@prefix xsd: .
@prefix rdf: .
@prefix rdfs: .
@prefix owl: .
@prefix dc: .
@prefix ts: .
@prefix : .
: a owl:Ontology ; rdfs:label "Triple Space Security Ontology"@en ; rdfs:comment "This ontology formalizes the structure and rules of Triple Space security policies, as described in deliverables D5.2 and D5.3"@en ; dc:creator "Jacek Kopecky " , "Davide Cerri " , "Francesco Corcoglioniti " ; dc:format "RDF" ; dc:date "2008-05-31"^^xsd:date .
dc:creator a owl:AnnotationProperty .
dc:format a owl:AnnotationProperty .
dc:date a owl:AnnotationProperty .
# =====================
# IMPORTED DECLARATIONS
# =====================
ts:Space a owl:Class .
ts:Kernel a owl:Class .
ts:AccessLogEntry a owl:Class .
# =====================
# SECURITY SPACE
# =====================
ts:Space rdfs:subClassOf [ a owl:Restriction ; owl:onProperty :hasSecurityData ; owl:cardinality 1 ] .
ts:Kernel rdfs:subClassOf [ a owl:Restriction ; owl:onProperty :hasSecurityData ; owl:cardinality 1 ] .
:hasSecurityData a owl:ObjectProperty , owl:FunctionalProperty ; rdfs:isDefinedBy : ; rdfs:label "security data"@en ; rdfs:comment "Links a triplespace with its associated security space."@en ; rdfs:range :SecuritySpace .
:SecuritySpace a owl:Class ; rdfs:isDefinedBy : ; rdfs:label "security space"@en ; rdfs:comment "Contains the security policies for an associated triplespace."@en ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty :hasPolicySet ; owl:cardinality 1 ] ; owl:disjointWith :PolicySet , :Policy , :PolicyCombiningAlgorithm , :RuleCombiningAlgorithm , :TrustFilteringRule , :Role , :RoleMapping , :RuleSeq , :Rule , :Effect , :Action , :AttributeConstraint , :Authority , :AccessDeniedLogEntry .
:hasTrustFilteringRule a owl:ObjectProperty ; rdfs:isDefinedBy : ; rdfs:label "trust filtering rule"@en ; rdfs:comment "Associates a trust filtering rule with a triplespace."@en ; rdfs:range :TrustFilteringRule .
:definesRole a owl:ObjectProperty ; rdfs:isDefinedBy : ; rdfs:label "defined role"@en ; rdfs:comment "Defines a role in the context of a triplespace; roles can be defined only by one triplespace and they are inherited by subspaces."@en ; rdfs:domain :SecuritySpace ; rdfs:range :Role .
:hasRoleMapping a owl:ObjectProperty ; rdfs:isDefinedBy : ; rdfs:label "role mapping rule"@en ; rdfs:comment "Associates a role mapping rule with a triplespace."@en ; rdfs:domain :SecuritySpace ; rdfs:range :RoleMapping .
:hasPolicySet a owl:ObjectProperty ; rdfs:isDefinedBy : ; rdfs:label "policy set"@en ; rdfs:comment "Links a triplespace with its policy set or a policy set with the policy sets of child triplespaces."@en ; rdfs:range :PolicySet .
# ==========
# POLICY SET
# ==========
:PolicySet a owl:Class ; rdfs:isDefinedBy : ; rdfs:label "policy set"@en ; rdfs:comment "A policy set defines the access control policy of a triplespace and the criterion for its combination with policies of subspaces."@en ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty :hasPolicy ; owl:cardinality 1 ] ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty :hasPolicyCombiningAlgorithm ; owl:cardinality 1 ] ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty :hasTarget ; owl:cardinality 1 ] ; owl:disjointWith :SecuritySpace , :Policy , :PolicyCombiningAlgorithm , :RuleCombiningAlgorithm , :TrustFilteringRule , :Role , :RoleMapping , :RuleSeq , :Rule , :Effect , :Action , :AttributeConstraint , :Authority , :AccessDeniedLogEntry .
:hasPolicy a owl:ObjectProperty , owl:FunctionalProperty ; rdfs:isDefinedBy : ; rdfs:label "policy"@en ; rdfs:comment "Relates a policy set with the access control policy of a triplespace."@en ; rdfs:range :Policy .
