There have been two parallel themes in access control research in recent years. On the one hand there are efforts to develop new access control models to meet the policy needs of real world application domains. In parallel, and almost separately, researchers have developed policy languages for access control. This paper is motivated by the consideration that these two parallel efforts need to develop synergy. A policy language in the abstract without ties to a model gives the designer little guidance. Conversely a model may not have the machinery to express all the policy details of a given system or may deliberately leave important aspects unspecified. Our vision for the future is a world where advanced access control concepts are embodied in models that are supported by policy languages in a natural intuitive manner, while allowing for details beyond the models to be further specified in the policy language.

This paper studies the relationship between the Web Ontology Language (OWL) and the Role Based Access Control (RBAC) model. Although OWL is a web ontology language and not specifically designed for expressing authorization policies, it has been used successfully for this purpose in previous work. OWL is a leading specification language for the Semantic Web, making it a natural vehicle for providing access control in that context. In this paper we show two different ways to support the NIST Standard RBAC model in OWL and then discuss how the OWL constructions can be extended to model attribute-based RBAC or more generally attribute-based access control. We further examine and assess OWL's suitability for two other access control problems: supporting attribute based access control and performing security analysis in a trust-management framework.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Mohammad A. Al-Kahtani , Ravi Sandhu, A Model for Attribute-Based User-Role Assignment, Proceedings of the 18th Annual Computer Security Applications Conference, p.353, December 09-13, 2002
	2	F. Baader. Restricted role-value-maps in a description logic with existential restrictions and terminological cycles. Proc. DL 2003.
	3	Franz Baader , Diego Calvanese , Deborah L. McGuinness , Daniele Nardi , Peter F. Patel-Schneider, The description logic handbook: theory, implementation, and applications, Cambridge University Press, New York, NY, 2003
	4	E. Barka , R. Sandhu, Framework for role-based delegation models, Proceedings of the 16th Annual Computer Security Applications Conference, p.168, December 11-15, 2000
	5	S. Bechhofer, F. van Harmelen Jim Hendler, I. Horrocks, D. L. McGuinness, P. F. Patel-Schneider, and L. A. Stein. Owl web ontology language reference, February 2004. http://www.w3.org/TR/owl-ref.
	6	Tim Berners-lee , Dan Connolly , Lalana Kagal , Yosi Scharf , Jim Hendler, N3logic: A logical framework for the world wide web, Theory and Practice of Logic Programming, v.8 n.3, p.249-269, May 2008  [doi>10.1017/S1471068407003213]
	7	N. Damianou, N. Dulay, E. Lupu, and M. Sloman. The ponder policy specification language. Lecture Notes in Computer Science, 1995, 2001.
	8	Wu Di , Lin Jian , Dong Yabo , Zhu Miaoliang, Using Semantic Web Technologies to Specify Constraints of RBAC, Proceedings of the Sixth International Conference on Parallel and Distributed Computing Applications and Technologies, p.543-545, December 05-08, 2005  [doi>10.1109/PDCAT.2005.247]
	9	David F. Ferraiolo , Ravi Sandhu , Serban Gavrila , D. Richard Kuhn , Ramaswamy Chandramouli, Proposed NIST standard for role-based access control, ACM Transactions on Information and System Security (TISSEC), v.4 n.3, p.224-274, August 2001  [doi>10.1145/501978.501980]
	10	David F. Ferraiolo , Ravi Sandhu , Serban Gavrila , D. Richard Kuhn , Ramaswamy Chandramouli, Proposed NIST standard for role-based access control, ACM Transactions on Information and System Security (TISSEC), v.4 n.3, p.224-274, August 2001  [doi>10.1145/501978.501980]
	11	S. Godik and T. Moses. OASIS extensible access control markup language (XACML). OASIS Committee Secification cs-xacml-specification-1.0, November 2002.
	12	P. Hayes and B. McBride. RDF Semantics. http://www.w3.org/TR/rdf-mt/, 2004.
	13	N. Heilili, Y. Chen, C. Zhao, Z. Luo, and Z. Lin. An owl based approach for rbac with negative authorization. Lecture Notes in Computer Science, 4092:164, 2006.
	14	I. Horrocks, P. Patel-Schneider, H. Boley, S. Tabet, B. Grosof, and M. Dean. SWRL: A semantic web rule language combining OWL and RuleML. W3C Member Submission, 21, 2004.
