
The Study Of Ontology-Based RBAC Policies In Distributed Environments

Posted on: 2007-11-11
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Z G Wang
Full Text: PDF
GTID: 1118360242961946
Subject: Computer application technology
Abstract/Summary:
Many emerging computational systems, such as pervasive computing environments, the semantic web, grid computing, and multi-agent systems, fit the paradigm of open, dynamic distributed systems. These systems have to accommodate a wide range of domain knowledge arising from diverse organizational boundaries, adapt to heterogeneous and autonomous domains, and manage the variations caused by the movement of users, ambiguous boundaries, and interchangeable services; all of these pose major challenges to access control systems.

While much past research has focused on particular problems in distributed environments that were fairly static, the issues of regulating constantly evolving domains have not been explored as thoroughly. New techniques are required to govern the behavior of entities in these environments so that, even though each entity makes its own decisions, the overall system objectives are still met. In particular, the goal is to develop a policy framework using an ontology-based, declarative policy approach, in which the norms or rules of ideal entity behavior in RBAC for these environments are described in a machine-understandable specification language.

The primary contribution is OntoRBAC, a family of ontology-based policy specification models for building RBAC policy-directed architectures. OntoRBAC allows policies to be described in terms of attributes of users, actions, and other context, and supports greater extensibility because policies can be described over domain knowledge at different levels of abstraction. It also describes policy rules expressing the authorizations in autonomous domains. These policies state what an entity can or must do in a certain context and how to deduce the behavior of entities without affecting the underlying mechanisms and architecture. OntoRBAC is fully compatible with the RBAC96 model, which is accepted by most researchers, and extends that model in its own ways.

Along with providing the openness required in these environments, the approach also shows how to reason about these policies and application-specific rules, even in the presence of conflicts. Because ontologies and description logic are limited in expressing application logic, the Semantic Web Rule Language (SWRL) is introduced to describe the reasoning rules of OntoRBAC. Description Horn Logic (DHL), a subset of SWRL, is brought in to reason about rules based on ontologies. The transformation in DHL from Description Logic to Horn Logic is discussed in order to enforce reasoning over the ontology and rules. Three kinds of rule-based reasoning algorithms are also discussed. Correspondingly, the reasoning rules for the OntoRBAC models are defined in DHL and are then used for policy decisions.

There should be ways to resolve the conflicts arising from policy specification and integration. Two kinds of reasoning over inconsistent ontology knowledge bases, the cancel_while_conflict and max_consistency algorithms, are therefore discussed to provide meaningful monotonic deduction in such knowledge bases, and these are used to eliminate conflicts in OntoRBAC.

Integration is another important issue in the policy framework. Based on the specification and reasoning above, approaches to integration through a single global ontology are introduced to OntoRBAC, with details given to support and extend the traditional policy integration approaches.

Trust management is also present in the framework. PMI and X.509 attribute certificates are used for distributed authorization between autonomous domains based on the OntoRBAC policies, combining trust and ontology into access control as a whole.

The above theoretical principles and practical techniques are adopted to develop a prototype of OntoRBAC. Its architecture and components are introduced, and the evaluation of the algorithms and the results of the performance analysis are also reported.
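As an added illustration (not code from the dissertation), a minimal forward-chaining Horn-rule reasoner over RBAC96-style facts: role hierarchy and permit/deny rules are deduced monotonically, and the conflict between a senior role's own permission and a denial inherited from its junior role surfaces before any decision is made. The fact base, the rule set and the deny-overrides decision are constructed assumptions; OntoRBAC's DHL rules and its cancel_while_conflict and max_consistency algorithms are not reproduced.

```python
# Constructed knowledge base: facts are (predicate, args...) tuples; in rules, '?x' terms are variables.
FACTS = {
    ("hasRole", "alice", "Auditor"),
    ("hasRole", "bob", "Clerk"),
    ("subRoleOf", "Auditor", "Clerk"),        # Auditor is senior to Clerk
    ("permits", "Clerk", "read", "Ledger"),
    ("permits", "Auditor", "read", "AuditLog"),
    ("denies", "Clerk", "read", "AuditLog"),  # negative authorization on the junior role
}
RULES = [
    (("permits", "?s", "?act", "?o"), [("subRoleOf", "?s", "?j"), ("permits", "?j", "?act", "?o")]),
    (("denies", "?s", "?act", "?o"), [("subRoleOf", "?s", "?j"), ("denies", "?j", "?act", "?o")]),
    (("can", "?u", "?act", "?o"), [("hasRole", "?u", "?r"), ("permits", "?r", "?act", "?o")]),
    (("cannot", "?u", "?act", "?o"), [("hasRole", "?u", "?r"), ("denies", "?r", "?act", "?o")]),
]
def unify(atom, fact, binding):
    """Match one rule atom against a fact; return the extended binding or None."""
    b = dict(binding)
    for t, v in zip(atom, fact):
        if (b.setdefault(t, v) if t.startswith("?") else t) != v:
            return None
    return b if len(atom) == len(fact) else None

def matches(body, facts, binding):
    """Yield every variable binding that satisfies all body atoms."""
    if not body:
        yield binding
        return
    for fact in facts:
        b = unify(body[0], fact, binding)
        if b is not None:
            yield from matches(body[1:], facts, b)

def saturate(facts, rules):
    """Forward-chain to a fixpoint: monotonic deduction over the Horn rules."""
    facts, new = set(facts), {None}
    while new:
        new = {tuple(b.get(t, t) for t in head)
               for head, body in rules for b in matches(body, facts, {})} - facts
        facts |= new
    return facts

def conflicts(facts):
    """(user, action, object) triples that are both permitted and denied."""
    return sorted({f[1:] for f in facts if f[0] == "can"}
                  & {f[1:] for f in facts if f[0] == "cannot"})

def decide(facts, user, action, obj):
    """Assumed deny-overrides decision (not OntoRBAC's own conflict algorithms)."""
    return ("can", user, action, obj) in facts and ("cannot", user, action, obj) not in facts
```

Running `conflicts(saturate(FACTS, RULES))` reports alice's read of AuditLog as conflicting, since Auditor permits it directly but inherits Clerk's denial.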
Keywords/Search Tags: Distributed environment, Role-based access control, Ontology, Policy specification, Policy integration, Reasoning