Social applications are one of the fastest growing areas in the Web. However, privacy issues ensue if all information of all users of these applica- tions is stored on a single computer system. With small extensions to Semantic Web technologies and Linked Data concepts, a distributed approach to the social web is possible, where users retain fine-grained control over their data and are still able to combine their data with users on different systems. We describe our concept of a Policy-enabled Linked Data Server (PeLDS) obeying user-defined access policies for the stored information. PeLDS also supports configuration- free distributed authentication. Access policies are expressed in a newly devel- oped compact notation for the Semantic Web Rule Language. Authentication is performed using SSL certificates and the FOAF+SSL verification approach. We evaluate our concept using a prototype implementation and a distributed address book application.

1. SWRL-Based Access
Policies for Linked Data
Hannes Mühleisen, Martin Kost and Johann-Christoph Freytag
Databases and Information Systems
Department of Computer Science
Humboldt-Universität zu Berlin

2. “Social Web”
What about the system operator?
2

3. Overview
1. Linked Data principles (short)
2. Access policies / data classification
3. “Policy enabled Linked Data Server” concept
4. PeLDS implementation and evaluation
3

4. Linked Data: URLs as identifiers / dereferencing
ex:spouse
http://
example.com/bob http://
example.com/alice
ex:name ex:phone
HTTP Req.
“Bob Ross” “+4930123456”
http://example.com/bob
“42° 21′ 32″ N “Alice Ross”
71° 5′ 34″ W”
Legende ex:pos ex:name
Resource
http://
asdf Property example.com/alice
“a” Literal
Graph http://example.com/alice
4

5. Access Policies
• Set of rules, its evaluation determines whether
a user can access certain information
• Different types: DAC, MAC, RbAC
• Generic system should support many types
• Data classification required
• Linked Data: classify protected parts of a graph
• Different levels of classification conceivable:
syntax, model, concepts
5

6. Model-based Classification
• Data classification on a structure-preserving
decomposition of the graph (set of triples)
• Resource, property and value of triples can be
specified, wildcards select unknown entries.
• Example:
http://
ex:name
“Bob Ross”
example.com/bob
Resource == http://example.com/bob
Property == ex:name
Value == *
6

7. Concept-based Classification
• Data classification on a structure of concepts
and properties
• Resources and their properties can be
classified using their affiliation with a concept
• Example: http://
ex:name
“Bob Ross”
example.com/bob
rdf:type http://
example.com/
per#Person
Concept == http://example.com/per#Person
7

8. Concept
Policy enabled Linked Data Server
• Policy language PsSF
• Policy evaluation algorithms
• Data and policy management operations
• Secure authentication
8

9. Policy Language PsSF
• Description Logic (DL) expressions based
on the Semantic Web Rule Language
(SWRL)
• Prolog-style syntax for concise notation
• Additional predicates for model- and
concept-based data classification:
• permit_triple(...), permit_instance(...)
9

10. PsSF Policy Language: Example
BobPosRule:
QueryAction(?action) &&
actor(?action, http://example.com/bob)
=>
permit_triple(http://example.com/alice,ex:pos,*);
“42° 21′ 32″ N “Alice Ross”
71° 5′ 34″ W”
ex:pos ex:name
http://
example.com/alice
10

11. Policy evaluation - Query
• For each rule contained in the policy, check
whether their preconditions are met
• Approve graph elements classified by
matching rules by adding them to a
temporary RDF graph for the current user
only containing authorized graph elements
• Evaluate queries or dereferencing requests
exclusively on those temporary graphs
11

12. sp
sp A
H * ✔
H wp nm
ps
Z
* * ✔
W
nm Rule 1
“Bob” Access Policy
Step 1
Secured Graph
sp A
H
nm
nm
H * ? “Bob”
Query Temporary Graph
Step 2
nm
R1 “Bob”
12
Query Result

13. Required Operations
• Definition & modification of access policies
• Publication & modification of RDF graphs
• Querying RDF graphs
• URL dereferencing
13

14. Authentication
• Username/password-combinations are
unpractical for Linked Data
• Central authority would violate the
decentralization principle inherent in the
WWW
• FOAF+SSL enables password-free
authentication based on SSL certificates
14

15. PeLDS Implementation
• Linked-Data-Server with HTTP API
• Supports PsSF policy language
• FOAF+SSL for user authentication
• Demo: Distributed Address Book
15

16. Demo Application: Distributed Address Book
Bob’s View
Alice’s View
16

17. PeLDS prototype - Performance
50
PeLDS R! = 0,9943
Joseki / TDB
Joseki / TDB / Pellet
37,5
Processing time (s)
25
R! = 0,9959
12,5
450 1462,5 2475 3487,5 4500
Triple count
17

18. Conclusion
• Access policies and comprehensive data
classifications are possible for Linked Data
• PeLDS enables distributed applications with
support for access policies
• PeLDS-Implementation is available as open
source software from www.pelds.org
18