:hasPolicyCombiningAlgorithm a owl:ObjectProperty ; rdfs:isDefinedBy : ; rdfs:label "policy combining algorithm"@en ; rdfs:comment "Defines the policy combining algorithm for this triplespace."@en ; rdfs:domain :PolicySet ; rdfs:range :PolicyCombiningAlgorithm . :PolicyCombiningAlgorithm a owl:Class ; rdfs:isDefinedBy : ; rdfs:label "policy combining algorithm"@en ; rdfs:comment "A policy combining algorithm defines how the policies of a space and its subspaces have to be evaluated and their results combined."@en ; owl:oneOf ( :Deny-overrides :Permit-overrides :First-applicable :Last-applicable ) ; owl:disjointWith :SecuritySpace , :PolicySet , :Policy , :RuleCombiningAlgorithm , :TrustFilteringRule , :Role , :RoleMapping , :RuleSeq , :Rule , :Effect , :Action , :AttributeConstraint , :Authority , :AccessDeniedLogEntry . :Deny-overrides a :PolicyCombiningAlgorithm ; rdfs:isDefinedBy : ; rdfs:label "deny overrides"@en ; rdfs:comment "The 'deny overrides' algorithm specifies that both the parent space policy and the child space policy are evaluated: the result is 'deny' if at least one of the two returns 'deny'; otherwise, it is 'permit' if one returned 'permit' or 'not applicable'."@en ; owl:differentFrom :Permit-overrides , :First-applicable , :Last-applicable . :Permit-overrides a :PolicyCombiningAlgorithm ; rdfs:isDefinedBy : ; rdfs:label "permit overrides"@en ; rdfs:comment "The 'permit overrides' algorithm specifies that both the parent space policy and the child space policy are evaluated: the result is 'permit' if at least one of the two returns 'permit'; otherwise, it is 'deny' if one returned 'deny' or 'not applicable'."@en ; owl:differentFrom :Deny-overrides , :First-applicable , :Last-applicable . 
:First-applicable a :PolicyCombiningAlgorithm ; rdfs:isDefinedBy : ; rdfs:label "first applicable"@en ; rdfs:comment "The 'first applicable' algorithm specifies that the child space policy is evaluated first and its result is taken if different from 'not applicable'; otherwise, the parent space policy is evaluated and its result taken."@en ; owl:differentFrom :Deny-overrides , :Permit-overrides , :Last-applicable .
:Last-applicable a :PolicyCombiningAlgorithm ; rdfs:isDefinedBy : ; rdfs:label "last applicable"@en ; rdfs:comment "The 'last applicable' algorithm specifies that the parent space policy is evaluated first and its result is taken if different from 'not applicable'; otherwise, the child space policy is evaluated and its result taken."@en ; owl:differentFrom :Deny-overrides , :Permit-overrides , :First-applicable .
# ========
# POLICIES
# ========
:Policy a owl:Class ; rdfs:isDefinedBy : ; rdfs:label "policy"@en ; rdfs:comment "An access control policy defines the rule regulating which roles are authorized to perform certain actions on a triplespace."@en ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty :hasRuleCombiningAlgorithm ; owl:cardinality 1 ] ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty :hasTarget ; owl:cardinality 1 ] ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty :hasRules ; owl:maxCardinality 1 ] ; owl:disjointWith :SecuritySpace , :PolicySet , :PolicyCombiningAlgorithm , :RuleCombiningAlgorithm , :TrustFilteringRule , :Role , :RoleMapping , :RuleSeq , :Rule , :Effect , :Action , :AttributeConstraint , :Authority , :AccessDeniedLogEntry .
:hasRules a owl:ObjectProperty , owl:FunctionalProperty ; rdfs:isDefinedBy : ; rdfs:label "access control rules"@en ; rdfs:comment "Associates a policy with its ordered list of access control rules."@en ; rdfs:domain :Policy ; rdfs:range :RuleSeq .
:hasRuleCombiningAlgorithm a owl:ObjectProperty , owl:FunctionalProperty ; rdfs:isDefinedBy : ; rdfs:label "rule combining algorithm"@en ; rdfs:comment "Specifies the rule combining algorithm of an access control policy."@en ; rdfs:domain :Policy ; rdfs:range :RuleCombiningAlgorithm .
