In the Ontology Based Data Access (OBDA) framework, users access a relational data source by querying a domain ontology, whose classes and properties are connected to the data via declarative mappings. OBDA is adopted for data management in various sectors, notably healthcare, where confidentiality of information is a key concern that requires data to be properly protected from unauthorized accesses. Controlled Query Evaluation (CQE) is a framework for privacy-preserving query answering in the presence of an ontology. In CQE, policies are used to represent the information that should be kept confidential, and the aim is to devise from policy specifications suitable censors that enforce data protection. Therefore, it is desirable to integrate CQE in OBDA to obtain a robust privacy-aware data management framework. This has been done in the recently proposed Policy-Protected OBDA (PPOBDA) framework, which ensures the integration of CQE within OBDA by embedding policies into mappings. In this paper, we present an open-source solution that implements PPOBDA and a simplified algorithm for policy embedding, compared to previously proposed ones. This facilitates the adoption of PPOBDA using any OBDA query engine capable of translating SPARQL queries into SQL. In our implementation, we rely on Ontop, a state-of-the-art open-source OBDA tool.
Within the Ontology-Based Data Access (OBDA) framework [
Guaranteeing the privacy of information represents a challenge across all data management
systems, especially in those cases where sensitive data, such as medical records, need to be
manipulated. This holds in particular for OBDA, where the main objective is to eficiently and
efectively answer queries posed by users over the ontology, but transferring the necessary
data from the underlying data source requires suitable privacy preserving methods that prevent
any unauthorized disclosure of sensitive data. Recently, Controlled Query Evaluation (CQE) has
emerged as a promising privacy-preserving framework for query answering in the presence of
ontologies [
Building upon the foundational principles of CQE and of OBDA, the Policy-Protected OBDA
(PPOBDA) framework was introduced in [
To address this limitation, our ongoing research implements PPOBDA using the open-source
OBDA engine Ontop [
In this section, we present the technical preliminaries that are necessary to understand the remaining part of the paper. Specifically, we introduced Description Logics, the logical-based formalism providing the underpinning for the OWL 2 language, and present the formalization of OBDA, and the query language used to express both queries in OBDA and policies in CQE. Finally, we introduce the open-source system Ontop, on which we rely for query reformulation.
We make use of countably infinite pairwise disjoint alphabets Σ of relation names, Σ of unary and binary ontology predicates, and Σ of constants.
Description Logics (DLs) [
The semantics of DL-Liteℛ is given in terms of FOL interpretations, where an interpretation ℐ = ⟨∆ ℐ , · ℐ ⟩, consists of a domain ∆ ℐ , and a function · ℐ that assigns to each concept name ∈ Σ a set ℐ ⊆ ∆ ℐ of objects, to each role name ∈ Σ a binary relation ℐ ⊆ ∆ ℐ × ∆ ℐ , and to each constant ∈ Σ a domain element ℐ ∈ ∆ ℐ . We make the unique name assumption, i.e., ̸= ′ implies ℐ ̸= ′ℐ . Concept and role expressions are interpreted as follows: (− )ℐ = {(′, ) | (, ′) ∈ ℐ } ¬ℐ = ∆ ℐ ∖ ℐ (∃)ℐ = { | ∃′ ∈ ∆ ℐ s.t. (, ′) ∈ ℐ } ¬ℐ = (∆ ℐ × ∆ ℐ ) ∖ ℐ We say that ℐ satisfies a concept/role inclusion/disjointness 1 ⊑ 2, if 1ℐ ⊆ 2ℐ , and it satisfies an ABox assertion () (resp., (, ′)) if ℐ ∈ ℐ (resp., (ℐ , ′ℐ ) ∈ ℐ ). An interpretation that satisfies all axioms and assertions in (resp., , ) is called a model of (resp., , ).
In OBDA, users can query a data source through an ontology TBox, which is connected to the
data source via declarative mappings [
Given an OBDA specification = ⟨ , , ℳ⟩ and a DB instance for , the pair = ⟨, ⟩ is called an OBDA instance. The retrieved ABox for , denoted ret( ), consists of all facts (IRI(⃗)), where (⃗) ⇝ (IRI(⃗)) is a mapping assertion in ℳ, and ⃗ ∈ eval( (⃗), ) is a tuple of constants in the evaluation of the mapping source query over . Notice that the fact (IRI(⃗)) contains IRIs of the form iri(⃗) constructed from the answer tuple ⃗ using the IRI template iri(⃗) in the mapping head. Hence, ret( ) is an ABox over constants in the set ∆ consisting of (i) all DB values in and (ii) all possible IRIs iri(⃗) constructed from some tuple ⃗ of values in and some IRI template iri(⃗) in some mapping assertion in ℳ. Then, a model of the OBDA instance is defined as a model of the knowledge base ⟨ , ret( )⟩. We denote the set of models of by Mod( ), and we say that is inconsistent if Mod( ) = ∅. Moreover, |= , indicating that entails a sentence , holds if is true in every model in Mod( ).
