G-FAF is a general authorisation framework that can be used to deliver dynamic query results based on user credentials and to cater for the secure manipulation of linked data.
In G-FAF, data items, access rights and authorisation subjects are each represented as one or more graphs, which may or may not be disjoint.
In the Semantic Web, information is represented as RDF triples, which make statements about resources in the form of subject-predicate-object expressions. An RDF graph is a finite set of RDF triples. Named graphs are used to refer collectively to a number of RDF statements. Although there are several RDF serialisation formats, we use N-Quads.
As with databases and file systems, access can be restricted based on the operations a user attempts to execute on the data items. In the case of RDF these operations take the form of:
We model the operations as one or more RDF graphs and use vocabularies such as RDFS to define a partial order over the operations.
Subject is an umbrella term used to refer collectively to different kinds of user credentials. We propose verifying access by credential matching, so we make no distinction between a user playing a role and a user belonging to a group. We therefore merge the user-group and role hierarchies and refer to them simply as authorisation subjects. Such a merge does not affect the specification or enforcement of authorisations and in fact affords greater flexibility with respect to the inclusion of additional types of user credentials. As RDF is a web-based, distributed data model, we extend the subject definition to include user attributes. Combined, users, groups, roles and attributes can be represented as one or more, possibly disjoint, RDF graphs.
We use the Berlin SPARQL Benchmark (BSBM) dataset to evaluate the framework. The evaluation datasets, authorisation sets, rules and queries are stored on a public Google Drive: gfaf@googledocs.
Authorisations are specified as graph patterns; propagation rules ease administration; and integrity constraints together with conflict resolution policies are used to specify and enforce consistent access control policies.
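As an added illustration, not G-FAF's own code or anything from the paper, the following Python sketch ties together the pieces described above: data items held in named graphs read from N-Quads, a partial order over operations standing in for an RDFS hierarchy, credential-matched authorisations written as graph patterns, and a deny-overrides rule as one possible conflict resolution policy. The IRIs, credential labels, the operation hierarchy and the choice of deny-overrides are all assumptions made for the example.

```python
import re

# Constructed N-Quads sample (hypothetical IRIs) spread over two named graphs.
NQUADS = """\
<http://ex.org/product/1> <http://ex.org/price> "120" <http://ex.org/g/public> .
<http://ex.org/product/1> <http://ex.org/vendor> <http://ex.org/vendor/7> <http://ex.org/g/public> .
<http://ex.org/product/2> <http://ex.org/price> "999" <http://ex.org/g/internal> .
<http://ex.org/vendor/7> <http://ex.org/margin> "0.35" <http://ex.org/g/internal> .
"""
TERM = re.compile(r'<[^>]*>|"[^"]*"|_:\S+')  # IRI, plain literal, or blank node

def parse_nquads(text):
    """Minimal N-Quads reader: one (s, p, o, g) tuple per line, plain literals only."""
    return [tuple(TERM.findall(line)) for line in text.splitlines() if line.strip()]

# Assumed partial order over operations (stand-in for an RDFS hierarchy): key implies values.
IMPLIES = {"delete": {"update"}, "update": {"read"}, "read": set()}

def closure(op):
    """Every operation implied by `op`, including itself (transitive closure)."""
    return {op}.union(*(closure(x) for x in IMPLIES.get(op, ())))

def matches(pattern, quad):
    """Graph-pattern match: a '?var' term binds anything, any other term must be equal."""
    return all(t.startswith("?") or t == v for t, v in zip(pattern, quad))

# Authorisations as (credential, operation, graph pattern over s p o g, effect); hypothetical.
AUTHS = [
    ("role:customer", "read", ("?s", "?p", "?o", "<http://ex.org/g/public>"), "grant"),
    ("role:analyst", "update", ("?s", "?p", "?o", "?g"), "grant"),
    ("attr:region=EU", "read", ("?s", "<http://ex.org/margin>", "?o", "?g"), "deny"),
]

def authorised(quads, credentials, op, auths=AUTHS):
    """Filter `quads` to those the subject may `op`, resolving conflicts by deny-overrides."""
    out = []
    for q in quads:
        effects = set()
        for cred, aop, pat, eff in auths:
            if cred not in credentials or not matches(pat, q):
                continue
            # A grant on a stronger operation covers the weaker ones it implies; a deny on a
            # weaker operation also blocks every operation that implies it.
            if (eff == "grant" and op in closure(aop)) or (eff == "deny" and aop in closure(op)):
                effects.add(eff)
        if effects == {"grant"}:  # any applicable deny wins
            out.append(q)
    return out
```

Running `authorised(parse_nquads(NQUADS), {"role:analyst", "attr:region=EU"}, "read")` returns three quads: everything except the vendor margin, which the attribute-based deny removes even though the role grant matches it.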
For the evaluation of G-FAF we created three separate experiments to:
Details of the evaluation can be found in the paper Secure Manipulation of Linked Data.