[Attempto] ACE for XACML?

Kaarel Kaljurand kaljurand at gmail.com
Mon Nov 15 00:36:57 CET 2010


Hi,

On Mon, Nov 15, 2010 at 00:26, Brad Cox <bradjcox at gmail.com> wrote:
> No response? Can someone please advise.

I don't know much about XACML, but people have used OWL before
to work with XACML so maybe this is the way to go and the ACE->OWL
mapping can be used.

> Where I'm stuck is bog-stupid stuff that connects with my procedural
> background. All the examples are "Bob loves Mary" stuff, which I can't
> bridge to my "if the contents of field X is "Y" kind of problem. For
> example, I think I need to begin by teaching it XACML request
> structure and what amounts to assignment statements. Once the stupid
> stuff is in hand I'll move on to policy statements which are far more
> involved.
>
> Here's a first shot, that does compile in AceView.
>
> Every request R has a resource
> and has a action
> and has an environment
> and has a subject.

Here the use of the variable R has no impact on the semantics: it is not
referenced from within the every-sentence, and it is not possible to reference
it from the outside. Consider e.g. snippet (1)

(1) Every man R owns a car. R is rich.

which has the paraphrase (2)

(2) Every man owns a car.

There is something X1. X1 is rich.

i.e. the R of the first sentence in snippet (1) is not the same as the
R in the second sentence of snippet (1).


> Notice the two levels; requests contain subjects which contain other
> stuff. How do I specify "the uniqueidentifier of the request's
> subject? Is that even possible, or must it all stay flattened?

First notice that the verb 'has'/'have' translates to an object property.
Possibly for XACML a data property is more suitable. Also, consider
that 'has' is not syntactic sugar for the of-construct or the Saxon genitive;
it translates to a completely different logical entity. I.e. (3) and (4)
are not semantically equivalent in ACE:

(3) John has a friend who is Bill.

(4) John's friend is Bill.

I've been thinking of implementing (3) and (4) to map to the same
OWL form but haven't done this yet.

Otherwise, you can say things like:

(5) Request123 has a subject that has a uniqueidentifier that is ID123 .

where Request123 and ID123 will map to OWL individuals, 'has'
to an object property, and subject and uniqueidentifier to classes.

or

(6) The uniqueidentifier of the subject of Request123 is ID123 .

where Request123 and ID123 will map to OWL individuals,
and subject and uniqueidentifier to object properties.


> Then how to assign values. Here's what I've tried:
>
> The id of S is "Steve Finn".
>
> The cn of S is "Steve Finn".
>
> The sn of S is "Finn".
>
> The citizenshipstatus of S is "True".
>
> The clearance of S is "T".

The problem here is that all these sentences are separated by two
linebreaks which places them into different paragraphs. As a result,
the variable S introduces a new individual every time. Try instead:

(7) The id of S is "Steve Finn".
The cn of S is "Steve Finn".
The sn of S is "Finn".
The citizenshipstatus of S is "True".
The clearance of S is "T".

or equivalently:

(8) S's id is "Steve Finn".
S's cn is "Steve Finn".
S's sn is "Finn".
S's citizenshipstatus is "True".
S's clearance is "T".

Note that id, cn, ... will be data properties because their arguments in these
ACE sentences are strings.


Hope this helps a bit,
kaarel
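As an added illustration, not part of the original thread and not APE's actual output, here is one way sentences (5), (6) and (7) could land in OWL, written in Turtle; the namespace and the `_p` property names are my assumptions, and the final group shows what splitting (7) into separate paragraphs does to S.

```turtle
@prefix :    <http://example.org/ace-xacml#> .   # assumed namespace
@prefix owl: <http://www.w3.org/2002/07/owl#> .

# (5) Request123 has a subject that has a uniqueidentifier that is ID123 .
#     'has' -> one object property; subject, uniqueidentifier -> classes;
#     the indefinite noun phrases become anonymous individuals (blank nodes).
:has              a owl:ObjectProperty .
:subject          a owl:Class .
:uniqueidentifier a owl:Class .
:Request123 a owl:NamedIndividual ;
    :has [ a :subject ; :has :ID123 ] .
:ID123 a owl:NamedIndividual , :uniqueidentifier .

# (6) The uniqueidentifier of the subject of Request123 is ID123 .
#     subject, uniqueidentifier -> object properties; no classes involved.
:subject_p          a owl:ObjectProperty .   # "_p" only keeps the property
:uniqueidentifier_p a owl:ObjectProperty .   # names apart from the classes above
:Request123 :subject_p [ :uniqueidentifier_p :ID123 ] .

# (7) One paragraph: S denotes a single individual, so all five
#     data-property assertions attach to the same blank node.
:id a owl:DatatypeProperty .  :cn a owl:DatatypeProperty .
:sn a owl:DatatypeProperty .  :citizenshipstatus a owl:DatatypeProperty .
:clearance a owl:DatatypeProperty .
[] :id "Steve Finn" ;
   :cn "Steve Finn" ;
   :sn "Finn" ;
   :citizenshipstatus "True" ;   # a string literal, not a boolean
   :clearance "T" .

# The same five sentences separated by blank lines (five paragraphs):
# each S is a fresh individual, so the attributes never meet on one subject
# and a policy looking for a subject with clearance "T" AND sn "Finn" finds none.
[] :id "Steve Finn" .
[] :cn "Steve Finn" .
[] :sn "Finn" .
[] :citizenshipstatus "True" .
[] :clearance "T" .
```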

