries or dereferencing requests exclusively on those temporary graphs
12. [Diagram: policy evaluation example; only the labels survived extraction]
• Step 1: Rule 1 of the Access Policy is applied to the Secured Graph, yielding a Temporary Graph that holds only the authorized elements (the nm "Bob" triple is marked ✔)
• Step 2: the Query (pattern H nm ?) is evaluated against the Temporary Graph
• Query Result: R1 = "Bob"
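The two-step evaluation of slides 11 and 12, together with the model-based (slide 6) and concept-based (slide 7) classifications and the permit_triple / permit_instance predicates of slide 9, as one runnable illustration. This is added example code, not PeLDS code: the rule encoding (Python tuples and callables) is my own stand-in for the PsSF notation, which the slides do not show, and the graph, policy and user identifiers are constructed sample data.

```python
"""Toy policy evaluation over an RDF graph (added illustration, not PeLDS code).

The rule encoding below is a stand-in for PsSF; the graph and users are
constructed sample data.
"""
from __future__ import annotations
from typing import Callable, Iterable, List, Optional, Set, Tuple

Triple = Tuple[str, str, str]
WILDCARD = "*"
RDF_TYPE = "rdf:type"
PERSON = "http://example.com/per#Person"
BOB = "http://example.com/bob"
ALICE = "http://example.com/alice"

# Constructed secured graph: two Persons and one Company.
SECURED_GRAPH: Set[Triple] = {
    (BOB, RDF_TYPE, PERSON),
    (BOB, "ex:name", "Bob Ross"),
    (BOB, "ex:phone", "+1-555-0100"),
    (BOB, "ex:knows", ALICE),
    (ALICE, RDF_TYPE, PERSON),
    (ALICE, "ex:name", "Alice"),
    (ALICE, "ex:phone", "+1-555-0199"),
    ("http://example.com/acme", RDF_TYPE, "http://example.com/org#Company"),
    ("http://example.com/acme", "ex:name", "ACME Inc."),
}


def match_triple(pattern: Triple, triple: Triple) -> bool:
    """Model-based classification: each position matches literally or via '*'."""
    return all(p == WILDCARD or p == t for p, t in zip(pattern, triple))


def permit_triple(graph: Iterable[Triple], pattern: Triple) -> Set[Triple]:
    """Select every triple matching a (resource, property, value) pattern."""
    return {t for t in graph if match_triple(pattern, t)}


def permit_instance(graph: Iterable[Triple], concept: str,
                    properties: Optional[Set[str]] = None) -> Set[Triple]:
    """Concept-based classification: triples whose subject is an instance of
    `concept`, optionally restricted to the given properties."""
    graph = set(graph)
    instances = {s for s, p, o in graph if p == RDF_TYPE and o == concept}
    return {t for t in graph
            if t[0] in instances and (properties is None or t[1] in properties)}


# A rule is (precondition on the requesting user, classification to permit).
Rule = Tuple[Callable[[str], bool], tuple]


def is_contact_of_bob(user: str) -> bool:
    return (BOB, "ex:knows", user) in SECURED_GRAPH


POLICY: List[Rule] = [
    # Rule 1: everyone may read the names of Persons (not of Companies).
    (lambda user: True, ("instance", PERSON, {"ex:name"})),
    # Rule 2: people Bob knows may read Bob's phone number.
    (is_contact_of_bob, ("triple", (BOB, "ex:phone", WILDCARD))),
    # Rule 3: Bob himself may read the whole graph.
    (lambda user: user == BOB, ("triple", (WILDCARD, WILDCARD, WILDCARD))),
]


def build_temporary_graph(graph: Set[Triple], policy: List[Rule], user: str) -> Set[Triple]:
    """Step 1: for each rule whose precondition holds for `user`, add the
    graph elements it classifies to the user's temporary graph."""
    temp: Set[Triple] = set()
    for precondition, classification in policy:
        if not precondition(user):
            continue
        if classification[0] == "triple":
            temp |= permit_triple(graph, classification[1])
        elif classification[0] == "instance":
            temp |= permit_instance(graph, classification[1], classification[2])
    return temp


def query(user: str, pattern: Triple) -> List[Triple]:
    """Step 2: evaluate a query pattern only against the user's temporary
    graph, so unauthorized triples are never visible to the query engine."""
    temp = build_temporary_graph(SECURED_GRAPH, POLICY, user)
    return sorted(t for t in temp if match_triple(pattern, t))


if __name__ == "__main__":
    for who in ("http://example.com/anon", ALICE, BOB):
        print(who, query(who, (WILDCARD, "ex:phone", WILDCARD)))
```

The design point is that the query engine never touches the secured graph directly: an anonymous user's query for phone numbers returns nothing, Alice (whom Bob knows) sees only Bob's number, and Bob sees all nine triples. Because the temporary graph is rebuilt per user and per request, a rule that does not fire cannot leak anything through the query path.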
14. Authentication
• Username/password combinations are impractical for Linked Data
• A central authority would violate the decentralization principle inherent in the WWW
• FOAF+SSL enables password-free authentication based on SSL certificates
18. Conclusion
• Access policies and comprehensive data classifications are possible for Linked Data
• PeLDS enables distributed applications with support for access policies
• The PeLDS implementation is available as open source software from www.pelds.org