BB24.I Semantic Attribute Based Access Control (S-ABAC)

From its-wiki.no

Jump to: navigation, search
Title Semantic Attribute Based Access Control (S-ABAC)
Page Title BB24.I Semantic Attribute Based Access Control (S-ABAC)
Technology Line Distributed Cloud Integration
Lead partner UiO
Leader Christian Johansen
Contributors UiO, Wolffia, SmartIO
Related to Use Cases SCOTT:WP8, SCOTT:WP11, SCOTT:WP12"<s>SCOTT:WP12</s>" cannot be used as a page name in this wiki., SCOTT:WP13"<s>SCOTT:WP13</s>" cannot be used as a page name in this wiki., SCOTT:WP14, SCOTT:WP15, SCOTT:WP21
Description A Semantic Attribute based access control provides the means for different actors having access to different types of information of a system. The former notation of Role-based access control (RBAC) is extended, where "role" is one attribute deciding on the access. As an example, your data of your "heat pump" (energy efficiency) are of interest for a) the house owner, b) the manufacturer, c) the municipalities, d) the maintenance company, e) the person renting the flat, f) the energy distributor. Which data (e.g. statistical) and who has access (attribute: grade of access: monitor, control, configure) might be subject to a security and privacy analysis (attribute: required security level). S-ABAC is seen as tool to provide the functionality, but needs R&I to become usable in a distributed cloud.
Main output One output would be Ontologies related to Access Control for the specific domains that SCOTT works with.

Another output is a methodology and technology description for how to include semantic specifications, i.e., the above mentioned ontologies, in the ABAC model. A third outcome would be a software implementation of a S-ABAC engine that would extend existing ABAC engine/framework with semantic reasoning tools and ontology editing capabilities. These software components would form the S-ABAC-framework and would include components like policy definition endpoint and tool including Semantic concepts, policy enforcement point, Attribute management point, etc.

BB category Methodology (for SW/HW development), SW component, Profile, Tool or tool chain, Interface, Standard, Means for establishing cross-domain interoperability, Other
Baseline Attribute Based Access Control (ABAC) starts to penetrate the industry, and has been used especially in the health domain where fine grained access policies are needed. Industrial standards already exist, e.g., XACML and SAML, and industry standard implementations of ABAC also exist, e.g., Balana ...

We plan to include in ABAC notions from Semantic Technologies, e.g. ontologies for the specific domains that SCOTT works on, and reasoning engines like Protege. Semantic technologies are widely used in industries for and specific domains, with the purpose to provide amore structures way of managing and querying data. We want to use the powerful tools of ST in conjunction with ABAC models, to improve the flexibility of ABAC and ease the adoption by industry.

Current TRL 9 for Semantic Technologies

9 for ABAC
2-4 for S-ABAC.

Target TRL Aim to reach TRL 6 for S-ABAC .

Overview

WPs of interest

  • WP21 as core
  • WP9 as extended application
  • WP8 as possible future applications
  • We will not be involved in WP12 and WP13.
  • We also want to look closely to the applications to WP14 and WP15 and WP11
WPs in focus
Core Extended Future Cancelled
WP21 WP9 WP8 WP11 and WP12 and WP13

Activities

Activities chart
Title Status Responsible Deadlines
A language-based policy specification and enforcement in a semantic-directed, integrated and automated approach. In Progress Toktam Ramezani
Attribute-Based Encryption (internship at Chalmers, applicable to WP21) Planned Hamed Arshad and Christian Johansen April-June 2018
Comprehensive survey on existing literature related to Semantic ABAC In Progress Hamed Arshad and Christian Johansen April 2018
Tutorial series on Attribute-Based Access Control applied to eHealth Planned Hamed Arshad May 2018

Practical suggestions

Implementations

  • See the RoadMap
    • Second steps:
      • Make an installation local on the working computers of UiO with XACML engines and ontologies
        • One installation will be used for research, to extend to SABAC and test on our internal computers
        • A second installation will be dedicated to the SCOTT D.21.1 use case. This should be accessible as described in the I/O document provided on SharePoint.
          • This can be seen as a cloud installation, in the beginning.
          • If/when needed we investigate how such an installation can be made on the Edge inside a home gateway...
      • first Integration with the D.21.1 architecture
      • Authzforce (https://authzforce.ow2.org) is selected for implementation of the ABAC engine
        • It provides an ABAC framework compliant with XACML3. It is a JAVA project, which is open source. It provides a Java API (a PDP engine as a Java library) as well as Web API (A multi-tenant HTTP/REST API to PDPs and PAPs for managing policies, requesting authorization decisions, etc.)

