policy language overview

ANDREA WESTERINENCA TECHNOLOGIES

APR 28, 2011

Policy Language Overview

1

Topics

Overview and comparison of:

DMTF’s CIM and CIM-SPL (Simplified Policy Language) Ponder2 from Imperial College XACML AIR from MIT REI from UMBC RuleML OMG’s SBVR TMForum’s SID KAoS from IHMC

2

UNCLASSIFIED // FOR OFFICIAL USE ONLY

Language Comparison

Encoding Structure Oblig/ Perm

Sem WebSupport?

Std?

CIM-SPL

DSL; UTF-8

If-then Obligation

No ~

Ponder2 DSL (Derived from Small-talk); UTF- 8 and XML

ECA and Pos/Neg Authoriz

Obligation and Permission

No No

XACML XML Condition-Effect (Permit/ Deny)

Permission with related Obligations

Yes, via 3rd party code (Clark & Parsia)

Yes

3


Language Comparison (Continued)

Encoding

Structure Oblig/ Perm

Sem WebSupport?

Std?

AIR (Account-ability in RDF)

Turtle Condition-Assertion

~Permission (Validation)

Yes No

REI (Japanese for “universal”)

OWL-Lite + Variables

Condition-Action with Starting and Ending Conditions


Yes No

4




Sem WebSupport?

Std?

RuleML Various encodings (focus on interop between the encodings)

Horn clauses (Head <- Body), Evolution toward event-condition-action

N/A Yes ~Yes

OMG’s SBVR

XMI encoding of UML instances

Instances of quantifications, atomic formulations, role bindings, fact types, …


Not directly, via mapping to ISO Common Logic

Yes

5




Sem WebSupport?

Std?

TMForum’s SID

XMI encoding of UML instances

Complex set of inter-related instances (supporting Event-Condition-Action)

Obligation No (?) Yes

IHMC’s KAoS

OWL/RDF Situation (event or history) -> Authorization and/or Obligations/ Actions


Yes No

6

Language Overviews

7

CIM and CIM-SPL

Constructs: PolicyGroup (set of rules) PolicyRule (set of conditions and actions) PolicyCondition (broad set of operators defined, but

extensible only as macros) PolicyAction

Supports definition of rules whose conditions consist of CIM data properties, and whose actions invoke CIM operations or function calls Actions include operations on the CIM data repository to

change properties, create an instance, etc.

8

PolicyGroup Structure (CIM-SPL)

Import CIM_V<major>_<minor>_<release><final or preliminary><mof file name w/o extension>::<class name>:<simple Boolean condition> ;

Strategy [Execute_All_Applicable | Execute_First_Applicable] ;

Declaration { <List of constant definition> (Optional) <List of macro definitions> (Optional) }

Policy { … } : Priority; Policy { … } : Priority; … PolicyGroup:[Association Name(Property1,Property2)]

{ … }: Priority; …

9

Example (CIM-SPL)

Import SAMPLE CIM_V_2_8_CIM_Core28-Final::PhysicalElement; May further filter target instances via the specification of a condition

Strategy Execute_All_Applicable; Declaration {

InstallDate="ManagedSystemElement.InstallDate"; Macro { Name = Age; Type = Long; Arguments Born:DATETIME; Procedure = getYear(CurrentDate) – getYear(Born) } }

Policy { Condition { 4 > Age(InstallDate) AND VendorEquipmentType == "switch“ } Decision { Upgrade (SKU) }

}:1

Target

Variables and Procs

Rule

Priority

If Multiple Policies Defined

10

Ponder2

Combines: Domain Service (for managing objects) Obligation Policy Interpreter (for handling Event-Condition-Action

rules) Command Interpreter (accepts commands written in PonderTalk

to perform actions against objects registered in the Domain Service)

Authorization Enforcement (supports positive and negative authorization and conflict resolution)

Constructs Policies are sets of rules Rules address either obligation or permission Obligation policies consist of condition/action definitions

Infrastructure resolves conflicts between policies that apply to the same (subject, target, action)-triple Based on “more specific” rule (“more specific” type in the

hierarchy)

11

Obligation Policy (Ponder2)

template := root/factory/event create: #( "monitor" "value" ).

root/event at: "monitor" put: template.policy := root/factory/ecapolicy create. policy event: root/event/monitor;

condition: [ :value | value > 100 ]; action: [ :monitor :value | root print:

"Monitor " + monitor + " has value " + value 6 ]; active: true.

12

Authorization Policy (Ponder2)

root/tauthdom at: "a3" put: (newauthpol subject: root/personnel/nurse/ward1/nurse1 action: "getrecord“ target: root/patient/ward1/patient1 focus:"t" ). root/tauthdom/a3 reqneg. root/tauthdom/a3 reqcondition:

[ :nurselevel | nurselevel < 3]. root/tauthdom/a3 repneg. root/tauthdom/a3 repcondition:

[ :patrecord | patrecord =="[name= Harry;age= 12;symptom=BonelessArm]"].

root/tauthdom/a3 active: true.