	15	Sushil Jajodia , Pierangela Samarati , V. S. Subrahmanian, A Logical Language for Expressing Authorizations, Proceedings of the 1997 IEEE Symposium on Security and Privacy, p.31, May 04-07, 1997
	16	Lalana Kagal , Tim Finin , Anupam Joshi, A Policy Language for a Pervasive Computing Environment, Proceedings of the 4th IEEE International Workshop on Policies for Distributed Systems and Networks, p.63, June 04-06, 2003
	17	O. Lassila, R. Swick, et al. Resource Description Framework (RDF) Model and Syntax Specification. 1999.
	18	Ninghui Li , Benjamin Grosof , Joan Feigenbaum, A Practically Implementable and Tractable Delegation Logic, Proceedings of the 2000 IEEE Symposium on Security and Privacy, p.27, May 14-17, 2000
	19	N. Li and J. Mitchell. RT: A Role-based Trust-management Framework. DARPA Information Survivability Conference and Exposition (DISCEX), pages 123--139.
	20	Ninghui Li , John C. Mitchell , William H. Winsborough, Design of a Role-Based Trust-Management Framework, Proceedings of the 2002 IEEE Symposium on Security and Privacy, p.114, May 12-15, 2002
	21	Ninghui Li , John C. Mitchell , William H. Winsborough, Beyond proof-of-compliance: security analysis in trust management, Journal of the ACM (JACM), v.52 n.3, p.474-514, May 2005  [doi>10.1145/1066100.1066103]
	22	D. L. McGuinness and F. van Harmelen. Owl web ontology language overview, February 2004. http://www.w3.org/TR/owl-features/.
	23	T. Moses et al. eXtensible Access Control Markup Language (XACML) Version 2.0. OASIS Standard, 200502, 2005.
	24	J. Park and R. Sandhu. The UCONABC usage control model. ACM Transactions on Information and System Security, 5(6), 2007.
	25	Alexander Pretschner , Manuel Hilty , David Basin, Distributed usage control, Communications of the ACM, v.49 n.9, September 2006  [doi>10.1145/1151030.1151053]
	26	M. Reith, J. Niu, and W. Winsborough. Model checking to security analysis in trust management. In ICDE Workshop on Security Technologies for Next Generation Collaborative Business Applications, 2007.
	27	C. N. Ribeiro, A. Zuquete, P. Ferreira, and P. Guedes. SPL: An access control language for security policies with complex constraints. In Network and Distributed System Security Symposium (NDSS'01), 2001.
	28	Ravi S. Sandhu , Edward J. Coyne , Hal L. Feinstein , Charles E. Youman, Role-Based Access Control Models, Computer, v.29 n.2, p.38-47, February 1996  [doi>10.1109/2.485845]
	29	R. S. Sandhu. Role-based access control. In M. Zerkowitz, editor, Advances in Computers, volume 48. Academic Press, 1998.
	30	M. Schmidt-Schauss. Subsumption in KL-one is undecidable. Fachber. Informatik, Univ, 1988.
	31	A. Prasad Sistla , Min Zhou, Analysis of dynamic policies, Information and Computation, v.206 n.2-4, p.185-212, February, 2008  [doi>10.1016/j.ic.2007.05.006]
	32	Anna C. Squicciarini , Elisa Bertino , Elena Ferrari , Indrakshi Ray, Achieving Privacy in Trust Negotiations with an Ontology-Based Approach, IEEE Transactions on Dependable and Secure Computing, v.3 n.1, p.13, January 2006  [doi>10.1109/TDSC.2006.3]
	33	B. Thuraisingham. Assured information sharing. Technical Report UTDCS-43-06, Computer Science Department, University of Texas Dallas, 2006. to appear as Book Chapter in Security Informatics by Springer, editor: H. Chen.
	34	G. Tonti, J. M. Bradshaw, R. Jeffers, R. Montanar, N. Suri1, and A. Uszok1. Semantic web languages for policy representation and reasoning: A comparison of kaos, rei, and ponder. In Proceedings of the 2nd International Semantic Web Conference (ISWC2003). Springer-Verlag, 2003.
	35	Lingyu Wang , Duminda Wijesekera , Sushil Jajodia, A logic-based framework for attribute based access control, Proceedings of the 2004 ACM workshop on Formal methods in security engineering, October 29-29, 2004, Washington DC, USA  [doi>10.1145/1029133.1029140]