:RuleCombiningAlgorithm a owl:Class ; rdfs:isDefinedBy : ; rdfs:label "rule combining algorithm"@en ; rdfs:comment "A rule combining algorithm defines how the rules of an access control policy have to be evaluated and their results combined."@en ; owl:oneOf ( :Deny-rule-overrides :Permit-rule-overrides :First-applicable-rule ) ; owl:disjointWith :SecuritySpace , :PolicySet , :Policy , :PolicyCombiningAlgorithm , :TrustFilteringRule , :Role , :RoleMapping , :RuleSeq , :Rule , :Effect , :Action , :AttributeConstraint , :Authority , :AccessDeniedLogEntry .
:Deny-rule-overrides a :RuleCombiningAlgorithm ; rdfs:isDefinedBy : ; rdfs:label "deny rule overrides"@en ; rdfs:comment "The 'deny rule overrides' algorithm specifies that all rules are evaluated and their order is not relevant; the final result will be 'deny' if at least one rule returned 'deny'; otherwise 'permit' if a rule returned 'permit' or 'not applicable'."@en ; owl:differentFrom :Permit-rule-overrides , :First-applicable-rule .
:Permit-rule-overrides a :RuleCombiningAlgorithm ; rdfs:isDefinedBy : ; rdfs:label "permit rule overrides"@en ; rdfs:comment "The 'permit rule overrides' algorithm specifies that all rules are evaluated and their order is not relevant; the final result will be 'permit' if at least one rule returned 'permit'; otherwise 'deny' if a rule returned 'deny' or 'not applicable'."@en ; owl:differentFrom :Deny-rule-overrides , :First-applicable-rule .
:First-applicable-rule a :RuleCombiningAlgorithm ; rdfs:isDefinedBy : ; rdfs:label "first applicable rule"@en ; rdfs:comment "The 'first applicable rule' algorithm specifies that rules are evaluated according to their order; the result is the one returned by the first rule that returns 'permit' or 'deny'; if no rule returns 'permit' or 'deny', the result is 'not applicable'."@en ; owl:differentFrom :Deny-rule-overrides , :Permit-rule-overrides .
# ===============
# TRUST FILTERING
# ===============
:TrustFilteringRule a owl:Class ; rdfs:isDefinedBy : ; rdfs:label "trust filtering rule"@en ; rdfs:comment "A trust filtering rule specifies which attributes provided by the user may be considered trusted in the context of a triplespace and its subspaces."@en ; owl:disjointWith :SecuritySpace , :PolicySet , :Policy , :PolicyCombiningAlgorithm , :RuleCombiningAlgorithm , :Role , :RoleMapping , :RuleSeq , :Rule , :Effect , :Action , :AttributeConstraint , :Authority , :AccessDeniedLogEntry .
:PreestablishedTrustRule a owl:Class ; rdfs:isDefinedBy : ; rdfs:label "preestablished trust filtering rule"@en ; rdfs:comment "A preestablished trust filtering rule specifies that certain attributes (and possibly their values) stated by a given provider authority have to be considered trusted a-priori."@en ; rdfs:subClassOf :TrustFilteringRule ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty :hasAttributeProvider ; owl:cardinality 1 ] ; owl:disjointWith :TransitiveTrustRule .
:TransitiveTrustRule a owl:Class ; rdfs:isDefinedBy : ; rdfs:label "transitive trust filtering rule"@en ; rdfs:comment "A transitive trust filtering rule specifies that certain attributes (and possibly their values) stated by a given authority are trusted, as well as attributes coming from subordinate authorities or authorities that have a peering relationship with the target authority of this rule (under some constraints)."@en ; rdfs:subClassOf :TrustFilteringRule ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty :hasAttributeProvider ; owl:cardinality 1 ] ; owl:disjointWith :PreestablishedTrustRule . :hasMaxTrustChainLength a owl:DatatypeProperty , owl:FunctionalProperty ; rdfs:isDefinedBy : ; rdfs:label "max trust chain length"@en ; rdfs:comment "Specify the maximum length of a trust chain for a transitive trust filtering rule."@en ; rdfs:domain :TransitiveTrustRule ; rdfs:range xsd:nonNegativeInteger . :hasMaxPeeringTrustRelationships a owl:DatatypeProperty , owl:FunctionalProperty ; rdfs:isDefinedBy : ; rdfs:label "max number of peering trust relationships"@en ; rdfs:comment "Specify the maximum number of peering trust relationships in a trust chain for a transitive trust filtering rule."@en ; rdfs:domain :TransitiveTrustRule ; rdfs:range xsd:nonNegativeInteger . :hasAttributeProvider a owl:ObjectProperty , owl:FunctionalProperty ; rdfs:isDefinedBy : ; rdfs:label "attribute provider"@en ; rdfs:comment "Specify the attribute provider whose attributes are considered by a trust filtering rule."@en ; rdfs:range :Authority . 
