wsmlVariant _"http://www.wsmo.org/wsml/wsml-syntax/wsml-flight"

namespace { _"http://www.tripcom.org/ontologies/ts-sec-onto#",
    rdf _"http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    rdfs _"http://www.w3.org/2000/01/rdf-schema#",
    xsd _"http://www.w3.org/2001/XMLSchema#",
    foaf _"http://xmlns.com/foaf/0.1/",
    dc _"http://purl.org/dc/elements/1.1/",
    ts _"http://www.tripcom.org/ontologies/tsonto#" }

ontology _"http://www.tripcom.org/ontologies/ts-sec-onto.wsml"

importsOntology _"http://www.tripcom.org/ontologies/tsonto-core.wsml"

// Security space

concept ts#Space
    hasSecurityData impliesType (1) SecuritySpace

concept ts#Kernel
    hasSecurityData impliesType (1) SecuritySpace

concept SecuritySpace
    hasTrustFilteringRule impliesType TrustFilteringRule
    definesRole impliesType Role
    hasRoleMapping impliesType RoleMapping
    hasPolicySet impliesType (1) PolicySet

// Trust filtering

concept TrustFilteringRule

concept PreestablishedTrustRule subConceptOf TrustFilteringRule
    hasAttributeProvider impliesType (1) Authority
    hasAttributeConstraint impliesType (0 *) AttributeConstraint

concept TransitiveTrustRule subConceptOf TrustFilteringRule
    hasAttributeProvider impliesType (1) Authority
    hasAttributeConstraint impliesType (0 *) AttributeConstraint
    hasMaxTrustChainLength impliesType (0 1) _integer
    hasMaxPeeringTrustRelationships impliesType (0 1) _integer

concept Authority
    hasX509Certificate impliesType (1) _string  // certificates are binary objects to be encoded as strings

concept AttributeConstraint
    hasAttributeName impliesType (1) _string
    hasAttributeValue impliesType (0 1) _string

// Role mapping

concept RoleMapping
    hasAttributeConstraint impliesType (0 *) AttributeConstraint
    hasRole impliesType (1 *) Role

concept Role
// most instances of Role are user-defined; here go the predefined ones
instance owner memberOf Role
instance authenticated memberOf Role

// Access control

concept PolicySet
    hasPolicySet impliesType PolicySet  // implied by the space hierarchy
    hasPolicy impliesType (1) Policy  // implied by the space ownership
    hasPolicyCombiningAlgorithm impliesType (1) PolicyCombiningAlgorithm  // default is First-applicable
    hasTarget impliesType (1) Target  // this is implied, the target only specifies the ts:Space

concept PolicyCombiningAlgorithm
instance Deny-overrides memberOf PolicyCombiningAlgorithm
instance Permit-overrides memberOf PolicyCombiningAlgorithm
instance First-applicable memberOf PolicyCombiningAlgorithm
instance Last-applicable memberOf PolicyCombiningAlgorithm

concept Policy
    hasRules impliesType (0 1) RuleSeq
    // Rules in RDF are in an ordered rdf:Seq container,
    // in WSML it's a head-tail list
    hasRuleCombiningAlgorithm impliesType (1) RuleCombiningAlgorithm  // default is First-applicable
    hasTarget impliesType (1) Target  // this is implied, the target only specifies the ts:Space

concept RuleCombiningAlgorithm
instance Deny-rule-overrides memberOf RuleCombiningAlgorithm
instance Permit-rule-overrides memberOf RuleCombiningAlgorithm
instance First-applicable-rule memberOf RuleCombiningAlgorithm

concept RuleSeq
    hasRule impliesType (1) Rule
    hasTail impliesType (0 1) RuleSeq

concept Rule
    hasTarget impliesType (0 1) Target
    hasEffect impliesType (1) Effect

concept Effect
// there are only two members of Effect
instance Permit memberOf Effect
instance Deny memberOf Effect

concept Target
    // A policy target points to exactly one ts:Space and no actions or
    // roles. A rule target represents a set of subjects and a set of
    // actions, and no ts:Space.
    hasSubject impliesType Role
    hasAction impliesType Action  // hasSubject and hasAction only on rule target
    hasResource impliesType (0 1) ts#Space  // hasResource only on policy target

concept Action
instance Write memberOf Action  // write data
instance Read memberOf Action  // read data
instance Delete memberOf Action  // abstract action: Read+Delete=In
instance Subscribe memberOf Action  // subscribe
instance Recursion memberOf Action  // for recursive read
instance Transaction memberOf Action  // for transactions
instance Create memberOf Action  // space creation
instance Create-remote memberOf Action  // for distributed spaces
instance Create-no-local-parent memberOf Action  // kernel policy only
instance Destroy memberOf Action  // space deletion
instance Policy-read memberOf Action  // read policy

// Logging

concept AccessDeniedLogEntry subConceptOf ts#AccessLogEntry
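The ontology above only declares the structure of the access-control model (RoleMapping, PolicySet, Policy, the ordered RuleSeq, Rule targets and the named combining algorithms); it does not say how a request is decided. The following Python evaluator is an added illustration, not code from the TripCom project, of how a security space built from these concepts would reach a Permit or Deny decision. It assumes the XACML-style meaning of the combining algorithms (Deny-overrides: any Deny wins; Permit-overrides: any Permit wins; First-applicable / Last-applicable: first or last rule or policy whose target matches), that a Rule with an empty target applies to every subject and action, that a PolicySet's own Policy is combined before its nested PolicySets, and that a NotApplicable result is treated as a denial and recorded as an AccessDeniedLogEntry. All class names, the sample space, and the requester attributes are constructed for the example.

```python
"""Added example (not part of the TripCom ontology or its code base): an
evaluator for the ts-sec-onto access-control model. Combining-algorithm
semantics follow XACML (assumption); Indeterminate is not modelled."""
from dataclasses import dataclass, field
from typing import Optional

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass(frozen=True)
class AttributeConstraint:
    name: str                       # hasAttributeName
    value: Optional[str] = None     # hasAttributeValue; None = any value (assumption)


@dataclass
class RoleMapping:
    constraints: tuple              # hasAttributeConstraint (0 *)
    roles: frozenset                # hasRole (1 *)


@dataclass
class Rule:
    effect: str                                 # hasEffect: Permit or Deny
    subjects: frozenset = frozenset()           # rule-target hasSubject (Role names)
    actions: frozenset = frozenset()            # rule-target hasAction
    # The target is optional (0 1); an empty set is read as "any" (assumption).


@dataclass
class Policy:
    rules: list                                 # hasRules: the head-tail RuleSeq, flattened in order
    combining: str = "First-applicable-rule"    # default named in the ontology


@dataclass
class PolicySet:
    policy: Policy                              # hasPolicy (1)
    nested: list = field(default_factory=list)  # hasPolicySet (space hierarchy)
    combining: str = "First-applicable"         # default named in the ontology


@dataclass
class SecuritySpace:
    role_mappings: list
    policy_set: PolicySet
    access_log: list = field(default_factory=list)   # AccessDeniedLogEntry records


def combine(decisions, algorithm):
    """Reduce an ordered list of Permit/Deny/NotApplicable decisions."""
    applicable = [d for d in decisions if d != NOT_APPLICABLE]
    if algorithm in ("Deny-overrides", "Deny-rule-overrides"):
        return DENY if DENY in applicable else (PERMIT if PERMIT in applicable else NOT_APPLICABLE)
    if algorithm in ("Permit-overrides", "Permit-rule-overrides"):
        return PERMIT if PERMIT in applicable else (DENY if DENY in applicable else NOT_APPLICABLE)
    if algorithm in ("First-applicable", "First-applicable-rule"):
        return applicable[0] if applicable else NOT_APPLICABLE
    if algorithm == "Last-applicable":
        return applicable[-1] if applicable else NOT_APPLICABLE
    raise ValueError(f"unknown combining algorithm: {algorithm}")


def map_roles(mappings, attributes):
    """Union of the roles of every RoleMapping whose constraints all hold."""
    roles = set()
    for m in mappings:
        if all(c.name in attributes and (c.value is None or attributes[c.name] == c.value)
               for c in m.constraints):
            roles |= m.roles
    return frozenset(roles)


def rule_decision(rule, roles, action):
    """A rule yields its Effect only when its target matches the request."""
    if rule.subjects and not (rule.subjects & roles):
        return NOT_APPLICABLE
    if rule.actions and action not in rule.actions:
        return NOT_APPLICABLE
    return rule.effect


def evaluate_policy(policy, roles, action):
    return combine([rule_decision(r, roles, action) for r in policy.rules], policy.combining)


def evaluate_policy_set(pset, roles, action):
    # Own policy first, then nested sets (ordering is an assumption).
    decisions = [evaluate_policy(pset.policy, roles, action)]
    decisions += [evaluate_policy_set(n, roles, action) for n in pset.nested]
    return combine(decisions, pset.combining)


def decide(space, attributes, action):
    """Final decision for one request; anything but Permit is denied and logged."""
    roles = map_roles(space.role_mappings, attributes)
    decision = evaluate_policy_set(space.policy_set, roles, action)
    if decision != PERMIT:
        space.access_log.append({"type": "AccessDeniedLogEntry", "roles": sorted(roles),
                                 "action": action, "decision": decision})
        return DENY
    return PERMIT


def sample_space(rule_combining="First-applicable-rule"):
    """Constructed sample: a space owned by uid 'alice', readable by the research department."""
    mappings = [
        RoleMapping(constraints=(), roles=frozenset({"authenticated"})),   # every requester (constructed)
        RoleMapping(constraints=(AttributeConstraint("department", "research"),),
                    roles=frozenset({"researcher"})),
        RoleMapping(constraints=(AttributeConstraint("uid", "alice"),), roles=frozenset({"owner"})),
    ]
    rules = [
        Rule(PERMIT, subjects=frozenset({"owner"})),                                  # owner: any action
        Rule(PERMIT, subjects=frozenset({"researcher"}), actions=frozenset({"Read", "Subscribe"})),
        Rule(DENY, subjects=frozenset({"authenticated"}), actions=frozenset({"Write", "Destroy"})),
    ]
    return SecuritySpace(mappings, PolicySet(Policy(rules, rule_combining)))
```

Running the same constructed rule set under the two rule-combining algorithms shows why the ontology makes the algorithm an explicit property of every Policy: with First-applicable-rule the owner rule comes first and the owner may Destroy the space, whereas with Deny-rule-overrides the later blanket Deny for authenticated users also catches the owner, who holds that role too.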