Upload
ruleml
View
395
Download
3
Embed Size (px)
Citation preview
Towards Formal Semantics for ODRL PoliciesSimon Steyskal and Axel Polleres
web: http://steyskal.info
mail: [email protected]
twitter: @simonsteys
Agenda
1. Motivation Policy-driven Data Markets Compliance Checking in BPM Requirements for Policy Language
2. Formulating Expressive Policies using ODRL Open Digital Rights Language (ODRL) Policy Examples Implicit/Explicit Dependencies among ODRL Policies
3. Formal Semantics of ODRL General Evaluation Procedure Abstract Syntax of ODRL Conflict Resolution
PAGE 2
Agenda
1. Motivation Policy-driven Data Markets Compliance Checking in BPM Requirements for Policy Language
2. Formulating Expressive Policies using ODRL Open Digital Rights Language (ODRL) Policy Examples Implicit/Explicit Dependencies among ODRL Policies
3. Formal Semantics of ODRL General Evaluation Procedure Abstract Syntax of ODRL Conflict Resolution
PAGE 3
Policy-driven Data Markets
PAGE 4
Compliance Checking in BPM
PAGE 5
http://ssrg.nicta.com.au/projects/bpc
https://ai.wu.ac.at/shape-project/
Requirements for Policy Language
Expressivity It should be possible to model complex policies. Such complex policies may include obligations, constraints or
specific conflict resolution strategies.
Extensibility If required, it should be easy to add additional concepts to the
policy language.
Flexibility The policy language should be flexible enough to be used within
different scenarios.
PAGE 6
Agenda
1. Motivation Policy-driven Data Markets Compliance Checking in BPM Requirements for Policy Language
2. Formulating Expressive Policies using ODRL Open Digital Rights Language (ODRL) Policy Examples Implicit/Explicit Dependencies among ODRL Policies
3. Formal Semantics of ODRL General Evaluation Procedure Abstract Syntax of ODRL Conflict Resolution
PAGE 7
Open Digital Rights Language (ODRL)
PAGE 8https://www.w3.org/community/odrl/model/2.1/
PAGE 9
@prefix odrl: <http://w3.org/ns/odrl/2/> .@prefix : <http://www.example.com/> .
:policy1 a odrl:Agreement ;odrl:permission [
a odrl:Permission;odrl:assigner :owner;odrl:assignee :alice; odrl:action odrl:read;odrl:target :dataset1;odrl:constraint [
a odrl:Constraint;odrl:operator odrl:lteq;odrl:dateTime "2016-12-31"^^xsd:date
] .
Listing 1
Policy Examples 1/3Permitting access only in specific time frames
PAGE 10
@prefix odrl: <http://w3.org/ns/odrl/2/> .@prefix : <http://www.example.com/> .
:policy2 a odrl:Set;odrl:permission [
a odrl:Permission;odrl:action odrl:reproduce,
odrl:distribute, odrl:derive;
odrl:duty odrl:attribution, odrl:attachPolicy, odrl:shareAlike
] .odrl:prohibiton odrl:commercialize .
Listing 2
Policy Examples 2/3Representing license information (CC-BY-NC-SA)
Villata et al. (ESWC 2014)
PAGE 11
@prefix gr: <http://purl.org/goodrel/v1#> .@prefix odrl: <http://w3.org/ns/odrl/2/> .@prefix gn: <http://www.geonames.org/ontology#">.@prefix : <http://www.example.com/> .
:policy3 a odrl:Set;odrl:permission [
a odrl:Permission;odrl:action odrl:read;odrl:target :dataset;odrl:duty [
a odrl:Duty;odrl:action odrl:pay;odrl:constraint [a odrl:Constraint ;odrl:payAmount 50.00 ;odrl:operator odrl:eq ;odrl:unit
<http://cvx.iptc.org/iso4217a:EUR>] .
Listing 3
Policy Examples 3/3Combining prohibitions and permissions
odrl:prohibtion [a odrl:Prohibition;odrl:action odrl:distribute;odrl:target :dataset;odrl:constraint [
a odrl:Constraint;odrl:operator odrl:eq; odrl:spatial [
a gn:Feature.gn:countryCode “AT”
] .] .
] .
Policies govern execution of actions over assets. Does permission of one action interfere with prohibition
of another action?
Direct Dependency
Implicit Dependency
Explicit Dependency
Dependencies among ODRL Policies
PAGE 12
:ex1 a odrl:Set;odrl:permission odrl:read.
