RDF Query for Policy Enforcement

Eric Prud'hommeaux
Policy Management for the Web
a WWW2005 Workshop — 10 May 2005, Chiba, Japan
$Revision: 1.3 $ of $Date: 2005/05/10 07:07:34 $

See also:

position paper

Objectives

Off-the-shelf tools for policy enforcement where possible.
Minimum expressivity for maximum performance.
Interchangeable terse expression of tests.

Hand-tailored Policy Queries

Kind of boring.
Quite efficient.
Real-world —
used in deployed authentication/policy systems.

Simple Policy - W3C ACLs

Given a simple rule:

A person may PUT to the W3C website resource if:
  the W3C ACLs database says that:
    there is a rule that grants the holder of their public key PUT access to that resource.

Involves provenance — expression in RDF in controversial.

Simple Policy - W3C ACLs

If the web server gives us the public key, the desired operation (PUT) and the resource:

PREFIX s: <http://www.w3.org/2001/02/acls/ns#>
ASK
 WHERE { GRAPH <http://www.w3.org/2005/02/14-PMQuery/,access?w3c_display=13>
         { ?policy s:access s:put .
           ?policy s:accessor ?group .
           ?policy s:hasAccessTo <http://www.w3.org/2005/02/14-PMQuery/> .
           ?group s:includes ?user .
           ?user s:publicKey "30 82 01 0a 02 82 01 01 00..." } }

SPARQL Expressivity

Conjunction.
Disjunction.
Optional (good for defaults).
Provenance.
Value constraints.
- comparison: < > = regexp
- arithmetic: + = * /
- binding tests: URI? Literal? Blank Node? unbound?

Optional + unbound gives something like NAF.

What to Do With This

Push as much work on SPARQL as possible.
Clarify the boundry between application and infrustructure logic,
e.g. default access vs. a principal's specified access.
Calculate queries from backward-chained rules.

Calculated Queries

Proofs provide a path through rules:

Similar to proof caching.
Proove H1 from graph pattern GP1 using rules R1, R2, R3.
Substitute variables from the bodies of incurred rules.

Deploy calculated queries.
Fall back to inferencing only when necessary.