We make here the standard name assumption, i.e., given ⟨, ⟩, we consider interpretations over a fixed domain ∆ containing ∆ and such that all values in ∆ are interpreted as themselves. Notice that the standard name assumption implies the unique name assumption.
We consider queries, expressed as FOL formulas, over DB and OBDA instances. A query over an OBDA instance is formulated over the ontology predicates, and we are interested in the certain answers cert(, ) to , which are defined as those answers that hold over all models of , i.e., ⃗ ∈ cert(, ) if |= (⃗). A conjunctive query (CQs) has the form (⃗) = ∃⃗. 1(⃗, ⃗) ∧ · · · ∧ (⃗, ⃗), where each is a DB/ontology predicate. A Boolean CQ (BCQ) is a CQ () without answer variables, i.e., of zero arity, which returns either the empty tuple {()} (i.e., true), or the empty set ∅ (i.e., false). A ground atom (GA) is a BCQ with only one atom and no variables. CQ denotes the language of BCQs, and GA the language of GAs.
We make use here of the state-of-the-art open-source OBDA system Ontop [
Ontop implements query answering by rewriting, i.e., it computes the certain answers to SPARQL queries over the OBDA instance, by reformulating them into SQL queries expressed over , which then get executed by the underlying DB engine. To do so, Ontop first performs some of-line tasks, in which it pre-processes , , and ℳ (e.g., by saturating ℳ w.r.t. ), in 1We can consider SPARQL as a concrete syntax for CQs, although SPARQL features additional constructs not present in CQs (e.g., OPTIONAL and aggregations), and adopts a diferent semantics for existentially quantified variables. order to be then more eficient during query answering. At query answering time, it transforms a given SPARQL query into a logically equivalent (w.r.t. ) SQL query SQL and optimizes such query by taking into account mapping information and the DB constraints in .
Ontop’s toolkit encompass a Plugin for the widely adopted Protégé ontology editor, facilitating the development of OBDA specifications. Moreover, it allows for setting up a SPARQL endpoint, via a command line interface, with which users can interact by issuing queries via HTTP requests. In our work, we have used Ontop as a blackbox to exploits its query rewriting functionalities.
To create a privacy-preserving OBDA setting, one can proceed in three ways: (i) the ontology
can be modified by adjusting TBox axioms based on policy requirements [
To introduce formally the PPOBDA setting, we first define a denial (assertion) as a FOL
sentence of the form ∀⃗. (⃗) → ⊥, such that ∃⃗. (⃗) is a BCQ. Given a set of FOL sentences
(e.g., a TBox) and a denial , we have that ∪ { } is consistent if ̸|= ∃⃗. (⃗). Following [
For a query language ℒ (e.g., CQ or GA), let ℒ( ) be the restriction of ℒ to the predicates in , and ℒ the formulas in ℒ mentioning only constants in . An optimal censor for ℰ in query language ℒ is a function cens(· ) that, for each source DB for ℰ , returns a set cens() ⊆ ℒ such that (i) ⟨⟨ , , ℳ⟩, ⟩ |= , for each ∈ cens(), and (ii) ∪ ∪ cens() is consistent. ℒ is called the censor language. We are interested in optimal censors, i.e., that return as much formulas as possible. The set of all optimal censors in ℒ for a PPOBDA specification ℰ is denoted ℒ-OptCensℰ .
To obtain a notion of censor that allows for embedding a policy into the mapping, [
Definition 1 (IGA censor [
In [
Input: a DL-Liteℛ TBox , a mapping ℳ, a policy .
Output: a mapping ℳ0. 1 Let ′ be the expansion of the policy w.r.t. ; 2 ℳ0 ← ∅ ; 3 for each atomic concept do 4 ← addConstraints((), ′); 5 ℳ′ ← ℳ ′ ∪ {(unfold(rewrite(, ), ℳ) ⇝ ()} 6 for each atomic role do 7 ← addConstraints((, ), ′); 8 ℳ′ ← ℳ ′ ∪ {(unfold(rewrite(, ), ℳ) ⇝ (, )} 9 return ℳ′ returned to queries posed over the ontology and processed by an OBDA engine making use of ℳ’ automatically comply to according to an IGA censor. We present in Algorithm 1 EncodeMapping, a streamlined version of that algorithm that reduces the number of calls to a DL-Liteℛ query rewriting procedure. We discuss its functioning on the following example: = { Reviewer ⊑ Student , ∃ReviewsProject − ⊑ Student }, ℳ = { 1 : ∃.student(, ) ⇝ Student () 2 : student(, ’review’) ⇝ Reviewer () 3 : project(, ) ⇝ ReviewsProject (, ) } = { Reviewer () ∧ ReviewsProject (, ) ∧ Student () → ⊥ } Here, the TBox specifies that reviewer students (concept Reviewer ) are special kinds of students (concept Student ), and that projects of students are being reviewed (inverse of role ReviewsProject ). The policy says that the fact that a reviewer reviews a project of a student is a confidential information (to protect the information regarding who graded whom).
