Fig. 4. An example of SoD-C in multi-domain systems
to use the following approach to construct our TBox and ABox. First, we
extract the TBox from the VRBAC model manually, as shown in Fig. 5, in which dom
represents the definitional domain while ran means the range of the predicate;
:transitive is optional and is used for relations with transitivity.
From Fig. 2 we can see that, besides the new VM and Domain concepts, some
predicate relations have also been declared, including with Domain, which indicates
an instance's domain, has subResource, which expresses the inheritance relationship
between VM and Resource, and so on.
Although the vast majority of the ABox will be generated automatically, a
fraction of it behaves in a fundamental way like the TBox and requires
initialization before DL reasoning. In fact, most of the initialized ABox assertions
are definitions of operations and actions:
(instance read Operation)
(instance write Operation)
(instance execute Operation)
(instance permit Action)
(instance deny Action)
The functionality of DL reasoning is greatly enhanced when it is used with
SWRL. SWRL is a declarative language which specifies the abstract syntax for
Horn-like rules. If we express every VRBAC constraint in SWRL rule form,
we can establish a one-to-one mapping between VRBAC constraints and SWRL
rules. The converted SWRL rules can then be used to deduce new ABox assertions
from pre-existing ones.
In our VRBAC model, we have applied 9 SWRL rules: 6 auxiliary ones and
3 primary ones. Among the auxiliary rules, two are of great importance:
has subSubject(?s1, ?s2)
has subSubject(?s2, ?s3)
has subSubject(?s1, ?s3)
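The deduction step described above, as an added example that is not code from the original text: a minimal forward-chaining loop that derives new ABox assertions from existing ones until nothing new appears. It assumes the three atoms above form one Horn-like rule (two body atoms, one head atom); the spelling `has_subSubject`, the subject names and the tuple encoding of assertions are also assumptions.

```python
# Added example: forward chaining of Horn-like rules over ABox assertions.
# Assertions are tuples (predicate, arg1, arg2); terms starting with "?" are variables.

def unify(pattern, fact, env):
    """Match one rule atom against one ground assertion; return bindings or None."""
    if len(pattern) != len(fact):
        return None
    env = dict(env)
    for p, f in zip(pattern, fact):
        if p.startswith("?"):
            if env.setdefault(p, f) != f:   # variable already bound to another value
                return None
        elif p != f:
            return None
    return env

def match_body(body, facts, env):
    """Yield every variable binding that satisfies all atoms of a rule body."""
    if not body:
        yield env
        return
    for fact in facts:
        new_env = unify(body[0], fact, env)
        if new_env is not None:
            yield from match_body(body[1:], facts, new_env)

def forward_chain(abox, rules):
    """Apply the rules repeatedly until no new assertion is derived (fixpoint)."""
    facts = set(abox)
    while True:
        derived = set()
        for body, head in rules:
            for env in match_body(body, facts, {}):
                derived.add(tuple(env.get(t, t) for t in head))
        if derived <= facts:
            return facts
        facts |= derived

# Assumed reading of the rule above: the first two atoms imply the third.
TRANSITIVE_SUBSUBJECT = (
    [("has_subSubject", "?s1", "?s2"), ("has_subSubject", "?s2", "?s3")],
    ("has_subSubject", "?s1", "?s3"),
)
# Constructed ABox: two initialized assertions plus a three-link subject chain.
ABOX = {
    ("instance", "read", "Operation"), ("instance", "permit", "Action"),
    ("has_subSubject", "sA", "sB"), ("has_subSubject", "sB", "sC"),
    ("has_subSubject", "sC", "sD"),
}
CLOSED = forward_chain(ABOX, [TRANSITIVE_SUBSUBJECT])
```

The fixpoint test also makes the loop terminate on cyclic subject relations, which only add reflexive pairs before no further assertion can be derived.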
 