# =======================
# ROLES AND ROLE MAPPINGS
# =======================
:Role a owl:Class ; rdfs:isDefinedBy : ; rdfs:label "role"@en ; rdfs:comment "Security roles are the bases for defining access control rules; they are dynamically associated to users through the application of role mapping rules to the attributes provided by them."@en ; owl:disjointWith :SecuritySpace , :PolicySet , :Policy , :PolicyCombiningAlgorithm , :RuleCombiningAlgorithm , :TrustFilteringRule , :RoleMapping , :RuleSeq , :Rule , :Effect , :Action , :AttributeConstraint , :Authority , :AccessDeniedLogEntry .
:owner a :Role ; rdfs:isDefinedBy : ; rdfs:label "owner"@en ; rdfs:comment "The 'owner' role is a pre-defined system role which grants the user the ownership of a triplespace and the possibility to change its security policy; note that other roles may be defined by space owners."@en .
:authenticated a :Role ; rdfs:isDefinedBy : ; rdfs:label "authenticated"@en ; rdfs:comment "The 'authenticated' role is a pre-defined system role associated to any user whose identity has been successfully verified and accepted by the SM."@en .
:RoleMapping a owl:Class ; rdfs:isDefinedBy : ; rdfs:label "role mapping rule"@en ; rdfs:comment "A role mapping rule specifies a set of criteria for dynamically associating security roles to a user on the basis of the attributes provided."@en ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty :hasRole ; owl:minCardinality 1 ] ; owl:disjointWith :SecuritySpace , :PolicySet , :Policy , :PolicyCombiningAlgorithm , :RuleCombiningAlgorithm , :TrustFilteringRule , :Role , :RuleSeq , :Rule , :Effect , :Action , :AttributeConstraint , :Authority , :AccessDeniedLogEntry .
:hasRole a owl:ObjectProperty ; rdfs:isDefinedBy : ; rdfs:label "mapped role"@en ; rdfs:comment "Specifies a role mapped to a user by a role mapping rule, in case it evaluates positively."@en ; rdfs:range :Role .
# ====================
# ACCESS CONTROL RULES
# ====================
:RuleSeq a owl:Class ; rdfs:isDefinedBy : ; rdfs:label "rule sequence"@en ; rdfs:comment "A sequence of access control rules; rules are ordered by means of a linked list of RDF nodes."@en ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty :hasRule ; owl:cardinality 1 ] ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty :hasTail ; owl:maxCardinality 1 ] ; owl:disjointWith :SecuritySpace , :PolicySet , :Policy , :PolicyCombiningAlgorithm , :RuleCombiningAlgorithm , :TrustFilteringRule , :Role , :RoleMapping , :Rule , :Effect , :Action , :AttributeConstraint , :Authority , :AccessDeniedLogEntry .
:hasRule a owl:ObjectProperty ; rdfs:isDefinedBy : ; rdfs:label "rule"@en ; rdfs:comment "Pointer to an access control rule."@en ; rdfs:range :Rule .
:hasTail a owl:ObjectProperty , owl:FunctionalProperty ; rdfs:isDefinedBy : ; rdfs:label "tail"@en ; rdfs:comment "The tail sequence associated to a rule sequence node."@en ; rdfs:domain :RuleSeq ; rdfs:range :RuleSeq .