Following the definition of the IGA censor, the target is to remove the facts that belong to at least one minimal ABox such that ∪ ∪ is inconsistent. Identifying such facts is facilitated when we can analyze each denial independently. This requires that the policy exhibits the following property: for every denial in , every minimal ABox where ∪ ∪ is inconsistent must also be minimal when ∪ ∪ is inconsistent.
To achieve this, [
In Step 1, we use the perfectRef(, ) algorithm of DL-Liteℛ to expand policy with respect
to [
Then, one mapping assertion is constructed for each ontology predicate.
At Step 4, for each concept of the ontology, addConstraints((), ′) transforms ()
into a formula ensuring that the conditions leading to a policy violation cannot be satisfied, when
retrieving data from the source through the mapping. Specifically, assume that all denials in ′
containing an atom that unifies with () are ∀, ⃗.(()∧ (, ⃗)) → ⊥, for ∈ {1, . . . , }.
Then addConstraints((), ′) returns () ∧ ⋀︀1≤ ≤ ¬∃⃗. (, ⃗). Similarly, at Step 7, for
each role of the ontology. For instance, assume that ′ contains the denials ∀.(() ∧
()) → ⊥ and ∀, .(() ∧ (, ) ∧ ()) → ⊥. Then, addConstraints((), ′) returns
() ∧ ¬() ∧ ¬∃.((, ) ∧ ()). For predicates that are not present in the policy ′, we
do not apply the transformation, as they pose no threat to the policy. In our running example,
Student () is not transformed, while
addConstraints(Reviewer (), ′) = Reviewer () ∧ ¬∃.ReviewsProject (, )
addConstraints(ReviewsProject (, ), ′) = (, ) ∧ ¬Reviewer ()
Steps 5 and 8 invoke rewrite(, ), which rewrites each of the transformed predicates w.r.t.
the TBox . Notice that might contain negated atoms, and for this step we rely on the
capability of the query rewriting engine to correctly deal with SPARQL queries containing the
MINUS operator. The resulting expression is then unfolded with respect to the original mapping
ℳ [
In our running example, EncodeMapping( , ℳ, ) returns the following mapping ℳ′: ′1 : ∃.student(, ) ∨ student(, ’review’) ∨ ∃.project(, ) ⇝ ′2 : (,′ ′) ∧ ¬∃.project(, )) ⇝ Reviewer () ′3 : project(, ) ∧ ¬student(, ’review’) ⇝ ReviewsProject (, ) Student ()
To implement the EncodeMapping algorithm, we need to exploit the query answering
capabilities of an OBDA engine, and specifically both query rewriting with respect to an OWL 2 QL
TBox, and query unfolding with respect to R2RML mappings. The original implementation of
the PPOBDA framework described in [
The initial step of expanding the policy w.r.t. the TBox relies on the query rewriting functionality. Since for optimization purposes, Ontop combines the steps of query rewriting and of unfolding w.r.t. the mapping, it requires the existence of a relational data source and of mappings even to perform only query rewriting. To address this, we have developed a Direct Mapping Generator, which simulates a data source with unary and binary relations corresponding directly to the concepts and roles names in the ontology, and establishes direct (one-to-one) mappings from this dummy DB to the ontology. The Policy Expander function exploits this setup to activate the Ontop query reformulation functionality over the denials in the policy as queries to be expanded. Given that the mappings are one-to-one, they have no impact on the outcome of the reformulation.
The rewritten queries, serving as policies expanded w.r.t. the ontology, are then provided as input to the addConstraints algorithm, which redefines each predicate as a SPARQL query. These SPARQL queries, along with the ontology, the original mapping, and the DB schema are then processed by the Policy Embed function, which converts them into SQL queries using Ontop for query reformulation. Subsequently, a new mapping is created with these SQL queries as the source parts for the respective predicates, which appear in the target part of the mapping assertions. This process efectively generates mappings that embed the policy constraints.
We have described an ongoing research efort that aims at extending the OBDA framework
so as to incorporate privacy policies expressed as denials, in line with the Controlled Query
Evaluation (CQE) approach. Following an approach in the literature, we have provided an
initial implementation in a prototype system that builds on the open-source OBDA system
Ontop. Our implementation is available as an open-source project2. We rely on our prototype
implementation in our ongoing research, which aims at analyzing privacy requirements in
real-world scenarios, and at assessing the adequacy of the CQE approach to capture them.
We also plan to investigate how the approach we have presented for embedding policies into
mappings impacts performance of query evaluation in OBDA, specifically when compared to
the original approach proposed in [
This work has been partially supported by the Wallenberg AI, Autonomous Systems and Software Program (WASP) funded by the Knut and Alice Wallenberg Foundation, by the Province of Bolzano and DFG through the project D2G2 (DFG grant n. 500249124), and by the HEU project CyclOps (under GA n. 101135513). 2https://github.com/divyabaura/PPOBDA-with-Ontop