Demonstrations

Research Directions and Plans

ABAC

Working with ABAC and Semantic technologies; combining the two.

    • First steps:
      • Work with existing ABAC technology and engines, based on the standards like XACML and extensions/profiles for health and SAML and profiles for health.
        • Learn and make tutorial on the existing technology
          • TODO Tutorial (2 lectures) on ABAC and Semantic ABAC to be given at UiO in February. This will be filmed and provided to the SCOTT extranet in WP21 area.
        • Identify Semantic technologies and ontologies that are used in health and can be most useful for our scenario described in D.21.1
      • TODO Make a comprehensive survey on th literature related to Semantic ABAC . To be finalized before summer.
      • TODO Provide an example of usage of ABAC in health.
        • Adapt this educational example to the use case of D.21.1

Semantic ABAC

    • Third steps:
      • Include Ontologies and Semantic engine with the ABAC engine
        • Existing ontologies to be identified
          • How much do these fit the M14 demo and how much these need to be extended adapted for our use case ?
        • Existing Semantic engines identified and which can be integrated with the needed ontologies and the ABAC engine
        • Existing SABAC tools and theories identified (from the Survey done in First steps
      • Make an installation of Semantic engines with the chosen ontologies
      • Make an installation of SABAC engines
        • Either extend previous ABAC engine or choose from the existing tools identified before
        • Make one installation tailored to SCOTT D.21.1 demo
        • Make one internal installation for research purposes
      • second integration with D.21.1, including Semantics aspects this time.

ABE Attribute Based Encryption

  • Internship planned to Chalmers to work on this in April-June 2018

Dynamic ABAC

  • Here we adopt the technology from Usage Control UCON Survey


Interoperability

BB24.I (SABAC) investigates and proposes technology for access control specially intended to be used in a heterogeneous and distributed system. This means that various entities should be able to connect to the access control system and make requests for various forms of access to various forms of resources. The ABAC system itself is managed in a component fashion, each component being designed to be independently managed, i.e., by possibly different trust actors. The semantics/ontologies part are also meant to couple different domains. We investigate also ways to combine different ontologies.

In short, BB24.I (SABAC) can be seen as a means to provide interoperability for access control in a distributed scenario like IoT. Testing BB24.I in the WP21 specially looks at the interoperability since there BB24.I is only one of 3 technologies considered. Thus, event the BB24.I technology should be easy to couple to an existing system, and easy to communicate I/O with it.

RoadMap for M14 demo in WP21 on health for SABAC

Deliverables and Documents

  • UiO_WP21_BB24L_TR_1_SABAC_overview
  • Tutorial in 2 parts
    1. on 16 March 2018. Abstract: This first lecture of this tutorial presents the technology called Attribute-Based Access Control and an example of application to eHealth. Attribute-based access control (ABAC) has several advantages over the traditional access control models such as the mandatory access control (MAC), discretionary access control (DAC), or role-based access control (RBAC). ABAC uses attributes of the involved entities (i.e., subjects, objects, environment, actions) to decide the access control at a more fine-grained level than all the above models. ABAC is thus more expressive, yet it is easily implemented in a variety of tools, some of industrial grade and used by industry. This lecture will go through the basics of access control, reaching the complex policy language behind ABAC called XACML v3 and the distributed system architecture and inference engine. We will also provide hands-on demo and examples of application to eHealth.