Rule name

Rule

Where enforcedPositive/Neg Authz

Additional conditionson subject/target

Active (T/F)

13


XACML 3 Concepts

Permit/Deny

First applicableDeny overridesPermit overridesOnly one applicable…

Attributes defined asname/value pairs

Broad set of operators and extensible

Action beforeor after access

14

Example (XACML)

<Policy PolicyId="SamplePolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">  <Target>

<Subjects> <AnySubject/> </Subjects> <Resources> <ResourceMatch

MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType=“...XMLSchema#string">

SampleServer</AttributeValue> <ResourceAttributeDesignator DataType=“…

XMLSchema#string" AttributeId=“…:resource:resource-id"/> </ResourceMatch> </Resources> <Actions> <AnyAction/> </Actions>

</Target>

15

Rule in a Policy (XACML)

<Rule RuleId="LoginRule" Effect="Permit">  <Target>

<Subjects> <AnySubject/> </Subjects> <Resources> <AnyResource/> </Resources> <Actions> <ActionMatch

MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType=“…

XMLSchema#string">login</AttributeValue> <ActionAttributeDesignator DataType=“…

XMLSchema#string" AttributeId="ServerAction"/> </ActionMatch> </Actions>

</Target>

16

Condition in a Rule (XACML)

 <Condition

FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"> <Apply FunctionId=“…function:time-greater-than-or-equal" >

<Apply FunctionId=“…function:time-one-and-only"> <EnvironmentAttributeSelector DataType=“…

XMLSchema#time" AttributeId=“…environment:current-time"/>

</Apply> <AttributeValue DataType=“…

XMLSchema#time">09:00:00</AttributeValue> </Apply> <Apply FunctionId=“…function:time-less-than-or-equal" >

As above, but the time is 17:00:00 </Apply>

</Condition>

17

Multiple Rules in a Policy (XACML)

</Rule>





<Rule RuleId="FinalRule" Effect="Deny"/>

</Policy>

18

AIR

Allows control over reasoning by invoking rules according to pattern matching, dependency tracking (explanations), nesting of rules and goal direction

Rule types: Belief – forward chaining deduction Goal – means to limit the application of rules Hidden – not shown as step in the deduction/explanation

Rule actions: Assertions (statement added to beliefs) Subrules Alternatives

19


AIR Concepts20

Example (AIR)

@forAll :PERSON, :CITY, :STATE.:ny_neighbor_state_residency_policy a air:Policy; air:rule :non-ny-residency-rule.:non-ny-residency-rule a air:Belief-rule;

rdfs:label "Non NY residency rule"; air:pattern {:PERSON tamip:Lives_in_city :CITY.}; air:rule [ air:pattern {:CITY tamip:Has_state :NY.};

air:alt [air:rule :neighbor-state-rule] ].:neighbor-state-rule a air:Belief-rule;

rdfs:label "neighbor state rule"; air:pattern { :CITY tamip:Has_state :STATE.

:NY tamip:Neighbor_state :STATE.}; air:assert { :PERSON air:compliant-

with :ny_neighbor_state_residency_policy. }.

Rules in Policy

Subrules in Rule

21

REI

Supports deontic objects Permissions, Prohibitions, Obligations, Dispensations (waiver for

obligations) Common Properties : Actor, Action, Constraint

{StartingConstraint, EndingConstraint} StartingConstraint subproperty of Constraint

Uses speech acts for dynamic policy modification Delegation, Revocation, Request, Cancel Properties : Sender, Receiver, Content (Deontic object/Action),

Conditions

Focused on security and privacyUses meta policies for conflict resolution

22


REI Concepts23


REI Ontologies24

Example (REI)

<policy:Policy rdf:ID="DeptPolicy"> <policy:context rdf:resource="#IsMemberOfCS"/> <policy:grants rdf:resource="#Perm_StudentPrinting"/> <policy:grants rdf:resource="#Granting_StudentLaserPrinting"/> <policy:defaultBehavior

rdf:resource="&metapolicy;ExplicitPermExplicitProh"/> <policy:defaultModality

rdf:resource="&metapolicy;PositiveModalityPrecedence"/> <policy:metaDefault

rdf:resource="&metapolicy;CheckModalityFirst"/> <policy:rulePriority rdf:resource="#PriorityBA"/> <policy:imports

rdf:resource="#SchoolPolicyWithGreaterPriority"/> </policy:Policy>

Constraints that definethe domain

Associates deontic obj

Explicit/implicitpermission/prohibition

Whether pos/negrules take precedence

Or Priority

Resource defining ruleOfGreater/LesserPriority

25

Example Deontic Object (REI)

