Supporting Role Based Provisioning with Rules Using OWL and F-Logic

  • Patrick Rempel
  • Basel Katt
  • Ruth Breu
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6426)


The rule-based RBAC (RB-RBAC) model has been proposed to dynamically assign users to roles based on a set of rules. We identify two problems with this model: a simplified rule language with limited expressiveness and a lack of rule reasoning capabilities. In this paper, we propose an expressive and extensible provisioning framework that overcomes these drawbacks. Our framework supports complex user-role assignment rules and provides rule reasoning capabilities using OWL DL and F-Logic. Furthermore, we show how our approach supports (i) weak and strong negation to enhance expressiveness and strictness, (ii) defining static separation of duty (SoD) constraints, and (iii) detecting conflicts. Finally, the paper describes a mechanism to deduce well-formed SPML requests from rules to provision policy systems with entitlements.


Keywords: Access Control Policy, Cost Center, Assignment Rule, Calculated Property, Closed World Assumption
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Patrick Rempel (1)
  • Basel Katt (2)
  • Ruth Breu (2)

  1. Oxford Computer Group Germany, Munich, Germany
  2. University of Innsbruck, Innsbruck, Austria