Dissemination

  1. Tutorial video available at ??
  2. Presentation at Chalmers University by Hamed Arshad


WP21

Requirements

Requirements chart
ID BB Short Name Description Rationale Source Status Progress Comments Contact
59 BB24.I S-ABAC Standard-Based SABAC should follow a well known existing standard in the applied domain such as XACML, SAML. The semantic technology part of SABAC should follow existing standard as well such as OWL or RDF. To allow interoperability. Make the BB easy to adopt with different domains. WP08 Smart Infrastr., WP11 Secure Cloud, WP13 In-vehicle comm., WP14 Car access, WP15 Vehicle within Infra., WP21 Assisted living Confirmed 40% ​We have identified standard industry grade engines that work with the standard language XACML 3.0. We have installed and started working with these engines. We also identified existing established extenssions of these standards that are useful for the Semantic aspects of ABAC that we are working on. Christian Johansen
562 BB24.I S-ABAC Tool-based SABAC should have tool support so that it can be integrated into access control operations. Tools exist for Semantic technologies, like ontology reasoners. Tools called Access Control Engines exist, as well as various industrial ABAC systems (mostly proprietary systems). These should be combined. WP08 Smart Infrastr., WP11 Secure Cloud, WP13 In-vehicle comm., WP14 Car access, WP15 Vehicle within Infra., WP21 Assisted living Confirmed 10% We are working with AuthZForce, but we have investigated other established tools, inluding Balana. We keep these open for our uture needs of extension with Semantic aspects. We are preparing one local instalation for research, and one instalation for each use case. Christian Johansen
563 BB24.I S-ABAC Catter for Contextual Authentication SABAC should at least allow for context-based authentication. The same user in different contexts may be allowed different access rights. E.g.: The same person located at his home or in any other area not listed in the "Existing Infrastructure Locations" may not be allowed to shut down the cooling centrifuges. WP08 Smart Infrastr., WP09 Facilities Mgmt., WP15 Vehicle within Infra., WP18 Rail logistics/maint. Confirmed 10% Tentative simple examples of policies in this direction have been implemented and tested. We are now working on policies coming from the use cases. We will extend these to automatically use contextual information inferred using semantic technologies and ontologies. Christian Johansen
564 BB24.I S-ABAC Temporal restricted ABAC SABAC should allow for authorizations dependent on time of day. E.g.: The same person outside working hours may not be allowed to shut down the cooling centrifuges. WP08 Smart Infrastr., WP09 Facilities Mgmt., WP14 Car access, WP15 Vehicle within Infra., WP18 Rail logistics/maint. WP21 Assisted living Confirmed 10% Tentative simple examples of policies in this direction have been implemented and tested. We are now working on policies coming from the use cases where temporal information is crucial. Christian Johansen
565 BB24.I S-ABAC Rule-based SABAC should allow different systems to define different rules of access. These rules could use semantic concepts that the SABAC system can infer from basic access labels of the users, resources, etc. Different companies and scenarios need different rules for defining how SABAC access should be decided. The SABAC tools should allow this flexibility. WP07 Air Quality, WP08 Smart Infrastr., WP09 Facilities Mgmt., WP11 Secure Cloud, WP13 In-vehicle comm., WP14 Car access, WP15 Vehicle within Infra., WP21 Assisted living Confirmed 40% We are using rule-based reasoning both for defining access control policies as well as for defining semantic inference methods. We will need to identify exactly what language can incorporate both and fits well to the use cases. Christian Johansen
566 BB24.I S-ABAC Ontology private/public SABAC should both be based on some piblically defined and standardized Ontologies for this purpose. But should also allow the ontologies to be enriched with specific semantic concepts from specific companies and IoT systems. The basic ontologies only give a minimum standard that a domain agreed upon. On this standard one company can build on using concepts and reminology specific to their product and application purpose. This is also good for optimizing the reasoning and decision times. WP07 Air Quality, WP08 Smart Infrastr., WP09 Facilities Mgmt., WP11 Secure Cloud, WP13 In-vehicle comm., WP14 Car access, WP21 Assisted living Confirmed 10% We are surveying all related works that have combined ontologies with access control. Until now the ontologies are home-made by the authors. We plan to use existing ontologies from the domain of relevance for the use case. We are working on developing extensions of the existing works in this direction. Christian Johansen