:Rule a owl:Class ; rdfs:isDefinedBy : ; rdfs:label "access control rule"@en ; rdfs:comment "An access control rule either allows or denies a certain action according to whether a client request matches a certain target, defined in terms of user roles and requested action."@en ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty :hasEffect ; owl:cardinality 1 ] ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty :hasTarget ; owl:maxCardinality 1 ] ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty :hasTarget ; owl:allValuesFrom [ a owl:Restriction ; owl:onProperty :hasResource ; owl:cardinality 0 ] ] ; owl:disjointWith :SecuritySpace , :PolicySet , :Policy , :PolicyCombiningAlgorithm , :RuleCombiningAlgorithm , :TrustFilteringRule , :Role , :RoleMapping , :RuleSeq , :Effect , :Action , :AttributeConstraint , :Authority , :AccessDeniedLogEntry .
:hasEffect a owl:ObjectProperty ; rdfs:isDefinedBy : ; rdfs:label "effect"@en ; rdfs:comment "The effect returned by an access control rule, if it applies to a given request."@en ; rdfs:domain :Rule ; rdfs:range :Effect .
:Effect a owl:Class ; rdfs:isDefinedBy : ; rdfs:label "effect"@en ; rdfs:comment "An access control effect can be either 'permit' or 'deny'."@en ; owl:oneOf ( :Permit :Deny ) ; owl:disjointWith :SecuritySpace , :PolicySet , :Policy , :PolicyCombiningAlgorithm , :RuleCombiningAlgorithm , :TrustFilteringRule , :Role , :RoleMapping , :RuleSeq , :Rule , :Action , :AttributeConstraint , :Authority , :AccessDeniedLogEntry .
:Permit a :Effect ; rdfs:isDefinedBy : ; rdfs:label "permit"@en ; rdfs:comment "The 'permit' effect specifies that a client request should be authorized; note that the final result will depend also on the configured rule and policy combining algorithms."@en ; owl:differentFrom :Deny .
:Deny a :Effect ; rdfs:isDefinedBy : ; rdfs:label "deny"@en ; rdfs:comment "The 'deny' effect specifies that a client request should not be authorized; note that the final result will depend also on the configured rule and policy combining algorithms."@en ; owl:differentFrom :Permit .
# =======
# TARGETS
# =======
:hasTarget a owl:ObjectProperty ; rdfs:isDefinedBy : ; rdfs:label "target"@en ; rdfs:comment "Pointer to a target of a policy element."@en ; rdfs:range :Target .
:Target a owl:Class ; rdfs:isDefinedBy : ; rdfs:label "target"@en ; rdfs:comment "The target of a policy set, a policy or an access control rule. A target is a compound structure composed of a target triplespace, zero or more target user actions and zero or more security roles. Note that only the space can be specified for targets of policies and policy sets, while only actions and roles can be specified for targets of access control rules."@en ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty :hasResource ; owl:maxCardinality 1 ] ; owl:disjointWith :SecuritySpace , :PolicySet , :Policy , :PolicyCombiningAlgorithm , :RuleCombiningAlgorithm , :TrustFilteringRule , :Role , :RoleMapping , :RuleSeq , :Rule , :Effect , :Action , :AttributeConstraint , :Authority , :AccessDeniedLogEntry .
:hasSubject a owl:ObjectProperty ; rdfs:isDefinedBy : ; rdfs:label "subject role"@en ; rdfs:comment "Specifies a target role; the target is considered matched only if the user is mapped to this role; multiple roles can be used in a target."@en ; rdfs:range :Role .
:hasResource a owl:ObjectProperty ; rdfs:isDefinedBy : ; rdfs:label "triplespace"@en ; rdfs:comment "Specifies a target triplespace; this property can be used only for the targets of policy sets and policies."@en ; rdfs:range ts:Space .
:hasAction a owl:ObjectProperty ; rdfs:isDefinedBy : ; rdfs:label "action"@en ; rdfs:comment "Specifies a target action; the target is considered matched only if the user requested this action or one of the other actions defined in the target."@en ; rdfs:range :Action .
