Graph-based access control

Graph-based access control (GBAC) is a declarative way to define access rights, task assignments, recipients and content in information systems. Access rights are granted to objects like files or documents, but also to business objects such as an account. GBAC can also be used to assign agents to tasks in workflow environments. Organizations are modeled as a specific kind of semantic graph comprising the organizational units, the roles and functions, and the human and automatic agents (persons, machines, and the like). The main difference from other approaches such as role-based access control or attribute-based access control is that in GBAC access rights are defined using an organizational query language instead of being enumerated exhaustively.

History

The foundations of GBAC go back to a research project named CoCoSOrg (Configurable Cooperation System) [1] (for an English-language description see [2]) at Bamberg University. In CoCoSOrg an organization is represented as a semantic graph, and a formal language is used to specify agents and their access rights in a workflow environment. Within the C-Org project at Hof University's Institute for Information Systems (iisys), the approach was extended with features such as separation of duty, access control in virtual organizations [3] and subject-oriented access control. [4]

Definition

Graph-based access control consists of two building blocks:

Organizational graph

Figure: Organizational Graph in GBAC

The organizational graph is divided into a type level and an instance level. On the instance level there are node types for organizational units, functional units and agents. The basic structure of an organization is defined using so-called "structural relations". They define the "is part of" relations between functional units and organizational units as well as the mapping of agents to functional units. Additionally there are specific relationship types such as "deputyship" or "informed_by". These types can be extended by the modeler. All relationships can be made context-sensitive through the use of predicates.

On the type level organizational structures are described in a more general manner. It consists of organizational unit types, functional unit types and the same relationship types as on the instance level. Type definitions can be used to create new instances or to reuse organizational knowledge in case of exceptions (for further reading see [1] [2]).

Query language

In GBAC a query language is used to define the agents that have certain characteristics or abilities. The following table shows the use of the query language in the context of an access control matrix.

The first query means that all managers who have worked for the company for more than six months can read the financial report, as well as the managers who are marked with the flag "ReadFinancialReport".

The daily financial report can only be written by the manager of the controlling department or by clerks of that department who are enabled to do so (WriteFinancialReport == TRUE).

Data Object: Daily Financial Report
Read: Manager(*).(Now() - HiringYear > 0.5) OR Manager.ReadFinancialReport == TRUE
Write: Manager(Controlling) OR Clerk(Controlling).WriteFinancialReport == TRUE

Implementation

Figure: Usage of C-Org

GBAC was first implemented in the CoCoS environment within the organizational server CoCoSOrg. [1] In the C-Org project it was extended with more sophisticated features such as separation of duty and access control in distributed environments. There is also a cloud-based implementation [5] on IBM's Bluemix [6] platform.

In all implementations the server takes a query from a client system and resolves it to a set of agents. This set is sent back to the calling client as the response. Clients can be file systems, database management systems, workflow management systems, physical security systems or even telephone servers.
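The resolution step described above, applied to the two queries from the access control matrix in the Query language section, as an added example that is not code from CoCoSOrg or C-Org: a constructed instance-level organizational graph (agents mapped to functional units within organizational units), the two queries encoded as Python functions over it rather than parsed from the GBAC query syntax, and the client-side membership check on the returned set. Agent names, attribute values and the stand-in for Now() are all constructed.

```python
from dataclasses import dataclass, field

NOW = 2025.0  # constructed stand-in for Now(), expressed in fractional years

@dataclass
class Agent:
    name: str
    hiring_year: float                         # the HiringYear attribute from the table
    flags: dict = field(default_factory=dict)  # e.g. {"ReadFinancialReport": True}

# Constructed agents (instance level of the organizational graph).
AGENTS = {
    "alice": Agent("alice", 2019.0),
    "bob":   Agent("bob", 2024.8, {"ReadFinancialReport": True}),
    "carol": Agent("carol", 2021.0, {"WriteFinancialReport": True}),
    "dave":  Agent("dave", 2022.0),
}

# Structural relations: which agents hold which functional unit within which
# organizational unit, keyed (function, organizational unit). Constructed.
ASSIGNMENTS = {
    ("Manager", "Controlling"): ["alice"],
    ("Manager", "Sales"): ["bob"],
    ("Clerk", "Controlling"): ["carol", "dave"],
}

def role(function, unit="*"):
    """Resolve Function(Unit) to a set of agent names; '*' matches any unit."""
    return {name for (f, u), names in ASSIGNMENTS.items()
            if f == function and unit in ("*", u) for name in names}

def where(agents, predicate):
    """Apply the context predicate written after '.' in a query to a set."""
    return {name for name in agents if predicate(AGENTS[name])}

def read_financial_report():
    # Manager(*).(Now() - HiringYear > 0.5) OR Manager.ReadFinancialReport == TRUE
    return (where(role("Manager"), lambda a: NOW - a.hiring_year > 0.5)
            | where(role("Manager"), lambda a: a.flags.get("ReadFinancialReport") is True))

def write_financial_report():
    # Manager(Controlling) OR Clerk(Controlling).WriteFinancialReport == TRUE
    return (role("Manager", "Controlling")
            | where(role("Clerk", "Controlling"),
                    lambda a: a.flags.get("WriteFinancialReport") is True))

def is_allowed(agent, resolved_set):
    """Client-side check: the server returns the set, the client tests membership."""
    return agent in resolved_set
```

With these constructed agents, bob (hired 0.2 years ago) reads only because of his flag, and dave holds the Clerk function in Controlling but lacks WriteFinancialReport, so he is not in the write set.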

References

  1. Schaller, Thomas (1998). Organisationsverwaltung in CSCW-Systemen. Dissertation. Bamberg: Bamberg University.
  2. Lawall, Schaller, Reichelt (2014). Enterprise Architecture: A Formalism for Modelling Organizational Structures in Information Systems. Enterprise and Organizational Modeling and Simulation: 10th International Workshop, CAiSE 2014, Thessaloniki.
  3. Lawall, Schaller, Reichelt (2014). "Restricted Relations between Organizations for Cross-Organizational Processes". IEEE 16th Conference on Business Informatics (CBI), Geneva: 74–80.
  4. Lawall, Schaller, Reichelt (2015). S-BPM in the Wild: Role and Rights Management (1st ed.). Berlin: Springer. pp. 171–186. ISBN 978-3-319-17541-6.
  5. Lawall, Schaller, Reichelt (2015). Resource Management and Authorization for Cloud Services. Proceedings of the 7th International Conference on Subject-Oriented Business Process Management, ACM. pp. 18:1–18:8.
  6. Bluemix.