If you borrow a book from the library, you’re obliged to return it before the due date, otherwise you must pay a fine<deontic:Obligation rdf:ID=”Obl_ReturnBook">

<deontic:actor rdf:resource="#PersonVar"/><deontic:action rdf:resource=”&inst;ReturnBook"/><deontic:StartingConstraint

rdf:resource="#IsMemberAndBorrowedBook"/><deontic:EndingConstraint

rdf:resource="#BeforeDueDate"/><deontic:sanction rdf:resource=”&inst;PayFine"/>

</deontic:Obligation>

26

Example Speech Act (REI)

’Marty' revokes the permission to use a specific action ’HP123Printing from 'George'<action:Revocation rdf:ID=”MartyFromGeorge"> <action:sender rdf:resource="&inst;Marty"/> <action:receiver rdf:resource="&inst;George"/> <action:content>

<deontic:Permission><deontic:action rdf:resource ="&inst;HP123Printing"/>

</deontic:Permission></action:content>

</action:Revocation>

27

RuleML

Concerned with rule interop “between industry standards Such as JSR 94, SQL'99, OCL, BPMI, WSFL, XLang, XQuery, RQL,

OWL, DAML-S, and ISO Prolog) As well as established systems (CLIPS, Jess, ILOG JRules, Blaze

Advisor, Versata, MQWorkFlow, BizTalk, Savvion, etc.)” http://ruleml.org/

Developed a base RuleML specification and a hierarchy of rule types Based on Datalog/Horn clauses and n-ary relations Unary/binary form of these clauses used in OWL/SWRL

Developed transformations from and to other rule standards/systems

Also addressing coordinated tool development Such as an XSLT normalizer to check syntax, add role tags and missing

attributes

28

http://ruleml.org/

RuleML Rule Hierarchy

Basic structure dealing with implications (head <- body), with details in relationships between variables

Most work in this area

29

RuleML Example"A customer is premium if their spending has

been min 5000 euro in the previous year.“ <Implies> <head>

<Atom> <Rel>premium</Rel> <Var>customer</Var> </Atom> </head> <body>

<Atom> <Rel>spending</Rel> <Var>customer</Var>

<Ind>min 5000 euro</Ind> <Ind>previous year</Ind> </Atom>

</body> </Implies>

DerivationConclusion

Premises

30

SBVR

Semantics of Business Vocabularies and Business RulesBased on semantic and first-order logic conceptsDefines UML constructs to represent vocabularies &

rulesAssumed multi-lingual

Separates “symbols” from their concepts/semanticsDefines basic vocabulary/rule exchange structure using

MOF/XMI Includes approach to convert “structured English” to

SBVR concepts in (non-normative) Annex C Annex “describes one … way of using English that maps

mechanically to SBVR concepts.” “It is not meant to offer all of the variety of common English,

but rather, it uses a small number of English structures and common words to provide a simple and straightforward mapping.”

31

UNCLASSIFIED // FOR OFFICIAL USE ONLYSBVR Details (Core Definitions to Instances)

http://www.omg.org/news/meetings/ThinkTank/past-events/2006/presentations/04-WS1-2_Hall.pdf

32


Major Areas Addressed by SBVR33


SBVR Community34


SBVR Meanings 35


SBVR Semantic/Logical Formulations36


SBVR Policies and Rules37

SBVR Example

Very complex instantiation, even for simple rules … For example … Definition: the age of the driver is at least the EU-

Rent Minimum Driving Age Results in a complex set of variables,

quantifications, atomic formulations, role bindings, fact types, … The definition is represented by a projection The projection is on a first variable

The first variable ranges over the concept ‘driver’ … The first variable maps to the one role of the characteristic.

The projection is constrained by a first universal quantification … Continued on the next slide

XML formulation even more complex

38

SBVR Example (Continued) The first universal quantification introduces a second variable. . . . The

second variable ranges over the concept ‘age’. . . . The second variable is unitary. . . . The second variable is restricted by an atomic formulation. . . . . The atomic formulation is based on the fact type ‘driver has age’. . . . . The atomic formulation has a role binding. . . . . . The role binding is of the role ‘driver’ of the fact type. . . . . . The role binding binds to the first variable. . . . . The atomic formulation has a second role binding. . . . . . The second role binding is of the role ‘age’ of the fact type. . . . . . The second role binding binds to the second variable.

The first universal quantification scopes over a second universal quantification. . . . The second universal quantification introduces a third variable. . . . . The third variable ranges over the concept ‘EU-Rent Minimum Driving Age’. . . . . The third variable is unitary.