:Action a owl:Class ; rdfs:isDefinedBy : ; rdfs:label "action"@en ; rdfs:comment "A user action for which authorization is requested; note that actions are distinct from TS-API operations: operations may have a complex behaviour from a security point of view, thus each operation maps to one or more elementary actions, e.g. 'in' maps to 'read' + 'delete'."@en ; owl:oneOf ( :Write :Read :Delete :Subscribe :Recursion :Transaction :Create :Create-remote :Create-no-local-parent :Destroy :Policy-read ) ; owl:disjointWith :SecuritySpace , :PolicySet , :Policy , :PolicyCombiningAlgorithm , :RuleCombiningAlgorithm , :TrustFilteringRule , :Role , :RoleMapping , :RuleSeq , :Rule , :Effect , :AttributeConstraint , :Authority , :AccessDeniedLogEntry .
:Write a :Action ; rdfs:isDefinedBy : ; rdfs:label "write"@en ; rdfs:comment "The 'write' action corresponds to the capability of the user to add new triples to a triplespace."@en ; owl:differentFrom :Read , :Delete , :Subscribe , :Recursion , :Transaction , :Create , :Create-remote , :Create-no-local-parent , :Destroy , :Policy-read .
:Read a :Action ; rdfs:isDefinedBy : ; rdfs:label "read"@en ; rdfs:comment "The 'read' action corresponds to the capability of the user to read triples from a triplespace."@en ; owl:differentFrom :Write , :Delete , :Subscribe , :Recursion , :Transaction , :Create , :Create-remote , :Create-no-local-parent , :Destroy , :Policy-read .
:Delete a :Action ; rdfs:isDefinedBy : ; rdfs:label "delete"@en ; rdfs:comment "The 'delete' action corresponds to the capability of the user to delete existing triples from a triplespace."@en ; owl:differentFrom :Read , :Write , :Subscribe , :Recursion , :Transaction , :Create , :Create-remote , :Create-no-local-parent , :Destroy , :Policy-read .
:Subscribe a :Action ; rdfs:isDefinedBy : ; rdfs:label "subscribe"@en ; rdfs:comment "The 'subscribe' action corresponds to the capability of the user to subscribe to changes in data stored in a given triplespace, whose policy is evaluated."@en ; owl:differentFrom :Read , :Write , :Delete , :Recursion , :Transaction , :Create , :Create-remote , :Create-no-local-parent , :Destroy , :Policy-read .
:Recursion a :Action ; rdfs:isDefinedBy : ; rdfs:label "recursion"@en ; rdfs:comment "The 'recursion' action corresponds to the capability of the user to perform a recursive operation, such as a recursive read, rooted at the triplespace whose policy is evaluated."@en ; owl:differentFrom :Read , :Write , :Delete , :Subscribe , :Transaction , :Create , :Create-remote , :Create-no-local-parent , :Destroy , :Policy-read .
:Transaction a :Action ; rdfs:isDefinedBy : ; rdfs:label "transaction"@en ; rdfs:comment "The 'transaction' action corresponds to the capability of a user to initiate, conclude or participate in transactions; this is a kernel action."@en ; owl:differentFrom :Read , :Write , :Delete , :Subscribe , :Recursion , :Create , :Create-remote , :Create-no-local-parent , :Destroy , :Policy-read .
:Create a :Action ; rdfs:isDefinedBy : ; rdfs:label "create"@en ; rdfs:comment "The 'create' action corresponds to the capability of the user to create a new triplespace in the context of an existing triplespace, whose policy is evaluated."@en ; owl:differentFrom :Read , :Write , :Delete , :Subscribe , :Recursion , :Transaction , :Create-remote , :Create-no-local-parent , :Destroy , :Policy-read .
:Create-remote a :Action ; rdfs:isDefinedBy : ; rdfs:label "create remote"@en ; rdfs:comment "The 'create remote' action corresponds to the capability of the user to create a distributed space; this action is used in the policy of the parent space residing on the remote kernel, and determines whether the parent space allows the user to create a distributed space on a different kernel."@en ; owl:differentFrom :Read , :Write , :Delete , :Subscribe , :Recursion , :Transaction , :Create , :Create-no-local-parent , :Destroy , :Policy-read .
:Create-no-local-parent a :Action ; rdfs:isDefinedBy : ; rdfs:label "create space with no local parent"@en ; rdfs:comment "The 'create space with no local parent' action corresponds to the capability of the user to create a new root space or a distributed space child of a remote parent space on the local kernel; the usage of this action is restricted to the kernel policy."@en ; owl:differentFrom :Read , :Write , :Delete , :Subscribe , :Recursion , :Transaction , :Create , :Create-remote , :Destroy , :Policy-read .
