<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta>
      <issn pub-type="ppub">1613-0073</issn>
    </journal-meta>
    <article-meta>
      <title-group>
        <article-title>Implementing Usage Control Policies Using Reification with RDF-Star and SPARQL-Star</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Ines Akaichi</string-name>
          <email>ines.akaichi@wu.ac.at</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Giorgos Flouris</string-name>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Irini Fundulaki</string-name>
          <email>fundul@ics.forth.gr</email>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Sabrina Kirrane</string-name>
          <email>sabrina.kirrane@wu.ac.at</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="editor">
          <string-name>RDF-star, SPARQL-star, Usage Control, Policies</string-name>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Institute for Complex Networks, WU</institution>
          ,
          <addr-line>Vienna, Austria</addr-line>
        </aff>
        <aff id="aff1">
          <label>1</label>
          <institution>Institute of Computer Science</institution>
          ,
          <addr-line>FORTH, Heraklion</addr-line>
          ,
          <country country="GR">Greece</country>
        </aff>
      </contrib-group>
      <pub-date>
        <year>2020</year>
      </pub-date>
      <abstract>
        <p>In decentralized environments, usage control (UC) is crucial for governing asset and resource usage. In an earlier work, we proposed GUCON, a generic graph pattern based policy framework for UC enforcement, which offers a formal semantics for specifying and reasoning over UC policies. Although GUCON caters for the expression of various rules using graph patterns, the incorporation of temporal constraints is cumbersome. In this paper, we propose an instantiation of the GUCON framework that demonstrates how RDF-star can be used for rule representation and SPARQL-star for compliance checking. Additionally, we extend the original policy language to cater for temporal constraints.</p>
      </abstract>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>-</title>
      <p>CEUR
ceur-ws.org</p>
    </sec>
    <sec id="sec-2">
      <title>1. Introduction</title>
      <p>
        In modern decentralized systems, such as the Internet of Things (IoT) and data spaces, usage
control becomes crucial for managing assets and resources [<xref ref-type="bibr" rid="ref1">1</xref>]. In previous work [2], we proposed
the generic graph pattern-based policy framework for usage control enforcement (GUCON), which
provides an abstract structure with formal semantics for UC policy specification and includes
algorithms for policy-specific reasoning tasks such as compliance, requirements, and consistency
checking. GUCON uses conditional deontic rules based on graph patterns and deontic concepts
(permission A, prohibition P, obligation O, and dispensation D), with formal semantics rooted
in graph patterns [3]. It introduces a Knowledge Base (KB) to capture domain knowledge and
events, serving as the foundation for reasoning about and enforcing UC policies. An essential
aspect of UC is expressing and reasoning over environmental and system constraints (e.g.,
temporal, spatial, purpose, events) [4, 5]. Although GUCON can express various conditions
on data usage through graph patterns, adding constraints such as temporal constraints can
make the expressions cumbersome. To address this, we propose using reification to express
constraints as part of UC rule conditions. Specifically, we use RDF-star for rule expression and
SPARQL-star for our compliance checker. We illustrate the application of our solution with a
football embargo use case. In this scenario, media outlets are permitted to share specific extracts
from a football match, such as highlights, photographs, and interviews, only after a specified
time or event (e.g., the end of the match). To model this information, we developed an ontology
based on the Sport Schema ontology<sup>1</sup>, which describes a sports event as part of a competition
structure (e.g., league, championship), and the ontology for media resources<sup>2</sup>, which details
media coverage (e.g., photos, interviews) as part of an event. In this paper, we use the 2020
English Premier League competition as a recurring example.
      </p>
      <p>Listing 1: Policy Representation using GUCON.</p>
    </sec>
    <sec id="sec-3">
      <title>2. Related Work</title>
      <p>RDF reification is the standard way to express metadata about RDF triples. Reification involves
converting a basic triple to an rdf:Statement that describes the original triple as a resource.
While RDF reification is a standard approach, it can be verbose and cumbersome [6]. Alternative
approaches include the use of named graphs, or RDF-star<sup>3</sup>. When it comes to UC specifically,
Robaldo [7] proposed to use reified I/O logic to express norms and make use of representation
languages, such as SHACL, to implement compliance checking [8]. While their work highlights
the significance of reification in compliance checking, it primarily focuses on normative
reasoning. Additionally, expressing environmental or system constraints is outside of their focus.
In this paper, due to their enhanced expressivity and efficiency, we propose to use RDF-star
to express constraints on top of UC rules and SPARQL-star to build a compliance checking
algorithm on top of GUCON.</p>
      <p><sup>1</sup> IPTC Sport Schema, https://sportschema.org/schema-overview/</p>
      <p><sup>2</sup> Media Resources 1.0, https://www.w3.org/TR/mediaont-10/</p>
      <p><sup>3</sup> RDF-star and SPARQL-star, https://w3c.github.io/rdf-star/cg-spec/editors_draft.html</p>
    </sec>
    <sec id="sec-4">
      <title>3. Using Reification to Model Usage Control Policies</title>
      <p>A KB is an RDF graph describing the set of actual knowledge. A GUCON rule is of the form:
 ⇝  , where  is a SPARQL graph pattern, and  is a deontic pattern, where  ∈
{A, P, O, D}, and  is called an action pattern. An action pattern is a SPARQL triple pattern
where the subject, property, and object refer to an entity name, an action name, and a resource
name, respectively, with variables present in all three positions. A usage control rule (UCR) can be read as follows:
if the condition ( ) is satisfied by the KB, then the deontic pattern (  ) may (A), must not (P),
must (O), or need not (D) be satisfied. In Listing 1, we express the permission rule from our use
case using GUCON (we assume that 2021-02-25T21:00:00 implies the end of the match).</p>
      <p>In this paper, we propose GUCON-Star, an extension of GUCON that uses reification to express
constraints on top of the rules. In particular, the action pattern representing the
action of sharing data is reified by using a quoted triple. This quoted triple can then be used in
the body of the rule as a way to describe constraints, in our case, a temporal constraint. The
same rule from Listing 1 is expressed using GUCON-Star in Listing 2.</p>
    </sec>
    <sec id="sec-5">
      <title>4. Compliance Checking in RDF-star/SPARQL-star</title>
      <p>The original GUCON compliance algorithm from [2] checks only obligation and prohibition
compliance, assuming permissions and dispensations are always valid. With the addition of
constraints, rule semantics change: for example, temporal permissions become valid only after
a specific time. We extend our compliance checker to evaluate permissions, prohibitions,
obligations, and dispensations with constraints. Below, we present a KB extract containing
logs from a system tracking media coverage sharing for football matches. The KB is described
using the SPECIAL Policy Log Vocabulary<sup>4</sup>. The log shows eg:JohnSmith sharing a media
resource from the English Premier League 2020 Season, including details like occurrence time
and description. More details describing the logs can be found in our GitHub repository<sup>5</sup>. The compliance
checker uses a UC rule and a KB as input. It determines rule condition matches via ASK
SPARQL-star queries over the KB, deciding compliance accordingly. For temporal permissions
and dispensations, the engine checks whether the KB contains a match for the UC rule's body
that satisfies the temporal constraint; if so, the KB is compliant. For obligations and prohibitions,
a match means the KB is compliant for obligations and non-compliant for prohibitions. The
sharing that occurred at "2021-02-25T20:30:50Z" makes eg:JohnSmith non-compliant with the
rule defined in Listing 2. The compliance checker and inputs are available on our GitHub page.</p>
      <p><sup>4</sup> The SPECIAL Policy Log Vocabulary, https://ai.wu.ac.at/policies/policylog/</p>
      <p><sup>5</sup> https://github.com/Ines-Akaichi/GUCON-star/tree/main</p>
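      <p>The decision procedure described in this section, and the quoted-triple rule body introduced in Section 3, as an added Python sketch that is not the authors' checker or code from their repository. Quoted triples are modelled as nested tuples instead of parsed RDF-star, and the eg:share, eg:occurredAt and eg:MatchHighlights terms, the helper names, and the UTC reading of the end-of-match time are assumptions.</p>
      <preformat>
```python
from datetime import datetime

# Assumed vocabulary for this sketch: eg:share, eg:occurredAt, eg:MatchHighlights.
EMBARGO_END = "2021-02-25T21:00:00Z"  # end of the match, read as UTC (assumption)

def ts(text):
    """Parse an xsd:dateTime-style string with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def unify(pattern, value, binding):
    """Match one term against a KB term; tuples are (quoted) triples, matched recursively."""
    if isinstance(pattern, tuple):
        if not isinstance(value, tuple):
            return None
        for p, v in zip(pattern, value):
            binding = unify(p, v, binding)
            if binding is None:
                return None
        return binding
    if pattern.startswith("?"):  # variable: bind it, or require the earlier binding
        if pattern in binding:
            return binding if binding[pattern] == value else None
        return {**binding, pattern: value}
    return binding if pattern == value else None

def solutions(patterns, kb, binding=None):
    """Yield each variable binding under which every triple pattern matches the KB."""
    binding = {} if binding is None else binding
    if not patterns:
        yield binding
        return
    for triple in kb:
        extended = unify(patterns[0], triple, binding)
        if extended is not None:
            yield from solutions(patterns[1:], kb, extended)

def embargo_rule(deontic):
    """Rule body: a quoted share triple annotated with its occurrence time, plus a filter."""
    return {"deontic": deontic,
            "body": [(("?who", "eg:share", "?res"), "eg:occurredAt", "?t")],
            "filter": lambda b: ts(b["?t"]) >= ts(EMBARGO_END)}

def compliant(rule, kb):
    """ASK-style decision as the section describes it: a match is compliant for A, D, O, not for P."""
    matched = any(rule["filter"](b) for b in solutions(rule["body"], kb))
    return (not matched) if rule["deontic"] == "P" else matched

def share_log(when):
    """Constructed KB extract: one share event and the time it occurred."""
    share = ("eg:JohnSmith", "eg:share", "eg:MatchHighlights")
    return [share, (share, "eg:occurredAt", when)]
```
      </preformat>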
    </sec>
    <sec id="sec-6">
      <title>5. Discussion and Future Work</title>
      <p>In this poster, our focus was on demonstrating how RDF-star and SPARQL-star syntax can be
utilized to serialize GUCON policies with various constraints. As an important next step, we aim
to define the semantics of this new serialization so that future implementations of compliance
engines can consistently and accurately enforce GUCON UCPs. Furthermore, our
compliance checker primarily handles temporal constraints and filter operators. We aim to
expand its functionality to accommodate other types of constraints. Because UC involves
managing dynamic policies, temporal constraints can evolve (for example, when a match ends), so
we are interested in exploring the mutability of constraints within the context of GUCON.
Additionally, due to the absence of benchmarking in UC [9], we plan to represent GUCON using
various representation languages such as Datalog, ASP, etc. This will allow us to compare the
performance of different engines.</p>
      <p>[2] I. Akaichi, G. Flouris, I. Fundulaki, S. Kirrane, Gucon: A generic graph pattern based policy
framework for usage control enforcement, in: Rules and Reasoning: 7th International Joint
Conference, RuleML+RR 2023, Oslo, Norway, September 18–20, 2023, Proceedings, 2023.
URL: https://doi.org/10.1007/978-3-031-45072-3_3.</p>
      <p>[3] J. Pérez, M. Arenas, C. Gutierrez, Semantics and complexity of sparql, in: The Semantic
Web - ISWC, 2006.</p>
      <p>[4] M. Hilty, D. Basin, A. Pretschner, LNCS 3679 - On Obligations, Technical Report, 2005.</p>
      <p>[5] M. Hilty, A. Pretschner, D. Basin, C. Schaefer, T. Walter, A policy language for distributed
usage control, in: Computer Security – ESORICS, 2007.</p>
      <p>[6] O. Hartig, Foundations of rdf* and sparql* (an alternative approach to statement-level
metadata in rdf), in: Alberto Mendelzon Workshop on Foundations of Data Management,
2017. URL: https://api.semanticscholar.org/CorpusID:2010537.</p>
      <p>[7] L. Robaldo, Towards compliance checking in reified I/O logic via SHACL, Proceedings of
the 18th International Conference on Artificial Intelligence and Law, ICAIL 2021 (2021).</p>
      <p>[8] L. Robaldo, S. Batsakis, R. Calegari, F. Calimeri, M. Fujita, G. Governatori, M. Morelli,
F. Pacenza, G. Pisano, K. Satoh, I. Tachmazidis, J. Zangari, Compliance checking on
first-order knowledge with conflicting and compensatory norms: a comparison among currently
available technologies, Artificial Intelligence and Law 32 (2023).</p>
      <p>[9] I. Akaichi, S. Kirrane, Usage control specification, enforcement, and robustness: A survey,
2022. URL: https://arxiv.org/abs/2203.04800.</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          [1]
          <string-name>
            <given-names>C.</given-names>
            <surname>Jung</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Dörr</surname>
          </string-name>
          , Data Usage Control,
          <year>2022</year>
          .
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>