This document describes SHI3LD, a context-aware access control system for RDF graph stores. SHI3LD uses semantic web technologies and vocabularies to define access policies and user contexts. It evaluates policies against user contexts to determine which named graphs the user can access. This allows fine-grained, context-sensitive access control over RDF data. The system was evaluated using a SPARQL benchmark dataset, and response times increased only slightly as more user contexts and consumers were added. Future work may focus on improving context data trustworthiness and performing user-centered evaluations.
1. Context-Aware Access Control for RDF Graph Stores
[Figure: a SPARQL query, SELECT … WHERE {…}]
Luca Costabello, Serena Villata, Fabien Gandon
2. SPARQL
[Figure: timeline with ticks 2007, 2009, 2011]
T. Berners-Lee et al., On Integration Issues of Site-Specific APIs into the Web of Data, DERI Tech. Rep., 2009
3. Background and SHI3LD Key Features
Prior work: WAC [Berners-Lee], [Toninelli et al., ISWC-2006], [Abel et al., ISWC-2007], [Finin et al., SACMAT-2008], [Flouris et al., FIS-2010], [Sacco and Passant, LDOW-2011]
Semantic Web languages only > No new policy languages
Pluggable to any RDF store > SPARQL 1.1
Granularity from triples to whole graphs > Named Graphs [Carroll et al., WWW2005], RDF 1.1
Mobile context in the loop > Context Awareness [Schilit and Theimer, 94], [Dey, 01]
4. How it Works – Initial Setup
● Named Graph Partitioning
● Access Policy Definition (S4AC & PRISSMA vocabularies)
6. Example of Access Conditions
Each access condition is a SPARQL ASK query. In the conditions below, ?consumer stands for the requester and ?provider for the creator of the protected resource.

ASK { ?resource dcterms:creator ?provider .
      ?provider rel:hasFriend ?consumer . }
Are you a friend of the data provider?

ASK { ?resource dcterms:creator ?provider .
      ?provider rel:collaboratesWith ?consumer . }
Are you a collaborator of the data provider?

ASK { ?resource dcterms:creator ?provider .
      ?provider rel:hasParent ?consumer . }
Are you a parent of the data provider?

ASK { ?resource dcterms:creator ?provider .
      ?provider rel:hasColleague ?consumer . }
Are you a colleague of the data provider?
7. Example of Access Conditions
ASK { ?resource dcterms:creator ?provider .
      ?provider sioc:member_of ?group .
      ?consumer sioc:member_of ?group . }
Are you a member of the same group as the data provider?

ASK { ?consumer a foaf:Person .
      FILTER(?consumer = <http://example#John>) }
Are you John?

ASK { ?consumer a foaf:Person .
      FILTER(!(?consumer = <http://example#John>)) }
Are you anyone other than John? (the negation of the previous condition)

ASK { FILTER(rand() > 0.5) }
Do you get a number bigger than 0.5? (a non-deterministic condition: each evaluation grants access with probability one half)
8. Example of Access Conditions
These conditions are evaluated against the consumer's context graph, described with the PRISSMA vocabulary.

ASK { ?context a prissma:Context ;
               prissma:environment ?env .
      ?env tl:start "2012-10-26T12:00:00Z"^^xsd:dateTime ;
           tl:duration "PT5H"^^xsd:duration .
      ?env prissma:currentPOI ?poi .
      ?poi prissma:poiLabel <http://dbpedia.org/resource/Musee_du_Louvre> . }
Are you located in the Louvre Museum on October 26th, 2012, within the five-hour window starting at 12:00 UTC (tl:start plus tl:duration)?

ASK { ?context a prissma:Context ;
               prissma:device ?dev ;
               prissma:user ?consumer ;
               prissma:environment ?env .
      ?consumer a foaf:Person ;
                rel:employedBy <http://example#Bob> .
      ?env prissma:currentPOI ?poi .
      ?poi prissma:poiLabel <http://dbpedia.org/resource/Musee_du_Louvre> .
      ?dev a prissma:Device ;
           soft:deviceSoftware ?devsw .
      ?devsw a soft:DeviceSoftware ;
             soft:operatingSystem ?opsys .
      ?opsys a soft:Operatingsystem ;
             common:name "Android" . }
Are you located in the Louvre Museum, are you employed by Bob, and are you using Android?
13. How it Works
3. Query Execution on accessible Named Graphs
[Figure: the store holds the named graphs :ng1, :ng2 and :ng3; the consumer's query SELECT … WHERE {…} is rewritten so that it runs only on the graphs the policies grant, here :ng2 and :ng3:]
SELECT …
FROM :ng2
FROM :ng3
WHERE {…}
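The policy evaluation of slides 6–8 and the query rewriting of slide 13, as an added worked example that is not SHI3LD's own code: a small basic-graph-pattern matcher stands in for the SPARQL ASK evaluation, the consumer context and provider data are constructed sample triples with abbreviated prefixes, and the graph IRIs and Python names are hypothetical. It evaluates one conjunctive condition per named graph against the consumer's context merged with the store's data, then confines the consumer's query to the granted graphs with FROM clauses. It also adds two checks the slides leave implicit: a client-supplied FROM/FROM NAMED is rejected (SPARQL unions multiple FROM clauses, so appending to it would widen the dataset), and a request with no granted graph is refused rather than run against the whole store. FILTER conditions such as the time window and rand() are outside this toy matcher.

```python
import re

# Constructed sample data (not from the SHI3LD work): the consumer's context
# graph, as a client would send it using PRISSMA terms, plus the provider's
# own data. Triples are (subject, predicate, object) with abbreviated prefixes.
CONSUMER_CONTEXT = {
    ("_:ctx", "rdf:type", "prissma:Context"),
    ("_:ctx", "prissma:user", "ex:alice"),
    ("_:ctx", "prissma:environment", "_:env"),
    ("_:env", "prissma:currentPOI", "_:poi"),
    ("_:poi", "prissma:poiLabel", "dbpedia:Musee_du_Louvre"),
    ("_:ctx", "prissma:device", "_:dev"),
    ("_:dev", "soft:deviceSoftware", "_:sw"),
    ("_:sw", "soft:operatingSystem", "_:os"),
    ("_:os", "common:name", "Android"),
}
PROVIDER_DATA = {
    ("ex:doc1", "dcterms:creator", "ex:bob"),
    ("ex:bob", "rel:hasFriend", "ex:alice"),
    ("ex:bob", "sioc:member_of", "ex:group1"),
    ("ex:alice", "sioc:member_of", "ex:group1"),
    ("ex:carol", "rel:employedBy", "ex:bob"),
}

# One conjunctive access condition per named graph, written as the basic
# graph pattern of the slides' ASK queries. Graph IRIs are hypothetical.
POLICIES = {
    "<http://example.org/ng1>": [("?resource", "dcterms:creator", "?provider"),
                                 ("?provider", "rel:hasFriend", "?consumer")],
    "<http://example.org/ng2>": [("?consumer", "rel:employedBy", "ex:bob"),
                                 ("?ctx", "prissma:environment", "?env"),
                                 ("?env", "prissma:currentPOI", "?poi"),
                                 ("?poi", "prissma:poiLabel", "dbpedia:Musee_du_Louvre")],
    "<http://example.org/ng3>": [("?resource", "dcterms:creator", "?provider"),
                                 ("?provider", "sioc:member_of", "?group"),
                                 ("?consumer", "sioc:member_of", "?group")],
    "<http://example.org/ng4>": [("?ctx", "prissma:environment", "?env"),
                                 ("?env", "prissma:currentPOI", "?poi"),
                                 ("?poi", "prissma:poiLabel", "dbpedia:Musee_du_Louvre"),
                                 ("?ctx", "prissma:device", "?dev"),
                                 ("?dev", "soft:deviceSoftware", "?sw"),
                                 ("?sw", "soft:operatingSystem", "?os"),
                                 ("?os", "common:name", "Android")],
}


def _match(patterns, triples, binding):
    """Backtracking basic-graph-pattern matcher: yields every binding of the
    ?variables in `patterns` that is consistent with `triples`."""
    if not patterns:
        yield binding
        return
    for triple in triples:
        b = dict(binding)
        for term, value in zip(patterns[0], triple):
            if term.startswith("?"):
                if b.setdefault(term, value) != value:
                    break          # variable already bound to something else
            elif term != value:
                break              # constant term does not match
        else:
            yield from _match(patterns[1:], triples, b)


def ask(pattern, triples, consumer):
    """ASK semantics: true iff at least one solution exists, with ?consumer
    pre-bound to the identity taken from the context graph."""
    return next(_match(pattern, triples, {"?consumer": consumer}), None) is not None


def consumer_of(context):
    """The requester is whatever the context's prissma:user points at."""
    return next(o for s, p, o in context if p == "prissma:user")


def accessible_graphs(policies, context, data):
    """Evaluate each graph's access condition against the consumer context
    merged with the store's data; return the set of granted graphs."""
    triples = context | data
    who = consumer_of(context)
    return {g for g, pattern in policies.items() if ask(pattern, triples, who)}


DATASET_CLAUSE = re.compile(r"\bFROM\b", re.IGNORECASE)


def rewrite_query(query, granted):
    """Confine the consumer's query to the granted graphs by inserting FROM
    clauses before WHERE. A client-supplied FROM/FROM NAMED is rejected, since
    SPARQL unions multiple FROM clauses and the client could widen the dataset;
    with nothing granted the query is refused rather than run on the whole store."""
    if DATASET_CLAUSE.search(query):
        raise ValueError("client-supplied dataset clause is not allowed")
    if not granted:
        return None
    where = re.search(r"\bWHERE\b", query, re.IGNORECASE)
    if where is None:
        raise ValueError("query has no WHERE clause")
    froms = "".join(f"FROM {g}\n" for g in sorted(granted))
    return query[:where.start()] + froms + query[where.start():]


if __name__ == "__main__":
    granted = accessible_graphs(POLICIES, CONSUMER_CONTEXT, PROVIDER_DATA)
    print(rewrite_query("SELECT ?s ?p ?o WHERE { ?s ?p ?o }", granted))
```

Under SPARQL 1.1 dataset rules a query with FROM clauses and no FROM NAMED sees no named graphs, so GRAPH patterns cannot reach the ungranted graphs either. The same confinement must cover the protocol's default-graph-uri and named-graph-uri parameters, which take precedence over the in-query dataset: an endpoint in front of a SHI3LD-style filter should drop or reject them. The regex rejection above is deliberately coarse (it would also refuse a variable named ?from); a deployment would use the engine's own parser to inspect the dataset clause.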
14. Response Time Evaluation
RDF store and SPARQL 1.1 engine: Corese-KGRAM, with the Berlin SPARQL Benchmark Dataset 3.1
• Dataset size still predominant
• Small fraction granted: faster
• More context updates, more consumers: slower