:Destroy a :Action ; rdfs:isDefinedBy : ; rdfs:label "destroy"@en ; rdfs:comment "The 'destroy' action corresponds to the capability of the user to destroy an existing triplespace, whose security policy is evaluated."@en ; owl:differentFrom :Read , :Write , :Delete , :Subscribe , :Recursion , :Transaction , :Create , :Create-remote , :Create-no-local-parent , :Policy-read .
:Policy-read a :Action ; rdfs:isDefinedBy : ; rdfs:label "get policy"@en ; rdfs:comment "The 'get policy' action corresponds to the capability of the user to read the security policy of a triplespace, whose policy is evaluated."@en ; owl:differentFrom :Read , :Write , :Delete , :Subscribe , :Recursion , :Transaction , :Create , :Create-remote , :Create-no-local-parent , :Destroy .
# =====================
# ATTRIBUTE CONSTRAINTS
# =====================
:hasAttributeConstraint a owl:ObjectProperty ; rdfs:isDefinedBy : ; rdfs:label "attribute constraint"@en ; rdfs:comment "Defines an attribute constraint specifying for which attributes a preestablished trust filtering or role mapping rule applies."@en ; rdfs:range :AttributeConstraint .
:AttributeConstraint a owl:Class ; rdfs:isDefinedBy : ; rdfs:label "attribute constraint"@en ; rdfs:comment "An attribute constraint specifies a boolean condition on a key=value attribute, which can be either satisfied or not."@en ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty :hasAttributeName ; owl:cardinality 1 ] ; owl:disjointWith :SecuritySpace , :PolicySet , :Policy , :PolicyCombiningAlgorithm , :RuleCombiningAlgorithm , :TrustFilteringRule , :Role , :RoleMapping , :RuleSeq , :Rule , :Effect , :Action , :Authority , :AccessDeniedLogEntry .
:hasAttributeName a owl:DatatypeProperty , owl:FunctionalProperty ; rdfs:isDefinedBy : ; rdfs:label "attribute name"@en ; rdfs:comment "Specifies the attribute name for an attribute constraint."@en ; rdfs:domain :AttributeConstraint ; rdfs:range xsd:string .
:hasAttributeValue a owl:DatatypeProperty , owl:FunctionalProperty ; rdfs:isDefinedBy : ; rdfs:label "attribute value"@en ; rdfs:comment "Optionally constrains the attribute value for an attribute constraint."@en ; rdfs:domain :AttributeConstraint ; rdfs:range xsd:string .
# ===========
# AUTHORITIES
# ===========
:Authority a owl:Class ; rdfs:isDefinedBy : ; rdfs:label "authority"@en ; rdfs:comment "An authority able to certify the identity or the attributes of a user; authorities are securely identified by means of certificates stored in policies."@en ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty :hasX509Certificate ; owl:cardinality 1 ] ; owl:disjointWith :SecuritySpace , :PolicySet , :Policy , :PolicyCombiningAlgorithm , :RuleCombiningAlgorithm , :TrustFilteringRule , :Role , :RoleMapping , :RuleSeq , :Rule , :Effect , :Action , :AttributeConstraint , :AccessDeniedLogEntry .
:hasX509Certificate a owl:DatatypeProperty ; rdfs:isDefinedBy : ; rdfs:label "X509 certificate"@en ; rdfs:comment "Specifies an X509 certificate identifying an authority."@en ; rdfs:range xsd:string .
# ==========
# ACCESS LOG
# ==========
:AccessDeniedLogEntry a owl:Class ; rdfs:isDefinedBy : ; rdfs:label "access denied log entry"@en ; rdfs:comment "An access denied log entry generated for rejected user requests."@en ; rdfs:subClassOf ts:AccessLogEntry ; owl:disjointWith :SecuritySpace , :PolicySet , :Policy , :PolicyCombiningAlgorithm , :RuleCombiningAlgorithm , :TrustFilteringRule , :Role , :RoleMapping , :RuleSeq , :Rule , :Effect , :Action , :AttributeConstraint , :Authority .