The second universal quantification scopes over an atomic formulation. . . . . The atomic formulation is based on the fact type ‘quantity1 > quantity2’. . . . . . The atomic formulation has a role binding. . . . . . . The role binding is of the role ‘quantity1’ of the fact type. . . . . . . The role binding binds to the second variable. . . . . . The atomic formulation has a second role binding. . . . . . . The second role binding is of the role ‘quantity2’ of the fact type. . . . . . . The second role binding binds to the third variable.

39


SID Policy Domains

Invariant definitionsInstance-specific

definitionsInfrastructure components

40


SID Policy – Big Picture41


SID Policy – Digging into Rules

Execution strategy – Do all actions, until failure, etc.Sequenced actions – Mandatory to best effortXxxCriteria are OCL-based restrictions on actions, etc. in derived rules

42

SID – Policy Details

SID – Shared Information/Data Model Described in Publication GB922, NGOSS Release 4,

Addendum 1-POL Constructs:

Policy – a set of rules Policy Rule

Policy Set – a group of policies Policy Event – an occurrence Policy Condition – an aggregation of individual PolicyConditions;

boolean expression Policy Action – an aggregation of individual PolicyActions;

“actions to be applied”

43

SID Policy – Related Constructs

Policy Subject – set of entities that is the “focus of the policy” (as Roles)

Policy Targets – set of entities that the policy will be applied to (as Roles)

But not further related in the model, except that Entities have EntityRoles, and PolicyApplications also have Roles

44

SID Example Not Provided

Cannot be compactly displayedComplex set of inter-related instancesFor example, …

PolicyRules have 1 or more PolicyConditions Which ultimately have to be defined as PolicyConditionAtomics Which are related 1-to-1 to PolicyStatements Which have 1 or more PolicyVariables Which are made up of 1 or more values with 1 or more operators Most concepts include related constraints (OCL)

See detailed UML diagrams in backup

In addition, domain-specific extensions require corresponding UML definitions

45

KAoS Overview

From IHMC – Florida Institute for Human Machine Cognition

Infrastructure and ontology for policy specification, analysis, disclosure and enforcement Backing software implemented using Java Agent Services (JAS)

Based on OWL-DL (OWL 1) for extensibility Base ontology defines general policy concepts Domain interpretations/extensions necessary for specific

environments Includes generic reasoner interface (for example, Stanford Java

Theory Prover or Pellet Reasoner)Incorporates concepts of both positive/negative

authorization and obligation http://ontology.ihmc.us/KAoS/KAoS%20Tutorial.pdf

46

http://ontology.ihmc.us/KAoS/KAoS%20Tutorial.pdf

KAoS Architecture (3 Layer)

Policies distributed to GuardsImplemented by enforcers

47


Policy Decision Point48

KAoS Policies

Starting from a Situation … Where the situation has variables describing its state, and has a

history Use of history: When [the actor] has performed [an action] which has

[attributes] at least [some number] of times within the last [some number] [time period], then …

Use of state: When the [situation] has [state] with [attributes], then …Evaluate a Rule: An [Actor] is [constrained] to

perform [an action] which has [attributes] Where an actor can be a specific instance, a type/class or role, or a

logical union/complement/… of other instances or types (concepts all natively supported by OWL)

Where the constraint defines +/- authorization or obligation Where the action is a type/class (such as movement) …

49

KAoS Policies (Continued)

Evaluate a Rule: An [Actor] is [constrained] to perform [an action] which has [attributes] … Where the attributes are the parameters of the action and can be:

Simple value restrictions (all/some values within a set of enumerated instances or of a certain type) – OR

A relation (equals, subset of/superset of, at least one, none) of 2 or more attributes

Business logic calls KAoS Policy Service in the context of a given situation to: Test permission to perform an action Get obligations Get configuration (details allowed for action to be authorized)

50

KAoS Concepts

Entity, Attribute, GroupActorSituationConditionAction, ActionStatus, ActionHistoryEvent, EventHistoryPlaceMessagePolicy

Other concepts included by subclassing (for example, W3C time)

51


KAoS Policy Ontology52


KAoS Example53


Addressing Policy Conflicts

Found by semantic (subsumption-based) reasoning

54

KAoS Infrastructure De-Confliction

Remove Policy One of the overlapping policies can be completely removed

Change Priority Priorities of the policies can be modify so they either do not

conflict or they alter the precedence relationHarmonize Policy

Controlled action of the selected overlapping policy can be modified using an automatic harmonization algorithm to eliminate their overlap

Split Policy Controlled action of the selected overlapping policy can be split

into two parts: one part that overlaps with the other policy and the other which does not. Then the priorities of these parts can be modified independently. (The splitting algorithm is similar to the harmonization and is currently in development.)

55

Backup56


SID Policy Conditions57


SID Policy Statements58


SID Policy Variables59


SID Policy Values60

policy language overview

Documents