:ex2 a odrl:Set;odrl:prohibition odrl:read.
:ex1 a odrl:Set;odrl:permission odrl:share.
:ex2 a odrl:Set;odrl:prohibition odrl:distribute.
:ex1 a odrl:Set;odrl:permission odrl:use.
:ex2 a odrl:Set;odrl:prohibition odrl:display.
?
?
?
ODRL explicitly defines a hierarchy among its actions e.g. odrl:present is a broader term/action for odrl:display
Governing execution of a more general action, influences execution of its narrower ones too.
Explicit Dependencies among ODRL Policies
PAGE 13
odrl:present
odrl:display odrl:play
odrl:print
skos:broaderTransitive
Implicit Dependencies among ODRL Policies
PAGE 14
Other dependencies are only implicitly expressed as part of the natural language description of ODRL actions.
e.g. odrl:share Prohibition of either odrl:reproduce/odrl:copy or odrl:distribute
would cause a conflict, if odrl:share would be permitted at the same time.
Agenda
1. Motivation Policy-driven Data Markets Compliance Checking in BPM Requirements for Policy Language
2. Formulating Expressive Policies using ODRL Open Digital Rights Language (ODRL) Policy Examples Implicit/Explicit Dependencies among ODRL Policies
3. Formal Semantics of ODRL General Evaluation Procedure Abstract Syntax of ODRL Conflict Resolution
PAGE 15
General Evaluation Procedure
PAGE 16
Data Consumer Data ProviderRequest(party,action,asset)
Check applicablepolicies
1
2
1. A query request consists of: optional information about requesting party, the requested action to be performed, and asset the requested action should be performed on.
Evaluation result3
Policy Store
2. A policy is applicable, if at least one of its rules is applicable. A rule is applicable, if its action, asset, and party (if specified) information match those of the request,
its constraints hold (if specified), and
its duties are fulfilled (if specified).
General Evaluation Procedure
PAGE 17
Data Consumer Data ProviderRequest(party,action,asset)
Policy Store
Check applicablepolicies
1
2Evaluation result3
3. Result of a query request evaluation can either be: permission – query request is permitted
prohibition – query request is prohibited
conditional prohibition – query request is prohibited due to open obligation(s)
condition permission – query request is permitted since all its obligation(s) arefulfilled
not applicable – there is no applicable nor active policy for the query request
General Evaluation Procedure
PAGE 18
Data Consumer Data ProviderRequest(party,action,asset)
Policy Store
Check applicablepolicies
1
2Evaluation result3
Abstract Syntax of ODRL
PAGE 19
Conflict Resolution
How to deal with conflicting evaluation results?
PAGE 20
ODRL defines three different conflict resolution strategies perm, prohibit, invalid
@prefix odrl: <http://w3.org/ns/odrl/2/> .@prefix : <http://www.example.com/> .
:policy1 a odrl:Agreement ;odrl:permission [
a odrl:Permission;odrl:assigner :owner;odrl:assignee :alice; odrl:action odrl:read;odrl:target :dataset1;
@prefix odrl: <http://w3.org/ns/odrl/2/> .@prefix : <http://www.example.com/> .
:policy2 a odrl:Agreement ;odrl:prohibition [
a odrl:Prohibition;odrl:assigner :owner;odrl:assignee :alice; odrl:action odrl:read;odrl:target :dataset1;
Permission Overrides (perm)
Semantics Whenever there are two rules in conflict with each other, the one
granting permission to execute an action a on a particular asset overrules the one prohibiting its execution.
PAGE 21
Prohibition Overrides (prohibit)
Semantics Whenever there are two rules in conflict with each other, the one
prohibiting execution of an action a on a particular asset overrules any permission of a.
PAGE 22
No Conflicts Allowed (invalid)
Semantics Whenever there are two rules in conflict with each other, no
answer can be returned. invalid is ODRL’s default conflict resolution strategy.
PAGE 23
Conclusion
Contributions Definition of an abstract syntax for expressing ODRL policies. Formalization of a possible interpretation of ODRL policy semantics. Discussion of a solution proposal for considering dependencies
among ODRL actions for policy evaluation. Future Work Introducing the concept of Policy Sets as container for policies which
allows to combine the evaluation results of policies independently of their respective chosen conflict resolution strategy.
Formalizing and extending the mapping between ODRL policies and logic programs, which enables basic, rule-based reasoning
Addressing the elaborate provision of proofs for constraints and duties which are currently assumed to be provided by the requester itself.
PAGE 24