Policy Language Overview
Andrea Westerinen, CA Technologies
Apr 28, 2011
Topics
Overview and comparison of:
- DMTF's CIM and CIM-SPL (Simplified Policy Language)
- Ponder2 from Imperial College
- XACML
- AIR from MIT
- REI from UMBC
- RuleML
- OMG's SBVR
- TMForum's SID
- KAoS from IHMC
UNCLASSIFIED // FOR OFFICIAL USE ONLY
Language Comparison

Language | Encoding | Structure | Oblig/Perm | Sem Web Support? | Std?
CIM-SPL | DSL; UTF-8 | If-then | Obligation | No | ~
Ponder2 | DSL (derived from Smalltalk); UTF-8 and XML | ECA and Pos/Neg Authorization | Obligation and Permission | No | No
XACML | XML | Condition-Effect (Permit/Deny) | Permission with related Obligations | Yes, via 3rd party code (Clark & Parsia) | Yes
AIR (Accountability in RDF) | Turtle | Condition-Assertion | ~Permission (Validation) | Yes | No
REI (Japanese for "universal") | OWL-Lite + Variables | Condition-Action with Starting and Ending Conditions | Obligation and Permission | Yes | No
RuleML | Various encodings (focus on interop between the encodings) | Horn clauses (Head <- Body); evolution toward Event-Condition-Action | N/A | Yes | ~Yes
OMG's SBVR | XMI encoding of UML instances | Instances of quantifications, atomic formulations, role bindings, fact types, ... | Obligation and Permission | Not directly; via mapping to ISO Common Logic | Yes
TMForum's SID | XMI encoding of UML instances | Complex set of inter-related instances (supporting Event-Condition-Action) | Obligation | No (?) | Yes
IHMC's KAoS | OWL/RDF | Situation (event or history) -> Authorization and/or Obligations/Actions | Obligation and Permission | Yes | No
Language Overviews
CIM and CIM-SPL
Constructs:
- PolicyGroup (set of rules)
- PolicyRule (set of conditions and actions)
- PolicyCondition (broad set of operators defined, but extensible only as macros)
- PolicyAction
Supports definition of rules whose conditions consist of CIM data properties, and whose actions invoke CIM operations or function calls
- Actions include operations on the CIM data repository to change properties, create an instance, etc.
PolicyGroup Structure (CIM-SPL)
Import CIM_V<major>_<minor>_<release><final or preliminary><mof file name w/o extension>::<class name>:<simple Boolean condition> ;
Strategy [Execute_All_Applicable | Execute_First_Applicable] ;
Declaration {
    <List of constant definitions> (Optional)
    <List of macro definitions> (Optional)
}
Policy { ... } : Priority;
Policy { ... } : Priority;
...
PolicyGroup:[Association Name(Property1,Property2)] { ... } : Priority;
...
Example (CIM-SPL)
Import CIM_V_2_8_CIM_Core28-Final::PhysicalElement;
Strategy Execute_All_Applicable;
Declaration {
    InstallDate = "ManagedSystemElement.InstallDate";
    Macro {
        Name = Age;
        Type = Long;
        Arguments Born:DATETIME;
        Procedure = getYear(CurrentDate) - getYear(Born)
    }
}
Policy {
    Condition { 4 > Age(InstallDate) AND VendorEquipmentType == "switch" }
    Decision { Upgrade(SKU) }
}:1
Annotations from the slide:
- Import: the target (may further filter target instances via the specification of a condition)
- Strategy: applies if multiple policies are defined
- Declaration: variables and procs
- Policy: the rule
- :1: the priority
Ponder2
Combines:
- Domain Service (for managing objects)
- Obligation Policy Interpreter (for handling Event-Condition-Action rules)
- Command Interpreter (accepts commands written in PonderTalk to perform actions against objects registered in the Domain Service)
- Authorization Enforcement (supports positive and negative authorization and conflict resolution)
Constructs:
- Policies are sets of rules
- Rules address either obligation or permission
- Obligation policies consist of condition/action definitions
Infrastructure resolves conflicts between policies that apply to the same (subject, target, action) triple
- Based on the "more specific" rule ("more specific" type in the hierarchy)
Obligation Policy (Ponder2)
template := root/factory/event create: #( "monitor" "value" ).
root/event at: "monitor" put: template.
policy := root/factory/ecapolicy create.
policy event: root/event/monitor;
       condition: [ :value | value > 100 ];
       action: [ :monitor :value | root print: "Monitor " + monitor + " has value " + value ];
       active: true.
Authorization Policy (Ponder2)
root/tauthdom at: "a3" put: (newauthpol
    subject: root/personnel/nurse/ward1/nurse1
    action: "getrecord"
    target: root/patient/ward1/patient1
    focus: "t").
root/tauthdom/a3 reqneg.
root/tauthdom/a3 reqcondition: [ :nurselevel | nurselevel < 3 ].
root/tauthdom/a3 repneg.
root/tauthdom/a3 repcondition: [ :patrecord | patrecord == "[name= Harry;age= 12;symptom=BonelessArm]" ].
root/tauthdom/a3 active: true.
Annotations from the slide:
- "a3": rule name
- subject/action/target: the rule
- focus: where enforced
- reqneg / repneg: positive/negative authorization
- reqcondition / repcondition: additional conditions on subject/target
- active: active (T/F)
XACML 3 Concepts
- Permit/Deny
- First applicable, Deny overrides, Permit overrides, Only one applicable, ...
- Attributes defined as name/value pairs
- Broad set of operators and extensible
- Action before or after access
Example (XACML)
<Policy PolicyId="SamplePolicy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
  <!-- This Policy only applies to requests on the SampleServer -->
  <Target>
    <Subjects> <AnySubject/> </Subjects>
    <Resources>
      <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="...XMLSchema#string">SampleServer</AttributeValue>
        <ResourceAttributeDesignator DataType="...XMLSchema#string" AttributeId="...:resource:resource-id"/>
      </ResourceMatch>
    </Resources>
    <Actions> <AnyAction/> </Actions>
  </Target>
Rule in a Policy (XACML)
  <Rule RuleId="LoginRule" Effect="Permit">
    <!-- Only use this Rule if the action is login -->
    <Target>
      <Subjects> <AnySubject/> </Subjects>
      <Resources> <AnyResource/> </Resources>
      <Actions>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="...XMLSchema#string">login</AttributeValue>
          <ActionAttributeDesignator DataType="...XMLSchema#string" AttributeId="ServerAction"/>
        </ActionMatch>
      </Actions>
    </Target>
Condition in a Rule (XACML)
    <!-- Only allow logins from 9am to 5pm -->
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
      <Apply FunctionId="...function:time-greater-than-or-equal">
        <Apply FunctionId="...function:time-one-and-only">
          <EnvironmentAttributeSelector DataType="...XMLSchema#time" AttributeId="...environment:current-time"/>
        </Apply>
        <AttributeValue DataType="...XMLSchema#time">09:00:00</AttributeValue>
      </Apply>
      <Apply FunctionId="...function:time-less-than-or-equal">
        As above, but the time is 17:00:00
      </Apply>
    </Condition>
Multiple Rules in a Policy (XACML)
  </Rule>
  <!-- We could include other Rules for different actions here -->
  <!-- A final, "fall-through" Rule that always Denies -->
  <Rule RuleId="FinalRule" Effect="Deny"/>
</Policy>
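To show how the SamplePolicy above is actually decided, here is an added example (not from the presentation and not an XACML implementation) that hand-codes its target, the LoginRule with the 9am-to-5pm condition, the fall-through FinalRule, and both the permit-overrides and first-applicable rule-combining algorithms. The request dictionary, make_request and evaluate are assumed helpers of my own, and the Indeterminate handling is simplified to what this particular policy can produce.

```python
from datetime import time

# Request context: attribute-id -> value, constructed to mirror the slides'
# ResourceAttributeDesignator (resource-id), ActionAttributeDesignator
# (ServerAction) and EnvironmentAttributeSelector (current-time).
def make_request(action, hour=None, minute=0, resource="SampleServer"):
    """Build a constructed request context; hour=None omits current-time."""
    req = {"resource-id": resource, "ServerAction": action}
    if hour is not None:
        req["current-time"] = time(hour, minute)
    return req

def target_matches(request):
    """<Target> of SamplePolicy: any subject, any action, resource-id == SampleServer."""
    return request.get("resource-id") == "SampleServer"

def login_rule(request):
    """LoginRule, Effect=Permit: target ServerAction == login, condition 09:00 <= current-time <= 17:00."""
    if request.get("ServerAction") != "login":
        return "NotApplicable"            # rule target does not match
    now = request.get("current-time")
    if now is None:
        return "Indeterminate"            # time-one-and-only has no value to evaluate
    if time(9, 0) <= now <= time(17, 0):  # the two time-*-or-equal Apply elements, ANDed
        return "Permit"
    return "NotApplicable"                # condition false: the rule does not apply

def final_rule(request):
    """FinalRule, Effect=Deny: no target and no condition, so it always applies."""
    return "Deny"

def permit_overrides(decisions):
    """Rule-combining algorithm named in the Policy: any Permit wins."""
    if "Permit" in decisions:
        return "Permit"
    if "Indeterminate" in decisions:      # only the Permit-effect rule can be Indeterminate here
        return "Indeterminate"
    return "Deny" if "Deny" in decisions else "NotApplicable"

def first_applicable(decisions):
    """Alternative algorithm from the concepts slide: rule order decides."""
    return next((d for d in decisions if d != "NotApplicable"), "NotApplicable")

def evaluate(request, rules=(login_rule, final_rule), combine=permit_overrides):
    """Evaluate the policy target, then combine the rule decisions."""
    if not target_matches(request):
        return "NotApplicable"
    return combine([rule(request) for rule in rules])

if __name__ == "__main__":
    print(evaluate(make_request("login", 10, 30)))                                    # Permit
    print(evaluate(make_request("login", 18)))                                        # Deny
    print(evaluate(make_request("login", 10), rules=(final_rule, login_rule),
                   combine=first_applicable))                                         # Deny: order matters
```

The last call shows why the combining algorithm is part of the policy's security semantics: with first-applicable, placing the fall-through Deny rule first silently blocks every login, while permit-overrides is order-independent.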
AIR
Allows control over reasoning by invoking rules according to pattern matching, dependency tracking (explanations), nesting of rules and goal direction
Rule types:
- Belief: forward chaining deduction
- Goal: means to limit the application of rules
- Hidden: not shown as a step in the deduction/explanation
Rule actions:
- Assertions (statement added to beliefs)
- Subrules
- Alternatives
AIR Concepts (diagram)
Example (AIR)
@forAll :PERSON, :CITY, :STATE.

:ny_neighbor_state_residency_policy a air:Policy;
    air:rule :non-ny-residency-rule.

:non-ny-residency-rule a air:Belief-rule;
    rdfs:label "Non NY residency rule";
    air:pattern { :PERSON tamip:Lives_in_city :CITY. };
    air:rule [
        air:pattern { :CITY tamip:Has_state :NY. };
        air:alt [ air:rule :neighbor-state-rule ]
    ].

:neighbor-state-rule a air:Belief-rule;
    rdfs:label "neighbor state rule";
    air:pattern { :CITY tamip:Has_state :STATE.
                  :NY tamip:Neighbor_state :STATE. };
    air:assert { :PERSON air:compliant-with :ny_neighbor_state_residency_policy. }.
Annotations from the slide:
- air:rule on the policy: rules in the policy
- nested air:rule / air:alt inside a rule: subrules in the rule
REI
Supports deontic objects:
- Permissions, Prohibitions, Obligations, Dispensations (waiver for obligations)
- Common properties: Actor, Action, Constraint {StartingConstraint, EndingConstraint}
- StartingConstraint is a subproperty of Constraint
Uses speech acts for dynamic policy modification:
- Delegation, Revocation, Request, Cancel
- Properties: Sender, Receiver, Content (Deontic object/Action), Conditions
Focused on security and privacy
Uses meta policies for conflict resolution
REI Concepts (diagram)
REI Ontologies (diagram)
Example (REI)
<policy:Policy rdf:ID="DeptPolicy">
  <policy:context rdf:resource="#IsMemberOfCS"/>
  <policy:grants rdf:resource="#Perm_StudentPrinting"/>
  <policy:grants rdf:resource="#Granting_StudentLaserPrinting"/>
  <policy:defaultBehavior rdf:resource="&metapolicy;ExplicitPermExplicitProh"/>
  <policy:defaultModality rdf:resource="&metapolicy;PositiveModalityPrecedence"/>
  <policy:metaDefault rdf:resource="&metapolicy;CheckModalityFirst"/>
  <policy:rulePriority rdf:resource="#PriorityBA"/>
  <policy:imports rdf:resource="#SchoolPolicyWithGreaterPriority"/>
</policy:Policy>
Annotations from the slide, in the order of the properties above:
- context: constraints that define the domain
- grants: associates deontic objects
- defaultBehavior: explicit/implicit permission/prohibition
- defaultModality: whether positive/negative rules take precedence
- metaDefault: or priority
- rulePriority: resource defining ruleOfGreater/LesserPriority
Example Deontic Object (REI)
If you borrow a book from the library, you're obliged to return it before the due date, otherwise you must pay a fine
<deontic:Obligation rdf:ID="Obl_ReturnBook">
  <deontic:actor rdf:resource="#PersonVar"/>
  <deontic:action rdf:resource="&inst;ReturnBook"/>
  <deontic:StartingConstraint rdf:resource="#IsMemberAndBorrowedBook"/>
  <deontic:EndingConstraint rdf:resource="#BeforeDueDate"/>
  <deontic:sanction rdf:resource="&inst;PayFine"/>
</deontic:Obligation>
Example Speech Act (REI)
'Marty' revokes the permission to use a specific action 'HP123Printing' from 'George'
<action:Revocation rdf:ID="MartyFromGeorge">
  <action:sender rdf:resource="&inst;Marty"/>
  <action:receiver rdf:resource="&inst;George"/>
  <action:content>
    <deontic:Permission>
      <deontic:action rdf:resource="&inst;HP123Printing"/>
    </deontic:Permission>
  </action:content>
</action:Revocation>
RuleML
Concerned with rule interop "between industry standards (such as JSR 94, SQL'99, OCL, BPMI, WSFL, XLang, XQuery, RQL, OWL, DAML-S, and ISO Prolog) as well as established systems (CLIPS, Jess, ILOG JRules, Blaze Advisor, Versata, MQWorkFlow, BizTalk, Savvion, etc.)" http://ruleml.org/
Developed a base RuleML specification and a hierarchy of rule types
- Based on Datalog/Horn clauses and n-ary relations
- Unary/binary form of these clauses used in OWL/SWRL
Developed transformations from and to other rule standards/systems
Also addressing coordinated tool development
- Such as an XSLT normalizer to check syntax, add role tags and missing attributes
RuleML Rule Hierarchy (diagram)
Basic structure dealing with implications (head <- body), with details in relationships between variables
Most work in this area
RuleML Example
"A customer is premium if their spending has been min 5000 euro in the previous year."
<Implies>                                   <!-- Derivation -->
  <head>                                    <!-- Conclusion -->
    <Atom> <Rel>premium</Rel> <Var>customer</Var> </Atom>
  </head>
  <body>                                    <!-- Premises -->
    <Atom> <Rel>spending</Rel> <Var>customer</Var> <Ind>min 5000 euro</Ind> <Ind>previous year</Ind> </Atom>
  </body>
</Implies>
SBVR
Semantics of Business Vocabularies and Business Rules
- Based on semantic and first-order logic concepts
- Defines UML constructs to represent vocabularies & rules
- Assumed multi-lingual
- Separates "symbols" from their concepts/semantics
- Defines basic vocabulary/rule exchange structure using MOF/XMI
Includes approach to convert "structured English" to SBVR concepts in (non-normative) Annex C
- Annex "describes one ... way of using English that maps mechanically to SBVR concepts."
- "It is not meant to offer all of the variety of common English, but rather, it uses a small number of English structures and common words to provide a simple and straightforward mapping."
SBVR Details (Core Definitions to Instances) (diagram)
http://www.omg.org/news/meetings/ThinkTank/past-events/2006/presentations/04-WS1-2_Hall.pdf
Major Areas Addressed by SBVR (diagram)
SBVR Community (diagram)
SBVR Meanings (diagram)
SBVR Semantic/Logical Formulations (diagram)
SBVR Policies and Rules (diagram)
SBVR Example
Very complex instantiation, even for simple rules ... For example:
Definition: the age of the driver is at least the EU-Rent Minimum Driving Age
Results in a complex set of variables, quantifications, atomic formulations, role bindings, fact types, ...
The definition is represented by a projection
  The projection is on a first variable
    The first variable ranges over the concept 'driver' ...
    The first variable maps to the one role of the characteristic.
  The projection is constrained by a first universal quantification ...
    The first universal quantification introduces a second variable.
      The second variable ranges over the concept 'age'.
      The second variable is unitary.
      The second variable is restricted by an atomic formulation.
        The atomic formulation is based on the fact type 'driver has age'.
        The atomic formulation has a role binding.
          The role binding is of the role 'driver' of the fact type.
          The role binding binds to the first variable.
        The atomic formulation has a second role binding.
          The second role binding is of the role 'age' of the fact type.
          The second role binding binds to the second variable.
    The first universal quantification scopes over a second universal quantification.
      The second universal quantification introduces a third variable.
        The third variable ranges over the concept 'EU-Rent Minimum Driving Age'.
        The third variable is unitary.
      The second universal quantification scopes over an atomic formulation.
        The atomic formulation is based on the fact type 'quantity1 > quantity2'.
          The atomic formulation has a role binding.
            The role binding is of the role 'quantity1' of the fact type.
            The role binding binds to the second variable.
          The atomic formulation has a second role binding.
            The second role binding is of the role 'quantity2' of the fact type.
            The second role binding binds to the third variable.
XML formulation even more complex
SID Policy Domains
- Invariant definitions
- Instance-specific definitions
- Infrastructure components
SID Policy – Big Picture (diagram)
SID Policy – Digging into Rules
- Execution strategy – Do all actions, until failure, etc.
- Sequenced actions – Mandatory to best effort
- XxxCriteria are OCL-based restrictions on actions, etc. in derived rules
SID – Policy Details
SID – Shared Information/Data Model
- Described in Publication GB922, NGOSS Release 4, Addendum 1-POL
Constructs:
- Policy – a set of rules
- Policy Rule
- Policy Set – a group of policies
- Policy Event – an occurrence
- Policy Condition – an aggregation of individual PolicyConditions; boolean expression
- Policy Action – an aggregation of individual PolicyActions; "actions to be applied"
SID Policy – Related Constructs
- Policy Subject – set of entities that is the "focus of the policy" (as Roles)
- Policy Targets – set of entities that the policy will be applied to (as Roles)
- But not further related in the model, except that Entities have EntityRoles, and PolicyApplications also have Roles
SID Example Not Provided
- Cannot be compactly displayed
- Complex set of inter-related instances
- For example, ...
  - PolicyRules have 1 or more PolicyConditions
  - Which ultimately have to be defined as PolicyConditionAtomics
  - Which are related 1-to-1 to PolicyStatements
  - Which have 1 or more PolicyVariables
  - Which are made up of 1 or more values with 1 or more operators
  - Most concepts include related constraints (OCL)
- See detailed UML diagrams in backup
- In addition, domain-specific extensions require corresponding UML definitions
KAoS Overview
From IHMC – Florida Institute for Human Machine Cognition
- Infrastructure and ontology for policy specification, analysis, disclosure and enforcement
- Backing software implemented using Java Agent Services (JAS)
- Based on OWL-DL (OWL 1) for extensibility
  - Base ontology defines general policy concepts
  - Domain interpretations/extensions necessary for specific environments
- Includes generic reasoner interface (for example, Stanford Java Theory Prover or Pellet Reasoner)
- Incorporates concepts of both positive/negative authorization and obligation
http://ontology.ihmc.us/KAoS/KAoS%20Tutorial.pdf
KAoS Architecture (3 Layer)
- Policies distributed to Guards
- Implemented by enforcers
Policy Decision Point (diagram)
KAoS Policies
Starting from a Situation ...
- Where the situation has variables describing its state, and has a history
- Use of history: When [the actor] has performed [an action] which has [attributes] at least [some number] of times within the last [some number] [time period], then ...
- Use of state: When the [situation] has [state] with [attributes], then ...
Evaluate a Rule: An [Actor] is [constrained] to perform [an action] which has [attributes]
- Where an actor can be a specific instance, a type/class or role, or a logical union/complement/... of other instances or types (concepts all natively supported by OWL)
- Where the constraint defines +/- authorization or obligation
- Where the action is a type/class (such as movement) ...
KAoS Policies (Continued)
Evaluate a Rule: An [Actor] is [constrained] to perform [an action] which has [attributes] ...
- Where the attributes are the parameters of the action and can be:
  - Simple value restrictions (all/some values within a set of enumerated instances or of a certain type), OR
  - A relation (equals, subset of/superset of, at least one, none) of 2 or more attributes
Business logic calls KAoS Policy Service in the context of a given situation to:
- Test permission to perform an action
- Get obligations
- Get configuration (details allowed for action to be authorized)
KAoS Concepts
- Entity, Attribute, Group
- Actor
- Situation
- Condition
- Action, ActionStatus, ActionHistory
- Event, EventHistory
- Place
- Message
- Policy
Other concepts included by subclassing (for example, W3C time)
KAoS Policy Ontology (diagram)
KAoS Example (diagram)
Addressing Policy Conflicts
Found by semantic (subsumption-based) reasoning
KAoS Infrastructure De-Confliction
- Remove Policy: One of the overlapping policies can be completely removed
- Change Priority: Priorities of the policies can be modified so they either do not conflict or they alter the precedence relation
- Harmonize Policy: Controlled action of the selected overlapping policy can be modified using an automatic harmonization algorithm to eliminate their overlap
- Split Policy: Controlled action of the selected overlapping policy can be split into two parts: one part that overlaps with the other policy and the other which does not. Then the priorities of these parts can be modified independently. (The splitting algorithm is similar to the harmonization and is currently in development.)
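As an added example (not KAoS code; the class tree, policy records and all function names are constructed for illustration), the following approximates the subsumption-based conflict detection above with a small subclass hierarchy standing in for an OWL-DL reasoner, and then applies the Split Policy option to the controlled action of the broader policy so that the non-overlapping part can be prioritized independently.

```python
# Constructed subclass hierarchy (child -> parent) standing in for the ontology;
# sibling classes are assumed disjoint, which a real OWL reasoner would have to prove.
SUBCLASS = {
    "Nurse": "Staff", "Doctor": "Staff", "Staff": "Actor",
    "ReadRecord": "AccessRecord", "WriteRecord": "AccessRecord", "AccessRecord": "Action",
}

def ancestors(cls):
    """The class itself followed by all of its superclasses."""
    chain = [cls]
    while cls in SUBCLASS:
        cls = SUBCLASS[cls]
        chain.append(cls)
    return chain

def subsumes(general, specific):
    return general in ancestors(specific)

def overlap(a, b):
    """Classes overlap when either subsumes the other (disjoint siblings never do)."""
    return subsumes(a, b) or subsumes(b, a)

def make_policy(name, modality, actor, action, priority):
    """modality is '+' (positive authorization) or '-' (negative authorization)."""
    return {"name": name, "modality": modality, "actor": actor, "action": action, "priority": priority}

def conflicts(p, q):
    """Opposite modality with overlapping actor AND action classes: some actor could
    perform some action that one policy authorizes and the other forbids."""
    return (p["modality"] != q["modality"]
            and overlap(p["actor"], q["actor"])
            and overlap(p["action"], q["action"]))

def children(cls):
    return [c for c, parent in SUBCLASS.items() if parent == cls]

def split_policy(p, q):
    """Split p's controlled action into the part overlapping q's action and the parts
    that do not. Assumes p's action subsumes q's action (p is the broader policy)."""
    assert subsumes(p["action"], q["action"])
    rest, cls = [], q["action"]
    while cls != p["action"]:             # climb from q's action to p's, collecting siblings
        parent = SUBCLASS[cls]
        rest += [c for c in children(parent) if c != cls]
        cls = parent
    overlapping = dict(p, name=p["name"] + "/overlap", action=q["action"])
    disjoint = [dict(p, name=p["name"] + "/" + c, action=c) for c in rest]
    return overlapping, disjoint

if __name__ == "__main__":
    broad = make_policy("StaffMayAccess", "+", "Staff", "AccessRecord", 1)
    narrow = make_policy("NurseMayNotWrite", "-", "Nurse", "WriteRecord", 2)
    print(conflicts(broad, narrow))                    # True: Staff ⊇ Nurse, AccessRecord ⊇ WriteRecord
    part, rest = split_policy(broad, narrow)
    print([r["action"] for r in rest])                 # ['ReadRecord']: this part no longer conflicts
```

After the split only the "/overlap" part still collides with the negative policy, which is the part whose priority the Change Priority option would then adjust.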
Backup
SID Policy Conditions (diagram)
SID Policy Statements (diagram)
SID Policy Variables (diagram)
SID Policy Values (diagram)