Graph based Flexible Authorisation Framework (G-FAF)

G-FAF is a general authorisation framework that can be used to deliver dynamic query results based on user credentials and to cater for the secure manipulation of linked data. 

In G-FAF, data items, access rights and authorisation subjects are represented as one or more graphs that may or may not be disjoint.

Data Items

In the Semantic Web, information is represented as RDF triples, which make statements about resources in the form of subject-predicate-object expressions. An RDF graph is a finite set of RDF triples. Named graphs are used to collectively refer to a number of RDF statements. Although there are several RDF representation formats, we use N-Quads.

Access Rights

As with databases and file systems, access can be restricted based on the operations that a user attempts to execute on the data items. In the case of RDF, these operations take the form of:
  • Graph query operations (SELECT, CONSTRUCT, ASK and DESCRIBE)
  • Graph update operations (INSERT, DELETE, DELETE/INSERT)
  • Graph management (DROP, COPY, MOVE and ADD)
Three additional access rights are required to facilitate access control administration, namely GRANT, REVOKE and FULL ACCESS:
  • The GRANT privilege allows users to grant access to others based on their own privileges. 
  • The REVOKE privilege allows users to revoke the access rights they have granted to others. 
  • FULL ACCESS is a super access right that subsumes all other access rights. 
We model the operations as one or more RDF graphs and use vocabularies such as RDFS to define a partial order over the operations. 

Authorisation Subjects

Subject is an umbrella term used to collectively refer to different user credentials. We propose the verification of access based on credential matching; as such, we make no distinction between a user playing a role and a user belonging to a group. Therefore, we merge both the user-group and role hierarchies and refer to them simply as authorisation subjects. Such a merge does not impact the specification or enforcement of authorisations and in fact affords a greater degree of flexibility with respect to the inclusion of additional types of user credentials. As RDF is a web-based distributed data model, we extend the subject definition to include user attributes. Combined, users, groups, roles and attributes can be represented as one or more RDF graphs, possibly disjoint.

Dataset, Authorisations, Rules and Queries

Authorisations are specified as graph patterns, propagation rules are used to ease administration, and integrity constraints together with conflict resolution policies are used to specify and enforce consistent access control policies.
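
The following sketch is an added example, not G-FAF's own code or vocabulary: it shows how an access decision can combine a partial order over access rights, a merged subject graph and authorisations written as quad patterns. The intermediate rights QUERY, UPDATE and MANAGE, all subject and graph names, the use of positive authorisations only and the default-deny outcome are assumptions made for illustration.

```python
# Added illustration; vocabulary and data below are constructed, not G-FAF's own.

# Partial order over access rights as "narrower -> broader" edges
# (the role rdfs:subClassOf-style statements would play in an RDF graph).
RIGHT_BROADER = {
    "SELECT": {"QUERY"}, "CONSTRUCT": {"QUERY"}, "ASK": {"QUERY"}, "DESCRIBE": {"QUERY"},
    "INSERT": {"UPDATE"}, "DELETE": {"UPDATE"}, "DELETE/INSERT": {"UPDATE"},
    "DROP": {"MANAGE"}, "COPY": {"MANAGE"}, "MOVE": {"MANAGE"}, "ADD": {"MANAGE"},
    "QUERY": {"FULL_ACCESS"}, "UPDATE": {"FULL_ACCESS"}, "MANAGE": {"FULL_ACCESS"},
    "GRANT": {"FULL_ACCESS"}, "REVOKE": {"FULL_ACCESS"},
}

# Merged subject graph: users, groups, roles and attributes are all just nodes.
SUBJECT_BROADER = {
    "alice": {"role:editor", "attr:dept=sales"},
    "role:editor": {"group:staff"},
    "bob": {"group:staff"},
}

# Authorisations: (subject, right, quad pattern); None is a wildcard term.
AUTHORISATIONS = [
    ("group:staff", "QUERY", (None, None, None, "g:catalogue")),
    ("role:editor", "UPDATE", (None, "ex:price", None, "g:catalogue")),
    ("attr:dept=sales", "FULL_ACCESS", (None, None, None, "g:sales")),
]

def closure(node, edges):
    """Reflexive-transitive closure: the node plus everything above it."""
    seen, stack = set(), [node]
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(edges.get(n, ()))
    return seen

def matches(pattern, quad):
    """A quad matches when every non-wildcard pattern term is equal."""
    return all(p is None or p == q for p, q in zip(pattern, quad))

def is_authorised(user, right, quad):
    """Default deny: allow only if some authorisation covers user, right and quad."""
    subjects = closure(user, SUBJECT_BROADER)   # credentials the user holds
    rights = closure(right, RIGHT_BROADER)      # rights that subsume the request
    return any(s in subjects and r in rights and matches(p, quad)
               for s, r, p in AUTHORISATIONS)
```
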

For the evaluation of G-FAF we created three separate experiments to: 
  • examine the overhead associated with access control over different data sets
  • deduce the impact given an increasing number of authorisations
  • determine the performance increase for a number of propagation rules (the most expensive administration operation).
We use the Berlin SPARQL Benchmark (BSBM) dataset for evaluation of the framework. The evaluation datasets, authorisation sets, rules and queries are stored on a public Google drive: gfaf@googledocs.

Details of the evaluation can be found in the following paper: Secure Manipulation of Linked Data.